Hurricane
New Member
Joined: Nov 25, 2005
Posts: 23
Location: Newnan, GA
Posted: Sat Jan 20, 2007 2:08 pm
...even though I keep Sentinel up to date and am running Raven Nuke, this time the hacking bastards got me.
They got in through my guestbook from Raven... how ironic!
Well, they replaced my index page with their crap, which was not shown. My site just seemed not to have an index page. So I investigated the thing and found out that my guestbook files in modules had been replaced with some C90 files and other trojan horse crap. I erased the whole guestbook.
Then today, my account got suspended by my service provider due to somebody reporting my site as a "Phishing site"... gee...
We found out that, one day after the initial hacking attack, they replaced the files in the db folder. Sure enough, I had linked to www.nationwide.co.uk...
I was able to FTP the infected files and save them, in case some of you specialists want to see them; let me know. I erased the infected db files from my server, uploaded my backup, and my site is working fine again.
I just want to know how those freaks got in, and how we can stop such a stupid attack.
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Sat Jan 20, 2007 2:41 pm
Too bad... but I'm not aware of Raven's guestbook being vulnerable.
The c90 often comes as c99, so maybe it's a different one, but used to gain access on a server...
But realise that Sentinel only protects core stuff, not 3rd party stuff.
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Sat Jan 20, 2007 4:52 pm
It's unusual that files were created / changed on your site. That indicates that an upload script (e.g. photo gallery, etc.) was in use, or that your FTP or control panel has been compromised. Not likely done through the guestbook.
_________________ I search, therefore I exist...

Hurricane
Posted: Sat Jan 20, 2007 5:00 pm
I will check the log files and will try to check how they got in.
As for the photo album, it seemed to be OK and had not been used by those guys.
What is this C90 or C99 file in the first place?
All I know so far is that the guestbook files were corrupted, as well as the db folder. I did not say that it could have been the guestbook, but currently I have no idea how they managed to get in.
hitwalker
Posted: Sat Jan 20, 2007 6:03 pm
The C99 is a mean SOB.
If you get that on your server you can kiss it goodbye too... (Laughing)
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Sun Jan 21, 2007 1:08 am
c99shell is a very malicious shell script; it can let the hacker take over your server.
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sun Jan 21, 2007 10:38 am
I am readying the security release even as we talk. Do you have register_globals turned off? |
Hurricane
Posted: Sun Jan 21, 2007 10:42 am
Raven wrote:
> I am readying the security release even as we talk. Do you have register_globals turned off?

Help me out... where could I have done that?
Raven
Posted: Sun Jan 21, 2007 12:21 pm
If you have access to your php.ini, then set register_globals=off. Otherwise, add the line to your .htaccess file. In addition, at the bottom of your config.php you should have these lines:

```php
######### DO NOT EDIT BELOW THIS LINE!! ##########
if (file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);
$version = $app_version;
```

MODIFY it to read

```php
######### DO NOT EDIT BELOW THIS LINE!! ##########
if ($hide_errors) @ini_set('display_errors','off');
// array_walk() callback: strips HTML/PHP tags from every value, recursing into nested arrays
function stripAllTags (&$arrayGET, $value) {
if (is_array ($arrayGET)) @array_walk ($arrayGET, "stripAllTags");
else $arrayGET = @strip_tags ($arrayGET);
}
// Sanitize all GET parameters before they are used anywhere below
if (isset ($_GET)) @array_walk ($_GET, "stripAllTags");
elseif (isset ($HTTP_GET_VARS)) @array_walk ($HTTP_GET_VARS, "stripAllTags");
if (file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);
$version = $app_version;
```

That should get you by until I get the fix pack out.
Would you zip up the log entries pertaining to the compromise and send it to me, please? I want to be sure that what I have done covers what hole they used.
raven at phpscripts dot com
Thanks.
Hurricane
Posted: Tue Jan 23, 2007 9:42 pm
Raven wrote:
> If you have access to your php.ini, then set register_globals=off. Otherwise, add the line to your .htaccess file. In addition, at the bottom of your config.php you should have these lines:...

I do not have access to this/these file(s).

Raven wrote:
> That should get you by until I get the fix pack out.
> Would you zip up the log entries pertaining to the compromise and send it to me, please? I want to be sure that what I have done covers what hole they used.
> raven at phpscripts dot com
> Thanks.

I've sent you the complete log files of the last couple days around the attack and after. I hope it helps...
Raven
Posted: Tue Jan 23, 2007 9:57 pm
Just add a file called .htaccess in your guestbook home folder. In it place the following line:

```
php_flag register_globals off
```

Thanks for the logs!
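The following is an added example, not code from this thread or from Raven's guestbook; it shows what the two fixes Raven gives in his posts above actually do: why `register_globals` must be off before the `@include($path_to_user_prefs)` in config.php is safe, how to confirm the setting from PHP itself, and what the `stripAllTags` walk over `$_GET` does and does not cover. The request array, the file names and the function names other than `stripAllTags` are constructed for this demonstration, and `register_globals=on` is emulated with `extract()` because the directive no longer exists in current PHP.

```php
<?php
// Added example (not from the thread or from kisgb). Demonstrates the
// register_globals hazard behind Raven's config.php include, a check for the
// directive, and Raven's strip_tags() walk over $_GET. All inputs are constructed.

// Constructed request, as the web server would hand it to the script.
$constructedGet = array(
    'page'               => '1',
    'name'               => '<b onmouseover="x()">Bob</b>',
    // A parameter that happens to share a name with a config.php variable
    // (placeholder value, constructed for the demonstration).
    'path_to_user_prefs' => 'some-other-file.txt',
);

// 1. Why register_globals matters. config.php sets $path_to_user_prefs and then
//    runs @include($path_to_user_prefs). With register_globals=on, PHP imported
//    every request parameter as a global first, so a parameter of the same name
//    silently replaced the configured value before the include ran.
function pathSeenByInclude(array $request, $configuredPath, $registerGlobalsOn)
{
    $path_to_user_prefs = $configuredPath;
    if ($registerGlobalsOn) {
        // Emulates register_globals=on: request variables overwrite script variables.
        extract($request, EXTR_OVERWRITE);
    }
    return $path_to_user_prefs;
}

// 2. Confirm the directive is off in the running interpreter. ini_get() returns
//    false when the directive does not exist (PHP >= 5.4), "" or "0" when disabled.
function registerGlobalsIsOff()
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0';
}

// 3. Raven's stripAllTags, as used with array_walk(): each value arrives by
//    reference together with its key; nested arrays are walked recursively.
function stripAllTags(&$item, $key)
{
    if (is_array($item)) {
        array_walk($item, 'stripAllTags');
    } else {
        $item = strip_tags($item);
    }
}

// Returns a sanitized copy so the caller can compare before and after.
function sanitizedCopy(array $get)
{
    array_walk($get, 'stripAllTags'); // $get is a copy; the original is untouched
    return $get;
}

// Demonstration when run from the command line: php register_globals_demo.php
if (PHP_SAPI === 'cli') {
    $configured = './user_prefs.php'; // what config.php would normally set
    printf("register_globals off in this PHP:        %s\n", registerGlobalsIsOff() ? 'yes' : 'NO');
    printf("include path with register_globals on:   %s\n", pathSeenByInclude($constructedGet, $configured, true));
    printf("include path with register_globals off:  %s\n", pathSeenByInclude($constructedGet, $configured, false));
    echo "GET values after stripAllTags:\n";
    foreach (sanitizedCopy($constructedGet) as $key => $value) {
        printf("  %-18s => %s\n", $key, $value);
    }
}
```

Two points the output makes visible: the `strip_tags()` walk removes the markup from `name`, but it leaves `path_to_user_prefs` exactly as the request sent it, so it does nothing against the variable overwrite; turning `register_globals` off is the fix for that, and the tag stripping only narrows what tag-bearing values reach the rest of the script. On the `.htaccess` line from Raven's later post, note that `php_flag` is honoured only when PHP runs as an Apache module (mod_php) and the directory allows overrides; under CGI or FastCGI Apache does not know the directive and answers with a 500 error, in which case the setting has to go into php.ini.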
Hurricane
Posted: Tue Jan 23, 2007 10:04 pm
Let me know if I can help you go through this large amount of data from the logs...
I will have to re-install the kisgb after I make a couple of changes to my site...
Thank you very much Raven!
Raven
Posted: Tue Jan 23, 2007 10:08 pm
Okay, but I haven't received them [yet]. When did you send them?
Hurricane
Posted: Tue Jan 23, 2007 10:12 pm
Yesterday evening, 11:30 Eastern, to the email mentioned earlier. However, it is 6MB! Should I make it available for DL, in case it is too big?
Raven
Posted: Tue Jan 23, 2007 10:19 pm
Strange. Yes, make the zip a d/l and PM to me the name/location of the file. Thanks. |
Hurricane
Posted: Tue Jan 23, 2007 10:39 pm