Author |
Message |
checksum
Hangin' Around

Joined: Jun 30, 2003
Posts: 39
|
Posted:
Tue Jun 12, 2007 5:52 pm |
|
Could any of you guys look at my site and let me know where the problem is?
My site has been hacked since this morning
http://www.xxxxxxxx.com/ |
Last edited by checksum on Wed Jun 13, 2007 10:43 pm; edited 1 time in total |
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Jun 12, 2007 5:55 pm |
|
Looks like the code was replaced with some nasty Javascript
It could be anywhere, hacked files... hacked database, etc. |
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 6:06 pm |
|
yes I see the javascript, how can I locate it and delete it? |
|
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Tue Jun 12, 2007 6:27 pm |
|
Look for recently changed files. |
_________________ I search, therefore I exist... |
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 6:33 pm |
|
That's what I am doing, but it's hard
I see config.php 5/6/2007 but when I look into it I do not see the javascript code
Can I give you access to my ftp in your PM so you can help me locate it? |
|
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 7:00 pm |
|
I did a search in the entire database, and I could not find anything javascript.
I could not see any files or folders modified 6/12/07, it happened this morning |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 7:24 pm |
|
It could be in your database - check the messages, news and blocks tables. |
|
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 7:54 pm |
|
I downloaded the whole database and did a search, no javascript found |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 8:34 pm |
|
OK. I looked at the site. If there aren't any new files (e.g. index.html, index.htm) or changes to your index.php (assuming it's PHP-Nuke), I'd check the includes and themes directory for changes to files there. |
|
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 10:20 pm |
|
Could he be pulling the javascript from somewhere else, such that when I do a search on the javascript code, I do not find anything? |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 10:37 pm |
|
Something in mainfile...haven't found it yet. |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 10:51 pm |
|
You need to check with your host. There is a bigger problem. It looks like they are adding a google analytics reference that is interfering with your scripts. I added an info.php file, and all it does is execute phpinfo. Even that has the google analytics stuff. Is this a free host?
Don't forget to remove the info.php after you verify. |
|
|
|
 |
checksum

|
Posted:
Tue Jun 12, 2007 10:55 pm |
|
no, it is a VPS, I have access to the server too. I can give you access to the server also |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 10:59 pm |
|
Is it managed? If so, have them check the configuration. Even regular .html files are loading the google-code script. |
|
|
|
 |
kguske

|
Posted:
Tue Jun 12, 2007 11:04 pm |
|
Sorry - it's pointing to google-counter.com. Probably to drive up adsense or some other nonsense. Giving me VPS access won't help - I wouldn't know where to start. But it's definitely not your script, though you should have different passwords for cpanel, database and nuke admin. Not sure if that's the case, but you should also update your NukeSentinel - it looks a few versions old. |
|
|
|
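Added example, not part of the thread: kguske's check above (a bare info.php and plain .html files both coming back with the foreign script) is what separates a compromised application from injection at the web-server level. The Python sketch below makes the same comparison for a static file by diffing the script tags in the copy on disk against the served response; the sample pages, the host name injected.example and all function names are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect ("src", url) or ("inline", body) for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.found, self._inline = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append(("src", src.strip()))
            else:
                self._inline = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:
                self.found.append(("inline", body))
            self._inline = None

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return Counter(parser.found)

def injected_scripts(on_disk, served):
    """Scripts in the served response that the file on disk does not contain."""
    return sorted((scripts_in(served) - scripts_in(on_disk)).elements())

def injected_hosts(on_disk, served):
    """External hosts referenced only by the injected scripts."""
    hosts = {urlparse(v).hostname for kind, v in injected_scripts(on_disk, served) if kind == "src"}
    return sorted(h for h in hosts if h)

# Constructed sample: a static page as stored on disk and the same page as served.
DISK = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
SERVED = DISK.replace("</body>", '<script src="http://injected.example/c.js"></script></body>')

if __name__ == "__main__":
    print(injected_hosts(DISK, SERVED))
```

Run it against a static .html file rather than a PHP page, since static content should reach the visitor unchanged; any script that appears only in the served copy was added by the server or something in front of it, not by the site's own files or database.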
 |
checksum

|
Posted:
Tue Jun 12, 2007 11:09 pm |
|
I don't know what you mean by managed, but I do have pretty much control of the server. I have sent them an email, I will see what they say, and if they can identify the root cause.
Thank you for your help |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Jun 13, 2007 6:28 am |
|
checksum, there are typically two levels of service provided by hosting companies for a VPS and dedicated. There is "managed" and "not managed". "managed" is more expensive, but generally speaking, if the plan is a good one, the hosting company will do almost anything you need done at the server level. Let's face it, most of us are not server admins, so we need help from time-to-time. If your plan is not "managed", then there may be charges for support tickets.
In other words, it boils down to how much help you can expect to get from your hosting company for your VPS or dedicated server. |
|
|
 |
kguske

|
Posted:
Wed Jun 13, 2007 6:49 am |
|
Looks like it's working now. Please let us know the details. |
|
|
|
 |
checksum

|
Posted:
Wed Jun 13, 2007 5:02 pm |
|
Hi,
Sorry for the delay, was at work.
They fixed it early this morning. I pointed them to this thread also.
Here is what they said:
Could you please check now, that code shouldn't load on your pages anymore.
It was an exploit that is using a bug in the mod_layout apache module. I've disabled it, and your server is safe now.
Best regards,
Tom H.
HostForWeb Inc.
Thank you kguske for your help |
|
|
|
 |
kguske

|
Posted:
Wed Jun 13, 2007 8:46 pm |
|
Thanks for following up. Don't forget to remove the info.php file in your Nuke root. Make sure you have different cPanel, VPS, and Nuke database user IDs / passwords for extra security... |
|
|
|
 |
kguske

|
Posted:
Thu Jun 14, 2007 5:14 am |
|
One more follow up - can you get some details (i.e. a link) on this exploit from your host? That was a particularly nasty issue, and we couldn't find any details about it based on the response. |
|
|
|
 |
checksum

|
Posted:
Thu Jun 14, 2007 7:05 pm |
|
|
|
 |
CodyG
Life Cycles Becoming CPU Cycles

Joined: Jan 02, 2003
Posts: 714
Location: Vancouver Island
|
Posted:
Tue Jun 26, 2007 12:04 am |
|
any updates? |
_________________ "We want to see if life is ubiquitous." D.Goldin |
|
|
 |
|