Webmastersite.net

Site was hacked

Comments on Site was hacked

Dawn Wentworth
Member

Usergroup: Customer
Joined: Sep 13, 2005

Total Topics: 6
Total Comments: 13
Posted Nov 14, 2005 - 7:45 AM:

Site was hacked and defaced yesterday. My database backup is corrupt. The backup quits around the "email" tables.

I am paying my web host for a backup - and waiting on that now.

Looking for any advice for future recommendations - I don't ever want to go through this again ..
Olney
Member

Usergroup: Customer
Joined: Oct 30, 2004

Total Topics: 18
Total Comments: 47
Olney
Posted Nov 14, 2005 - 9:24 AM:

Are you running anything else like
phpBB or old version of Mambo or something?

Did they hack through your wsnlinks?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Nov 14, 2005 - 6:06 PM:

WSN Links is quite unlikely to be hacked if for no other reason than that there's no branding mark. 99% of hacks consist of a hacker reading about a security flaw in a script, writing their exploit, and then googling for all sites containing "Powered by phpBB" or the like in order to try them all. That's obviously not possible for the full version of WSN Links. Even going to your site manually, there's no way someone would know it was WSN Links unless they had a reason to guess it and just needed confirmation.

'Course I do try to have security by more than just obscurity. There was an exploit once in version 2.2 or so, but it was patched and I never heard of anyone actually being hacked because of it.
Dawn Wentworth
Member

Usergroup: Customer
Joined: Sep 13, 2005

Total Topics: 6
Total Comments: 13
Posted Nov 15, 2005 - 4:07 AM:

from what I can tell thus far ...

They somehow changed a good bit of my template - replacing images and text. Many database settings were changed - it looks like they may have sent email to members and changed several email addresses.

In my database I found the email tables were screwy and the settings table variables were changed.

The hacker left the name LatinPimp - but I haven't been able to locate anything more of a hacker by that name.

All my redirects had been changed and I found it impossible to get into my administration area.

I have 10 domains on the same hosting account, and many subdomains. Nothing else was bothered, so I am leaning more to the thought that they came in from wsnlinks.

I have removed and reinstalled all ...

My host did a backup of the database - then I had errors in the script talking to the database for hours.

An upgrade finally fixed that - but not without losing my templates.

Here is a snippet of the settings table variables..

INSERT INTO wsnlinks_settings (id, name, content) VALUES (329,'termsofservice','<html>\r\n<title>Hacked by latinpimp</title>\r\n<body>\r\n<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>\r\n<font color=red><b><center><big><big><big><big><big><big><big><big><big><big><big><big>PWNED!</big></center></b></font>\r\n</body>\r\n</html>\r\n');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (330,'bannedemails',' ');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (331,'throw404s','<html>\r\n<title>Hacked by latinpimp</title>\r\n<body>\r\n<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>\r\n<font color=red><b><center><big><big><big><big><big><big><big><big><big><big><big><big>PWNED!</big></center></b></font>\r\n</body>\r\n</html>\r\n');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (332,'expirationwarningdays','0');


WSNLinks is the only script installed here.

damon
Member

Usergroup: Customer
Joined: Oct 14, 2005
Location: Singapore

Total Topics: 11
Total Comments: 31
damon
Posted Nov 15, 2005 - 11:50 AM:

Hope it's getting better now, Dawn.

Just my 2 cents. Don't forget to delete setup.php after install
Dawn Wentworth
Member

Usergroup: Customer
Joined: Sep 13, 2005

Total Topics: 6
Total Comments: 13
Posted Nov 16, 2005 - 8:17 AM:

Thanks for the reminder .. I had forgotten. Other problems still lurk.

I can not log in .. I followed all the suggestions in the support manual. You can log in at first creation - but once you log out, you're unrecognized.

sad
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Nov 16, 2005 - 8:20 PM:

Well, one would think I would be hacked first since my WSN installs should be easiest to identify.

The admin password wasn't something that would be easily guessed?

damon wrote:
Don't forget to delete setup.php after install


No, do go ahead and forget. It is logically impossible for setup.php to be a security issue, due to the order of execution and the fact that it's not multi-page. It obviously wasn't used as well because it would overwrite the whole install with a new one instead of making changes to an existing one.

Dawn Wentworth wrote:
You can log in at first creation - but once you log out, you're unrecognized.


That sounds like what would happen when a cookie path is incorrect or there are multiple cookies... some sort of cookie issue.

Anyhow, you can always do a new install and use phpmyadmin to re-add the data.
Dawn Wentworth
Member

Usergroup: Customer
Joined: Sep 13, 2005

Total Topics: 6
Total Comments: 13
Posted Nov 17, 2005 - 4:09 AM:

It looks more like an sql injection. Random tables injected with the same data - that overwrote the data in them.

If that isn't a possibility then .. maybe the password was the issue.

But so much more or different would have or could have been done with full access.

The data that was replaced ... was all identical in random tables..

I have heard of sql injection before - but do not know anything of it or the workings of sql enough to understand yet.

As far as getting logged in .. I did try all the suggestions with cookies from the help files .. I figure this is the problem - tracking it down or reinstalling soon as I get the time.
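
Added example (not part of the original thread, and not WSN Links code): a small triage script for the symptom described in the posts above, where the same value turns up under unrelated setting names. It reads single-row INSERT statements in the form quoted earlier in the thread and reports rows that share one identical, non-trivial value; the sample dump is constructed, the function names are hypothetical, and it only understands tables with the (id, name, content) column layout.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dump quoted in the thread
# (table and column names from the post; the injected markup is shortened).
SAMPLE_DUMP = r"""
INSERT INTO wsnlinks_settings (id, name, content) VALUES (329,'termsofservice','<html>\r\n<title>Hacked by latinpimp</title>\r\n</html>\r\n');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (330,'bannedemails',' ');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (331,'throw404s','<html>\r\n<title>Hacked by latinpimp</title>\r\n</html>\r\n');
INSERT INTO wsnlinks_settings (id, name, content) VALUES (332,'expirationwarningdays','0');
"""

# One single-row INSERT per statement, in the form quoted in the thread.
# Quoted values may contain backslash escapes or doubled single quotes.
ROW = re.compile(
    r"INSERT INTO `?(\w+)`? \(id, name, content\) VALUES "
    r"\((\d+),'((?:[^'\\]|\\.|'')*)','((?:[^'\\]|\\.|'')*)'\);"
)

def find_overwritten(dump, min_len=20):
    """Group rows by identical content and return the groups that look overwritten.

    A group is returned when the same value of at least min_len characters
    appears under two or more different (table, setting name) pairs.
    """
    groups = defaultdict(list)
    for table, row_id, name, content in ROW.findall(dump):
        if len(content) >= min_len:  # ignore short values such as '0' or ' '
            groups[content].append((table, int(row_id), name))
    return {c: rows for c, rows in groups.items()
            if len({(t, n) for t, _, n in rows}) > 1}

def report(dump):
    """Return one line per suspicious row, sorted by table and id."""
    lines = []
    for content, rows in find_overwritten(dump).items():
        # Full HTML documents do not belong in most settings values.
        has_markup = bool(re.search(r"<\s*(html|title|script|body)\b", content, re.I))
        for table, row_id, name in sorted(rows):
            lines.append(f"{table} id={row_id} name={name} markup={has_markup}")
    return sorted(lines)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```

Run against both the damaged dump and the host's backup, the list of flagged rows shows which settings need to be restored by hand.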
Nicky32
Member

Usergroup: Customer
Joined: Sep 27, 2005
Location: Canada

Total Topics: 12
Total Comments: 32
Nicky32
Posted Nov 17, 2005 - 3:56 PM:

If you search Google for "www*/wsnlinks/" it's fairly easy to find WSNlinks sites to hack. That's one reason I've been thinking of changing it on my installs, but then I have to make a redirect with .htaccess and might lose PR.