I got hacked


Homer
Mar 30th 2005, 10:42 am
I have a dedicated server on which I host many websites. Today ALL of my sites contain this on the homepage...
http://www.createonlinebusiness.com/


Does anyone know what has happened? Moreover, how can one prevent this in the future??


Appreciate any feedback I can get

nullbit
Mar 30th 2005, 11:07 am
Take your server offline now. Otherwise, you're open to more abuse.

Then I would contact your host, request they perform a backup of anything important, work out how they got in, and then do a fresh reinstall of the OS.

Chances are they have installed a rootkit, you _need_ to do a fresh OS install, or revert to a backup image (if your host has one). That's the only way to be sure.

mushroom
Mar 30th 2005, 11:09 am
In order to prevent it from happening again you must first find out how it happened to start with.

Is everything on your server updated/patched?
Linux Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a
from: http://news.netcraft.com/archives/web_server_survey.html

One more thing: if you log in to your server using a Windows machine, check it for spyware; this is becoming a common way of getting into a Linux server.

nullbit
Mar 30th 2005, 11:25 am
To follow up my earlier post, since your sites are still online you should do one of the following:

Shutdown:

shutdown -h now


Or, block all ports:

/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP


The first method would be better, since some rootkits will bypass the firewall, making the second method useless.

Once it's blocked off, then you should deal with the problem.

Homer
Mar 30th 2005, 12:16 pm
nullbit AND Mushroom, thanks so much for your help... Sorry I can't chat more but I have to go fire fighting :eek:


Thanks again :)

Homer
Mar 30th 2005, 12:29 pm
BTW guys, just heard back from the host; they say the cause was that kernel apache wasn't up to date :confused:

Homer
Mar 30th 2005, 1:35 pm
Well now I am in a bit of a quandary. My host is now saying that the intrusion occurred from the phpbb forum that I installed through cpanel. They also added that I am on my own to fix it. I have about 20 forums with data :mad:

It seems that this defacing has attacked all files named index.php, .htm, .shtml, etc. I have hundreds of them. So my problem is I don't really know if I am being told the truth by my host, and my skillset on a webserver is very limited. So I am OK reinstalling what needs to be reinstalled via FTP but not familiar enough with the server environment to find out EXACTLY how this happened.

I can also say that I am not impressed with the help (lack thereof) that I am receiving from my hosting company. So once I get this under control I will need to find a new host... any suggestions... any help... forever in debt :o

nullbit
Mar 30th 2005, 1:55 pm
phpBB has had a few published exploits recently, mostly down to bugs in older PHP versions. So this would make sense.

You really need to get your host to do a fresh OS install, and then make sure your system is up-to-date (especially PHP). Most crackers (or whatever you wish to call them) will leave a backdoor, so addressing the PHP/phpBB issue alone will not prevent them gaining access, and potentially using your server as a proxy to compromise other hosts.

Homer
Mar 30th 2005, 2:49 pm
OMG remind me not to get hacked again :o . The problem was, indeed, the phpbb forum. If ANYONE is running version 2.0.10 or less go here now http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

It's actually pretty painless. This is my first hack that I have had to deal with. What a pain in the ass. Back on track now. Upgrading forums 1 at a time...fresh OS installed.

I must also take back a few of my words. (I know theoretically you can't do that.) My host actually got on the phone with me (3rd level admin) and walked me through the technicalities of this process. :cool:

Thanks

TheWebJunkie
Mar 30th 2005, 4:05 pm
phpbb 2.0.11 is hackable also with a perl exploit, so watch out.

Homer
Mar 30th 2005, 4:46 pm
phpbb 2.0.11 is hackable also with a perl exploit, so watch out.

Thanks for the feedback, TheWebJunkie. Does the above link cover the perl exploit?

This is the code I find in every file with 'index' in it (hundreds of them across 60 domains on 1 server):

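A scan for the injected marker across a web root, added here as an example (not code from the thread, the host, or phpBB). It assumes one directory per domain directly under the web root, that the injected block starts with `document.write (unescape(` as in the post, and that only index.* files were touched; the output is a list to restore from backup, not a cleaner.

```shell
#!/bin/sh
# Added example, not from the thread. Lists every index.* file under a web
# root that carries the injected document.write(unescape(...)) block, so the
# scope of the defacement is known before restoring from backup.
# Assumptions (mine): layout is <webroot>/<domain>/..., and the marker is the
# literal "document.write (unescape(" with optional whitespace before "(".

# Print, sorted, every index.php/.htm/.html/.shtml file under $1 containing
# the marker. grep -l prints only file names; find's -exec ... + batches them.
find_defaced() {
    webroot="$1"
    find "$webroot" -type f \( -name 'index.php' -o -name 'index.htm' \
         -o -name 'index.html' -o -name 'index.shtml' \) \
         -exec grep -l 'document\.write *(unescape(' {} + 2>/dev/null \
      | sort
}

# Number of affected files: the size of the restore job.
count_defaced() {
    find_defaced "$1" | wc -l | tr -d ' '
}

# Distinct first-level directories (one per hosted domain, by assumption) that
# contain at least one defaced file, so each site owner can be told.
defaced_domains() {
    find_defaced "$1" | sed "s|^$1/||" | cut -d/ -f1 | sort -u
}

# Stand-alone usage: ./scan.sh /var/www
if [ -n "$1" ]; then
    echo "defaced files: $(count_defaced "$1")"
    echo "domains affected:"
    defaced_domains "$1"
fi
```

Files that are not named index.* but still contain the marker are deliberately left out of the count; widen the -name list if the defacer touched other names on your box.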

ziandra
Mar 30th 2005, 7:55 pm
That's why I don't like phpbb. A bug is found, but rather than put a wrapper around the vulnerable function, they get on their high and holy horse and say "FORCE YOUR ISP TO UPGRADE THEIR SERVER SOFTWARE!". Yeah, right. Like that is going to happen overnight. Meanwhile you take your site offline or you are running vulnerable just waiting for a script kiddie to come along. At least the securityfocus alert gives you the chance to get a backup in before the kiddies find you.

Decent package otherwise, but anyone who doesn't know php well enough to go in and put the wrapper on themselves is in for a heap of hurt with an attitude like theirs.

Homer
Mar 31st 2005, 5:13 am
That's why I don't like phpbb. A bug is found, but rather than put a wrapper around the vulnerable function, they get on their high and holy horse and say "FORCE YOUR ISP TO UPGRADE THEIR SERVER SOFTWARE!". Yeah, right. Like that is going to happen overnight. Meanwhile you take your site offline or you are running vulnerable just waiting for a script kiddie to come along. At least the securityfocus alert gives you the chance to get a backup in before the kiddies find you.

Decent package otherwise, but anyone who doesn't know php well enough to go in and put the wrapper on themselves is in for a heap of hurt with an attitude like theirs.

Well that's me :o. I am a novice with PHP. Is there an easy explanation of the 'wrapper' you speak of, ziandra?

anthonycea
Mar 31st 2005, 11:31 am
Homer, this is old news, did you happen to read this thread :confused:

http://forums.digitalpoint.com/showthread.php?t=6793&page=5&pp=40

:rolleyes: :rolleyes: :rolleyes:

Homer
Apr 1st 2005, 1:26 pm
This forum is just TOO big to read ALL. You seem to be the walking dictionary of DP. The next time I'm in a jam like this is it alright if I ask you first? :D


Thanks Bro

ziandra
Apr 1st 2005, 10:08 pm
Well that's me :o. I am a novice with PHP. Is there an easy explanation of the 'wrapper' you speak of, ziandra?

Ok, let's say you are a computer programmer. Let's say the run time library has a function called "open the door". You call the function with a 1 and the door is opened. You call it with a 0 and the door is closed. Everything sounds good so far. But, let's say the operation of this function does not check to make sure nothing is blocking the door. So, calling "open the door" with a 0 will potentially close the door on the baby crawling around the house. A programmer might write a function called "my open the door" that checks to see if a baby is near the door before opening or closing the door. This is called a "wrapper function". It encapsulates the features provided by the library but typically adds additional safety checks.

Many "hacks" take advantage of buffer overflows. You will see a bunch of attempts to break in to your web server every day with those really long and obnoxious URLs. People who are not willing to wait for their library provider to fix the problem will write wrappers that do little other than verify that the data passed into the function is not too big.

In the case of phpbb, there was one function in php used by phpbb that was susceptible to a buffer overflow. Rather than create a wrapper function for the half dozen (I am guessing at the number) places it is used that verifies the buffer is not too big, the people who develop phpBB said "it is their problem, not ours". They ignored a fundamental philosophy of computer software vendors which goes something like "I don't care whose fault it is, it is all of our problem". They chose to point fingers rather than fix the problem.

Hence my disgust for the developers of an otherwise very nice package.

noppid
Apr 1st 2005, 10:11 pm
Quality and support cost money. :/

Homer
Apr 2nd 2005, 8:38 am
Thanks ziandra. Is there a better forum (more secure) that you would recommend I use??

anthonycea
Apr 2nd 2005, 1:27 pm
:o Homer, go here www.vbwebmaster.com and tell them that I sent you :p

minstrel
Apr 2nd 2005, 1:28 pm
But it IS a php problem rather than a phpBB problem and it IS avoided by upgrading the php version, no?

It doesn't even have to be the latest version of php... just one of the newer ones. It's a little like saying people who are still running Windows 1.0 should be launching a class action suit against Microsoft rather than at least partially upgrading their software...

ziandra
Apr 2nd 2005, 1:54 pm
But it IS a php problem rather than a phpBB problem and it IS avoided by upgrading the php version, no?
Absolutely.
It doesn't even have to be the latest version of php... just one of the newer ones. It's a little like saying people who are still running Windows 1.0 should be launching a class action suit against Microsoft rather than at least partially upgrading their software...

No, actually, after the exploit was announced, PHP was patched and you had to run the latest, latest greatest version. People who ran their own servers had to upgrade their servers quick and did not have time to run a proper validation. People who did not manage their own servers had two choices. Turn off their forum or pray the script kiddies did not find them.

The analogy to windows 1.0 is not very accurate. It is not even accurate to compare to people who are still running SP1 and have not upgraded to SP2. It is people who are running SP2 without hotfix KB3434321-ab-prime2..

As for alternatives, there are a lot of forum packages out there. Few are as feature rich at the price point (Free) of phpBB.

Homer
Apr 2nd 2005, 1:57 pm
Yes, PHP is the real problem. I am running the most recent version now. Also have a backup drive I did not have before :o.

I am told the latest version of phpbb (2.0.13) is safe, but it seems it's a cat and mouse game when the 'fixes' are made public... http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

So that's why I'm wondering if there are better (safer) programs to run. I lost all my data, which means I have to start from scratch anyway. I'll be f*#cked if I'm going to let this happen again. A wise man once said 'no lunch is free'... maybe I'm better off purchasing a good forum program. :confused:

neterslandreau
Apr 6th 2005, 3:26 am
You should also consider installing Bastille (http://www.bastille-linux.org/) (assuming you're running a Linux box). It hardens your system nicely and provides daily emails letting you know if your security's been tested by crackers.