Urgently, some porn links has been added to my directory

Antonio, out of interest, what file did you find that line of code in?

 

index.php

@MeetHere

I have no idea about that, every thing seems working smoothly before I got the warning email.

 

Antonio, wld u mind if i posted the details of this finding on my PR5 blog at linksfactory.net? think it wld be very helpful for many to know of this issue and be wary of it....

Proper credit wld be given to u of course

 

Of course you can.

I hope this would help people keep away from the problem.

 

What would help more is if we figured out how someone managed to edit your index.php file.

People have suggested that the attack was carried out via the contact form... now if the permissions on the index.php file were correct then the only person who *should* be able to edit the file would be the owner, e.g. you, by uploading or editing through FTP.

This therefore leads to the question, how is it possible that someone has gained 'owner' status via the contact form, or any form for that matter.

If the file permissions are wrong, e.g. 0777 then this would help explain how the attack occured via a form, but none the less, the forms should be protected to prevent such attacks from being initiated in the first place.

Phew, just my tuppence worth.

 

I don't know whether there is a bug in the contact form. But all the files has no written permission, all the .php files are in the default 644, and so template files are.

 

Do you have any of the emails you received still? If so can you PM me one so that I can take a look at it and try and figure out what they did.

Please don't post the emails publicly as you may inadvertently start an attack on all directories

 

I have checked the backups, the code was there since last month.

All the emails are deleted, and they would now all be in my spam box.


Directory owners check your directory source codes, does any one else get the same problem. I have seen many directories using the same mods like me.

 

what mods?

 

Contact form and report form, they both send spam emails.

But the contact is provided by David in V3.2 now. I do not think there will be any problems.

 

I checked last night and there were only 12 other sites on the internet (from Y!'s backlink checker) that had links to the bad neighborhood sites that were on your homepage (ironically, yours was not listed). I emailed each of them and notified them of the problem and pointed them out to the solution (as well as offered to help clean it up). FYI: yours was the only directory effected, the rest were normal sites (businesses, doctors, etc)

As far as this contact forms go ... If they wiped your SQL db out, I would blame the contact form. But, having write permissions to index.php ... you are looking at a crack that has your master password. This stuff can happen any number of ways and it is difficult to find footprints sometimes (potential weak points are local viruses, adware, keyloggers, help tickets with host, and anyone you gave access to (including the installer of your mods, sorry)). I strongly suggest (as I did last night) that you change your passwords in a hurry, and make them as random as possible.

Awesome to hear you are back up and running, sorry to hear that they have been up for almost a month. I hope there are no long term repercussions for this.

Good Luck & thanks for the rep

 

Your site is loading slow today. Not sure if that is my connection.

If you like our contribution, give us all a free link.
One free link for each who posted or tried to help you.


Thanks

 

could this have come from a mod installed?
i just cant see this as a submission issue...

But then again im not a coder thats why i have an0n
and silk work on that stuff...

thx
malcolm

 

I just read this thread and I have to agree with you Erect. I'm trying to think to myself the concept the attacker used to do this, and I can't see how they would do it from a form post either. Antonio, you should perhaps track back the last week or so to think of any situations that applies to what Erect mentioned.

 

I have changed all the password already.

I would check all my local PC, but it is only happened to one site, others are working fine.

Really, it is on hostgator, it is loading fast for me.

Anyway, the free link is to every one following the submission guide.

 

I noticed that Dawzz had said he was happy to run a full security audit of your site, so if you are unsure still of what happened, check over again on the phpLD forums.

 

I cannot explain how this was done, but it is possible to 'inject' code into a site using a contact form. I know this for a fact because it happened to one of my own sites awhile back.

 

I found some sites with the problem, bisg.org and winthropgroup.com

All the links are only on their homepage, what's more, winthropgroup.com is full of .html file. How could they inject the code?

I have 10 sites on the same host, but all others have not got the problem, so I do not think they got the server access.

More script would get the problem, from this page (check source code), you would find it happened on wordpress.

 

The site that it happened to me on was completely static HTML, no script whatsoever. I really have no idea how they do this. When it hapened to me I received a very suspiscious contact via email and went to the site and noticed the problem. I contacted my host with a copy of the strange message (I cant recall now what it was - this was about almost a year ago) and they told me that the code had been injected (via an iframe in this case) through my contact form. They told me which files to check and what to look for. So, I was able to fix everything fairly quickly and up to now have never had any ore troubles with it.

 

have compiled this issue and discussions into my LinksFactory Blog as promised. Hopefully, it can serve to warn others abt this unsolved mystery