My site is hacked but how please check

Hi!

My sites were hacked by Muslim hackers for the second time now in 1 year.

I need to know how they do it so i can stop them.

First i think its was Wordpress but now many sites not have WP.

I locked all the 755 files.

They just replace the index.php with a index.html page.

you can see on this page

ifreefax dot com

PHP:

They also upload some strange file i do not know this one and it can not be downloaded.

bangkokevents.org/1.cdk

PHP:

 

I think you mean Turkish hackers, you might have said something to offend Muslims which is probably why you got hacked.

 

No i got hacked beucase my website is not secure enough.

 

They might've uploaded a shell to your server by using an XSS exploit on one of your sites. Look for files that could be named r57, c99 or anything to do with shell.

 

How do you know this leet? and how can I prevent this from happening to my website?

 

Secure your website better next time. If you need help PM me.

 

Just a guess. From his post I understand that multiple sites got hacked with different scripts on all of them, and all index.php files were changed with index.html's. Sounds like a mass deface using a shell to me. You can read this thread I opened a while ago telling how to prevent these attacks to an extent: http://forums.digitalpoint.com/showthread.php?t=575793

 

wow thats kinda scary. May be dumb question but could this potentially hurt someone's PC if they where viewing the page?

Im sure your site is not the only site that isnt secure enough. Why would they pick yours? Do we all have to worry about this?

 

Leet yes i have files with that name on it on my server.

But i do not have shell on my server

 

You mean you have files named c99 or r57? If so, remove each and every of them. If you are talking about the .cdk file however, I don't really know what .cdk extension is. The only CDK I know is a Perl development library but I doubt that's relevant unless they used a Perl exploit. I'd say use this thread to do a quick check on your server to see if there is any shell files: http://forums.digitalpoint.com/showthread.php?t=575793

edit: Just realized you are on Servage, so the thread I just pointed won't help you.

 

right so what can i do? Anything other way i can check?

I can do a FTP search but what should i search for only 2 tings?

I have image with this name 398499958494dacdc998b6.gif

Can that be the file?

 

It can be a .gif file too, yes. How big is it? Try to open it by going to its URL such as abc.com/blabla.gif, if it works like a .php file, that is it.

 

it is only 1.36 KB i looks like a gif not a php file

 

Shell files mostly range from XX to XXX KBs.

 

Leet helped you a lot friend... But one more possiblity is that if you are getting hacked on site which are not WP apart from file uploading... Hackers can run the command from URL. So check your script if you are giving any area of hacking in URL site like (index.php?cmd=) some this like this.

Thanks
-Xak

 

I would guess that the bangkokevents.org/1.cdk file was the r57/c99 shell script (usually a PHP script named a different extension to hide it (the file is 404 now.)) and they are "hacking in" via an XSS flaw in a script you are running. I would check that you are not running a website with any versions found here: http://www.milw0rm.com/ if you are... update/patch them.

 

1. I know its not bound to any script. I have a pure no script domains and they are still hacked.
2. They only hacked the index file.
3. I have a shared server.
4. I still do not know how


So check your script if you are giving any area of hacking in URL site like (index.php?cmd=) some this like this.

What does this mean

 

That is an example of how XSS exploits can be executed. Basically, do your websites process any user submitted data. ie: forms, includes, etc.

If you do ensure that they are not vulnerable to XSS attacks. Ensure that users can not remotely include a file and use your script to execute it.

 

Anybody have a good site for this how to stop it?

 

just a random thought, what's the take of your host? Maybe just maybe some domains hosted on the server has been compromised and gain access to all domains on that host,
here the link also created by leet here in DP
http://forums.digitalpoint.com/showthread.php?t=575793
quick search
http://www.hacking-truths.net/blog/find-r57-and-c99-shells-hidden-inside-php-and-txt-files/