HackeD by UyuSsman ( Turkish Hacker )

Discussion in 'Site & Server Administration' started by bading, Jul 23, 2007.

  1. #1
    My website www.bading.com was hacked by this Turkish Hacker. My site hosting is Godaddy.com and I am using Joomla for it. If you visit my site, it will prompt you this message:

    HackeD by UyuSsman ( Turkish Hacker )
    UyuSsCoCuk@HoTMaÝL.CoM
    siberharekat.com // org // net


    Any idea how to fix this problem? I already checked my configuration.php and globals.php, and even renamed my template index.php, and I can't find anything.

    Hope to hear from you.. Thanks
     
    bading, Jul 23, 2007 IP
  2. demonhale

    #2
    Check your htaccess and delete files you know were not uploaded by you... If you have forms on your site, it might be an HTML injection...
     
    demonhale, Jul 23, 2007 IP
  3. KMKM

    #3
    I think it's your index.php/html file. In my case, I had left it at 777 lolz, so got pwned :)

    See the files :) There was some software which lets you search in the files for a particular word, if you have that you can search for any part of the sentence and will find the injection.


    ~KMKM~
     
    KMKM, Jul 23, 2007 IP
  4. bading

    #4

    Is this the htaccess.txt file? I'm sorry, I'm not so familiar with Joomla files. Would you mind telling me the location of the files? Thanks for your quick response.
     
    bading, Jul 23, 2007 IP
  5. iNTaYkE

    #5
    I don't think htaccess is a .txt, I think it's .htaccess
     
    iNTaYkE, Jul 23, 2007 IP
  6. bading

    #6
    I tried to rename my index.php but it is still pointing to that hacking page, which means he didn't touch the index.php. Thanks for your quick response.
     
    bading, Jul 23, 2007 IP
  7. bading

    #7
    I found one htaccess.txt file in my root directory. I can paste the content here if you want. Or maybe this is the one that the hacker modified, I'm not sure. Thanks.
     
    bading, Jul 23, 2007 IP
  8. KMKM

    #8

    Renaming doesn't work.

    Check .htaccess, config.php and other settings.php and whatever files control the working of your site.

    Do post here about your progress. Somehow I don't like hackers :|

    ~KMKM
     
    KMKM, Jul 23, 2007 IP
  9. demonhale

    #9
    Just look in your public_html folder and delete the .htaccess file.

    Then look for index.html and back it up, then delete the one in your public_html folder.

    Now try to access the page and see if it is fixed. If not, then there are possibly other htaccess edits and PHP files in the subfolders. Or check the index.php for header injections or look for a basecode text..
     
    demonhale, Jul 23, 2007 IP
  10. bading

    #10
    Sorry, but can you tell me the location of this .htaccess? I found htaccess.txt in my root directory, but it seems this is not the one. By the way, I'm using Joomla on my site. Thanks again.
     
    bading, Jul 23, 2007 IP
  11. bading

    #11
    Guys I resolved the problem.

    Before, I concentrated on my .php and .ini files, then I checked the index.php file under my Joomla \template\ folder because this is the file that I usually modify if I have changes on my main menu. I didn't realize that this file is called by the index.php of the base Joomla. When I checked Joomla's index.php, it was changed to this Turkish file. I just changed it back to the original file from the Joomla installer and it resolved my problem.

    Now, I don't know whose fault this is.

    Is this something to do with the security of Godaddy.com where my website resides?

    or

    Is this something to do with the Joomla?

    I'm sure it's nothing to do with my FTP, they can't easily guess my password.


    Anyway, I want to thank you all for your help, especially Digitalpoint.
     
    bading, Jul 23, 2007 IP
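
The fix in post #11 (restoring the base index.php from the Joomla installer) extends to checking every deployed file against an unpacked copy of the same installer version. This is an added example, not code from the thread or from Joomla; the directory layout and file contents built in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large media files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tree_hashes(root):
    """Map each file's path relative to root (dotfiles included) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(pristine, deployed):
    """Report files that differ from, or do not exist in, the pristine copy."""
    good, live = tree_hashes(pristine), tree_hashes(deployed)
    return {
        "modified": sorted(f for f in live if f in good and live[f] != good[f]),
        "added": sorted(f for f in live if f not in good),
        "missing": sorted(f for f in good if f not in live),
    }

def demo():
    """Constructed sample: a two-file 'installer' and a tampered deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, deployed = Path(tmp, "pristine"), Path(tmp, "deployed")
        for root in (pristine, deployed):
            (root / "templates" / "site").mkdir(parents=True)
            (root / "index.php").write_text("<?php /* core front controller */")
            (root / "templates" / "site" / "index.php").write_text("<?php /* template */")
        # Tampering as in the thread: the base index.php is replaced while the
        # template index.php is untouched; one unknown PHP file has appeared.
        (deployed / "index.php").write_text("<html>defaced</html>")
        (deployed / "images").mkdir()
        (deployed / "images" / "extra.php").write_text("<?php /* unknown */")
        (deployed / "configuration.php").write_text("<?php /* site settings */")
        return compare_trees(pristine, deployed)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files listed under `added` include legitimate site-specific ones such as configuration.php, so they need a manual read rather than automatic deletion.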
  12. ds316

    #12
    The best thing you can do is download a copy of your access logs, and check up on Joomla at http://securityfocus.com/ to make sure there are no vulnerabilities for your version of Joomla.

    Through the access logs you should be able to find the IP of the hacker, although most likely the attack was launched through a proxy.

    As always though, you should be making backups of your mysql db and files (files not so important) so that you are always covered if any data is lost.
     
    ds316, Jul 23, 2007 IP
  13. KMKM

    #13


    It was your fault, not GoDaddy's. That file, as I told you to check, must have been made 777 by you :p

    Even I had done it on my forum's template file. Make it 644 or anything suitable :)

    Great to see that everything is back to order ;)

    Regards,
    ~KMKM
     
    KMKM, Jul 23, 2007 IP
  14. bading

    #14

    It was 644, and even if it's 644 they can still change it.

    He attacked me again. After I changed the file yesterday, when I woke up this morning he had modified the files index.php and configuration.php. It looks like there is a script that he left on my server. Any idea what those are?
     
    bading, Jul 23, 2007 IP
  15. KMKM

    #15
    There is some hole in your site, which he can get through. Check which files are 777, and make sure they are made 644.
    Next try Cross Scripting checks :)

    There are many possibilities, is your script up to date?

    ~KMKM
     
    KMKM, Jul 23, 2007 IP
  16. demonhale

    #16
    Actually they put in deny htaccess, then with this error handler they install PHP files with base64 encoding, and when you delete outer files, it reinstalls itself...
     
    demonhale, Jul 23, 2007 IP
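
The checks suggested in posts #3, #13, #15 and #16 (search the files for the defacement text, find files left at 777, look for PHP that runs base64-encoded data, and locate every .htaccess) can be done in one pass over the web root. This is an added example, not code from the thread; the regular expression is a heuristic and the sample files in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic: PHP that executes base64-decoded data, as post #16 describes.
ENCODED_PHP = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
PHP_EXT = {".php", ".php5", ".phtml", ".inc"}

def scan_webroot(root, marker):
    """Return {relative path: [reasons]} for files that need a manual look."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:
            reasons.append("world-writable (%o)" % mode)
        data = path.read_bytes()
        if marker.lower() in data.lower():
            reasons.append("contains defacement text")
        if path.suffix.lower() in PHP_EXT and ENCODED_PHP.search(data):
            reasons.append("executes base64-decoded data")
        if path.name == ".htaccess":
            reasons.append(".htaccess: review its directives")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Constructed web root: a defaced 777 file, an encoded loader, a clean file."""
    samples = {
        "index.php": (0o777, b"<html>HackeD by ... </html>"),
        "cache/loader.php": (0o644, b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>'),
        "templates/index.php": (0o644, b"<?php /* template */ ?>"),
        ".htaccess": (0o644, b"# constructed placeholder\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (mode, body) in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
            os.chmod(target, mode)
        return scan_webroot(tmp, b"HackeD by")

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```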
  17. bading

    #17
    This is the reply from Godaddy.com regarding the incident that happened.

    Dear sir,

    The vulnerable component is the Expose Module that is not installed by default with Joomla. There is a fix released by the creator of the Joomla module available at the URL below which you can apply on your hosting account to correct future issues.

    http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,254/Itemid,35/

    Please let us know if we can assist you in any other way.

    Regards,
    Advanced Hosting Support

    ----
    So, be careful with those free Joomla modules; hackers are looking for these kinds of holes.
     
    bading, Jul 24, 2007 IP
  18. Hopper

    #18
    I've had a similar problem before - not with Joomla but Mambo.

    The best bit of advice I can give you is to check that your current Joomla installation is up to date with reference to any security issues. My site wasn't, I corrected this and it helped.

    Looking at your raw access data logs will tell you where they got in, check them. As GoDaddy said, it may be a component you have added that has the flaw. Check the sites that you downloaded your add-ons from for any recent security patches etc.

    And as has been said before, back-up all the time.

    Good Luck
     
    Hopper, Jul 24, 2007 IP
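
One way to do the access-log review that posts #12 and #18 recommend is to list the requests made shortly before the defaced file's modification time and group them by client. This is an added example, not from the thread; it assumes Apache combined log format, and the log lines, the IP addresses (documentation ranges), the `com_example` path and the timestamp are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format (assumed); only the leading fields are needed.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def requests_before(lines, modified_at, window=timedelta(minutes=30)):
    """Group requests from the window leading up to the file change by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m["ts"], TS_FORMAT)
        if modified_at - window <= when <= modified_at:
            hits[m["ip"]].append((when, m["method"], m["path"], int(m["status"])))
    return dict(hits)

def suspects(hits):
    """Heuristic: clients with a successful POST in the window, to review first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == "POST" and 200 <= st < 400 for _, meth, _, st in reqs))

# Constructed sample log lines.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2007:01:12:03 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Jul/2007:03:40:11 -0700] "GET /index.php?option=com_example HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.9 - - [23/Jul/2007:03:41:02 -0700] "POST /index.php?option=com_example HTTP/1.1" 200 97 "-" "-"',
    '192.0.2.44 - - [23/Jul/2007:03:55:30 -0700] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
# Constructed modification time of the altered index.php.
MODIFIED_AT = datetime.strptime("23/Jul/2007:03:42:00 -0700", TS_FORMAT)

if __name__ == "__main__":
    found = requests_before(SAMPLE_LOG, MODIFIED_AT)
    for ip, reqs in found.items():
        print(ip, [(method, path, status) for _, method, path, status in reqs])
    print("review first:", suspects(found))
```

Record the modification time of the altered file before restoring it, since restoring overwrites that timestamp. As post #12 notes, the address found this way may belong to a proxy.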
  19. Sandi

    #19
    Back up your data every time. You use an open-source free script ;)
     
    Sandi, Jul 24, 2007 IP
  20. triggs04

    #20
    I found that there was some advert code that stored HTML in the database; this had been injected with code that basically hid the page using JavaScript and displayed the message. I just restored the original data to the table and everything was back to normal.
     
    triggs04, Jul 24, 2007 IP