Site hacked ~ Check your Google cache NOW!

Don't ask, don't get

It does suck a lot I have to say. It's easy to say 'do this and that' but it's always that one little thing you didn't do or something not even publicly known yet that kills you. Most of us are probably guilty of eagirly getting into the money making, not giving much thought to security. Same why people only start drinking water after they pissed out some kidney bricks. Live and learn. Learning first is boring

 

Trust me, it's a lesson learned...

I'm gonna employ someone to test this sh1t from now on...

It's had too big an impact..

 

The way I understand it, if register globals or on, you can put this in the address bar:

www.dpforums.com?nintendo=wacko

Code (markup):

And then in the code:

echo $nintendo;

PHP:

will output "wacko".

With register globals off you will have to say:

echo $_GET['nintendo'];

PHP:

The voulnerability being that if you know WordPress has a line of code going:

mysql_query($query); // very silly example for illustrative purposes

PHP:

Without initializing $query first (I know, silly example), all the hacker has to do to fuck you up is:

www.dpforums.com?query=DELETE * FROM known_table WHERE 1

Code (markup):

Bye bye known_table.

Which reminds me to add to the list... Rename your tables. Make sure guesswork won't get lucky.

That's why you always have to validate GET and POST data and defo validate variables yo use for SQL queries. Not initializing a variable can also cause troubles.

 

sorry a bit confused here

in terms of what happened to SEbasic, links were being shoved into his pages?

im just reading the thread on jaguar http://www.jaguarpc.com/forums/showthread.php?t=13305

and it seems servers crashed because of this?

 

Once they get write access, it seems they automate pasting in code into every file. Overwrite half a line of PHP and you'll get a load of errors. That's how these people's site 'broke' I believe. That's also the silly part. Had it not cocked up the code, it could have gone unnoticed for months.

 

gotcha. wow this is scary shit. my site looks clean though from the looks of it

i just used firefox, set to googlebot view source and did a find "<a href" and look through all of it.

 

Shawn, T0PS... Thanks, I'm gonna try and go through all of it now.

I just added this to my .htaccess file too...

php_flag display_errors off
php_flag register_globals off

This should give them less info right?

Like T0PS says, it could be pretty widespread ~ how many sites out there *didn't* show that error?

Mine didn't...

For the time being I'm scraping most of the sites and uploading a hard copy...

I think it's time I got the sites moved onto a server I have that much control over...

 

all i got eturned was

ZenOptimzer-2.6.2-linux-glibc21-1386/zui_files/util.inc: chunk_split(base64_encode($data))."\n"
Binary File Zendoptimizer-2.6.2-linux-glibc21-i386.zui_files/php matches

guess not?

 

I've been thinking about that more and more recently...

I've always been worried that I couldn't maintain it, but I think I'll take the plunge...

There have been too many times recently where I've had problems to fix and wasn't able to without shell access...

It would make life easier think.

 

i'll be your best friend if you manage my server SEbasic

i got alot of unused space and bandwidth

 

Ha!

No way man - I wish I could help out, but I couldn't take the responsibility until I learned a bit ; )

 

Here's a tip: Every new command you learn and apply to your server, write it down and document it. It's very slow at first but the learning curve is steep that way. Soon you'll feel the joy of a silently killed apache restart. PuTTy is your friend in need.

 

you should turn off register_globals as well unless you really need it.

advice from a friend

 

We'll add that to the list, strange it wasn't mentioned before, such an obvious one

 

Thank you guys. I reported this about 4 days ago on another forum, but didn't pay much attention, as it didn't show in the browser. Silly me! Now with User Agent Switcher, all is present.

Temporary fix was by deleting common.php and finfo.php (though I realize might be named differently elsewhere) from folders like tmp and backup. Also deleted the cached files (the script that I had it on, uses Smarty templating). Now off to implement safeguards so that it doesn't happen in the future. All the info in this thread was a BIG help! Thanks once again.

 

Thanks SEBasic for the warning - none of my sites seem to be infected with this shit, but as a precaution i did this

# route add 208.185.80.113 reject

Code (markup):

where 208.185.80.133 is user7.phpinclude.ru

There seems to be some communication with your webserver and user7.phpinclude.ru, so why not just deny all traffic from and to that ip address?
(you need to have root access to your server to do this btw)

 

I know the relationship (It looks like they are sending visitor data to their own servers, and pulliing the links to be displayed on your pages from the URL I posted previously (It's in the first post)), but unfortunatley I don't have root access.

I wonder how many people have been infected with this?