1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

I got hacked

Discussion in 'Forum Management' started by Homer, Mar 30, 2005.

  1. #1
    I have a dedicated server in which I host many websites. Today ALL of my sites conatin this on homepage...
    http://www.createonlinebusiness.com/


    Does anyone know what has happened. Moreover how one can prevent this in the future??


    Appreciate any feedback I can get
    SEMrush
     
    Homer, Mar 30, 2005 IP
    SEMrush
  2. nullbit

    nullbit Peon

    Messages:
    489
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Take your server offline now. Otherwise, you're open up for more abuse.

    Then I would contact your host, request they perform a backup of anything important, work out how they got in, and then do a fresh reinstall of the OS.

    Chances are they have installed a rootkit, you _need_ to do a fresh OS install, or revert to a backup image (if your host has one). That's the only way to be sure.
     
    nullbit, Mar 30, 2005 IP
  3. mushroom

    mushroom Peon

    Messages:
    369
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    0
    #3
    In order to prevent it for happening again you must first find out how it happen to start with.

    Is everything on your server updated/patched ?
    from: http://news.netcraft.com/archives/web_server_survey.html

    One more thing if you login to your server using a windows machine, check it for spyware this is becoming a common way of getting into a Linux server.
     
    mushroom, Mar 30, 2005 IP
  4. nullbit

    nullbit Peon

    Messages:
    489
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    0
    #4
    To follow up my earlier post, since you're sites still only you should do one of the following:

    Shutdown:
    
    shutdown -h now
    
    Code (markup):
    Or, block all ports:
    
    /sbin/iptables -I INPUT -j DROP
    /sbin/iptables -I FORWARD -j DROP
    /sbin/iptables -I OUTPUT -j DROP
    
    Code (markup):
    The first method would be better, since some rootkits will bypass the firewall, making the second method useless.

    Once it's blocked off, then you should deal with the problem.
     
    nullbit, Mar 30, 2005 IP
  5. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #5
    nullbit AND Mushroom thanks so much for your help...Sorry I can't chat more but I have to go fire fighting :eek:


    Thanks again :)
     
    Homer, Mar 30, 2005 IP
    miko67 likes this.
  6. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #6
    BTW guys just heard back from the host they say the cause was kernel apache wasn't up to date :confused:
     
    Homer, Mar 30, 2005 IP
  7. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #7
    Well now I am in a bit of a quandery. My host is now saying that the intrusion occurred from phpbb forum that I installed through cpanel. Also added that I am on my own to fix it. I have about 20 forums with data :mad:

    It seems that this defacing has attacked all files named index.php, htm,shtml, etc. I have 100's of them. So my problem is I don't really know if I am being told the truth by my host and my skillset on a webserver is very limited. So I am OK reinstalling what needs to be reinstalled via FTP but not familiar enough with the server environment to find out EXACTLY how this happened.

    I can also say that I am not impressed with the help (Lack thereof) that I am receiving from my hosting company. So once I get this under control I will need to find a new host...any suggestions...any help...forever in debt :eek:
     
    Homer, Mar 30, 2005 IP
  8. nullbit

    nullbit Peon

    Messages:
    489
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    0
    #8
    phpBB has had a few published exploits recently, mostly down to bugs in older PHP versions. So this would make sense.

    You really need to get your host to do a fresh OS install, and then make sure your system is up-to-date (especially PHP). Most crackers (or whatever you wish to call them) will leave a backdoor, so addressing the PHP/phpBB issue alone will not prevent them gaining access, and potentially using your server as a proxy to compromise other hosts.
     
    nullbit, Mar 30, 2005 IP
  9. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #9
    OMG remind me not to get hacked again :eek: . The problem was, indeed phpbb forum. If ANYONE is running version 2.0.10 or less go here now http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

    It's actually pretty painless. This is my first hack that I have had to deal with. What a pain in the ass. Back on track now. Upgrading forums 1 at a time...fresh OS installed.

    I must also take back a few of my words. (I know theoretically you can't do that). My host actually got on the phone with me (3rd level admin) and walked me through the technicallities of this process. :cool:

    Thanks
     
    Homer, Mar 30, 2005 IP
  10. TheWebJunkie

    TheWebJunkie Banned

    Messages:
    630
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    0
    #10
    phpbb 2.0.11 is hackable also with a perl exploit , so watch out.
     
    TheWebJunkie, Mar 30, 2005 IP
  11. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #11
    Thanks for feedback webjunkey. Does the above link cover the pearl exploit?

    This is the code I find in every file with 'index' in it (100's of them across 60 domains on 1 server)

    <SCRIPT Language = "JavaScript">
    
    document.write (unescape("%3CHTML%3E%3CHEAD%3E%3CTITLE%3EHacked%20by%20unix%20irc%2Egigachat%2Enet%20%23THG%3C%2FTITLE%3E%0D%3CSTYLE%20type%3Dtext%2Fcss%3EBODY%20%7B%0D%09SCROLLBAR%2DFACE%2DCOLOR%3A%20%23000000%3B%20SCROLLBAR%2DHIGHLIGHT%2DCOLOR%3A%20%23000000%3B%20%0D%0DSCROLLBAR%2DSHADOW%2DCOLOR%3A%20%23000000%3B%20SCROLLBAR%2DBASE%2DCOLOR%3A%20%23000000%0D%7D%0D%3C%2FSTYLE%3E%0D%0D%3CMETA%20http%2Dequiv%3DContent%2DType%20content%3D%22text%2Fhtml%3B%20charset%3Dwindows%2D1254%22%3E%0D%3Cbgsound%20src%3D%22http%3A%2F%2Ffile%2Esukson%2Ecom%2Ffiles%2Faraiwa%2Ewma%22%20loop%3D%22infinite%22%3E%0D%3CSCRIPT%20language%3DJavaScript%3E%0D%3C%21%2D%2D%0D%0Dfunction%20SymError%28%29%0D%7B%0D%20%20return%20true%3B%0D%7D%0D%0Dwindow%2Eonerror%20%3D%20SymError%3B%0D%0D%2F%2F%2D%2D%3E%0D%3C%2FSCRIPT%3E%0D%3C%21%2D%2D%5Bif%20IE%20%5D%3E%0D%3CSTYLE%20type%3Dtext%2Fcss%3EBODY%20%7B%0D%09OVERFLOW%3A%20hidden%0D%7D%0Dv%5C%3A%2A%20%7B%0D%09BEHAVIOR%3A%20url%28%23default%23VML%29%0D%7D%0D%3C%2FSTYLE%3E%0D%3C%21%5Bendif%5D%2D%2D%3E%0D%3CSCRIPT%20language%3DJavascript%3E%3C%21%2D%2D%0Dvar%20tl%3Dnew%20Array%28%0D%22Hello%2E%2E%22%2C%0D%0D%0D%22Site%20defaced%20by%20unix%22%2C%0D%22T%2EH%2EG%20Security%20Team%22%2C%0D%22Contact%20Me%20%2E%2E%2E%22%2C%0D%22IRC%20%3A%20IRC%2EGigaChat%2ENet%22%2C%0D%22Channel%20%3A%20%23THG%22%2C%0D%22Email%20%3A%20THG%5Bat%5DLinuxMail%5Bdot%5DOrg%22%2C%0D%22Greetz%20%3A%20%20kernel%20apache%20TaekunG%20MassOps%20Mianwalian%20%22%0D%29%3B%0Dvar%20speed%3D70%3B%0Dvar%20index%3D0%3B%20text%5Fpos%3D0%3B%0Dvar%20str%5Flength%3Dtl%5B0%5D%2Elength%3B%0Dvar%20contents%2C%20row%3B%0D%0Dfunction%20type%5Ftext%28%29%0D%7B%0D%20%20contents%3D%27%27%3B%0D%20%20row%3DMath%2Emax%280%2Cindex%2D7%29%3B%0D%20%20while%28row%3Cindex%29%0D%20%20%20%20contents%20%2B%3D%20tl%5Brow%2B%2B%5D%20%2B%20%27%5Cr%5Cn%27%3B%0D%20%20document%2Eforms%5B0%5D%2Eelements%5B0%5D%2Evalue%20%3D%20contents%20%2B%20tl%5Bindex%5D%2Esubstring%280%2Ctext%5Fpos%29%20%2B%20%22%7C%22%3B%0D%20%20if%28text%5Fpos%2B%2B%3D%3Dstr%5Flength%29%0D%20%20%7B%0D%20%20%20%20text%5Fpos%3D0%3B%0D%20%20%20%20index%2B%2B%3B%0D%20%20%20%20if%28index%21%3Dtl%2Elength%29%0D%20%20%20%20%7B%0D%20%20%20%20%20%20str%5Flength%3Dtl%5Bindex%5D%2Elength%3B%0D%20%20%20%20%20%20setTimeout%28%22type%5Ftext%28%29%22%2C500%29%3B%0D%20%20%20%20%7D%0D%20%20%7D%20else%0D%20%20%20%20setTimeout%28%22type%5Ftext%28%29%22%2Cspeed%29%3B%0D%20%0D%7D%0D%2F%2F%2D%2D%3E%3C%2FSCRIPT%3E%0D%0D%3CSTYLE%20fprolloverstyle%3EA%3Ahover%20%7B%0D%09COLOR%3A%20%23000000%3B%20TEXT%2DDECORATION%3A%20overline%0D%7D%0DINPUT%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0DTEXTAREA%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0DSELECT%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0D%3C%2FSTYLE%3E%0D%0D%3CMETA%20content%3D%22Microsoft%20FrontPage%205%2E0%22%20name%3DGENERATOR%3E%3C%2FHEAD%3E%0D%3CBODY%20text%3D%23000000%20vLink%3D%23000000%20aLink%3D%23000000%20link%3D%23000000%20bgColor%3D%23000000%20%0Donload%3Dtype%5Ftext%28%29%3E%0D%3CTABLE%20height%3D250%20cellSpacing%3D0%20cellPadding%3D0%20align%3Dcenter%20border%3D0%3E%0D%20%20%3CTBODY%3E%0D%20%20%3CTR%3E%0D%20%20%20%20%3CTD%20colSpan%3D3%20height%3D303%3E%0D%20%20%20%20%20%20%3CTABLE%20cellSpacing%3D0%20cellPadding%3D5%20width%3D557%20border%3D0%20height%3D%22287%22%3E%0D%20%20%20%20%20%20%20%20%3CTBODY%3E%0D%20%20%20%20%20%20%20%20%3CTR%3E%0D%20%20%20%20%20%20%20%20%20%20%3CTD%20width%3D600%20height%3D%22267%22%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CH2%20align%3Dcenter%3E%3Ci%3E%3CSTRONG%3E%3Cfont%20color%3D%22%23FF0000%22%20size%3D%227%22%3ET%2EH%2EG%3C%2Ffont%3E%3C%2FSTRONG%3E%3C%2Fi%3E%3C%2FH2%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3Cp%20align%3Dcenter%3E%3CSTRONG%3E%3Ci%3E%3Cfont%20color%3D%22%2300FF00%22%20size%3D%225%22%3EMassege%20%3A%20%0D%20%20%20%20%20%20%20%20%20%20%20%20Unix%20Was%20Here%3C%2Ffont%3E%3C%2Fi%3E%3C%2Fp%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CCENTER%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CFORM%3E%3CFONT%20color%3D%23ff0000%3E%26nbsp%3B%20%3CTEXTAREA%20rows%3D10%20cols%3D75%3E%3C%2FTEXTAREA%3E%20%0D%20%20%20%20%20%20%20%20%20%20%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FFORM%3E%3C%2FCENTER%3E%3C%2FTD%3E%3C%2FTR%3E%0D%20%20%20%20%20%20%20%20%3CTR%20align%3Dmiddle%3E%0D%20%20%20%20%20%20%20%20%20%20%3CTD%20height%3D%221%22%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cb%3E%3Cu%3E%3Cfont%20color%3D%22%23FF0000%22%20size%3D%225%22%3EThis%20web%20site%20has%20been%20%0Dhacked%3C%2Ffont%3E%3C%2Fu%3E%3C%2Fb%3E%3C%2Fi%3E%3C%2FP%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cfont%20size%3D%224%22%20color%3D%22%23C0C0C0%22%3ESorry%20admin%21%20Go%20and%20path%20it%20now%3C%2Ffont%3E%3C%2Fi%3E%3C%2FP%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cfont%20color%3D%22%23008000%22%3ECopyright%20%3C%2Ffont%3E%3Cfont%20color%3D%22%23FF0000%22%3E%0DT%2EH%2EG%3C%2Ffont%3E%3Cfont%20color%3D%22%23008000%22%3E%20%3C%2Ffont%3E%3Cfont%20color%3D%22%23FF0000%22%3ESecurity%20Team%3C%2Ffont%3E%3Cfont%20color%3D%22%23008000%22%3E%20all%20right%20reserved%3C%2Ffont%3E%3C%2Fi%3E%3C%2FP%3E%0D%20%20%20%20%20%20%3CSCRIPT%20language%3DJavaScript%3E%0D%3C%21%2D%2D%0D%2F%2A%20status%20%2A%2F%0D%0D%20%20function%20one%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22two%28%29%22%2C60%29%3B%0D%20%20%20%20%7D%0D%20%20function%20two%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22three%28%29%22%2C120%29%3B%0D%20%20%20%20%7D%0D%20%20function%20three%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22one%28%29%22%2C180%29%3B%0D%20%20%20%20%7D%0D%20%20one%28%29%3B%0D%2F%2F%20%2D%2D%3E%0D%20%20%20%20%0D%20%20%20%20%3C%2FSCRIPT%3E%0D%3C%2FBODY%3E%3C%2FHTML%3E"));
    
    </SCRIPT>
    PHP:
     
    Homer, Mar 30, 2005 IP
  12. ziandra

    ziandra Well-Known Member

    Messages:
    142
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    138
    #12
    That's why I don't like phpbb. A bug is found, but rather than put a wrapper around the vunurable function, they get on their high and holy horse and say "FORCE YOUR ISP TO UPGRADE THEIR SERVER SOFTWARE!". Yeah, right. Like that is going to happen overnight. Meanwhile you take your site offline or you are running vunurable just waiting for a script kiddie to come along. At least the securityfocus alert gives you the chance to get a backup in before the kiddies find you.

    Decent package otherwise, but anyone who doesn't know php well enough to go in and put the wrapper on themselves is in for a heap of hurt with an attitude like theirs.
     
    ziandra, Mar 30, 2005 IP
  13. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #13
    Well that's me :eek:. I am a novice with PHP. Is there an easy explaination of the 'wrapper' you speak of, ziandra?
     
    Homer, Mar 31, 2005 IP
  14. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #14
    anthonycea, Mar 31, 2005 IP
  15. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #15
    This forum is just TOO big to read ALL. You seem to be the walking dictionary of DP. The next time I'm in a jam like this is it alright if I ask you first? :D


    Thanks Bro
     
    Homer, Apr 1, 2005 IP
  16. ziandra

    ziandra Well-Known Member

    Messages:
    142
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    138
    #16
    Ok, let's say you are a computer programmer. Let's say the run time library has a function called "open the door". You call the function with a 1 and the door is opened. You call it with a 0 and the door is closed. Everything sounds good so far. But, let's say the operation of this function does not check to make sure nothing is blocking the door. So, calling "open the door" with a 0 will potentially close the door on the baby crawling around the house. A programmer might write a function called "my open the door" that checks to see if a baby is near the door before opening or closing the door. This is called a "wrapper function". It encapsulates the features provided by the library but typically adds additional safety checks.

    Many "hacks" take advantage of buffer overflows. You will see a bunch of attempts to break in to your web server every day with those really long and obnoxious URL's. People who are not willing to wait for their library provider to fix the problem will write wrappers that do little other than verify that the data passed into the function is not too big.

    In the case of phpbb, there was one function in php used by phpbb that was susceptable to a buffer overflow. Rather than create a wrapper function for the half dozen (I am guessing at the number) places it is used that verifies the buffer is not too big, the people who develop phpBB said "it is their problem, not ours". They ignored a fundamental philosophy of computer software vendors which goes something like "I don't care who's fault it is, it is all of our problem". They choose to point fingers rather than fix the problem.

    Hence my disgust for the developers of an otherwise very nice package.
     
    ziandra, Apr 1, 2005 IP
    Homer likes this.
  17. noppid

    noppid gunnin' for the quota

    Messages:
    4,246
    Likes Received:
    232
    Best Answers:
    0
    Trophy Points:
    135
    #17
    Quality and support cost money. :/
     
    noppid, Apr 1, 2005 IP
  18. Homer

    Homer Spirit Walker

    Messages:
    2,396
    Likes Received:
    150
    Best Answers:
    0
    Trophy Points:
    0
    #18
    Thanks ziandra. Is there a better forum (more secure) that you would recommend I use??
     
    Homer, Apr 2, 2005 IP
  19. anthonycea

    anthonycea Banned

    Messages:
    13,378
    Likes Received:
    342
    Best Answers:
    0
    Trophy Points:
    0
    #19
    anthonycea, Apr 2, 2005 IP
  20. minstrel

    minstrel Illustrious Member

    Messages:
    15,082
    Likes Received:
    1,243
    Best Answers:
    0
    Trophy Points:
    480
    #20
    But is IS a php problem rather than a phpBB problem and it IS avoided by upgrading the php version, no?

    It doesn't even have to be the latest version of php... just one of the newer ones. It's a little like saying people who are still running Windows 1.0 should be launching a class action suit against Microsoft rather than at least partially upgrading their software...
     
    minstrel, Apr 2, 2005 IP