I got hacked

I have a dedicated server in which I host many websites. Today ALL of my sites conatin this on homepage...
http://www.createonlinebusiness.com/


Does anyone know what has happened. Moreover how one can prevent this in the future??


Appreciate any feedback I can get

 

Take your server offline now. Otherwise, you're open up for more abuse.

Then I would contact your host, request they perform a backup of anything important, work out how they got in, and then do a fresh reinstall of the OS.

Chances are they have installed a rootkit, you _need_ to do a fresh OS install, or revert to a backup image (if your host has one). That's the only way to be sure.

 

In order to prevent it for happening again you must first find out how it happen to start with.

Is everything on your server updated/patched ?

from: http://news.netcraft.com/archives/web_server_survey.html

One more thing if you login to your server using a windows machine, check it for spyware this is becoming a common way of getting into a Linux server.

 

To follow up my earlier post, since you're sites still only you should do one of the following:

Shutdown:

shutdown -h now

Code (markup):

Or, block all ports:

/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

Code (markup):

The first method would be better, since some rootkits will bypass the firewall, making the second method useless.

Once it's blocked off, then you should deal with the problem.

 

nullbit AND Mushroom thanks so much for your help...Sorry I can't chat more but I have to go fire fighting


Thanks again

 

BTW guys just heard back from the host they say the cause was kernel apache wasn't up to date

 

Well now I am in a bit of a quandery. My host is now saying that the intrusion occurred from phpbb forum that I installed through cpanel. Also added that I am on my own to fix it. I have about 20 forums with data

It seems that this defacing has attacked all files named index.php, htm,shtml, etc. I have 100's of them. So my problem is I don't really know if I am being told the truth by my host and my skillset on a webserver is very limited. So I am OK reinstalling what needs to be reinstalled via FTP but not familiar enough with the server environment to find out EXACTLY how this happened.

I can also say that I am not impressed with the help (Lack thereof) that I am receiving from my hosting company. So once I get this under control I will need to find a new host...any suggestions...any help...forever in debt

 

phpBB has had a few published exploits recently, mostly down to bugs in older PHP versions. So this would make sense.

You really need to get your host to do a fresh OS install, and then make sure your system is up-to-date (especially PHP). Most crackers (or whatever you wish to call them) will leave a backdoor, so addressing the PHP/phpBB issue alone will not prevent them gaining access, and potentially using your server as a proxy to compromise other hosts.

 

OMG remind me not to get hacked again . The problem was, indeed phpbb forum. If ANYONE is running version 2.0.10 or less go here now http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

It's actually pretty painless. This is my first hack that I have had to deal with. What a pain in the ass. Back on track now. Upgrading forums 1 at a time...fresh OS installed.

I must also take back a few of my words. (I know theoretically you can't do that). My host actually got on the phone with me (3rd level admin) and walked me through the technicallities of this process.

Thanks

 

phpbb 2.0.11 is hackable also with a perl exploit , so watch out.

 

Thanks for feedback webjunkey. Does the above link cover the pearl exploit?

This is the code I find in every file with 'index' in it (100's of them across 60 domains on 1 server)

<SCRIPT Language = "JavaScript">

document.write (unescape("%3CHTML%3E%3CHEAD%3E%3CTITLE%3EHacked%20by%20unix%20irc%2Egigachat%2Enet%20%23THG%3C%2FTITLE%3E%0D%3CSTYLE%20type%3Dtext%2Fcss%3EBODY%20%7B%0D%09SCROLLBAR%2DFACE%2DCOLOR%3A%20%23000000%3B%20SCROLLBAR%2DHIGHLIGHT%2DCOLOR%3A%20%23000000%3B%20%0D%0DSCROLLBAR%2DSHADOW%2DCOLOR%3A%20%23000000%3B%20SCROLLBAR%2DBASE%2DCOLOR%3A%20%23000000%0D%7D%0D%3C%2FSTYLE%3E%0D%0D%3CMETA%20http%2Dequiv%3DContent%2DType%20content%3D%22text%2Fhtml%3B%20charset%3Dwindows%2D1254%22%3E%0D%3Cbgsound%20src%3D%22http%3A%2F%2Ffile%2Esukson%2Ecom%2Ffiles%2Faraiwa%2Ewma%22%20loop%3D%22infinite%22%3E%0D%3CSCRIPT%20language%3DJavaScript%3E%0D%3C%21%2D%2D%0D%0Dfunction%20SymError%28%29%0D%7B%0D%20%20return%20true%3B%0D%7D%0D%0Dwindow%2Eonerror%20%3D%20SymError%3B%0D%0D%2F%2F%2D%2D%3E%0D%3C%2FSCRIPT%3E%0D%3C%21%2D%2D%5Bif%20IE%20%5D%3E%0D%3CSTYLE%20type%3Dtext%2Fcss%3EBODY%20%7B%0D%09OVERFLOW%3A%20hidden%0D%7D%0Dv%5C%3A%2A%20%7B%0D%09BEHAVIOR%3A%20url%28%23default%23VML%29%0D%7D%0D%3C%2FSTYLE%3E%0D%3C%21%5Bendif%5D%2D%2D%3E%0D%3CSCRIPT%20language%3DJavascript%3E%3C%21%2D%2D%0Dvar%20tl%3Dnew%20Array%28%0D%22Hello%2E%2E%22%2C%0D%0D%0D%22Site%20defaced%20by%20unix%22%2C%0D%22T%2EH%2EG%20Security%20Team%22%2C%0D%22Contact%20Me%20%2E%2E%2E%22%2C%0D%22IRC%20%3A%20IRC%2EGigaChat%2ENet%22%2C%0D%22Channel%20%3A%20%23THG%22%2C%0D%22Email%20%3A%20THG%5Bat%5DLinuxMail%5Bdot%5DOrg%22%2C%0D%22Greetz%20%3A%20%20kernel%20apache%20TaekunG%20MassOps%20Mianwalian%20%22%0D%29%3B%0Dvar%20speed%3D70%3B%0Dvar%20index%3D0%3B%20text%5Fpos%3D0%3B%0Dvar%20str%5Flength%3Dtl%5B0%5D%2Elength%3B%0Dvar%20contents%2C%20row%3B%0D%0Dfunction%20type%5Ftext%28%29%0D%7B%0D%20%20contents%3D%27%27%3B%0D%20%20row%3DMath%2Emax%280%2Cindex%2D7%29%3B%0D%20%20while%28row%3Cindex%29%0D%20%20%20%20contents%20%2B%3D%20tl%5Brow%2B%2B%5D%20%2B%20%27%5Cr%5Cn%27%3B%0D%20%20document%2Eforms%5B0%5D%2Eelements%5B0%5D%2Evalue%20%3D%20contents%20%2B%20tl%5Bindex%5D%2Esubstring%280%2Ctext%5Fpos%29%20%2B%20%22%7C%22%3B%0D%20%20if%28text%5Fpos%2B%2B%3D%3Dstr%5Flength%29%0D%20%20%7B%0D%20%20%20%20text%5Fpos%3D0%3B%0D%20%20%20%20index%2B%2B%3B%0D%20%20%20%20if%28index%21%3Dtl%2Elength%29%0D%20%20%20%20%7B%0D%20%20%20%20%20%20str%5Flength%3Dtl%5Bindex%5D%2Elength%3B%0D%20%20%20%20%20%20setTimeout%28%22type%5Ftext%28%29%22%2C500%29%3B%0D%20%20%20%20%7D%0D%20%20%7D%20else%0D%20%20%20%20setTimeout%28%22type%5Ftext%28%29%22%2Cspeed%29%3B%0D%20%0D%7D%0D%2F%2F%2D%2D%3E%3C%2FSCRIPT%3E%0D%0D%3CSTYLE%20fprolloverstyle%3EA%3Ahover%20%7B%0D%09COLOR%3A%20%23000000%3B%20TEXT%2DDECORATION%3A%20overline%0D%7D%0DINPUT%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0DTEXTAREA%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0DSELECT%20%7B%0D%09BORDER%2DLEFT%2DCOLOR%3A%20%23000000%3B%20BACKGROUND%3A%20%23000000%3B%20BORDER%2DBOTTOM%2DCOLOR%3A%20%23000000%3B%20FONT%3A%20%0D%0D12px%20Verdana%2C%20Verdana%2C%20Verdana%2C%20Verdana%3B%20COLOR%3A%20%23d3d3d3%3B%20BORDER%2DTOP%2DCOLOR%3A%20%23000000%3B%20%0D%0DBORDER%2DRIGHT%2DCOLOR%3A%20%23000000%0D%7D%0D%3C%2FSTYLE%3E%0D%0D%3CMETA%20content%3D%22Microsoft%20FrontPage%205%2E0%22%20name%3DGENERATOR%3E%3C%2FHEAD%3E%0D%3CBODY%20text%3D%23000000%20vLink%3D%23000000%20aLink%3D%23000000%20link%3D%23000000%20bgColor%3D%23000000%20%0Donload%3Dtype%5Ftext%28%29%3E%0D%3CTABLE%20height%3D250%20cellSpacing%3D0%20cellPadding%3D0%20align%3Dcenter%20border%3D0%3E%0D%20%20%3CTBODY%3E%0D%20%20%3CTR%3E%0D%20%20%20%20%3CTD%20colSpan%3D3%20height%3D303%3E%0D%20%20%20%20%20%20%3CTABLE%20cellSpacing%3D0%20cellPadding%3D5%20width%3D557%20border%3D0%20height%3D%22287%22%3E%0D%20%20%20%20%20%20%20%20%3CTBODY%3E%0D%20%20%20%20%20%20%20%20%3CTR%3E%0D%20%20%20%20%20%20%20%20%20%20%3CTD%20width%3D600%20height%3D%22267%22%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CH2%20align%3Dcenter%3E%3Ci%3E%3CSTRONG%3E%3Cfont%20color%3D%22%23FF0000%22%20size%3D%227%22%3ET%2EH%2EG%3C%2Ffont%3E%3C%2FSTRONG%3E%3C%2Fi%3E%3C%2FH2%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3Cp%20align%3Dcenter%3E%3CSTRONG%3E%3Ci%3E%3Cfont%20color%3D%22%2300FF00%22%20size%3D%225%22%3EMassege%20%3A%20%0D%20%20%20%20%20%20%20%20%20%20%20%20Unix%20Was%20Here%3C%2Ffont%3E%3C%2Fi%3E%3C%2Fp%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CCENTER%3E%0D%20%20%20%20%20%20%20%20%20%20%20%20%3CFORM%3E%3CFONT%20color%3D%23ff0000%3E%26nbsp%3B%20%3CTEXTAREA%20rows%3D10%20cols%3D75%3E%3C%2FTEXTAREA%3E%20%0D%20%20%20%20%20%20%20%20%20%20%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FFORM%3E%3C%2FCENTER%3E%3C%2FTD%3E%3C%2FTR%3E%0D%20%20%20%20%20%20%20%20%3CTR%20align%3Dmiddle%3E%0D%20%20%20%20%20%20%20%20%20%20%3CTD%20height%3D%221%22%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cb%3E%3Cu%3E%3Cfont%20color%3D%22%23FF0000%22%20size%3D%225%22%3EThis%20web%20site%20has%20been%20%0Dhacked%3C%2Ffont%3E%3C%2Fu%3E%3C%2Fb%3E%3C%2Fi%3E%3C%2FP%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cfont%20size%3D%224%22%20color%3D%22%23C0C0C0%22%3ESorry%20admin%21%20Go%20and%20path%20it%20now%3C%2Ffont%3E%3C%2Fi%3E%3C%2FP%3E%0D%3CP%20align%3Dcenter%3E%3Ci%3E%3Cfont%20color%3D%22%23008000%22%3ECopyright%20%3C%2Ffont%3E%3Cfont%20color%3D%22%23FF0000%22%3E%0DT%2EH%2EG%3C%2Ffont%3E%3Cfont%20color%3D%22%23008000%22%3E%20%3C%2Ffont%3E%3Cfont%20color%3D%22%23FF0000%22%3ESecurity%20Team%3C%2Ffont%3E%3Cfont%20color%3D%22%23008000%22%3E%20all%20right%20reserved%3C%2Ffont%3E%3C%2Fi%3E%3C%2FP%3E%0D%20%20%20%20%20%20%3CSCRIPT%20language%3DJavaScript%3E%0D%3C%21%2D%2D%0D%2F%2A%20status%20%2A%2F%0D%0D%20%20function%20one%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22two%28%29%22%2C60%29%3B%0D%20%20%20%20%7D%0D%20%20function%20two%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22three%28%29%22%2C120%29%3B%0D%20%20%20%20%7D%0D%20%20function%20three%28%29%0D%20%20%20%20%7Bwindow%2Estatus%20%3D%20%22%5B%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%20%5D%5BHacked%20by%20unix%20%23THG%20irc%2Egigachat%2Enet%206667%5D%5B%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%2D%20%20%20%5D%22%3B%0D%20%20%20%20setTimeout%28%22one%28%29%22%2C180%29%3B%0D%20%20%20%20%7D%0D%20%20one%28%29%3B%0D%2F%2F%20%2D%2D%3E%0D%20%20%20%20%0D%20%20%20%20%3C%2FSCRIPT%3E%0D%3C%2FBODY%3E%3C%2FHTML%3E"));

</SCRIPT>

PHP:

 

That's why I don't like phpbb. A bug is found, but rather than put a wrapper around the vunurable function, they get on their high and holy horse and say "FORCE YOUR ISP TO UPGRADE THEIR SERVER SOFTWARE!". Yeah, right. Like that is going to happen overnight. Meanwhile you take your site offline or you are running vunurable just waiting for a script kiddie to come along. At least the securityfocus alert gives you the chance to get a backup in before the kiddies find you.

Decent package otherwise, but anyone who doesn't know php well enough to go in and put the wrapper on themselves is in for a heap of hurt with an attitude like theirs.

 

Well that's me . I am a novice with PHP. Is there an easy explaination of the 'wrapper' you speak of, ziandra?

 

Homer, this is old news, did you happen to read this thread

http://forums.digitalpoint.com/showthread.php?t=6793&page=5&pp=40

 

This forum is just TOO big to read ALL. You seem to be the walking dictionary of DP. The next time I'm in a jam like this is it alright if I ask you first?


Thanks Bro

 

Ok, let's say you are a computer programmer. Let's say the run time library has a function called "open the door". You call the function with a 1 and the door is opened. You call it with a 0 and the door is closed. Everything sounds good so far. But, let's say the operation of this function does not check to make sure nothing is blocking the door. So, calling "open the door" with a 0 will potentially close the door on the baby crawling around the house. A programmer might write a function called "my open the door" that checks to see if a baby is near the door before opening or closing the door. This is called a "wrapper function". It encapsulates the features provided by the library but typically adds additional safety checks.

Many "hacks" take advantage of buffer overflows. You will see a bunch of attempts to break in to your web server every day with those really long and obnoxious URL's. People who are not willing to wait for their library provider to fix the problem will write wrappers that do little other than verify that the data passed into the function is not too big.

In the case of phpbb, there was one function in php used by phpbb that was susceptable to a buffer overflow. Rather than create a wrapper function for the half dozen (I am guessing at the number) places it is used that verifies the buffer is not too big, the people who develop phpBB said "it is their problem, not ours". They ignored a fundamental philosophy of computer software vendors which goes something like "I don't care who's fault it is, it is all of our problem". They choose to point fingers rather than fix the problem.

Hence my disgust for the developers of an otherwise very nice package.

 

Quality and support cost money. :/

 

Thanks ziandra. Is there a better forum (more secure) that you would recommend I use??

 

Homer, go here www.vbwebmaster.com and tell them that I sent you

 

But is IS a php problem rather than a phpBB problem and it IS avoided by upgrading the php version, no?

It doesn't even have to be the latest version of php... just one of the newer ones. It's a little like saying people who are still running Windows 1.0 should be launching a class action suit against Microsoft rather than at least partially upgrading their software...