my account got hacked yesterday

Discussion in 'Security' started by aRo`, Jan 26, 2008.

  1. #1
    Yesterday my account at Servage got hacked :mad:

    The hacker included some hidden spammy links (viagra) in the index.php/index.html file of several domains.

    domain1
    time: 25/01/2008 19:53
    domain2
    time: 25/01/2008 20:32
    domain3
    time: 25/01/2008 20:35
    domain4
    time: 25/01/2008 20:40

    There are more domains in that account which were left untouched.

    I coded the sites myself, but they should be clean for SQL injections/uploads.

    I can't access server logs, so can anyone tell me what the most common ways to do this kind of hack are? Notice that he spent some time in my account to get this done or download my stuff!!!

    Kind regards
     
    aRo`, Jan 26, 2008 IP
  2. Ladadadada

    #2
    If you're on a shared host, it could be one of the other sites that has the insecure code. Once an attacker has access to a shell on a system he usually has the ability to modify all sites hosted on that system.

    If you can't access the logs then tracking down how he got in will be a matter of guesswork. In fact, you won't even know if you got the guess right or not because you can't verify it in the logs.

    The best place to start would be with what you DO know. Were the links inserted into the file or into the SQL that was displayed by the PHP code? If the links were directly in the file, then the attacker must have had access to a shell on the system. (Or at least a file editor.)

    The two most common ways that this seems to happen are:
    1. You allow file uploads (usually images) and the attacker uploaded a PHP file.
    2. You use the include() function and pass it parameters found in the URL (include($_GET['page']); where page=contact.php) and the attacker sent a URL instead of a local file path.

    There are other methods of injecting PHP code but many of them are dependent on the version of PHP you are running.

    Most of this is really just wild stabbing in the dark. The only reliable way to figure out what went wrong is by analysing the log files.
     
    Ladadadada, Jan 26, 2008 IP
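
The two methods listed in the reply above each leave a recognizable trace in a web server access log. The script below is an added example, not part of the original thread: it triages access-log lines in the common "combined" format for both traces. The upload directory names, IP addresses, hostnames and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "Combined" log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
UPLOAD_DIRS = ("/uploads/", "/images/")   # assumption: where the site stores uploads
# Script extensions, including double extensions such as name.php.jpg
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|/|$)", re.I)
REMOTE_VAL = re.compile(r"^(https?|ftp)://", re.I)

def classify(line):
    """Return (ip, time, target, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, when, _method, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    # Method 2 in the post: a URL supplied where a local page name is expected.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_VAL.match(value):          # parse_qsl has already percent-decoded
            reasons.append(f"remote URL in parameter '{key}'")
    # Method 1 in the post: a script requested from an upload directory.
    path = parts.path.lower()
    if any(d in path for d in UPLOAD_DIRS) and SCRIPT_EXT.search(path):
        reasons.append(f"script requested from upload directory (status {status})")
    return (ip, when, target, reasons) if reasons else None

def triage(lines):
    """Keep only the lines that classify() flags, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, example hostnames).
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2008:10:00:01 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jan/2008:10:02:11 +0000] "GET /index.php?page=http%3A%2F%2Fexample.org%2Fx.txt HTTP/1.1" 200 5342 "-" "-"',
    '203.0.113.7 - - [01/Jan/2008:10:03:40 +0000] "POST /upload.php HTTP/1.1" 200 311 "-" "-"',
    '203.0.113.7 - - [01/Jan/2008:10:03:55 +0000] "GET /uploads/avatar.php?c=1 HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.20 - - [01/Jan/2008:10:05:00 +0000] "GET /uploads/cat.jpg HTTP/1.1" 200 20480 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, when, target, reasons in triage(SAMPLE_LOG):
        print(when, ip, target, "->", "; ".join(reasons))
```

A flagged line is a lead, not proof: the response status and any file-modification times close to the request time are what confirm whether it succeeded.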
  3. candlegirl

    #3
    I think this is exactly what happened to me as well. For days I was getting several accounts created in the name Viagra.. they were even logging in after.. then all heck broke loose.

    Host company won't admit.. says it's MY fault. I DO have access to my logs but have no clue what I'm looking at. I do see the words GET all over them.. sometimes with weird file names.. and I do allow file uploads on a particular page.

    I did notice .htaccess files added, I deleted those of course.

    This is as close as I've gotten to knowing MAYBE what happened! PLEASE tell me what to do to make sure they are not still accessing my files!

    Awesome forum.. so wish I would have found it sooner. I'm going to disable the upload function right now..
     
    candlegirl, Jan 26, 2008 IP