Hi! My sites were hacked by Muslim hackers for the second time now in 1 year. I need to know how they do it so I can stop them. First I thought it was Wordpress, but now many sites do not have WP. I locked all the 755 files. They just replace the index.php with an index.html page. You can see it on this page: ifreefax dot com. They also upload some strange file; I do not know this one and it cannot be downloaded: bangkokevents.org/1.cdk
I think you mean Turkish hackers, you might have said something to offend Muslims which is probably why you got hacked.
They might've uploaded a shell to your server by using an XSS exploit on one of your sites. Look for files that could be named r57, c99 or anything to do with shell.
Just a guess. From his post I understand that multiple sites got hacked with different scripts on all of them, and all index.php files were changed with index.html's. Sounds like a mass deface using a shell to me. You can read this thread I opened a while ago telling how to prevent these attacks to an extent: http://forums.digitalpoint.com/showthread.php?t=575793
Wow, that's kinda scary. Maybe a dumb question, but could this potentially hurt someone's PC if they were viewing the page? I'm sure your site is not the only site that isn't secure enough. Why would they pick yours? Do we all have to worry about this?
You mean you have files named c99 or r57? If so, remove each and every one of them. If you are talking about the .cdk file however, I don't really know what the .cdk extension is. The only CDK I know is a Perl development library, but I doubt that's relevant unless they used a Perl exploit. I'd say use this thread to do a quick check on your server to see if there are any shell files: http://forums.digitalpoint.com/showthread.php?t=575793 Edit: Just realized you are on Servage, so the thread I just pointed to won't help you.
Right, so what can I do? Is there any other way I can check? I can do an FTP search, but what should I search for, only those 2 things? I have an image with this name: 398499958494dacdc998b6.gif. Can that be the file?
It can be a .gif file too, yes. How big is it? Try to open it by going to its URL, such as abc.com/blabla.gif; if it works like a .php file, that is it.
Leet helped you a lot, friend... But one more possibility is that if you are getting hacked on sites which are not WP, apart from file uploading, hackers can run commands from the URL. So check your script to see if you are giving any area for hacking in the URL, like (index.php?cmd=) or something like this. Thanks -Xak
I would guess that the bangkokevents.org/1.cdk file was the r57/c99 shell script (usually a PHP script given a different extension to hide it; the file is 404 now) and they are "hacking in" via an XSS flaw in a script you are running. I would check that you are not running a website with any versions found here: http://www.milw0rm.com/ If you are... update/patch them.
1. I know it's not bound to any script. I have pure no-script domains and they are still hacked. 2. They only hacked the index file. 3. I have a shared server. 4. I still do not know how. "So check your script to see if you are giving any area for hacking in the URL, like (index.php?cmd=) or something like this." What does this mean?
That is an example of how XSS exploits can be executed. Basically, do your websites process any user-submitted data, i.e. forms, includes, etc.? If you do, ensure that they are not vulnerable to XSS attacks. Ensure that users cannot remotely include a file and use your script to execute it.
Just a random thought: what's the take of your host? Maybe, just maybe, some domain hosted on the server has been compromised and gained access to all domains on that host. Here is the link also created by leet here in DP: http://forums.digitalpoint.com/showthread.php?t=575793 Quick search: http://www.hacking-truths.net/blog/find-r57-and-c99-shells-hidden-inside-php-and-txt-files/
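The checks suggested above (a .gif that is really a PHP script, a shell renamed to an odd extension like .cdk, r57/c99 hidden inside .php or .txt files) can be run over a web root in one pass. The scanner below is an added example written for this thread, not code from any poster or from the linked guides; the finding labels, the marker list and the file names used in its test are constructed.

```python
import os
import re

# Magic bytes a genuine image with this extension must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
PHP_EXTS = {".php", ".phtml", ".inc"}
# Name strings of the shells mentioned in the thread, plus the obfuscated
# loader pattern most PHP backdoors share (marker list is an assumption).
SHELL_MARKERS = re.compile(rb"r57shell|c99shell|eval\s*\(\s*(base64_decode|gzinflate)", re.I)
PHP_OPEN = re.compile(rb"<\?php|<\?=")


def classify(path):
    """Return a short finding label for a suspicious file, or None if it looks clean."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(256 * 1024)  # enough to see magic bytes and an embedded shell
    if SHELL_MARKERS.search(head):
        return "known-shell-marker"
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        # Extension says image, content does not: a webshell served as "blabla.gif"
        return "php-in-image" if PHP_OPEN.search(head) else "bad-image-magic"
    if ext not in PHP_EXTS and ext not in IMAGE_MAGIC and PHP_OPEN.search(head):
        return "php-in-unexpected-extension"  # e.g. a renamed shell such as 1.cdk
    return None


def scan(root):
    """Walk root and map each suspicious file (path relative to root) to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = label
    return findings


if __name__ == "__main__":
    import sys
    for rel, label in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{label:30} {rel}")
```

Run it against a copy of the web root pulled down over FTP; anything it flags should be compared against a known-clean copy of the site before being deleted, since a legitimate upload with a wrong extension will also show up as bad-image-magic.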