1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

My site is hacked but how please check

Discussion in 'Programming' started by TheSyndicate, Jan 14, 2009.

  1. #1
    Hi!

    My sites were hacked by Muslim hackers for the second time now in 1 year.

    I need to know how they do it so i can stop them.

    First i think its was Wordpress but now many sites not have WP.

    I locked all the 755 files.

    They just replace the index.php with a index.html page.

    you can see on this page
    ifreefax dot com
    PHP:
    They also upload some strange file i do not know this one and it can not be downloaded.
    bangkokevents.org/1.cdk
    PHP:
     
    TheSyndicate, Jan 14, 2009 IP
  2. deleted-account

    deleted-account Active Member

    Messages:
    655
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    85
    #2
    I think you mean Turkish hackers, you might have said something to offend Muslims which is probably why you got hacked.
     
    deleted-account, Jan 14, 2009 IP
  3. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #3
    No i got hacked beucase my website is not secure enough.
     
    TheSyndicate, Jan 14, 2009 IP
  4. leet

    leet Notable Member

    Messages:
    3,423
    Likes Received:
    369
    Best Answers:
    0
    Trophy Points:
    250
    #4
    They might've uploaded a shell to your server by using an XSS exploit on one of your sites. Look for files that could be named r57, c99 or anything to do with shell.
     
    leet, Jan 14, 2009 IP
  5. Infekted

    Infekted Banned

    Messages:
    304
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    How do you know this leet? and how can I prevent this from happening to my website?
     
    Infekted, Jan 14, 2009 IP
  6. TeKn1qu3z

    TeKn1qu3z Well-Known Member

    Messages:
    1,496
    Likes Received:
    23
    Best Answers:
    0
    Trophy Points:
    130
    #6
    Secure your website better next time. If you need help PM me.
     
    TeKn1qu3z, Jan 14, 2009 IP
  7. leet

    leet Notable Member

    Messages:
    3,423
    Likes Received:
    369
    Best Answers:
    0
    Trophy Points:
    250
    #7
    Just a guess. From his post I understand that multiple sites got hacked with different scripts on all of them, and all index.php files were changed with index.html's. Sounds like a mass deface using a shell to me. You can read this thread I opened a while ago telling how to prevent these attacks to an extent: http://forums.digitalpoint.com/showthread.php?t=575793
     
    leet, Jan 14, 2009 IP
  8. skorpion

    skorpion Peon

    Messages:
    38
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    wow thats kinda scary. May be dumb question but could this potentially hurt someone's PC if they where viewing the page?

    Im sure your site is not the only site that isnt secure enough. Why would they pick yours? Do we all have to worry about this?
     
    skorpion, Jan 14, 2009 IP
  9. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #9
    Leet yes i have files with that name on it on my server.

    But i do not have shell on my server
     
    TheSyndicate, Jan 14, 2009 IP
  10. leet

    leet Notable Member

    Messages:
    3,423
    Likes Received:
    369
    Best Answers:
    0
    Trophy Points:
    250
    #10
    You mean you have files named c99 or r57? If so, remove each and every of them. If you are talking about the .cdk file however, I don't really know what .cdk extension is. The only CDK I know is a Perl development library but I doubt that's relevant unless they used a Perl exploit. I'd say use this thread to do a quick check on your server to see if there is any shell files: http://forums.digitalpoint.com/showthread.php?t=575793

    edit: Just realized you are on Servage, so the thread I just pointed won't help you.
     
    leet, Jan 14, 2009 IP
  11. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #11
    right so what can i do? Anything other way i can check?

    I can do a FTP search but what should i search for only 2 tings?

    I have image with this name 398499958494dacdc998b6.gif

    Can that be the file?
     
    TheSyndicate, Jan 14, 2009 IP
  12. leet

    leet Notable Member

    Messages:
    3,423
    Likes Received:
    369
    Best Answers:
    0
    Trophy Points:
    250
    #12
    It can be a .gif file too, yes. How big is it? Try to open it by going to its URL such as abc.com/blabla.gif, if it works like a .php file, that is it.
     
    leet, Jan 14, 2009 IP
  13. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #13
    it is only 1.36 KB i looks like a gif not a php file
     
    TheSyndicate, Jan 14, 2009 IP
  14. leet

    leet Notable Member

    Messages:
    3,423
    Likes Received:
    369
    Best Answers:
    0
    Trophy Points:
    250
    #14
    Shell files mostly range from XX to XXX KBs.
     
    leet, Jan 14, 2009 IP
    TheSyndicate likes this.
  15. iam.xavier

    iam.xavier Well-Known Member

    Messages:
    521
    Likes Received:
    13
    Best Answers:
    0
    Trophy Points:
    125
    #15
    Leet helped you a lot friend... But one more possiblity is that if you are getting hacked on site which are not WP apart from file uploading... Hackers can run the command from URL. So check your script if you are giving any area of hacking in URL site like (index.php?cmd=) some this like this.

    Thanks
    -Xak
     
    iam.xavier, Jan 14, 2009 IP
    TheSyndicate likes this.
  16. CaseyPC

    CaseyPC Active Member

    Messages:
    85
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    98
    #16
    I would guess that the bangkokevents.org/1.cdk file was the r57/c99 shell script (usually a PHP script named a different extension to hide it (the file is 404 now.)) and they are "hacking in" via an XSS flaw in a script you are running. I would check that you are not running a website with any versions found here: http://www.milw0rm.com/ if you are... update/patch them.
     
    CaseyPC, Jan 15, 2009 IP
  17. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #17
    1. I know its not bound to any script. I have a pure no script domains and they are still hacked.
    2. They only hacked the index file.
    3. I have a shared server.
    4. I still do not know how


    So check your script if you are giving any area of hacking in URL site like (index.php?cmd=) some this like this.

    What does this mean
     
    TheSyndicate, Jan 15, 2009 IP
  18. CaseyPC

    CaseyPC Active Member

    Messages:
    85
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    98
    #18
    That is an example of how XSS exploits can be executed. Basically, do your websites process any user submitted data. ie: forms, includes, etc.

    If you do ensure that they are not vulnerable to XSS attacks. Ensure that users can not remotely include a file and use your script to execute it.
     
    CaseyPC, Jan 15, 2009 IP
  19. TheSyndicate

    TheSyndicate Prominent Member

    Messages:
    5,394
    Likes Received:
    289
    Best Answers:
    0
    Trophy Points:
    365
    #19
    Anybody have a good site for this how to stop it?
     
    TheSyndicate, Jan 15, 2009 IP
  20. mann3r

    mann3r Peon

    Messages:
    1,416
    Likes Received:
    100
    Best Answers:
    0
    Trophy Points:
    0
    #20
    mann3r, Jan 15, 2009 IP
    TheSyndicate likes this.