Topimagehost.org, hacked?

Discussion in 'Security' started by yyyk9, Jun 19, 2007.

  1. #1
    I think my site has been hacked. I'm hosting on a reseller. But I can't log in and the content has changed!! Can someone examine it?
     
    yyyk9, Jun 19, 2007 IP
  2. clancey

    #2
    I presume you fixed the immediate problem. I grabbed the top level index page and it seemed to relate specifically to your site. My HTML validator reports a dozen errors, but I do not think they are critical.

    If you suspect you have been hacked, you need to search around for any shells which might have been left behind.

    If you have SSH access to your web server, log in and issue the following command in directories which contain pages:

    grep -ilF ".ru" *

    It will look for any documents which contain the phrase .ru in them.

    You could also run it as follows:

    grep -ilF "\$group['read']" *

    If that gets some hits, look at those files carefully. They may be PHP shell scripts -- used by hackers to run commands on your box.
     
    clancey, Jun 19, 2007 IP
    yyyk9 likes this.
  3. yyyk9

    #3
    I found out now. They uploaded a php file disguised as a jpg. :p silly
     
    yyyk9, Jun 21, 2007 IP
  4. inworx

    #4
    It isn't silly. That's probably a shell.
     
    inworx, Jun 22, 2007 IP
  5. toby

    #5
    toby, Jun 22, 2007 IP
  6. clancey

    #6
    To prevent people from uploading php scripts disguised as image files, you need to check the file names as well. If it contains ".php." you need to quietly disallow the upload. Just tell the user some kind of error occurred, but log their IP address for banning. You do not want to let hackers know you know what they are doing.

    Even so, make sure you rename all user submitted files so they match file naming conventions!

    These types of files are mainly used to infect your visitors. They are bona fide scripts, which will be parsed by Apache before being displayed to the user. The problem is discussed here:

    http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
     
    clancey, Jun 23, 2007 IP
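
A defensive sweep that combines the checks discussed in this thread, added here as an example and not code from any poster: it flags files whose names contain ".php." (post #6) and image-named files whose contents contain a PHP open tag (the disguised upload from post #3). The function names, the extension list and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags uploads that look like images
# but are PHP: the ".php." name check from post #6 plus a content check.

# find_disguised_php DIR -> prints "<reason><TAB><path>" per suspicious file.
#   name:    ".php." appears anywhere in the file name (case-insensitive)
#   content: image extension, but the bytes contain a PHP open tag
find_disguised_php() {
    find "$1" -type f | while IFS= read -r f; do
        lower=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        case $lower in
            *.php.*) printf 'name\t%s\n' "$f" ;;
        esac
        case $lower in
            *.jpg|*.jpeg|*.gif|*.png)
                # LC_ALL=C: match raw bytes, so binary image data is fine.
                # Only "<?php" is matched; a bare "<?" occurs by chance in
                # real images (and in XMP metadata as "<?xpacket").
                if LC_ALL=C grep -qiF '<?php' "$f"; then
                    printf 'content\t%s\n' "$f"
                fi ;;
        esac
    done
}

# make_sample_uploads DIR -> writes constructed test files (not real samples).
make_sample_uploads() {
    printf 'GIF89a\001\002\003 plain pixels' > "$1/clean.gif"
    # GIF magic bytes followed by PHP code.
    printf 'GIF89a\001\002\003<?php echo 1; ?>' > "$1/avatar.gif"
    printf '<?php echo 1; ?>' > "$1/photo.PHP.jpg"
    printf 'JFIF <?xpacket begin?> metadata' > "$1/camera.jpg"
}

# Demo run on the constructed files; pass a real upload folder instead.
demo=$(mktemp -d)
make_sample_uploads "$demo"
find_disguised_php "$demo"
rm -rf "$demo"
```

A hit is a reason to open the file and review it, as post #2 advises; a clean result only means neither of these two patterns was present.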