Topimagehost.org, hacked?

I think my site has been hacked.. I'm hosting on a reseller. But I cant login and the content has changed!! Can someone examine it?

 

I presume you fixed the immediate problem. I grabbed the top level index page and it seemed to relate specifically to your site. My HTML validator reports a dozen errors, but I do not think they are critical.

If you suspect you have been hacked, you need to search around for any shells which might have been left behind.

If you have SSH access to your web server, log in and issue the following command in directories which contain pages:

grep -il ".ru" *

It will look for any documents which contain the phrase .ru in them.

You could also run it as follows:

grep -il "$group['read']" *

If that gets some hits, look at those files carefully. They may be PHP shell scripts -- used by hackers to run commands on your box.

 

I found out now. They uploaded a php file disguised as a jpg. silly

 

It isnt silly. Thats probably a shell.

 

http://forums.digitalpoint.com/showthread.php?t=374497 could seomeon help me prevent the shell attack too?

 

To prevent people from uploading php scripts disguised as image files, you need to check the file names as well. If it contains ".php." you need to quietly disallow the upload. Just tell the user some kind of error occured, but log their IP address for banning. You do not want to let hackers know you know what they are doing.

Even so, make sure you rename all user submitted files so they match file naming conventions!

These types of files are mainly used to infect your visitors. They are bona fide scripts, which will be parsed by Apache before being displayed to the user. The problem is discussed here:

http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/