| Nightrider argh! |
Posted: 09/15/2007 12:55 PM
| Citation | Posts: 1253 | Word Cnt.: 68,166 | BDay: Nov 9 | Sign: Scorpio | Joined: Jan 06, 2006 | Local time: 6:15 PM |
My top parenting site has been hacked.
I don't even begin to know where to look to see what they have done and where.
Can you help at all please?

| Re: Nightrider argh! |
Posted: 09/15/2007 3:33 PM
| Citation |
Nooo, it's now happening to Babydreamz

| Re: Nightrider argh! |
Posted: 09/15/2007 3:38 PM
| Site Admin | Posts: 30757 | Word Cnt.: 2,628,690 | BDay: Jul 28 | Sign: Leo | Joined: Sep 25, 2004 | Local time: 2:15 PM | Location: St Pete, FL |
Ok, I'm looking at it now...

| Re: Nightrider argh! |
Posted: 09/15/2007 4:00 PM
| Citation |
Wow, that was fast work

| Re: Nightrider argh! |
Posted: 09/15/2007 4:19 PM
| Site Admin |
Something made a mess of your portal code and config data. Also, something changed settings in your phpbb_config table as well. Which portal do you have installed? Do you know if the var_cache folder was created by a MOD that you installed? It doesn't look like it belongs and part of the problem was stored in several files there...
Since I haven't figured out how they gained access to your files and database yet, this could easily happen again...

| Re: Nightrider argh! |
Posted: 09/15/2007 4:30 PM
| Citation |
The var_cache was created with the IMportal.
The last thing I did, and may have been the problem, was I was looking at topsites and I added one which needed various files permissions changing. Only files from the topsites, not the phpBB files. That's the only thing I did, and some of them needed to be at 777.
I deleted that folder tonight when I saw what had happened, and I won't be adding that topsites.
Thanks so much for doing that, you are gaining quite a lot of fans from my site!
How did you know it was that file?

| Re: Nightrider argh! |
Posted: 09/15/2007 4:43 PM
| Site Admin |
There are still problems that need to be resolved. The phpbb_layouts table records were modified, so the settings need to be restored before the Portal page will display properly again. The md_search_option_text setting in the phpbb_portal_config was also modified and probably needs to be recreated. The sitename field in the phpbb_config table was altered as well. Each had the following stored in their fields:
Code:
<meta http-equiv="Refresh" content="0;url=http://rootinq.sitemynet.com">
or
Hacked by G3N3T1X // <script>location='http://rootinq.sitemynet.com'</script>

The index.html file stored in the var_cache folder included the following code:
Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked by G3N3T1X // Spyhackerz.Com # </title>
<meta name="keywords" content="G3N3T1X">
<meta name="description" content="G3N3T1X">
</head>
<body bgcolor="#C0C0C0">
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center">
</p>
<p align="center"><font face="Georgia">Hacked by G3N3T1X<br>"<font color="#FF0000">En büyük olmayı istiyorsan ilk
önce en küçük ihtimalleri göze almalısın!</font>"<br>Spyhackerz.Com</font></p>
</body>
</html>

The cache_layout_lr1 continues to be recreated in the var_cache folder and stores the following hacking code:
Code:
e28b301e97793209f3ebe46559fc6314a:8:{i:0;s:72:"<meta http-equiv="Refresh" content="0;url=http://rootinq.sitemynet.com">";s:8:"template";s:72:"<meta http-equiv="Refresh" content="0;url=http://rootinq.sitemynet.com">";i:1;s:1:"1";s:10:"forum_wide";s:1:"1";i:2;s:1:"0";s:4:"view";s:1:"0";i:3;s:0:"";s:6:"groups";s:0:"";}

So until we find the root of the problem, it may continue to replicate itself. I was able to look at the timestamp to see what files and folders were recently modified. That was my first clue where to look. Also, from other sites that I've worked on that were hacked, the config settings in the database are generally a favorite target, so it was logical to look there too...
This is the first hacked site I've seen where both the File and Database servers were hacked, so that really makes me nervous and anxious to discover the source of the attack. It might be necessary to change the login details for your database, but that will be of little use if there is a file that can retrieve the information for the hacker. So we really need to find the root of the problem before changing login details...
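
The triage described in the post above (recent modification times, the 777 permissions mentioned earlier in the thread, and redirect markup stored in cache files), as an added example that is not part of the original thread. The function names, the seven-day window, the patterns, and the sample files are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile
import time

# Redirect markup of the kind quoted in the post. Illustrative, not exhaustive.
REDIRECT = re.compile(
    rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh"
    rb"|<script[^>]*>\s*(?:window\.|document\.)?location\s*=", re.I)

def triage(web_root, days=7):
    """Return {relative_path: [reasons]} for files worth a closer look."""
    cutoff = time.time() - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            reasons = []
            if st.st_mtime >= cutoff:
                reasons.append("recently-modified")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")  # e.g. chmod 777
            with open(path, "rb") as fh:
                if REDIRECT.search(fh.read(1_000_000)):
                    reasons.append("redirect-markup")
            if reasons:
                findings[os.path.relpath(path, web_root)] = reasons
    return findings

def demo():
    now = time.time()
    samples = {  # constructed sample files: path -> (content, age in days, mode)
        "index.php": (b"<?php echo 'forum'; ?>", 90, 0o644),
        "upload.php": (b"<?php /* add-on */ ?>", 90, 0o777),
        "var_cache/cache_layout": (
            b'<meta http-equiv="Refresh" content="0;url=http://redirect.example/">', 0, 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "var_cache"))
        for rel, (data, age, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
            os.utime(path, (now - age * 86400,) * 2)
        return triage(root)
```

The same `REDIRECT` pattern can be run over values exported from the config tables named in the post, since the injected strings there have the same shape as the ones in the cache files.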

| Re: Nightrider argh! |
Posted: 09/15/2007 4:53 PM
| Citation |
That's scary!
OK, what should I/we do first? Do you want to see the folder I deleted?

| Re: Nightrider argh! |
Posted: 09/15/2007 5:19 PM
| Site Admin |
I would like to see what you installed recently and I would like a link to the IMPortal MOD download. I need to determine what belongs and what doesn't and if anything you installed is responsible for opening the door to this hacker...

| Re: Nightrider argh! |
Posted: 09/15/2007 5:57 PM
| Citation |