Sites hacked
03-03-2012, 10:42 PM (This post was last modified: 03-03-2012 10:48 PM by sXi.)
Post: #181
RE: Sites hacked
(03-03-2012 08:04 PM)stm4725 Wrote:  I am using Concrete5. I have a ton of infected php files. I surely hope that the page one "fix" works. It took me a while to see that I need to upload that cleaner script and then run it from my browser. I also see that my file and directory permissions look like they are way too wide open. What should they be for Concrete5 to work properly? 777 surely is NOT it!

The cleaner on page one is Version 2.3 but the embedded link points to a URL that mentions Version 2.4 and has a command line version. Can someone elaborate... please!?

Directory 755, File 644 - Maximum.

I've compiled a program that should theoretically sanitise any script of the exploits used over the past 5 months. The methods employed by the hackbot are not as advanced as it might appear and they are relying on old 3rd party devices to exploit domains rather than any real custom code. If you're willing to be a guinea pig I can help you backup your website and I'll run the program over your C5 installation files on my DH server. If it works then you're good to go.

I've run it against 4 custom apps and a half dozen Open Source'd. Another Dreamhoster sent me a back-up of his exploited WP site earlier (quite sizable at 111MB tar'd) and the proggy worked flawlessly, removing remote shells, injection exploits, and editing ~2000 files back to their original "factory" condition, then recursively reset the ownership and global permission on all files and directories to the account owner. Total run time was in the vicinity of 1 minute.

http://i43.tinypic.com/rcq1s9.png

http://pastebin.com/Dgp3DYVf

Presently it removes 10 exploits.. most importantly the remote shells, directory exploit, a Paypal scam detector, Russian statistical hijack detector, repairs file injections and garbage header exploits. It also fixes the mess that the "wp cleaners" leave behind in case someone has already run one of them on their site. I have a few htaccess checks cataloged that I'd like to add before it goes out of alpha and was thinking of implementing a DB scanner into it. Dunno. Might be overkill.

03-04-2012, 12:30 AM
Post: #182
RE: Sites hacked
(03-03-2012 10:42 PM)sXi Wrote:  I've compiled a program that should theoretically sanitise any script of the exploits used over the past 5 months.

I see why you are quiet on the forums sometimes! Because you are busy doing awesome things. Although I haven't had any problems (knock on wood), I'd like to thank you for your work!
03-04-2012, 03:44 AM
Post: #183
RE: Sites hacked
I have numerous sites with different hosting companies, about 5 of the sites hosted with one company have been hacked. It is no big deal but I am trying to get to the bottom of how they got in.

None of the sites has the same FTP & Password combination
None of the sites have the same WordPress admin logins
The WordPress admin logins are not default
The passwords are strong and generated by a security system
There is no common code, plugin or theme (e.g. Timthumb)

The hack encodes all the PHP files a bit like IonCube, it clickjacks users on the front end once a day, so loads normally on refresh.

The backend is all messed up although you can still login.

Looking at the backups there are some random PHP files in the root; they tend to have two words separated by an underscore, e.g. Random_plate.php. The file is encoded itself; I suspect it is called by something.

Anyone recognise the hack and what caused it?
03-04-2012, 03:56 AM
Post: #184
RE: Sites hacked
(03-04-2012 03:44 AM)Zappos Wrote:  Anyone recognise the hack and what caused it?

Check the mod times of the files. Then check the server logs for that time and you'll see exactly what was exploited.
03-04-2012, 04:02 AM
Post: #185
RE: Sites hacked
(03-04-2012 03:56 AM)bobocat Wrote:  Check the mod times of the files. Then check the server logs for that time and you'll see exactly what was exploited.

DH sent me a 200 line report on my sites, 5 were hacked.

I had already changed the FTP accounts after the recent hack and I have a different username for each site.

I don't use the same admin name or passwords (they are 12 digits, generated by LastPass, which is encrypted).

Usually I expect it to be a common plugin or code (like TimThumb last year) but can't see that here.

The attack times are very close, but looking at the log is not going to tell me what caused it. I can see they accessed and encoded every PHP file on the site.
03-04-2012, 04:05 AM
Post: #186
RE: Sites hacked
(03-04-2012 04:02 AM)Zappos Wrote:  I had already changed the FTP accounts after the recent hack and I have a different username for each site.

That provides no containment unless 'enhanced security' is enabled on each of the users.

(03-04-2012 04:02 AM)Zappos Wrote:  The attack times are very close, but looking at the log is not going to tell me what caused it.

Yes, it will tell you. That's what logs are for. But don't look if you don't want to know.
03-04-2012, 06:14 AM
Post: #187
RE: Sites hacked
(03-04-2012 04:05 AM)bobocat Wrote:  That provides no containment unless 'enhanced security' is enabled on each of the users.


Yes, it will tell you. That's what logs are for. But don't look if you don't want to know.

Of course I have enhanced security enabled, what would be the point of having separate accounts otherwise.

How does the log tell me what was hacked? It just shows access; I never noticed it saying "hacking attempt" or "hack successful", perhaps you can explain. If I have 2000 files accessed within a minute it is meaningless.

There is no point posting ambiguous messages; post detailed help and you help this community, otherwise you just come over as an Ahole.
03-04-2012, 06:38 AM (This post was last modified: 03-04-2012 06:46 AM by kelly7552.)
Post: #188
RE: Sites hacked
(03-04-2012 06:14 AM)Zappos Wrote:  Of course I have enhanced security enabled, what would be the point of having separate accounts otherwise.

How does the log tell me what was hacked? It just shows access; I never noticed it saying "hacking attempt" or "hack successful", perhaps you can explain. If I have 2000 files accessed within a minute it is meaningless.

There is no point posting ambiguous messages; post detailed help and you help this community, otherwise you just come over as an Ahole.

Zappos,

Send me the access logs (you can PM me), or download my access log program on repairitblog.org (see dreamhost tools) and I'll walk you through editing the access log file names.

-Bill
03-04-2012, 06:40 AM
Post: #189
RE: Sites hacked
(03-04-2012 06:14 AM)Zappos Wrote:  Of course I have enhanced security enabled, what would be the point of having separate accounts otherwise.

There are legitimate reasons to turn it off. It's not enabled by default.

(03-04-2012 06:14 AM)Zappos Wrote:  How does the log tell me what was hacked, it just shows access, I never noticed it saying "hacking attempt" or "hack Successful" perhaps you can explain. If I have 2000 files accessed within a minute it is meaningless.
You think your logs are going to have a message saying 'here's the hack'? No, it takes a bit of work:
http://discussion.dreamhost.com/thread-134256.html

(03-04-2012 06:14 AM)Zappos Wrote:  There is no point posting ambiguous messages post detailed help and you help this community, otherwise you just come over as an Ahole
Ok, you're on your own. Have fun.
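As an added example (not code from the thread, from DreamHost's tools, or from the access-log program mentioned above), this is the correlation bobocat describes in posts #184 and #189: collect the mtimes of the site's PHP files, then pull out the access-log requests that arrived just before each file was written. The paths, IPs and log lines are constructed sample data; `php_mtimes` is the helper you would run on the real (untouched) site tree.

```python
import os
import re
from datetime import datetime, timedelta, timezone
# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def php_mtimes(root):
    """Return {path: aware UTC mtime} for every .php file under root (run on an untouched copy)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                out[path] = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return out

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}

def correlate(log_text, mtimes, window=timedelta(minutes=2)):
    """Requests that arrived within `window` *before* a file's mtime (a later request cannot have caused the write)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        touched = sorted(p for p, t in mtimes.items() if timedelta(0) <= t - entry["when"] <= window)
        if touched:
            entry["files"] = touched
            hits.append(entry)
    hits.sort(key=lambda e: e["when"])
    return hits

# Constructed sample data (hypothetical paths and IPs, not from the thread): two PHP
# files rewritten at 20:01:10Z; of three requests, the last lands after the write.
SAMPLE_MTIMES = {
    "/home/example/example.com/index.php": datetime(2012, 3, 3, 20, 1, 10, tzinfo=timezone.utc),
    "/home/example/example.com/wp-content/Random_plate.php": datetime(2012, 3, 3, 20, 1, 10, tzinfo=timezone.utc),
}
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2012:20:01:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2012:20:01:09 +0000] "POST /wp-content/Random_plate.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2012:20:01:30 +0000] "GET /wp-content/Random_plate.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""
```

On a real site, call `correlate(open(logfile).read(), php_mtimes(site_root))` and narrow the window until only a handful of requests remain; the POST to a file that should never be written to is the one to read the log around.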
03-04-2012, 06:57 AM
Post: #190
RE: Sites hacked
I'm sorry dreamhost but you have a problem.

I have a very large list of friends and relationships that use web servers around the globe (mainly Spanish and US servers). In the last two weeks I've seen that some websites were hacked and the only ones are those that are hosted in dreamhost. I even went to a website and found it was hacked, I did a whois to find out it's listed in dreamhost DNS (dreamhost is aware of this one)...

So I'm sorry, something is happening here, maybe a php server configuration, maybe it's only happening to old users that have something different in their configs, I don't know, but what I do know is that the only ones hacked are the ones hosted in dreamhost. Maybe they are simply just attacking dreamhost servers. Again, over hundreds of sites, only DH.