Are All Your Index.php Files Hacked?

geoffreywalton · June 12, 2012

Ran into an interesting little hack on a 2.3.1 site.

The customers site has a shop installed in a sub-directory called shop and all of his index.php files had code added to them. Just a little matter of 15 of the little bu**ers.

Checking the access logs I found this, the real script name has been changed to ascriptname.

91.224.160.132 - - [03/Jun/2012:09:30:36 -0500] "POST /ascriptname.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 82 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.04 Chromium/15.0.871.0 Chrome/15.0.871.0 Safari/535.2"

A file called rytwi.php was created in a download directory at this time.

The next entry in the log was

91.224.160.132 - - [03/Jun/2012:09:30:37 -0500] "POST /downloads/rytwi.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

A little change to the .htaccess in the site root directory should fix it!!

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

So the whole thing looks like this.

ErrorDocument 404 http://www.Customer_site.com/404page.php

Redirect /catalog http://www.Customer_site.com/shop

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.Customer_site.com/ [R=301,L]


# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^Customer_site.com [NC]
RewriteRule ^(.*)$ http://www.Customer_site.com/$1 [L,R=301]
RewriteBase /

# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

# ban spam bots
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
RewriteCond %{HTTP_REFERER} ^http://www.Customer_site.com$
RewriteRule !^http://[^/.]\.Customer_site.com.* - [F,L]

# stop hotlinking (gif/jpg) and serve alternate content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?Customer_site\.com/.*$ [NC]
RewriteRule .*\.(gif|jpg)$ http://www.Customer_site.com/images/stolen.gif [R,NC,L]
</ifModule>

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>

# Disable .htaccess viewing from browser
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# Disable access to config.php
<Files ~ "shop\includes\configure.php$">
deny from all
</Files>


# FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

# XSS Protection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ 404page.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

osCommerce VTS and Site Monitor can both find the hacked index.php files.

HTH

G

DunWeb · June 12, 2012

@@geoffreywalton

The customers site has a shop installed in a sub-directory called shop and all of his index.php files had code added to them. Just a little matter of 15 of the little bu**ers.

Did I read this wrong ? Were there 15 index.php files ? As far as I know, osCommerce only uses ONE. Did you ascertain how the hacker gained access to the v2.3.1 site ? I have not found any vulnerabilities in v2.3.1. Was it the hosting providers insecure server ?

Just looking for more detail Geoffrey so everyone knows what to look for.

Chris

geoffreywalton · June 12, 2012

As far as I know OSC uses 4 index.php files.

Anyway there were multiple directories each with index.php files in them as well as OSC in a sub-directory called /store.

Yes the way they get in is to use the auto append to append a file with their code in it, then accessed rytwi.php and then added the code to all the index.php files, and then all the usual cr*p they do.

Bit of a waste to say they did this & this over and above every index.php is infected because you still need to check every single file as well as the entire contents of the db.

No need to update VTS as curent version will already detect files hacked in this way.

Cheers

G

Juto · June 12, 2012

The origin of many malware scripts like c99shell which often hacks osC:

http://ccteam.ru/

ip:178.170.161.34

ISP data

NetRange: 178.0.0.0 - 178.255.255.255

CIDR: 178.0.0.0/8

Thus, add this to your htaccess:

deny from 178.0.0.0/8

You can also check your site with:

http://phpsec.org/projects/phpsecinfo/

Sara

geoffreywalton · June 13, 2012

Seems like others are being hacked and different actions being performed.

http://forums.oscommerce.com/topic/386862-egy-spider-hacking-attempt/page__view__findpost__p__1635635

The solution is to upgrade php but another solution is on https://bugs.php.net/bug.php?id=61910

this mod_rewrite condition and
rule should take care of it for Apache users:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

So the original solution I came up with is along the right lines, but this one appears to be better as it covers more threats.

You can tell if your server is vunerable by putting this in to your browser

http://www.yoursite.com/?-s

or in my case I tried

www.mysite.com/shop/banned/IP_Trapped.txt?-s

which shows the banned ips.

HTH

G

Now off to get Easy Populate to update category descriptions during a file upload!!

ggrant3 · June 13, 2012

Seems like others are being hacked and different actions being performed.

http://forums.oscommerce.com/topic/386862-egy-spider-hacking-attempt/page__view__findpost__p__1635635

The solution is to upgrade php but another solution is on https://bugs.php.net/bug.php?id=61910
this mod_rewrite condition and
rule should take care of it for Apache users:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
So the original solution I came up with is along the right lines, but this one appears to be better as it covers more threats.

You can tell if your server is vunerable by putting this in to your browser

http://www.yoursite.com/?-s

or in my case I tried

www.mysite.com/shop/banned/IP_Trapped.txt?-s

which shows the banned ips.

HTH

G

Now off to get Easy Populate to update category descriptions during a file upload!!

So using this:

this mod_rewrite condition and
rule should take care of it for Apache users:
	RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
	RewriteRule ^(.*) $1? [L]

inside of the root htaccess file replaces what you wrote in your first post, right?

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

or were you talking about another solution you had?

Also, I just tried using

/?-s

at the end of my domain and nothing happened. The browser just kept timing out. Should I have had something come up if my site was vulnerable?

geoffreywalton · June 13, 2012

If you put in

http://www.yoursite.com/?-s

and you get to see the source code of index.php your server is vunerable to this kind of attack.

I would not use these 2 lines

RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]

and would add these after a rewrite rule line

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

Cheers

G

Mort-lemur · June 13, 2012

Hi,I

tried the site.co.uk/?-s attempt and am pleased to say that OSC SEC stopped it dead and banned me from my own site :-) with the following reason for the ban :

REASON FOR BAN: osC_Sec detected an attempt to exploit a PHP bug. (CVE-2012-1823)

Thanks

geoffreywalton · June 13, 2012

That is good news!!

The trouble is when you have a information site in the root directory and osc in a sub directory such as /catalog or /shop. If you have a site like this htacess is the only protection, as Os Sec will protect hack attempts on the directory osc is in and those "below" it but not against the root directory.

G

nedragdnuos · July 27, 2012

Hi all,

I have just tried the above test on my shop - http://www.yoursite.com/?-s

I received the email no problem so I am pleased that OS sec is working, but now I am trying to access my shopfront and am having no luck.

My IP address has not been added to .htaccess deny so I am wondering how do I go about "unblocking" myself from my own site LOL.

Any help will be appreciated.

Cheers!!

MrPhil · July 27, 2012

Your IP address isn't listed in any .htaccess file? Be sure to check if your host just created a new one somewhere just to ban YOU! If you can't find anything, open a support ticket with your host explaining that you were running the check for PHP vulnerability, and you seem to have gotten yourself on some ban list, and could you please be taken off. By the way, if in testing this you were hitting your server many times in a short time period, it's possible that you're being banned as a Denial of Service attacker. You would have to explain the situation to your host tech support and get unbanned.

nedragdnuos · July 27, 2012

Hi Phil, thank you for your prompt reply.

Yep, the IP was not in any .htaccess files and after contacting my hosting service they said that my IP was not on any of their lists, so after all that I simply uploaded yesterdays backup files and hey presto I was able to access the whole site again.

I have a strange feeling that I may have missed a write to a file somewhere, but of course now, in my haste to get the site back online, I never took a copy of the dead site so I cant compare files from one to the other...... well I could always try that attack again but I DONT THINK SO LOL.

All I can say is that if OSC Sec is that effective then I am very glad I have it installed and it has already caught a couple of suspect IPs in the meantime.

Thanks again for your help Phil.

Cheers!

Archived

Are All Your Index.php Files Hacked?

12 posts in this topic

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites