I've now been hacked! - Page 2

JadedSouls · December 20th, 2007, 11:16 PM

there were 2 php files that were added tonight I think. I don't know what they are and I know I didn't add anything today.

erg..

edit: Also looks like something happened in my modcp file as it was access about the time this happened but none of the files in it were changed as they're still dated from when I had to reinstall the vbulletin software.

Zerxer · December 21st, 2007, 1:03 AM

Be sure to change your Passwords and stuff. It's possible they just cracked into that somehow.

I'd also recommend having Surpass (if they haven't already) scan your site for any weird files. The people who got into mine put some weird script up that looked like it would store any login that is used.

JadedSouls · December 21st, 2007, 1:16 AM

probably those 2 php files I found! haha that was the only thing added dec 20th that I didn't do myself and one was a blank 404.php file and another was a sdp.php file lwith gibberish in it.

erg, just when I got my password memorized too - and it wasn't easy either! haha

**Roxy** · December 21st, 2007, 1:23 AM

Could've also been:

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits."

http://en.wikipedia.org/wiki/XSS Wikipedia.com

JadedSouls · December 21st, 2007, 3:23 AM

and that's how they would have been able to have put 3 (or more) files onto my portion of the server?

this is all new to me... I'm not all that computer literate.. haha

**Roxy** · December 21st, 2007, 11:20 AM

"attackers to bypass access controls". Yes, pretty much. Well it has nothing to do with your computer per say, but the scripts/plugins that you use. They are unsafe and you need to find the bad apple if you haven't already, or it can happen again and God forbid, it can be worse.

Not saying you did this, but just a heads up, NEVER download a script, plug-in, or theme from third party sites. If you noticed that the person distributing the file is not the creator, DON'T DOWNWLOAD it. Chances are the person has modified it especially for cases like this.

**MarkRH** · December 21st, 2007, 12:31 PM

One thing... check your .htaccess file in /public_html/ and make sure that

Code:

Options -Indexes

Is at the top of it; otherwise, it makes it too easy for people to go poking around your directory structure and find scripts, images, or other files you'd rather them not. With this, any directory that does not have a index.(htm, html, shtml, php) will be wide open for viewing.

JadedSouls · December 21st, 2007, 2:02 PM

Quote:

Originally Posted by Roxy

"attackers to bypass access controls". Yes, pretty much. Well it has nothing to do with your computer per say, but the scripts/plugins that you use. They are unsafe and you need to find the bad apple if you haven't already, or it can happen again and God forbid, it can be worse.

Not saying you did this, but just a heads up, NEVER download a script, plug-in, or theme from third party sites. If you noticed that the person distributing the file is not the creator, DON'T DOWNWLOAD it. Chances are the person has modified it especially for cases like this.

I've been trying to be careful about what I do put onto the server and the mods I do get are mainly from vbulletin themselves and trusted coders.

Quote:

Originally Posted by MarkRH

One thing... check your .htaccess file in /public_html/ and make sure that

Code:

Options -Indexes

Is at the top of it; otherwise, it makes it too easy for people to go poking around your directory structure and find scripts, images, or other files you'd rather them not. With this, any directory that does not have a index.(htm, html, shtml, php) will be wide open for viewing.

They must have messed with that as well as that wasn't even in there. I've now added it. but I'm not sure if the .htaccess file that is currently correct as I'm not sure what it's supposed to look like in the first place..

Sometimes I hate being a newbie!

**Roxy** · December 21st, 2007, 2:09 PM

I wish I could help you here, but I am too not sure what a "secure" .htaccess file should look like. =) Hopefully MarkRH or someone else can answer this, but good luck in the future. =D

December 20th, 2007, 11:16 PM	#10 (permalink)
JadedSouls Jezebel From Hell.. Comfy Contributor Joined in Sep 2004 Lives in Canada, eh? Hosted on SH131 143 posts Gave thanks: 7 Thanked 1 Time in 1 Post	there were 2 php files that were added tonight I think. I don't know what they are and I know I didn't add anything today. erg.. edit: Also looks like something happened in my modcp file as it was access about the time this happened but none of the files in it were changed as they're still dated from when I had to reinstall the vbulletin software. __________________ [SIGPIC][/SIGPIC] Jaded Souls \| A Haven For Creative Chaos You're so jaded.. and I'm the one who jaded you! Server: SH131 Serverload: Last edited by JadedSouls; December 20th, 2007 at 11:24 PM..

December 21st, 2007, 1:16 AM	#12 (permalink)
JadedSouls Jezebel From Hell.. Comfy Contributor Joined in Sep 2004 Lives in Canada, eh? Hosted on SH131 143 posts Gave thanks: 7 Thanked 1 Time in 1 Post	probably those 2 php files I found! haha that was the only thing added dec 20th that I didn't do myself and one was a blank 404.php file and another was a sdp.php file lwith gibberish in it. erg, just when I got my password memorized too - and it wasn't easy either! haha __________________ [SIGPIC][/SIGPIC] Jaded Souls \| A Haven For Creative Chaos You're so jaded.. and I'm the one who jaded you! Server: SH131 Serverload:

December 21st, 2007, 1:23 AM	#13 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,660 posts Gave thanks: 81 Thanked 128 times	Could've also been: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits." http://en.wikipedia.org/wiki/XSS Wikipedia.com __________________ Roxanne Urban Roxy -Personal Blog SH63 - the best darn shared server!

December 21st, 2007, 3:23 AM	#14 (permalink)
JadedSouls Jezebel From Hell.. Comfy Contributor Joined in Sep 2004 Lives in Canada, eh? Hosted on SH131 143 posts Gave thanks: 7 Thanked 1 Time in 1 Post	and that's how they would have been able to have put 3 (or more) files onto my portion of the server? this is all new to me... I'm not all that computer literate.. haha __________________ [SIGPIC][/SIGPIC] Jaded Souls \| A Haven For Creative Chaos You're so jaded.. and I'm the one who jaded you! Server: SH131 Serverload:

December 21st, 2007, 11:20 AM	#15 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,660 posts Gave thanks: 81 Thanked 128 times	"attackers to bypass access controls". Yes, pretty much. Well it has nothing to do with your computer per say, but the scripts/plugins that you use. They are unsafe and you need to find the bad apple if you haven't already, or it can happen again and God forbid, it can be worse. Not saying you did this, but just a heads up, NEVER download a script, plug-in, or theme from third party sites. If you noticed that the person distributing the file is not the creator, DON'T DOWNWLOAD it. Chances are the person has modified it especially for cases like this. __________________ Roxanne Urban Roxy -Personal Blog SH63 - the best darn shared server!

December 21st, 2007, 1:03 AM	#11 (permalink)
Zerxer Registered User Fresh Surpasser Joined in Dec 2007 Lives in Pennsylvania Hosted on orange 5 posts Gave thanks: 0 Thanked 0 times	Be sure to change your Passwords and stuff. It's possible they just cracked into that somehow. I'd also recommend having Surpass (if they haven't already) scan your site for any weird files. The people who got into mine put some weird script up that looked like it would store any login that is used.

December 21st, 2007, 12:31 PM	#16 (permalink)
MarkRH Race Surpass Super #1 Joined in Jul 2006 Lives in Oklahoma City, OK Hosted on sh102 1,222 posts Gave thanks: 18 Thanked 86 times	One thing... check your .htaccess file in /public_html/ and make sure that Code: Options -Indexes Is at the top of it; otherwise, it makes it too easy for people to go poking around your directory structure and find scripts, images, or other files you'd rather them not. With this, any directory that does not have a index.(htm, html, shtml, php) will be wide open for viewing. __________________ SH102 : Mark Headrick - Blog - Gallery Pelicar \| Company of Valor \| Mysstie Wolfestar

December 21st, 2007, 2:09 PM	#18 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,660 posts Gave thanks: 81 Thanked 128 times	I wish I could help you here, but I am too not sure what a "secure" .htaccess file should look like. =) Hopefully MarkRH or someone else can answer this, but good luck in the future. =D __________________ Roxanne Urban Roxy -Personal Blog SH63 - the best darn shared server!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search