kfunk

Ugh.

I got an email today from RSA Cyota on behalf of JPMorgan Chase. Turns out there was a phishing site buried on my website with a fake Chase bank login page! And perhaps a php bulk emailing script too. Someone found a way to upload this crap to my site. Pisses me off so much. So tired of fighting hackers, it takes all the fun out of having a website; makes me want to just shut it down.

__________________
KFunk.net
Server: Yesenia

Bigjohn

Oww. that SUCKS.

Keep on. Make sure your stuff is always up to date and as secure as you can make it. Fight the good fight, Amigo.

__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!

kfunk

The surpass tech thinks it was due to some homebrew code. Course, I've had it that way for 4 years now. The way my site was setup is I made index.php be the layout for everything and used index.php?page=page.html and a php include in the body to put that page.html in the right place. This way I only had one file with layout stuff and could bring in anything to it. The tech thinks they used this to do page=someexternalURL and execute foreign php code shell scripts to upload those files.

So, I had to change it so now it's index.php?page=keyword and then I have in the body some if statements like if page == about, then include about.html. I think this should fix the suspected security hole... but it sure makes it a pain in the ass adding new pages cause now I gotta add a new if statement every time

__________________
KFunk.net
Server: Yesenia

H

Dynamic includes are one of the leading causes of this sort of problem. This a good reason why Surpass is disabling allow_url_fopen.

kfunk

Oy, people leaving me messages on my bulletin board:

"James E Kanehl [1-25-07] : Unsubscribe!!!!!!"

"Notstupid [1-24-07] : Nice phishing e-mail, but very very foolish, you'd better hope some hacker stole your site and planeted the crap in the directories http://kfunk.net/G20/.online/ and beyond, or your heading for jail"

I hope emails aren't being sent using my account... I deleted a folder that I didn't recognize that said something about php bulk emailer in it.. I'd hope that if my account was sending the emails, that it isn't now that I deleted that folder

__________________
KFunk.net
Server: Yesenia

Skipdawg

It could be spoofed email too. The true IP should be in the emails header. So anyone willing to help you who has received that email could look and send you the IP. Not a whole lot can be done about spoofed email though.
Hope you can get it worked out quickly. Can be a royal pain and annoyance.

__________________

kfunk

I'm looking in awstats for this month...

Any idea why in the Pages-URL (Top 25) list, this is at the top:
/gallery1/templates/default/images_spanish/edit.php
with 735 viewed.

gallery1 is my 4images image gallery

__________________
KFunk.net
Server: Yesenia

Bigjohn

Is your 4images fully patched?

__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!

kfunk

apparently there was a small upgrade available in fantastico... went ahead and did that just now.

__________________
KFunk.net
Server: Yesenia