posted
My site has been hacked (again). This time, all the files are still intact - I've examined every single one I have access to.
The way it works is that almost any URL I type in goes to the same page. I've checked .htaccess to see if it's redirecting anything. Other than that, I'm not sure how this could be done short of a DNS spoofing attack, which I don't think it is.
Does anyone know what files I could look at to see if a redirect has been set up? Maybe some kind of weird caching? I don't know enough about Apache to know where to start.
Posts: 26071 | Registered: Oct 2003
posted
Dag, both your site and the Seaton Prince site resolve to a location on secureserver.net. Is that in fact your host? If so, I suspect a hosting problem.
Posts: 37449 | Registered: May 1999
posted
Can you see where dprhensim19.doteasy.com resolves? (How do you do that?) My host is doteasy, and this address is definitely my server.
Posts: 26071 | Registered: Oct 2003
quote: Originally posted by Dagonee: Can you see where dprhensim19.doteasy.com resolves? (How do you do that?) My host is doteasy, and this address is definitely my server.
posted
Yep. It gives access to all the data on my site, and none of it appears to explain this behavior.
I thought it might be a redirect, but I don't have access to an httpd.config, so I can't check that.
Posts: 26071 | Registered: Oct 2003
posted
I take it that you don't have access to the Apache config file itself? The redirect might be in the Apache config file - or your default index file (index.htm, index.html, index.php) might have had a redirect added to it by somebody ...
Posts: 136 | Registered: Aug 2003
posted
I checked the default file - my index.php file is clean, and I don't have an index.htm or index.html file unless they're hidden.
I don't have access to the Apache config, so I think I'm stuck waiting for tech support to wake up tomorrow morning.
Posts: 26071 | Registered: Oct 2003
posted
BTW, you should update your integrity checking script to send you the MD5s of all the files (have it skip image directories, or only do them rarely, or only MD5 the first few hundred bytes of a file), that'll make changes pop out at you.
Posts: 15770 | Registered: Dec 2001
posted
OK, that's very strange. The modified date on the configuration.php file was very old - I'm not sure how they changed that without the date changing.
I've changed it to read only (only the owner had write access), hopefully that will help. But it's worrisome. How did they get owner access to that file?
posted
I wouldn't be surprised if there's an exploit to mambo or one of the common modules that's not been publicized/patched. PHP CMSes are known to be, with few exceptions, hives of security problems.
edit: you might be able to find it with some log audits, assuming he didn't edit those. I have some knowledge in that regard if you want me to take a look and can narrow in on some excerpts based on exploit time.
Posts: 15770 | Registered: Dec 2001
quote: The hack is a basic "SQL injection" hack, which is why you cannot find any instance of that HTML code in your files on the site. The HTML is located in your database and generated when the headers (or wherever the code was injected) are called by the site files.
To fix this, you need to get into your website control panel. Hopefully, you have access to your database to be able to edit tables. Depending on the type of control panel you have for it, you can perform a search for a string of that code (just a snippet should do). Or, if you had the foresight to back things up, you can restore from a backup. Once that is fixed, you should be able to get to your page in a reasonable condition.
If you need more help there, e-mail me and I'll do what I can to help. I can also help you harden your site against such things in the future, which would include adding a bit of extra code in the files but would mostly involve changing file and folder permissions to a slightly-different-than-instructed-but-totally-functional configuration that is the cause of many holes like this. In fact, most files for content management systems like mambo have to do with the "xmlrpc.inc" file or the folder that holds it (often called "includes").
I've recently dealt with this stuff and with forum software, so if you need assistance I will do what I can.
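The quoted reply's point is that the injected HTML lives in database rows, not in any file, so a file search finds nothing and the fix is to search and edit the tables. The script below is an added example written for this thread, not code from the poster or from mambo: it walks every table and column of a database looking for a snippet of the injected markup, reports the hits, and strips the snippet from the affected rows. The schema, table names and the `NEEDLE` snippet are constructed for the demo; it uses SQLite so it runs offline, but the same loop applies to a MySQL site by listing tables and columns from `information_schema.columns` instead of `sqlite_master`.

```python
import sqlite3

# Constructed marker standing in for a short, distinctive substring of the
# injected HTML; any snippet that does not occur in legitimate content will do.
NEEDLE = '<iframe src="http://injected.invalid/"'


def find_injected(conn: sqlite3.Connection, needle: str) -> list:
    """Return (table, column, rowid) for every cell that contains needle,
    across every column of every table. Table and column names come from the
    schema catalogue (not from user input), so quoting them as identifiers is
    safe; the needle itself is always bound as a query parameter."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr("{col}", ?) > 0',
                (needle,))
            hits.extend((table, col, rowid) for (rowid,) in rows)
    return hits


def strip_injected(conn: sqlite3.Connection, hits: list, needle: str) -> int:
    """Remove the snippet from each reported cell in place (the manual table
    edit the reply describes). Returns the number of rows updated."""
    updated = 0
    for table, col, rowid in hits:
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) WHERE rowid = ?',
            (needle, "", rowid))
        updated += cur.rowcount
    conn.commit()
    return updated


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory schema loosely shaped like a CMS. The injected
    HTML sits in a template header row and inside one article body."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE site_templates (id INTEGER PRIMARY KEY, name TEXT, header_html TEXT);
        CREATE TABLE site_content   (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE site_users     (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
    """)
    injected = NEEDLE + ' width="0" height="0"></iframe>'
    conn.executemany("INSERT INTO site_templates VALUES (?, ?, ?)", [
        (1, "default", '<div id="hdr">Welcome</div>' + injected),
        (2, "print", '<div id="hdr">Print view</div>'),
    ])
    conn.executemany("INSERT INTO site_content VALUES (?, ?, ?)", [
        (1, "Hello", "<p>First post.</p>"),
        (2, "Update", "<p>Second post.</p>" + injected),
    ])
    conn.execute("INSERT INTO site_users VALUES (1, 'admin', 'admin@example.invalid')")
    conn.commit()
    return conn


def demo() -> tuple:
    """Scan the constructed database, clean it, and rescan to confirm."""
    conn = build_sample_db()
    before = find_injected(conn, NEEDLE)
    updated = strip_injected(conn, before, NEEDLE)
    after = find_injected(conn, NEEDLE)
    return before, updated, after


if __name__ == "__main__":
    hits, n, remaining = demo()
    for table, col, rowid in hits:
        print(f"injected snippet in {table}.{col} rowid={rowid}")
    print(f"rows cleaned: {n}, hits remaining: {len(remaining)}")
```

Stripping the snippet only removes the visible symptom; the reply's other advice still applies: restore from a backup if one exists, and close the injection point in the site code, otherwise the rows will be rewritten.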
posted
I found out that the modified date doesn't update when they create a new file with the same name.
fugu, check your email. The file is configuration.php. The time it was created was 15:04 today.
Icarus, I'll take John up on that, but I can't until after the bar exam. If this happens again, I'm going to have to strip the site and put a "down until August" notice up.
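Two earlier points in the thread fit one script: the suggestion to have the integrity checker mail MD5s of every file (skipping or only partially hashing image directories), and the observation that a rewritten configuration.php kept its old modified date. The script below is an added example for this thread, not the poster's own checker: it snapshots a tree with MD5 (full hash for code, first 512 bytes for image files), diffs two snapshots, and flags files whose content changed without the mtime advancing. It also records ctime, the inode change time, which the kernel updates on every write, rename or permission change and which cannot be set from userland the way mtime can; a ctime well after the mtime is therefore worth a look. The directory names, extensions, tolerances and the demo tree are all constructed assumptions.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumptions (not from the thread): directories skipped entirely, extensions
# whose files are only partially hashed, how many leading bytes to hash, and
# how far ctime may trail mtime on an ordinary write before it is reported.
SKIP_DIRS = {"cache", "tmp"}
PARTIAL_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PARTIAL_BYTES = 512
CTIME_SLACK = 60  # seconds


def fingerprint(path: Path) -> dict:
    """MD5 the file (fully, or only its first PARTIAL_BYTES for image files)
    and record its size plus the inode's modification and change times."""
    partial = path.suffix.lower() in PARTIAL_EXTS
    digest = hashlib.md5()
    with path.open("rb") as fh:
        if partial:
            digest.update(fh.read(PARTIAL_BYTES))
        else:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    st = path.stat()
    return {
        "md5": digest.hexdigest(),
        "size": st.st_size,
        "mtime": st.st_mtime,  # the "modified date"; anyone who can write the file can set it
        "ctime": st.st_ctime,  # inode change time; maintained by the kernel only
        "partial": partial,
    }


def snapshot(root: Path) -> dict:
    """Map each file path (relative to root) to its fingerprint."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = fingerprint(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'backdated' lists files whose content changed while
    the mtime did not advance; 'ctime_after_mtime' lists files whose inode was
    touched well after the modification time they claim."""
    report = {"added": [], "removed": [], "changed": [],
              "backdated": [], "ctime_after_mtime": []}
    for rel, now in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif now["md5"] != old["md5"] or now["size"] != old["size"]:
            report["changed"].append(rel)
            if now["mtime"] <= old["mtime"]:
                report["backdated"].append(rel)
        if now["ctime"] > now["mtime"] + CTIME_SLACK:
            report["ctime_after_mtime"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Constructed scenario: a small site tree, a baseline snapshot, then a
    rewritten configuration.php whose mtime is put back to the old value."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php include 'configuration.php'; ?>\n")
    (root / "images" / "logo.gif").write_bytes(b"GIF89a" + bytes(1024))
    cfg = root / "configuration.php"
    cfg.write_text("<?php $db_host = 'localhost'; ?>\n")
    month_ago = time.time() - 30 * 86400
    os.utime(cfg, (month_ago, month_ago))  # a config file untouched for a month
    baseline = snapshot(root)

    cfg.write_text("<?php $db_host = 'localhost'; /* constructed injected line */ ?>\n")
    os.utime(cfg, (month_ago, month_ago))  # modified date now looks unchanged
    (root / "new.php").write_text("<?php /* constructed new file */ ?>\n")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key:18} {files}")
```

Run the snapshot from cron, keep the baseline somewhere the web server's user cannot write, and mail the diff; a legitimate chmod also moves ctime without mtime, so expect the owner's own permission changes to show up in `ctime_after_mtime` once.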