2
So, the story.
It all had begun two days ago in the 2:00am.
Some SQL-injection was performed. So, site name and language were changed and links
to "hacked"-titled site were inserted. Also i can not change anything using administrative kit -
I see "OK" message but no changes are done.
The system version was 2.0.13.2.
I had restored it from backup. Pity for six day information but there is no choice -
site was hacked befory daily backup. Either account and database credentials were changed.
2:00 pm - site was hacked.
I had restored again and had applyed may (it seems) patch.
8:00 pm - site was hacked.
I had restored again. Had found new 2.0.14 version at .org and had upgraded site to this distributive.
2:00 am - site was hacked.
I had restored it using new installed version backup. Had found protector-module and had installed it.
Then i had change table prefix and had truned on all module protection. The protector had sweared only at
"register_globals on" and "fopen". If i use "register_globals off" administrative kit feels bad not mention
to the site. So i had to use "register_globals on" expression. Also i have no possibility to switch off "fopen"
cause all site users use it.
2:00 pm - site was hacked.
Restoring again. I had moved all this account sites to other account (i thought may be site was hacked throgh 'em).
8:00 pm - site was hacked.
I had suspended account. Waiting while they leave me.
But I think that it is not a wayout cause it is obviously that automatics is performing this attacks on shedulde.
However I saw other attacks - yesterday in the evening. They had hacked 3-4 times through 20-30 minutes.
Attack type is almost not changed but is morphing during to upgrades. It seems It became to be hard for them,
but it doesn't stop.
I need advise - what to do?
log file: hack.log
It all had begun two days ago in the 2:00am.
Some SQL-injection was performed. So, site name and language were changed and links
to "hacked"-titled site were inserted. Also i can not change anything using administrative kit -
I see "OK" message but no changes are done.
The system version was 2.0.13.2.
I had restored it from backup. Pity for six day information but there is no choice -
site was hacked befory daily backup. Either account and database credentials were changed.
2:00 pm - site was hacked.
I had restored again and had applyed may (it seems) patch.
8:00 pm - site was hacked.
I had restored again. Had found new 2.0.14 version at .org and had upgraded site to this distributive.
2:00 am - site was hacked.
I had restored it using new installed version backup. Had found protector-module and had installed it.
Then i had change table prefix and had truned on all module protection. The protector had sweared only at
"register_globals on" and "fopen". If i use "register_globals off" administrative kit feels bad not mention
to the site. So i had to use "register_globals on" expression. Also i have no possibility to switch off "fopen"
cause all site users use it.
2:00 pm - site was hacked.
Restoring again. I had moved all this account sites to other account (i thought may be site was hacked throgh 'em).
8:00 pm - site was hacked.
I had suspended account. Waiting while they leave me.
But I think that it is not a wayout cause it is obviously that automatics is performing this attacks on shedulde.
However I saw other attacks - yesterday in the evening. They had hacked 3-4 times through 20-30 minutes.
Attack type is almost not changed but is morphing during to upgrades. It seems It became to be hard for them,
but it doesn't stop.
I need advise - what to do?
log file: hack.log
4
create backup main file xoops\modules\myalbum\photo.php
if you get error, for to return into the default position.
open file xoops\modules\myalbum\photo.php
find (line 68 )
replace
find (line 102 )
replace
note:
style=\"FILTER: Alpha( style=0,opacity=25) gray\" it works only Internet Explorer
height='60' change height value how would you like
find (line 104)
replace
note:
height='60' change height value how would you like
it was
http://img490.imageshack.us/my.php?image=16uy.jpg
it became
http://img207.imageshack.us/my.php?image=27cp.jpg
end
if you get error, for to return into the default position.
open file xoops\modules\myalbum\photo.php
find (line 68 )
$fullcountresult = $xoopsDB->query( "SELECT lid FROM $table_photos WHERE cid=$cid AND status>0 ORDER BY {$myalbum_orders[$orderby][0]}" ) ;
$ids = array() ;
while( list( $id ) = $xoopsDB->fetchRow( $fullcountresult ) ) {
$ids[] = $id ;
}
replace
$fullcountresult = $xoopsDB->query( "SELECT lid, title, ext FROM $table_photos WHERE cid=$cid AND status>0 ORDER BY {$myalbum_orders[$orderby][0]}" ) ;
$ids = array() ;
while( list( $id, $title, $ext) = $xoopsDB->fetchRow( $fullcountresult ) ) {
$ids[] = $id ;
$ide[] = $ext ;
$idt[] = $title ;
}
find (line 102 )
$photo_nav .= "$i ";
replace
$photo_nav .= "<img style="FILTER: Alpha( style=0,opacity=25) gray" src='$thumbs_url/".$ids[$i-1].".".$ide[$i-1]."' alt='".$idt[$i-1]."' height='60' > ";
note:
style=\"FILTER: Alpha( style=0,opacity=25) gray\" it works only Internet Explorer
height='60' change height value how would you like
find (line 104)
$photo_nav .= "<a href='photo.php?lid=".$ids[$i-1]."'>$i</a> ";
replace
$photo_nav .= "<a href='photo.php?lid=".$ids[$i-1]."'><img src='$thumbs_url/".$ids[$i-1].".".$ide[$i-1]."' alt='".$idt[$i-1]."' height='60' ></a> ";
note:
height='60' change height value how would you like
it was
http://img490.imageshack.us/my.php?image=16uy.jpg
it became
http://img207.imageshack.us/my.php?image=27cp.jpg
end
Login
Search
Recent Posts
Who's Online
Donat-O-Meter
| Stats | |
| Goal: | $100.00 |
| Due Date: | Apr 30 |
| Gross Amount: | $0.00 |
| Net Balance: | $0.00 |
| Left to go: | $100.00 |
 |
|