21
Bazus
Re: someone hacked my sites.. help needed
Posted 2004/1/16 2:32 by Bazus (Not too shy to talk; Posts: 144; Since: 2002/9/23)


I found this long thread about blank pages HERE, but most of them refer to a blank page after installation. My sites have been up and running for 8 months at most, and the other for 4 months, without a hitch.

I'm going to back up the database from phpMyAdmin and after that I will delete all the tables so I can reinstall XOOPS again. Then I will try to restore the tables that have data in them, like the users table. Any suggestion on a better solution before I start messing things up?

22
DonXoop
Re: someone hacked my sites.. help needed

If you make a backup of the db and webroot then you can always go back. The quickest thing to do after the backups and a rename of the webroot is to copy the X files like a fresh install, make the mainfile.php and chmod changes, and see if you can get in against the existing database without the install routine. You can then update modules and maybe be back up.

The first thing to do after an attack is make a copy of the whole site and db before any changes are made. If you don't discover how they got into the servers they might be back again.

23
Bazus
All back to normal. Thanks to all the people who help one way or another.
Posted 2004/1/16 3:45 by Bazus (Not too shy to talk; Posts: 144; Since: 2002/9/23)


You were right on that, DonXoop. I was so overwhelmed with replacing all the index.php files that I overlooked the file theme.html. This file was somehow replaced too, but was renamed to theme_.html, and I noticed it just before I started deleting all the tables from the database :) Lucky me, I didn't have to go through all that process again; now the 2 sites are back to normal.

I do really appreciate all the help and suggestions here in this post. Just be aware that one day you may get hit by these hackers and have your work doubled.

Regards.

24
DonXoop
Re: All back to normal. Thanks to all the people who help one way or another.

Wow. Checking the theme files now goes on my list of first checks. You could have forced a theme change to default and had your site up. Now I'm humbled.

But it is a BIG clue. Someone had physical access to that file and knew what to do. Keep that file in a safe place and find out when it was done and how. All the logs should have already been copied off and stored for analysis. If they didn't cover their tracks, that is.

You say they defaced all or several sites on the same box? Is your access (ftp etc.) account common to all of them? If not, then they had root access, which makes the box suspect until fixed. If your account (or another) is common, then the best guess is they used that one and you should (have already) changed all passwords.

Then start looking at a member that knows XOOPS a bit. It is easy to know which theme is used as default and target it if they have ftp access.

Now have a beer.

25
DonXoop
Re: All back to normal. Thanks to all the people who help one way or another.

And.... after the dust settles I say start working toward dumping all unencrypted site management. Use encrypted file transfer and/or VPN for files and site admin. A good 3DES compressed IPSEC tunnel and compressed SSH/SFTP is much safer and faster.

And have another beer. Wish I had one too.

26
GoFuYo
Re: All back to normal. Thanks to all the people who help one way or another.
Posted 2004/1/16 4:37 by GoFuYo (Just popping in; Posts: 8; Since: 2003/12/16)


All normal again? Are you sure?

In case of such an event, I would not only delete the changed files. How do you know, btw., WHAT the HaCKorZ have EXACTLY done?
Logfiles analyzed? Checked for rootkits? Checked SUIDs, IDs, checked ports, etc.?
Most often the HaCKorZ leave themselves a backdoor, if possible, and an autorooter is used. This is one cause for these 'shame' redefacements.

BTW, it seems that these guys have 'nuked' again most PHP-Nukes and clones. Maybe again some injections or exploit, but not gone so far yet.

See http://www.zone-h.org/en/defacements and, for these guys,
http://www.zone-h.com/en/defacements/filter/filter_defacer=Ir4dex/ and after re-setting up their sites (the defaced ones), what you see are PHP-Nukes and clones ...

But I would normally take EXTREME care about what's up with your account, maybe even reinstall. Call me paranoid :)

Just my 2 cents.
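One way to do the two checks the posts above describe (compare the live webroot with a clean copy of the same release, and look for set-uid files) as a small shell script. This is an added example, not code from the thread or from XOOPS; the directory layout and files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. It does the two checks the posts
# describe: diff the live webroot against a clean copy of the same XOOPS
# release (DonXoop's "copy the X files like a fresh install") and list
# set-uid files (GoFuYo's "Checked SUIDs"). All paths and files are constructed.

# list_changed CLEAN WEBROOT -> one line per file that is new or differs
list_changed() {
  clean="$1"; web="$2"
  ( cd "$web" && find . -type f | sort ) | while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      printf 'ADDED   %s\n' "$f"        # e.g. a renamed theme_.html
    elif ! cmp -s "$clean/$f" "$web/$f"; then
      printf 'CHANGED %s\n' "$f"        # e.g. an overwritten index.php
    fi
  done
}

# list_suid DIR -> set-uid regular files under DIR (a common backdoor sign)
list_suid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# make_demo -> prints a temp dir holding a constructed clean/ and web/ tree
make_demo() {
  t=$(mktemp -d)
  mkdir -p "$t/clean/themes/default" "$t/web/themes/default"
  printf '<?php echo "xoops";\n' > "$t/clean/index.php"
  printf '<html>default</html>\n' > "$t/clean/themes/default/theme.html"
  printf '<html>defaced</html>\n' > "$t/web/index.php"           # replaced
  cp "$t/clean/themes/default/theme.html" "$t/web/themes/default/"
  printf 'x\n' > "$t/web/themes/default/theme_.html"              # planted
  printf '#!/bin/sh\n' > "$t/web/sh" && chmod 4755 "$t/web/sh"    # set-uid
  printf '%s\n' "$t"
}

# Stand-alone run: report on the constructed tree, then clean up.
d=$(make_demo)
list_changed "$d/clean" "$d/web"
list_suid "$d/web"
rm -rf "$d"
```

On a real box, point `list_changed` at a pristine unpack of the same XOOPS version and at a copy of the webroot taken before any cleanup, as DonXoop advises.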

27
GoFuYo
Re: All back to normal. Thanks to all the people who help one way or another.
Posted 2004/1/16 19:00 by GoFuYo (Just popping in; Posts: 8; Since: 2003/12/16)


Just for updating:

Some defacements via My_eGallery are currently running now, so check your My_eGallery configuration if you are using it!

http://fuckru.net/modules/My_eGallery/public/symba.html

Date/time: 2004/01/16 19:43
Defacer: powHacK
Domain: http://fuckru.net/modules/My_eGallery/public/symba.html
Mirror: Display mirror
IP address: 61.77.57.224
System: Linux
Web server: Apache
Attack method:

Those sucxxxx idiots have nothing better to do than trouble other people.
