Earlier today I noticed someone on my site under the IP 74.6.vvv.yyy. The YYY represented above was a constantly changing set of digits. The 74.6. were constant.

I noticed that my front page began to have the blocks showing up in all different positions. I checked the blocks in the admin module but they appear to be as they are supposed to be as far as the block supposing to be on the left, right, etc. But, they don't show up as they are designated to be on the front page.

I made no changes to the site itself prior to noticing the difficulties. I just noticed an ever increasing number of "users" on the site (usually runs about 10-25, but at this time up to 58 at one time). The admin area itself does not appear to have been violated nor is there any evidence that the password was broken. But, something happened and not subsequent to anything I did, so far as I can tell.


I am running 2.0.16 with protector installed.

To resolve this, I re-uploaded the 2.0.16 core files, the theme files, cleared the cache directory, cleared the templates_c directory, updated the system module, everything I could think of.

I checked a few minutes ago and it appears they are still trying to hack my site. I have reported it to the host and fully expect their genuine help. BUt, what do I do about restoring the site? What would they have done that I can undo? Thanks for any help,

Chappy

I probably can't help much at all but I'm wondering what modules you have installed?

Also, maybe try temporarily banning the IPs in your .htaccess?

order allow,deny
deny from 74.6
allow from all

Can you see the IPs via phpmyadmin?

C

Got to www.dnsstuff.com and do a IPWHOIS Lookup.
report incident to Network abuse email addy.

Thanks for the responses!

@ Cuidiu:

I have a bunch of mods installed - none of them added in recent days, and certainly none immediately before this began to happen.

Here's the mods installed:
Forms
Sudoku
Code Data Management
XF Planet
Web Digest
XF Article
SmartObject Framework
Cards (eXTGal)
Chat
Chess
Paypal Donations
WF-Downloads
Books of Interest
WordPress
SmartFAQ
Forums (CBB)
Frozen Bubble
WebLinks
News
Polls
Newsletter
Smartsection
Subscriptions
Sitemap
Contact Us
Link 2 Us

I have changed the htaccess to reflect the comments you made. I'll check later to see if I can see the IPs in phpmyadmin.

@Lloyd
I'll check that out, Lloyd!

Again, thanks to both of you. Any more suggestions as to where to look to straighten out the block situation would be appreciated.

If I understand the templates_c directory, your page layouts are cached here to minimize the reads from the DB. If someone gained access to that directory, they could edit or replace the cached versions of your pages, which would result in what you described.

I highly recommend to verify that anonymous ftp access is restricted or disabled on your site. Your server logs (or host) should also be able to tell you if there has been ftp access during the time the hack occurred.

I haven't kept up on vulnerabilities lately. Maybe someone else here can tell you if any modules you've listed ring a bell.

Does anyone else have (or had) access to the admin or is it just you?

Good luck with this. I hope you find out what happened and if so, please do let us know.

C

Chappy,
The IP you listed is probably Yahoo's. Here's one I just looked up that fell into my bot trap.
http://whois.domaintools.com/74.6.70.156

Unless you don't care about being listed in Yahoo's index, then feel free to ban them but if the ones visiting your site are from Yahoo (Inktomi Corporation), then they are probably not the culprits. Yahoo does have a zillion different so I can see why you'd be suspicious but I don't think they are messing with your blocks. Let us know if you find out anything else.
C

Quote:

Thanks again for your response, and for the added insight. IT was very helpful. Nor am I disputing your comments. Really, I am trying to learn about an area I know relatively little about as well as protect my site. Does this suggest that I was just listed by Yahoo and new users found me - and that the user number kept growing. I'm not saying that's the case, I just really don't know. Does the IP indicate the IP address that the visitor was referred from or the IP of the users home/work computer?

Next, I am still concerned about how I restore my blocks? Any ideas? I will turn my site back on if it will help. I just didn't want to turn it on if someone was messing with it. We had hits from these IPs approximately every thirty seconds...

Hi Chappy,

No, they aren't visitors if they show Inktomi Corporation on the whois info. They are search engine bots. Looks like Yahoo has discovered your site and is having a field day with it. I've had more than one bot on my site at a time.

What has happened to the blocks, I can't say. Can you provide a screen shot? What browser are you using to view the site? If you are on Windows XP, has your computer been automatically updated to Internet Explorer version 7? Some things do not display the same in IE7 as they do in older versions.

That's about all I can think of at the moment.

Thanks a bunch for the help and the clarification. I'm thrilled if they found my site. I'm PO'd that I turned it off now. It's back on now, thanks to you.

Additionally, I think I may have found the blocks issue. I had been using the Spotlight module to manage my recent news block. Why it just did this I have no idea, but when I turned off Spotlight, the blocks went back to normal. Is it that Spotlight doesn't play nice with 2.0.16 or the new news module? I have no idea. All I know is that it appears normal now.

Ya' know, I think I'm a pretty benevolent person. So security is not my strong suit. Our site just wants to help folks and keep the lights on. I learned a little here, so that helps. I just hope yahoo keeps on coming by.