
Site Hack in v6.00.305!!!

utadexter (Member) asked:

Hey all, I was looking for some help in trying to get rid of this god damn idiot that likes to wipe our website and they use it to forward our site onto adult sites.

At first I thought it could be spyware, but after uploading the backups I created of our site via (old school MacOS 9.2.2) we’re still getting hacked. I’m beginning to wonder if the asshole somehow has left a line of code in my previous back-ups and is still getting in even after completely reinstalling php-fusion v.6.00.305 onto my site. I started with v.6.00.305 and still would love to use it… but at this rate it’s almost not worth it if I keep getting hacked.

I’m wondering if somehow they were able to store information to my mysql database and record my information… or even if they might be running an XML script in their signature within their profile.

All I know is once I’ve put back up our site, it usually takes the hacker a few minutes to a couple of hours & it’s gone again. They take one of the .htaccess files and make it a 403 redirect to an adult site of their choice. Now I currently have a few images I’ve uploaded back onto my site, and just an index.htm file.

It’s been up almost 24 hours which to me says that they must be getting in via fusion somehow because it usually is hacked every 2 hours. I have no other MySQL databases running. My cPanelx has 32 characters mixed with symbols, numbers, punctuation, and letters. They can’t be accessing my cPanelx directly.

My host doesn’t know what to do when I ask them for help because they say it’s a low level security issue that I should be able to fix… yet they can’t seem to do anything to help because they are pointing fingers at php-fusion or pointing fingers at me saying it’s probably a Trojan or SpyWare. Yet I uploaded the back-ups of my site via MacOS 9.2.2 and still I’m getting hacked? I wonder if there truly is an infected file or a command string within fusion I’m unaware of.


I was hoping that there were a couple things that could be done but was unsure of,

1. Is there any way to record in php what the hacker is doing? Like recording their steps so that I can put a stop to how they are getting in? Maybe even set something up and transfer the information to another site or through an e-mail. (Just guessing here)

2. Is there any way to make the passwords longer than 20 digits? (i.e. 32 – 64 digits) Is there also a way to make them not just alphanumeric? Like including punctuation & symbols? Here is a good password generator I use: (http://www.winguides.com/security/password.php)

I would love to know how this asshole is getting in, and if it’s a security issue then I want to let php-fusion know ASAP so it can get corrected in future versions. If you have any comments or questions please reply as I’m getting rather desperate seeing how I couldn’t keep our phpBB2 discussion board alive, as they hacked the **** out of that one too. Fusion was supposed to be the alternative to phpBB2 and also be a new facelift on our site… but right now it’s not doing a damn thing.
Rubberman (Junior Member) answered:

I'm gonna try to help you through a network administrator's point of view, so please don't delete the user Tester... that is just me

Possibilities and questions:
1. why is it just your site? have you tried to see if other sites from Acenet have also been hacked, and if so, are they using a cms of any type?

2. the .htaccess file can, as far as i know, only be changed by accessing the root via direct (from isp) or over the ftp port. again, why just your site? the hackers would have access to the isp account files if it was going through them in which case many sites would have been hacked, so i have to agree that the isp is secured enough.

3. php-fusion does store access to the database files (which should, as mine, have a completely different password unless you are using the same password for both the database and main site access, which i doubt is the case.)

4. i don't see any kind of user file upload script being used on your site, which logically means that an upload script is not being exploited to gain access to the root.

5. i can imagine that the upload script for the avatar would and could be a point of exploitation (i am not a programmer... but have been learning) only because it takes files from one destination and sends to the server, but you would have to talk to the people here if there is a possibility of accessing other directories.

6. i would, for a while disable the ability to use signatures, because of the fact scripting is uploaded from other sites, but then again why haven't the people here at php-fusion and the other fusion sites been hacked?

7. which brings me to my logical point that i doubt that it will be a software (fusion) problem.

8. that leaves only the possibility that you do have a keylogger working in the system somewhere (if you would like to send me a copy of your running processes at the time of the ftp connection i will look at them for you), and a printout of the program and windows directory with files. if one is there (most likely in the processes) then we will find it.

so, running through this as a network admin / technician, these are the logical points that you should first look at if the .htaccess is being changed. i am, of course, ruling out the fact that a "friend" that may be working with you on the site is not passing information. i noticed even in your posts that passwords and usernames were being shown. that's the kind of carelessness that leads to hacking.

i hope these steps will help you in your search because i've been running many sites and networks including my webserver here in my house with many different providers and (knock on wood) have not been hacked.

for a test, i agree that a fresh installation would be one way to go, and on the welcome screen you could welcome all hackers and let it run like that for a couple of days. that would at least narrow it down.

The Rubberman
Edited by Rubberman on 10-04-2006 14:02,
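
Added example (not part of the original posts and not php-fusion code): a Python check that can be run on a copy of the site or on a backup. It hashes every .htaccess file so changes show up against a baseline, and lists redirect-capable Apache directives that point away from the site's own host; the directory layout, `example.org` and `redirect.example.net` are constructed sample values.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
DIRECTIVE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule|ErrorDocument)\b(.*)$", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)

def snapshot(root):
    """Map every .htaccess under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob(".htaccess")}

def changed(baseline, current):
    """Paths added, removed or modified since the baseline snapshot."""
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p))

def external_redirects(root, own_host):
    """(file, line number, directive, host) for each redirect leaving own_host."""
    hits = []
    for path in sorted(Path(root).rglob(".htaccess")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            for url in URL.findall(match.group(2)) if match else []:
                host = (urlparse(url).hostname or "").lower()
                if host != own_host and not host.endswith("." + own_host):
                    rel = path.relative_to(root).as_posix()
                    hits.append((rel, number, match.group(1), host))
    return hits

def demo():
    """Constructed site tree: baseline, tamper with forum/.htaccess, re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "forum").mkdir()
    (root / ".htaccess").write_text("ErrorDocument 404 /404.php\n")
    (root / "forum" / ".htaccess").write_text("Options -Indexes\n")
    baseline = snapshot(root)
    # Constructed tampering: the 403 page now points at another host.
    (root / "forum" / ".htaccess").write_text(
        "ErrorDocument 403 http://redirect.example.net/\n")
    return changed(baseline, snapshot(root)), external_redirects(root, "example.org")

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the live document root, the time at which a change first appears gives a window to match against the host's FTP and web access logs.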