My site was hacked

i searched a bit on google yesterday after "wp-conf.php" and found this:

http://blog.sucuri.net/2012/07/backdo...ality.html

and this too: http://r.virscan.org/report/00f99cf27...75865.html

last link i checked the php files from my website that had changed code and got this result from example wp-conf.php :

VirSCAN.org Scanned Report :
Scanned time : 2013/03/05 20:33:18 (CET)
Scanner results: 35% Scanner(s) (13/37) found malware!
File Name : wp-conf.php
File Size : 69981 byte
File Type : PHP script text
MD5 : 3eafa40e561e15c8b35230aca019f998
SHA1 : f75a777de5443a705fee4fed9d2b198e37a32270
Online report : http://r.virscan.org/412453670dcfbab78258d866dfa51a21

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20130306030114 2013-03-06 10.42 Backdoor.PHP.WebShell!IK
AhnLab V3 2013.03.06.00 2013.03.06 2013-03-06 3.44 -
AntiVir 8.2.10.202 7.11.50.58 2012-11-16 0.19 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.18 -
Arcavir 2011 201302270013 2013-02-27 8.30 -
Authentium 5.1.1 201303051213 2013-03-05 1.50 -
AVAST! 4.7.4 130305-0 2013-03-05 0.19 PHP:Agent-MN [Trj]
AVG 12.0.1794 2641/5650 2013-03-05 0.46 PHP/BackDoor.CK
BitDefender 7.90123.9214734 7.45808 2013-03-04 5.84 Backdoor.PHP.ASQ
ClamAV 0.97.5 16784 2013-03-05 0.21 Trojan.PHP-43
Comodo 5.1 15464 2013-03-05 2.28 -
CP Secure 1.3.0.5 2013.03.06 2013-03-06 0.17 -
Dr.Web 7.0.4.9250 2013.03.05 2013-03-05 16.59 PHP.Siggen.16
F-Prot 4.6.2.117 20130305 2013-03-05 0.85 -
F-Secure 7.02.73807 2013.03.05.06 2013-03-05 0.20 Backdoor.PHP.ASQ [Aquarius]
Fortinet 4.3.392 16.549 2013-03-06 0.24 -
GData 22.8324 20130306 2013-03-06 7.07 Backdoor.PHP.ASQ [Engine:A]
ViRobot 20130305 2013.03.05 2013-03-05 0.51 -
Ikarus T3.1.32.31.0 2013.03.05.83605 2013-03-05 9.04 Backdoor.PHP.WebShell
JiangMin 16.0.100 2013.02.09 2013-02-09 13.64 -
Kaspersky 5.5.10 2013.03.03 2013-03-03 0.25 -
KingSoft 2009.2.5.15 2013.3.5.9 2013-03-05 1.06 -
McAfee 5400.1158 7004 2013-03-04 10.93 -
Microsoft 1.9203 2013.03.05 2013-03-05 4.04 Backdoor:PHP/WebShell.A
NOD32 3.0.21 7951 2013-01-30 0.19 -
Norman 6.8.3 201208311030 2012-08-31 0.00 -
Panda 9.05.01 2013.03.05 2013-03-05 2.60 -
Trend Micro 9.500-1005 9.674.06 2013-01-22 0.19 -
Quick Heal 11.00 2013.03.05 2013-03-05 1.03 -
Rising 20.0 24.52.00.04 2013-03-04 0.38 -
Sophos 3.39.0 4.85 2013-03-05 9.81 Troj/PhpShel-G
Sunbelt 3.9.2558.2 15866 2013-03-05 0.88 -
Symantec 1.3.0.24 20130303.009 2013-03-03 0.66 PHP.Backdoor.Trojan
nProtect 20130305.01 14108875 2013-03-05 7.09 Backdoor.PHP.ASQ
The Hacker 6.8.0.0 v00201 2013-03-04 0.67 -
VBA32 3.12.20.2 20130305.1242 2013-03-05 2.62 -
VirusBuster 5.5.2.13 15.0.367.0/109791522013-03-05 0.19 -

hope this is someway usefull to you hardcore champs here ;) ( as stated in my earlier post i got access logs and php files to send to the admins here if needed )

already like 2 months have passed since you promised beta:)

You must have missunderstand it, I have personally never given a date on a V8 beta.
Richard however said a while ago (pherhaps 2 months) that according to his schedule he was about 1 month behind at that time.
For the record, i consider the timeframe less important.
The result is the most important thing here, and it is improving everyday.
I do not wanto see a beta or a release that lacks crucial updates or functions that i see needed.
We will see how the upcomming Dev meeting goes, it will give us a better view of things.

ok, I understand
just not worth reassuring people

My site was hacked into last night. This is the email 1&1 sent me. This is the second time my site has been hacked. This second time was the worst. Thank god for 1&1, they stop it when it happens and here is what happened.

******************************************************************************
1. Analysis of the attack
******************************************************************************
1.1 The hackers processed the attack through a security leak in your software

- PhP-Fusion

They misused at least the following modules or files of this software:

./newforum/administration/index.php

1.2 Via this security leak, the hackers have uploaded the following malicious
files to your webspace:

./c.php
./boycurtainleebrown/*
./earthbeautyadamdoyle/*
./commandbear/*
./boycurtain/*
./castcabinet/*
./evilcough/*
./curlcookmichaelmurray/*
./alternativelyestimate/*
./alternativelyestimatemichaelferguson/*
./castcabinetmartinmoore/*
./curlcook/*
./danceeditor/*
./newforum/articles.php
./newforum/contact.php
./newforum/downloads.php
./newforum/edit_profile.php
./newforum/faq.php
./newforum/index.php
./newforum/login.php
./newforum/lostpassword.php
./newforum/maincore.php
./newforum/maintenance.php
./newforum/members.php
./newforum/messages.php
./newforum/news.php
./newforum/news_cats.php
./newforum/photo.php
./newforum/photogallery.php
./newforum/profile.php
./newforum/print.php
./newforum/reactivate.php
./newforum/readarticle.php
./newforum/register.php
./newforum/search.php
./newforum/setuser.php
./newforum/showphoto.php
./newforum/submit.php
./newforum/weblinks.php
./newforum/config.php
./newforum/viewpage.php
./newforum/wp-conf.php
./newforum/accountdY7.php
./newforum/D9index.php
./bind.php
./backgroundcapital/*
./evilcoughbriandavies/*
./encounterienvironment/*
./wp-conf.php
./facebcom.html
./earthbeauty/*
./dollarchartdarrenroberts/*
./enquirychair/*
./enquirychairalanjames/*
./afraiddelivery/*
./afraiddeliveryjamesmorgan/*
./alternativeelevator/*
./alternativeelevatorcraigdavies/*
./adoptbay/*
./adoptbayphilipmurphy/*
./bakeefficient/*
./bakeefficientcraigsmith/*
./celebrateexageration/*
./celebrateexagerationbrianedwards/*
./disapprovalcough/*
./disapprovalcoughshaunarmstrong/*
./creditcardcentimetre/*
./creditcardcentimetregarymurray/*
./LijHgs3_4826624.php
./cookiebrave/*
./cookiebravematthewlewis/*
./bad-temperedattention/*
./bad-temperedattentionmartinmitchell/*
./corechop/*
./corechopshaunwallace/*
./busycore/*
./busycorejonathanwilliams/*
./candidatedictionary/*
./candidatedictionaryanthonystewart/*
./deafargue/*
./deafarguegarywatson/*
./anniversaryarmed/*
./anniversaryarmedcraigturner/*
./barrierbuyer/*
./barrierbuyeralanrichardson/*
./bubblecurly/*
./bubblecurlystuartgreen/*
./backcent/*
./backcentianmorris/*
./congratulationscloth/*
./congratulationsclothkevinyoung/*
./LijHgs3_6220339.php
./coldcarrot/*
./coldcarrotmichaelmoore/*
./analysischemistry/*
./analysischemistrystuartphillips/*
./accountask/*
./accountaskkevinmoore/*
./bardancer/*
./bardancerrobertwallace/*
./candyconfuse/*
./candyconfusecraigbrown/*
./badlyarticle/*
./badlyarticlepaulroberts/*
./draftbowl/*
./draftbowldeanjones/*
./earnbetween/*
./earnbetweenjamesclark/*
./chemicalemphasize/*
./chemicalemphasizeneilbennett/*
./accessentertaining/*
./accessentertaininggeoffreylewis/*
./LijHgs3_9507865.php
./equivalentchop/*
./equivalentchopjustinmurphy/*
./elegantenergy/*
./elegantenergydeanjames/*
./drawerbrick/*
./drawerbricktimothywilson/*
./accidentcheat/*
./accidentcheatgarywatson/*
./entertainmentcost/*
./entertainmentcostsimonalien/*
./approvalchart/*
./approvalchartpeteredwards/*
./LijHgs3_8071897.php
./atomcountryside/*
./atomcountrysidepeterwhite/*
./evidencecourt/*
./evidencecourtcolintaylor/*
./evenbaby/*
./evenbabyjasonscott/*
./eggcaptain/*
./eggcaptainkevinjones/*
./barchart/*
./barchartjasondavies/*
./dollarchart/*
./cyclingburnt/*
./.z/*
./cyclingburntadrianalien/*
./backgroundcapitalandrewlee/*
./encounterienvironmentrichardwilliams/*
./commandbearpetermurphy/*
./danceeditorpaulgreen/*
./235-functoins.php
./wp-includes.php
./wp-xkiwap.php
./wp-tvofwh.php
./wp-lppgth.php
./wp-kwqjkme.php
./wp-rqjqpem.php
./wp-olzgzk.php
./wp-vvghko.php
./wp-biptkv.php
./abortd_bbb.html
./htaccess

let me guess, the first time you didnt find the code inserted in "./newforum/administration/index.php" and deleted it, or didnt make a backup from before the first hack?
if you dont get everything deleted he has inserted/changed then he will still have access to your site, in this process after you have removed everything you gotta remember to change logins and passwords since its most likely he has this now.

in administrator folder new file malicius

all my files are infected with this virus ... I had to restore everything .. how do I solve the problem of these constant attacks?

A small script which will help in time to learn about hacking: the names of new or infected files, folders. This script scans the directory of your site, and if there were changes to existing files or added new files and folders, you will receive a message on the email. Put on a cron.
Fchecker v2.1

(I'm just following the thread)



Hi,

Is there an English version of the file or at least of the read-me instructions?
Thank you.

I came across this site that discusses hashing passwords. It is way over my head, but perhaps some of the gurus that frequent this site can understand it and perhaps merge it into the registration process? Of course it is also possible that I have misunderstood the content of the site and it has no relevance to this.

http://www.martinstoeckli.ch/php/php....tml#bcrypt

It does have some meaning, if an attacker successfully uploaded such files into your website then their is a lot of things they could do.

One being that they could read the config.php file and get your database login information and have full access to your website.

Passwords are currently safe in a sense of encryption, there really is no need in alteration for safety. However, their are still methods that an attacker can bypass to get your username and password in plain text without the need to decrypt information.

Hi. This auto translate:

Thank you.
:) I'll try it but I'm not very confident in auto translations ;)

It's simple. Set the path for the file /list, specify the email, which will receive the notification. Script working. It will not protect against hacking, but at least you will know about it in time. Put on cron, so called about once an hour. A better way to specify the full, for example $filelist = '/var/www/data/login/www/';

Thank you.

Hello. Here's another great script to find malicious code on your website. The script really good, worker. Translation yourselves. The script can scan all files, without exception, and then present the full details of existing malicious code or parts of them. AI-Bolit

UPDATE
Especially for you added a translator from google translate for convenience. I recommend to anyone who was version 7.02.01 - 05 check out the site for malicious code. This script has a patent and copyright protected.

My site is receiving a completely different set of attacks. I am currently running v7.02.05 and will update to v7.02.06 this weekend.

Today I was able to track down and delete just over 72000 forum posts by user 65535. The strange thing is that this user does not exist and other spam users are constantly registering, which every one of them seems to have a post however when viewing the SQL database, the same user ID of 65535 appears. How is he doing this and where can I cut off his access. He has a different email address and IP for every registration.

Another big problem: For some reason, under Admin Panel --> Settings; The following are completely unresponsive [nothing saves when clicking 'save']
Forum Settings --> "Attachments max size: Maximum file size in bytes" does not save when I click save.
Items per Page --> "News per page:" does not save value when I click save.
Miscellaneous Settings --> "Display render time (in footer)?" does not change to yes when I click save.
Photo Gallery Settings --> No changes will save at all.
Registration Settings --> "Use email verification for registration?" Does not save.
Registration Settings --> "New members activated by admin?" Does not save.
Registration Settings --> "Display validation code?" Does not save.
Registration Settings --> "Enable terms of agreement?" Does not save.
Registration Settings --> "Terms of Agreement" Does not save.
Security --> Flood interval (seconds):" Value does not save.
Security --> "Bad words list:" Value does not save.
Security --> "Bad word replacement:" Value does not save.

On a final note; I am still receiving the following error and have no idea of how to fix it.
"WARNING: An error occurred while parsing the page. Please see PHPFusion's error log for more details."

Any assistance would be appreciated.

[olist=1]Remove all your site contend + db
Restore backup
Update[/olist]

@PolarFox:
If your solution was is that simple, then why were the same spammers attacking this website this morning as well. I saw the same messages posted here just a few hours ago. I mean I do appreciate your answer however, what you suggest has already been done.