The self-proclaimed Palestinian Cyber Terrorist got my host server a couple of weeks ago. AND took down my dating sites. Ironic it happened when I was in Israel and I was learning of the hardships they have first hand... this did not really help things...
HOWEVER I have one site almost fixed
In the description of a profile his mark still comes up... can someone please tell me where this file is at so I can replace it?
I would so appreciate that. AFTER this 10 more sites to fix this one is www.adventistdate.com
THANKS
|
I sent you a message with a couple of files to check.. are the words text or is that a picture? If the words are actually text you can use SSH to find the file. Just SSH into the server and type this:
grep -lr 'HACKED BY' *
and it will list the files. If it's a picture just right click and get the file name of the pic, then grep:
grep -lr 'filename.gif' *
Last idea.. if they were REALLY jerks and inserted it in the database in EVERY profile description you might need a well crafted sql statement to delete it and leave the profile intact.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks, will look into this more after work today. I believe they are all text.
I am on a mac, and not sure how to SSH in.
|
I use Putty but I guess it's PC only. I think with a MAC you should be able to SSH through "Terminal". BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks, am trying to make that work, I have 60 sites or so on that space, and having trouble isolating this one domain..
I do know that if I make the description in the profile inactive the problem goes away on the profile, but really need to fix that.
I can not locate where the profile fields are located via ftp, any help would be so appreciated.
|
This is a long shot, and I've never seen it happen before but go into Cpanel and then phpmyadmin and check the "profiles" table in the database itself and see if it's infected. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I think the data base is clean, I could not see anything there.
So appreciate your help.
|
hi mscott, how would you determine if the "profiles" table has been infected (or corrupted)? Thanks.
http://pkforum.dolphinhelp.com |
His site is displaying "hacked by: tn-p****" on all the profiles.. so you would just open the profiles table and see if someone had injected that text into the description.
@StanCA: Did you try using Terminal and the command line search I listed? That is the quickest, easiest way to find all the files that have that text in them.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Should this deviant person hack other sites, this is what I did to fix it.
I installed the current upgrade, and yet that did not fix it. Turns out he added a bunch of index.html files in various places, which tend to override index.php and other files.
I found and deleted about a dozen of these.
www.adventistdate.com seems to be working now..
Thanks for the help and comments.
|
Ah! So it was in the html files in the actual template directory.. I didn't think of that.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
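The two searches from the posts above (files containing the defacement text, and index.html files dropped next to an index.php), as an added example that is not part of the original thread. The sample tree, file names and marker string are constructed for the demo.

```shell
#!/bin/sh
# Added example: locate defacement artifacts under a web root.

# Files containing the marker text (fixed string, case-insensitive).
# Searching from the directory itself also covers dotfiles, which "*" skips.
find_marker_files() {   # $1 = web root, $2 = marker text
    grep -rliF -- "$2" "$1" 2>/dev/null | sort
}

# index.html / index.htm files that sit beside an index.php. Where the
# server's DirectoryIndex lists index.html first, such a file is served
# instead of the application's own index.php.
find_shadowing_indexes() {   # $1 = web root
    find "$1" -type f \( -name 'index.html' -o -name 'index.htm' \) |
    while IFS= read -r f; do
        if [ -f "$(dirname "$f")/index.php" ]; then printf '%s\n' "$f"; fi
    done | sort
}

# Constructed sample tree (paths and marker are made up for the demo).
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/templates/base" "$root/media"
    echo '<?php echo "home"; ?>'  > "$root/index.php"
    echo '<?php echo "tmpl"; ?>'  > "$root/templates/base/index.php"
    echo 'hacked by: example-marker' > "$root/index.html"
    echo 'HACKED BY example-marker'  > "$root/templates/base/index.html"
    : > "$root/media/index.html"    # empty listing blocker, no index.php here
    printf '%s\n' "$root"
}

# Usage: sh find_defacement.sh [webroot] [marker]; defaults to the demo tree.
WEBROOT=${1:-$(demo_tree)}
MARKER=${2:-HACKED BY}
echo "Files containing '$MARKER':";   find_marker_files "$WEBROOT" "$MARKER"
echo "index.html beside index.php:";  find_shadowing_indexes "$WEBROOT"
```

Review each listed file before deleting it; an index.html in a directory with no index.php is not reported, since it does not hide an application page.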
I found about a dozen of them. so far..... :) |
Either I missed one, or he has a gizmo to create new ones as they are back under descriptions..
Check it out..
http://adventistdate.com/Pebbleferrer
Can ANYONE help me with finding where this one would be at?
Thanks
|
That was all in the css. I cleared the cache, and that may have solved that problem.
Am sure others will be attacked by this social deviant.
|
The hackers somehow use the caching system to hack into Dolphin sites (including D7.0.9). Clearing the cache fixes the problem. Has anyone figured out how to block this from being done? http://pkforum.dolphinhelp.com |
Not possible. The cache folders and files are world writable. Need to be so the apache web server can create the cache files.
Two options I can think of.
1) Shut off caching.
OR
2) Switch to a host running suPHP or if you have a dedicated or VPS switch to suPHP. suPHP allows PHP scripts to be run as the account owner and not as the apache server. Thus the permissions on the files can be more restrictive.
There may be other options. Perhaps DosDawg can jump in here. I am not a server security expert so I am not as up to date on various options.
https://www.deanbassett.com |
#2 from Deano's post is the key. If you actually have to set all those folders to 777 then you know your host has php setup the worst way. On a correctly setup server you should run just fine with the folders set to 755.
What are the "hackers" adding to the cache directory?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I don't know how it's done. TMD support quickly dealt with it and told me that's what happened. It's still under investigation. There were actually two instances, on the same day, from the same IP, using the same technique, on two different dev sites... both unpublished... and only a small group of people know about both, only a few with skills to hack it, only one that's miffed at me.
http://pkforum.dolphinhelp.com |
While changing 777 folders to 755... are there any that I should skip... leave them as 777?
TIA
http://pkforum.dolphinhelp.com |
Set the folder permission from 777 to 700. This is better. And do not share any login information with other people. Use numeric characters for the password. http://www.mediaworkflow.com.au |
I tried it... JS and CSS caching do not appear to work with 700.
http://pkforum.dolphinhelp.com |
The folders should either be 755 or 777... as I mentioned before if the host has PHP setup the insecure way you will have to leave the cache folders set to 777. If it's setup in the secure way you can set them to 755. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
They were set to 777 after the installation. After getting hacked, I tried some "less open" permission settings then left them at 744 for a while... but that was causing problems with some of the caching options so I switched to 755... as you've suggested. The only option *not* turned back on is for JS/CSS compression.
http://pkforum.dolphinhelp.com |
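The 777 versus 755 question discussed above, as an added example that is not part of the original thread: it lists world-writable directories and checks who owns the files inside them, which shows whether PHP writes as the account owner (the suPHP case) or as another user. The directory names in the sample site are constructed, and the check assumes the files in a cache directory were created by PHP rather than uploaded.

```shell
#!/bin/sh
# Added example: audit world-writable directories under a web root.

# Directories with the "other" write bit set (777 and similar).
world_writable_dirs() {   # $1 = web root
    find "$1" -type d -perm -0002 | sort
}

# Owner name of a path, taken from ls so it works on Linux, BSD and macOS.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# "owner":   every file in the directory belongs to the web root's owner,
#            i.e. PHP writes as the account and 755 is enough.
# "other":   some file belongs to another user (e.g. the web server account).
# "unknown": no files yet, nothing to judge from.
cache_file_ownership() {   # $1 = web root, $2 = directory to inspect
    acct=$(owner_of "$1")
    if [ -z "$(find "$2" -type f | head -n 1)" ]; then echo unknown
    elif [ -n "$(find "$2" -type f ! -user "$acct" | head -n 1)" ]; then echo other
    else echo owner
    fi
}

# Dry run: print (never execute) a chmod for each world-writable directory
# whose files are all owned by the account.
suggest_chmod() {   # $1 = web root
    world_writable_dirs "$1" | while IFS= read -r d; do
        case $(cache_file_ownership "$1" "$d") in
            owner) printf 'chmod 755 %s\n' "$d" ;;
            *)     printf '# review %s by hand\n' "$d" ;;
        esac
    done
}

# Constructed sample site; the directory names are assumptions for the demo.
demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/cache" "$site/cache_public" "$site/inc"
    chmod 777 "$site/cache" "$site/cache_public"
    chmod 755 "$site/inc"
    echo 'cached data' > "$site/cache/options.cache"
    printf '%s\n' "$site"
}

# Usage: sh audit_perms.sh [webroot]; defaults to the demo site.
suggest_chmod "${1:-$(demo_site)}"
```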