Index.php keeps getting hacked. Please help

wowheaded posted 2nd of October 2008 in Community Voice. 13 comments.

Hi guys and girls,

 

Thanks for all the help with the previous problem. I did as suggested and the site is now working as it should again.

 

Just got one other little problem now. I've been hacked twice in the space of 2 weeks. It's not really a bad hack as such, but some idiots are getting in and replacing my index.php file with their stupid little "U Been Haxed By...." rubbish. Obviously, it's easy to fix the initial hack, but how do I stop this from happening again and again?

 

I've changed the PW's to my admin and hosting account, and will have to do that again today.

 

Is there any inclusions I need to make into the files to stop this again? Do I need to alter any permissions? Any ideas what to do?

 

Thanks in advance!

 
Comments
·Oldest
·Top
Please login to post a comment.
wowheaded
wowheaded2nd of October 2008
 
I've just added the code:
if (isset($_REQUEST['dir']))
die ('Hacking attempt');
to the files Sammie suggested in another post. I'm hoping this will help some.

Is there anything else I should do?
PermalinkReplyPlus0 pluses
wowheaded
wowheaded2nd of October 2008
 
Just to let you know, this is the hacker's name: Arianom De HackeR

This is the IP it came from: 193.67.33.2

You might want to block it.

Also, what's with the /ray/crossdomain.xml file? Could this be a potential security issue?
PermalinkReplyPlus0 pluses
sammie
sammie2nd of October 2008
 
that fix will stop them, the crossdomain file is just a file to allow flash to be used from one domain to another, without it you cant see flash from other sites.

get hosted on more safer servers
PermalinkReplyPlus0 pluses
AndreyP
AndreyP2nd of October 2008
 
Again and again: php_flag register_globals Off :-)
better if not just via .htaccess - at host level.
second - disable all possible script of flash includes (better any html).
Third, was good solution too:

#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule see more .* - [F]

#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]

and even php_value allow_url_fopen 0 :-)
PermalinkReplyPlus0 pluses
wowheaded
wowheaded2nd of October 2008
 
Thanks for the feedback. I seem to have a lot of trouble with my hosting at the moment, which is bad seens it is linked to a number of other sites I own. Being evasive about what and why, but as nothing seems to be safe right now, it's best to say little.

I'm actually considering adding sites to an additional hosting company, even though the one we currently use is listed on the boonex server page here. I noticed today that a number of functions over all the websites are messed up from the cPanel see more access, and according to the company, it's a corruption their end.
PermalinkReplyPlus0 pluses
wowheaded
wowheaded2nd of October 2008
 
Also, with :

php_flag register_globals Off

Where do I change this specifically?

This is my first major dabble with php and mysql, so I'm not sure. CSS/XHTML/XML, I'm fine...PHP...you've lost me:D
PermalinkReplyPlus0 pluses
LeonidS
LeonidS3rd of October 2008to wowheaded
 
Thi scommand should be placed to .htaccess file in root Dolphin directory.
PermalinkReplyPlus0 pluses
sammie
sammie3rd of October 2008
 
If you are on shared hosting and Register_globals are on by default at the server level. and your php is 4.3.2 or later,. then you hosting provider has broken php.net's recommended settings of register_globals off and has even changed the default setting to On.

this allows any site on that server to be exploited and gain full access to all sites and accounts on that server. this is your hosting companies fault, and their blatent abuse of their customers trust in not providing safe secure hosting see more by following php.net's recommended settings for Register_globals
PermalinkReplyPlus0 pluses
Tallyplayer
Tallyplayer3rd of October 2008
 
Also wowhead, look in your cache and backup directories specifically. All this security you are setting up may be locking the door after the thief is already in the store. When my sites were hacked they did pretty much what you described, I guess to stop me from loking deeper. If they were in then they probably already have set up the scripts somewhere to let them keep coming back. Although DosDawg helped me lock the door on my old hosting, they already had a key to the backdoor. End solution, see more I had to completely move off my poor hosting environment, moved in with Dos, and Sammie, and they keep all the door to door salesmen away!
PermalinkReplyPlus0 pluses
wowheaded
wowheaded3rd of October 2008
 
Hi both,

I've just looked at my cache and backup directories. Both of those are absolutely fine, from what I can see. They both seem to have the relevant files included and no abnormalities in there. That's one big relief.

Right now, I'm going through all the files and folders in my hosting and comparing them to the dolphin/ray/orc unzipped files. I'll post if I find something odd that I just can't figure out :).

With regards to my hosting, I actually have a reseller account with this see more company listed within the boonex site. I'll email them again today and ask them what the deal is with the Register_globals issue. I noticed that even though we're supposed to have access to a number of additional features with them to control our hosting plan, we actually don't.
PermalinkReplyPlus0 pluses
gameutopia
gameutopia5th of October 2008
 
as andreyp mentions these are good ideas, however the commands to add to .htaccess he specifies will do abosolutely no good because the are commented out with the #

Basically if you add a # to your .htaccess each line with the # means to ignore it and do no good. So I don't know why this was even posted or why it wasn't clarified that you need to remove the # to do any good and to take affect. Guess everyone is supposed to know that by default.

#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond see more %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule .* - [F]

#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]

and even php_value allow_url_fopen 0 :-)

I haven't tested it fully you will havet to remove the:
and even php_value allow_url_fopen 0 :-)

And all #'s to work at all. If you were to use this command in .htaccess it would be more like:
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]

all your other dolphin .htaccess code would follow here!!

I wouldn't be surprised if some of this made certain thing not work specifically your share files in your media locations such as:
when you click on your share link in photo, music, and video gallery in the actions menu. The above code will block it. Is this all bad I don't know. But it will piss some off. Either that if you use the above code you will have to remove the share link to do away with it.

The code I use is similar to boonex guys except mine already has the #'s removed so they do work:
Options -MultiViews
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+\.txt [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]


I also block a number of things such as .htaccess, so you can't view my .htacess files, I also block certain countries. I do block peridic file, I also block file types that can be uploaded to audio video like php, txt, vbs, cgi, pl, etc. you name it. Anything that is out of the ordinary can't even be uploaded to dolphin/ray folders to begin with.

Good luck.
Gameutopia
I will post my boonex profile until I am told not too? Seem legit to me since it is hosted on boonex right?
http://www.boonex.com/unity/gameutopia
PermalinkReplyPlus0 pluses
billabongrob
billabongrob26th of November 2008
 
Sammie, you do realize that you can turn off register globals in the .htaccess file, right?
PermalinkReplyPlus0 pluses
robertsearle
robertsearle3rd of June 2009to billabongrob
 
Yes you can, however, that only turns it off on that one website in a shared hosting enviroment.

I believe the server can be configured as to what is allowed in the local .htaccess files.

As mentioned, once a site is hacked all sites on the server are accessible. Even if your hostheader website is protected it is accessible from another website on the same server. It really needs turned off at the server level or you should consider changing your hosting provider.

If register globals can see more be turned off, it is reasonable to assume register globals can be turned on. So one hostheader/virtual website can compromise security for the rest of the shared hosting server.

I just left my last hosting company because a poorly written ComDEV photo album application kept getting exploited. It turned out my clients competitor signed up for multiple accounts until they landed on the same server their site was on.
PermalinkReplyPlus0 pluses
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Custom Jobs
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd
SSL
© BoonEx
Home
Features
Pricing
Support
Hosting
About
Demo
PET:0.062041997909546