HELP! I WAS HACKED!

rosemckay
Posts: 54
Joined: Thu 13. Oct 2005, 00:59


Post by rosemckay »

I'm using version 1.3.3 and there's no current info about security alerts for this version. How do I prevent being hacked again???!!!???

This is what I know:
They added an index.html page to supersede the index.php and in the config folder they added an images folder and a hacker.htm file. The site said "YOU HAVE BEEN HACKED BY DRACULA" with a picture of a skull and cross bones then "Hacked by dracula hacker."

I don't know enough about php to prevent this from happening again but I'd think others would want to know so it can be prevented for everyone else.

Please help me fix it and if you need more information let me know what.

Thanks!
flip-flop
Moderator
Posts: 8178
Joined: Sat 21. May 2005, 21:25
Location: HAMM (Germany)

Post by flip-flop »

Hi,

I don't know about a sec. hole in V1.3.3.
- All setup folders are gone? (and e.g. /include/inc_module/mod_glossary/setup/* too?).

- If you use plesk8.x, have you inserted the last sec. patch?
- Is this a virtual server? (Cross scripting)
- Other script running on this account?
- safe_mode ON? (Only for using ImageMagick to Off)
- register_globals Off?

Post by rosemckay »

Set up folder is gone
Is plesk8.x a module? I don't think I am using it.
The hosting is a shared hosting with lunarpages
There are no other scripts running
Where do I check safemode?
Where do I check register globals?
Nordlicht
Posts: 160
Joined: Wed 12. Apr 2006, 08:16
Location: Germany, near Hamburg

Post by Nordlicht »

rosemckay wrote: Where do I check safemode?
Where do I check register globals?
<?php phpinfo(); ?>

Post by flip-flop »

Where do I check safemode?
Where do I check register globals?
cms backend -> phpinfo

I don't know "lunarpages".

plesk is a provider backend software.

Have a look into the apache log files if you can.

Post by rosemckay »

http://www.lunarpages.com

I'll check phpinfo.

I can look at raw logs. Is this right? What am I looking for in the log files?
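
As an added illustration of the log review suggested above (not part of the original thread and not phpwcms code): a small Python script that reads Apache combined-format access log lines, finds clients that successfully fetched the files reported as added (hacker.htm, the new images folder under config), and lists the non-GET requests those clients made up to that point. The sample log lines, IP addresses and the /example_form.php path are constructed placeholders.

```python
import re
from datetime import datetime

# Apache access log: host ident user [time] "METHOD path proto" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Names reported in the thread as added by the intruder. index.html is left
# out on purpose: ordinary visitors request it too once it is in place.
DROPPED = ("hacker.htm", "/config/images/")

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2007:21:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [19/Sep/2007:21:40:03 +0000] "POST /example_form.php HTTP/1.1" 200 312
203.0.113.9 - - [19/Sep/2007:21:40:09 +0000] "GET /config/hacker.htm HTTP/1.1" 200 1480
198.51.100.7 - - [19/Sep/2007:21:55:30 +0000] "GET /index.html HTTP/1.1" 200 900
not a log line
"""

def parse(text):
    """Yield (time, ip, method, path, status) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip truncated or malformed lines instead of failing
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield when, ip, method, path, int(status)

def triage(text):
    """Map each client that fetched a dropped file to its earlier non-GET requests."""
    events = sorted(parse(text))
    first_seen = {}
    for when, ip, method, path, status in events:
        if status < 400 and any(name in path for name in DROPPED):
            first_seen.setdefault(ip, when)  # keep the earliest hit per client
    report = {}
    for ip, cutoff in first_seen.items():
        report[ip] = [(w.isoformat(), m, p, s) for w, i, m, p, s in events
                      if i == ip and w <= cutoff and m not in ("GET", "HEAD")]
    return report

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, hits)
```

The requests it lists are starting points for review, alongside the FTP log and the modification times of the added files.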

Post by rosemckay »

OK I found a file called act_phpinfo.php it has this:

Code:

// session_name('hashID');
session_start();
$phpwcms = array();

require_once ('../../config/phpwcms/conf.inc.php');
require_once ('../inc_lib/default.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php');

require_once (PHPWCMS_ROOT.'/include/inc_lib/general.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/backend.functions.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/checklogin.inc.php');

if($_SESSION["wcs_user_admin"] == 1) { // if the user has admin rights

	phpinfo();

}
Then I thought maybe you meant PHP info as part of my hosting so I looked for something there but didn't see anything that looked right.

Post by flip-flop »

phpinfo()

-> login cms backend -> admin -> phpinfo() (At the lower-left corner of the page).

Or use this in a file at your cms root
<?php phpinfo(); ?>

Post by rosemckay »

OK, thanks for the point in the right direction. Looks like safe mode and register globals are off.

Post by flip-flop »

- Please switch safe mode to On if you don't use ImageMagick.
- Please reorganize your passwords (FTP, cms, provider backend ....)
Don't use firstnames, birthdays .... - better use a combination like e.g. xZ33-be08
- http folder listing at your account is switched to off?
- Did you use a contact form?

- http://25yearsofprogramming.com/blog/20070705.htm

I think it isn't a cms problem.

Knut
Last edited by flip-flop on Fri 21. Sep 2007, 07:32, edited 2 times in total.
Oliver Georgi
Site Admin
Posts: 9906
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

It seems Lunarpages has problems in general: Have a look at this

Normally phpwcms is (should be) safe - and I have not heard of any other hacked 1.3.3.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон

Post by rosemckay »

Unfortunately when I contacted LunarPages about the problem they just wanted to say there was a vulnerability in PHPWCMS and didn't offer any help beyond that.

My first thought was that if there were a problem with the hosting security they'd never admit it to me and I'd have no way to prove it.


Where do I set the safemode to on?
I'll change all my passwords
http folder listing switched to off is something I'm not knowledgeable about. How do I know and how do I switch it?
Yes there is a contact form

THANK YOU!

Post by Oliver Georgi »

If they say phpwcms has vulnerability problems - ask them which exactly.

If they offer Fantastico - hey - this might be the case. phpwcms in Fantastico is not supported. But phpwcms 1.3.3 is - as far as I know - not part of Fantastico.

I think you have no chance to change safe_mode or directory listing - ask your admin how to do that. Because these are general things - try Google.

Oliver
StudioZ
Posts: 802
Joined: Fri 28. May 2004, 19:57
Location: Québec, Canada

Post by StudioZ »

Oliver Georgi wrote:... If they offer Fantastico - hey - this might be the case. phpwcms in Fantastico is not supported. But phpwcms 1.3.3 is - as far as I know - not part of Fantastico ...
@ Oliver: I still don't understand ...
why Netenberg.com (Fantastico) still offers this old PhpWCMS version (1.1-RC4 Rev. A)?
This sure doesn't help very much.

Cheers,

Yves
PhpWCMS Evangelist, -- iRoutier.com Running phpWCMS 1.4.2, r354 -> Great Version!!!!

Post by Oliver Georgi »

Ask them - it's a stupid company...

I was never contacted by them.

Oliver