HELP! I WAS HACKED!
Posted: Thu 20. Sep 2007, 21:28
by rosemckay
I'm using version 1.3.3 and there's no current info about security alerts for this version. How do I prevent being hacked again???!!!???
This is what I know:
They added an index.html page to supersede the index.php and in the config folder they added an images folder and a hacker.htm file. The site said "YOU HAVE BEEN HACKED BY DRACULA" with a picture of a skull and cross bones then "Hacked by dracula hacker."
I don't know enough about php to prevent this from happening again but I'd think others would want to know so it can be prevented for everyone else.
Please help me fix it and if you need more information let me know what.
Thanks!
Posted: Thu 20. Sep 2007, 21:45
by flip-flop
Hi,
I don't know about a sec. hole in V1.3.3.
- All setup folders are gone? (and e.g. /include/inc_module/mod_glossary/setup/* too?).
- If you use plesk8.x, have you inserted the last sec. patch?
- Is this a virtual server? (Cross scripting)
- Other script running on this account?
- safe_mode ON? (Only for using ImageMagick to Off)
- register_globals Off?
Posted: Thu 20. Sep 2007, 21:52
by rosemckay
Set up folder is gone
Is plesk8.x a module? I don't think I am using it.
The hosting is a shared hosting with lunarpages
There are no other scripts running
Where do I check safemode?
Where do I check register globals?
Posted: Thu 20. Sep 2007, 22:02
by Nordlicht
rosemckay wrote:
Where do I check safemode?
Where do I check register globals?
<?php phpinfo(); ?>
Posted: Thu 20. Sep 2007, 22:04
by flip-flop
Where do I check safemode?
Where do I check register globals?
cms backend -> phpinfo
I don't know "lunarpages".
plesk is a provider backend software.
Have a look into the apache log files if you can.
Posted: Thu 20. Sep 2007, 22:09
by rosemckay
http://www.lunarpages.com
I'll check phpinfo
I can look at raw logs. Is this right? What am I looking for in the log files?
Posted: Thu 20. Sep 2007, 23:42
by rosemckay
OK I found a file called act_phpinfo.php it has this:
Code:
// session_name('hashID');
session_start();
$phpwcms = array();
require_once ('../../config/phpwcms/conf.inc.php');
require_once ('../inc_lib/default.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/general.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/backend.functions.inc.php');
require_once (PHPWCMS_ROOT.'/include/inc_lib/checklogin.inc.php');
if($_SESSION["wcs_user_admin"] == 1) { // if the user has admin rights
    phpinfo();
}
Then I thought maybe you meant PHP info as part of my hosting so I looked for something there but didn't see anything that looked right.
Posted: Fri 21. Sep 2007, 00:15
by flip-flop
phpinfo()
-> login cms backend -> admin -> phpinfo() (At the lower-left corner of the page).
Or use this in a file at your cms root
<?php phpinfo(); ?>
Posted: Fri 21. Sep 2007, 06:26
by rosemckay
OK, thanks for the point in the right direction. Looks like safe mode and register globals are off.
Posted: Fri 21. Sep 2007, 06:50
by flip-flop
- Please switch safe mode to On if you don't use ImageMagick.
- Please reorganize your passwords (FTP, cms, provider backend ....)
Don't use first names, birthdays .... - better use a combination like e.g. xZ33-be08
- http folder listing at your account is switched to off?
- Did you use a contact form?
- http://25yearsofprogramming.com/blog/20070705.htm
I think it isn't a cms problem.
Knut
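Added example, not part of the original posts and not phpwcms code: a PHP script that runs the checks from flip-flop's two lists (register_globals, safe_mode, leftover setup folders) and looks for the files reported in the first post (index.html beside index.php, an images folder or .htm file under config/). The `config/` location, the file patterns and the function names `ini_flag` and `audit` are assumptions.

```php
<?php
// Added example, not part of phpwcms. Paths and patterns are assumptions
// taken from the posts in this thread.

// ini_get() returns false when a directive does not exist (register_globals
// and safe_mode were removed in PHP 5.4) and '', '0' or 'Off' when disabled.
function ini_flag(string $name): string {
    $v = ini_get($name);
    if ($v === false) return 'absent';
    return in_array(strtolower(trim($v)), ['1', 'on', 'yes', 'true'], true) ? 'on' : 'off';
}

function audit(string $root): array {
    $root = rtrim($root, '/');
    $findings = [];
    if (ini_flag('register_globals') === 'on') $findings[] = 'register_globals is On';
    if (ini_flag('safe_mode') === 'off') $findings[] = 'safe_mode is Off';
    if (is_file("$root/index.html") && is_file("$root/index.php")) {
        $findings[] = 'index.html present beside index.php';
    }
    // Walk the whole tree once; unreadable subfolders are skipped, not fatal.
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );
    foreach ($walk as $path => $item) {
        $name = strtolower($item->getFilename());
        $inConfig = strpos($path, "$root/config/") === 0;
        if ($item->isDir() && $name === 'setup') {
            $findings[] = "setup folder still present: $path";
        } elseif ($inConfig && $item->isDir() && $name === 'images') {
            $findings[] = "unexpected images folder in config: $path";
        } elseif ($inConfig && $item->isFile() && preg_match('/\.html?$/', $name)) {
            $findings[] = "HTML file in config: $path";
        }
    }
    return $findings;
}

// Usage: php audit.php /path/to/phpwcms  (defaults to this script's folder)
$findings = audit($argv[1] ?? __DIR__);
echo $findings ? implode("\n", $findings) . "\n" : "nothing flagged\n";
```

The command-line PHP binary can load a different php.ini than the web server, so the two ini results are only meaningful when the script runs under the same configuration as the site.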
Posted: Fri 21. Sep 2007, 07:26
by Oliver Georgi
It seems Lunarpages has problems in general:
Have a look at this
Normally phpwcms is (should be) safe - and I have not heard of any other hacked 1.3.3.
Oliver
Posted: Fri 21. Sep 2007, 07:58
by rosemckay
Unfortunately when I contacted LunarPages about the problem they just wanted to say there was a vulnerability in PHPWCMS and didn't offer any help beyond that.
My first thought was that if there were a problem with the hosting security they'd never admit it to me and I'd have no way to prove it.
Where do I set the safemode to on?
I'll change all my passwords
http folder listing switched to off is something I'm not knowledgeable about. How do I know and how do I switch it?
Yes there is a contact form
THANK YOU!
Posted: Fri 21. Sep 2007, 08:27
by Oliver Georgi
If they say phpwcms has vulnerability problems - ask them which exactly.
If they offer Fantastico - hey - this might be the case. phpwcms in Fantastico is not supported. But phpwcms 1.3.3 is - as far as I know - not part of Fantastico.
I think you have no chance to change safe_mode or directory listing - ask your admin how to do that. Because these are general things - try Google.
Oliver
Posted: Fri 21. Sep 2007, 15:13
by StudioZ
Oliver Georgi wrote:... If they offer Fantastico - hey - this might be the case. phpwcms in Fantastico is not supported. But phpwcms 1.3.3 is - as far I know - not part of Fantastico ...
@ Oliver: I still don't understand ...
why Netenberg.com (Fantastico) still offers this old PhpWCMS version (1.1-RC4 Rev. A)
This sure does not help very much
Cheers,
Yves
Posted: Fri 21. Sep 2007, 15:21
by Oliver Georgi
ask them - it's a stupid company...
I was never contacted by them.
Oliver