Any web geeks on?


dave u

The online shop is fucked. It keeps getting hacked by some cunt in Indonesia who is putting php scripts into some of the directories and then sending out loads of spam mails linking back to the pages.

 

Anyway, he got in the other day, and I removed the files he'd put in, but then the shop stopped working. This is what was happening, if you scroll down you can see everything is still there, but there's a load of shite at the top. I googled the thing that shows up in the page title, and there are thousands of sites with the same issue but I can't find any pages explaining what it is or saying how to fix it.

 

:: b374k m1n1 1.01 ::

 

So, I re-uploaded everything from the back up I have, but now I have a different problem, as you can see here:

 

http://www.liverpoolway.co.uk/shop.new/

 

A blank page, and when you look at the source code for the page, it's blank too. I've checked the index.php page and it seems to be fine, so why is it not showing up when the address is typed in?

 

So, anyone know what the solution is?

 

(first person to say have you tried rebooting gets a week's ban).


Careful, this is what the Indonesian hacker has been waiting for. Now he will give you advice and before you know it TLW will be a money laundering operation for a Southeast Asian sex slavery ring.

 

His username will be something like Code72.


It's the shite at the top that's the problem.

 

It's a backdoor file manager for your server, giving anyone who wants it full access to browse and look at all your files.

 

You are seriously hacked. This chap will have gone in originally, possibly quite a while ago, and set this up, then continues to use it each time to do his emailing. I would suggest that when you do your cleanup each time he goes in and leaves his files, you are not getting rid of the root causes of the problem.

 

It might have to be a full reformat and setup to get rid of this.


It's the shite at the top that's the problem.

 

It's a backdoor file manager for your server, giving anyone who wants it full access to browse and look at all your files.

 

You are seriously hacked. This chap will have gone in originally, possibly quite a while ago, and set this up, then continues to use it each time to do his emailing. I would suggest that when you do your cleanup each time he goes in and leaves his files, you are not getting rid of the root causes of the problem.

 

It might have to be a full reformat and setup to get rid of this.

 

Where would the root cause be? I'm assuming it's somewhere in the 'old' shop directory, as when you look at the new install none of that crap is there, it's just completely blank?


It could be anything, and it could be in any folder on the entire server, not just the shop folders, but these scripts normally have a filename consisting of a large string of letters and numbers.

 

The contents of it will be encoded into continuous gibberish.

 

If you google b374k shell, you'll see the sort of thing I mean.

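The two tells described in that post, a random-looking filename and contents that are one long encoded blob, can be turned into a sweep of the web root. The script below is an added example for this thread, not code from any poster and not the b374k shell itself; the name pattern, the list of decoder/execution functions and the entropy threshold are assumptions chosen for illustration, and the three sample files it writes into a temporary directory are constructed so the sweep runs offline.

```python
"""Heuristic sweep of a web root for dropped PHP web shells (added example).

Flags a .php file when its basename is a long run of letters and digits, when it
evaluates the output of a decoder function, or when it is dominated by a single
long high-entropy token (a packed payload). Thresholds are illustrative.
"""
import base64
import math
import os
import random
import re
import tempfile
from collections import Counter

# Assumption: real shop files have dictionary-word names; dropped shells do not.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12,}\.php$", re.IGNORECASE)
# Functions shells chain together; legitimate shop code rarely calls two of them.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"system|shell_exec|passthru|exec|popen)\s*\(",
    re.IGNORECASE,
)
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}


def shannon_entropy(data):
    """Bits per byte: packed/base64 blobs score close to 6, ordinary PHP near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_file(path):
    """Return the reasons a file looks like a dropped shell (empty list = nothing found)."""
    reasons = []
    if RANDOM_NAME.match(os.path.basename(path)):
        reasons.append("random-looking filename")
    with open(path, "rb") as fh:
        data = fh.read(256 * 1024)  # the first 256 KiB is enough for a verdict
    text = data.decode("latin-1")
    calls = {m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)}
    if "eval" in calls and calls & DECODERS:
        reasons.append("eval of decoded payload: " + ", ".join(sorted(calls)))
    elif len(calls) >= 2:
        reasons.append("multiple dangerous calls: " + ", ".join(sorted(calls)))
    # "Continuous gibberish": one very long token and high entropy across the file.
    longest = max((len(t) for t in text.split()), default=0)
    ent = shannon_entropy(data)
    if longest > 500 and ent > 5.2:
        reasons.append("long high-entropy blob (%.2f bits/byte)" % ent)
    return reasons


def sweep(root):
    """Walk root and map each suspicious PHP file (relative path) to its reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".php5", ".phtml")):
                full = os.path.join(dirpath, fn)
                reasons = score_file(full)
                if reasons:
                    hits[os.path.relpath(full, root)] = reasons
    return hits


def build_demo_webroot():
    """Constructed sample web root: one clean file, one dropped shell, one hijacked include."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "includes"))
    rnd = random.Random(7)  # deterministic "encoded gibberish" for the demo
    blob = base64.b64encode(bytes(rnd.getrandbits(8) for _ in range(1200))).decode()
    files = {
        "index.php": "<?php\nrequire 'includes/application_top.php';\necho 'Shop front page';\n",
        "images/x7f3a9c2b1e8d4f6a.php": "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob,
        # Legitimate name, but a decoder fed straight into eval (constructed, harmless payload).
        "includes/config.php": "<?php\n$db_host = 'localhost';\n@eval(base64_decode('ZWNobyAnaGknOw=='));\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(sweep(build_demo_webroot()).items()):
        print(rel, "->", "; ".join(why))
```

Run it against the real document root as `sweep("/var/www")` and review every hit by hand: minified JavaScript libraries and vendored PHP that ships packed assets can trip the entropy rule, so the output is a worklist, not a verdict. The `includes/config.php` case is the important one for this thread, since a cleanup that only deletes oddly named files leaves a hijacked legitimate file, and therefore the way back in, untouched.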

Have a quick look through your backups, Dave, you might spot something there, and just keep going back and have a peek at older and older backups. Have a look 3 or 4 months back if you spot something.

As long as he hasn't hidden it in the directory it should be findable.

Get the IP address blocked first though.


Try and clear off old backup folders too. You can cause confusion by having too many copies of the same file in multiple folders on the server. Move them off the server onto a PC or FTP folders. The less stuff on the live server, the fewer places for nasties to hide and the easier it is to identify files which shouldn't be there.


Have a quick look through your backups, Dave, you might spot something there, and just keep going back and have a peek at older and older backups. Have a look 3 or 4 months back if you spot something.

As long as he hasn't hidden it in the directory it should be findable.

Get the IP address blocked first though.

 

Chances are whatever it is isn't actually in any of the files I back up. More likely to be hidden away in the server somewhere. How do I find his IP address to block it?

 

Try and clear off old backup folders too. You can cause confusion by having too many copies of the same file in multiple folders on the server. Move them off the server onto a PC or FTP folders. The less stuff on the live server, the fewer places for nasties to hide and the easier it is to identify files which shouldn't be there.

 

There's shitloads of old backups on there to be honest. I need to wipe a load of them off, as they're mostly SQL files and are pretty big. Correct me if I'm wrong though, but whatever it is he's using to get in is not going to be hidden in an SQL backup, is it?

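The IP address question above is answered by the web server's access log rather than by anything in the backups: every request to the shell file is logged with the client address that made it. The script below is an added example for this thread, not code from any poster. It assumes an Apache or nginx combined-format access log and that the shell file paths have already been identified; the log lines are constructed for the example, use RFC 5737 documentation addresses, and the admin paths in them are made up.

```python
"""Triage a combined-format access log for traffic to a dropped web shell (added example).

Reports which clients used the shell, when it was first hit (close to when it
was dropped), and what that client requested just before, which is where the
real entry point usually shows up.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; 203.0.113.45 plays the intruder, 198.51.100.7 a shopper.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Mar/2011:02:11:40 +0000] "GET /shop/admin/login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2011:02:13:02 +0000] "POST /shop/admin/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2011:02:14:31 +0000] "GET /shop/images/x7f3a9c2b1e8d4f6a.php HTTP/1.1" 200 8742 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:09:01:12 +0000] "GET /shop/index.php?cPath=22 HTTP/1.1" 200 21340 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [11/Mar/2011:03:40:55 +0000] "POST /shop/images/x7f3a9c2b1e8d4f6a.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2011:01:02:03 +0000] "POST /shop/images/x7f3a9c2b1e8d4f6a.php HTTP/1.1" 200 398 "-" "Mozilla/5.0"',
    'this line is corrupt and must be skipped, not crash the run',
]
SHELL_PATHS = {"/shop/images/x7f3a9c2b1e8d4f6a.php"}  # from the file sweep, constructed here


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, ignore the query string
    return rec


def records(lines):
    return filter(None, map(parse_line, lines))


def shell_clients(lines, shell_paths):
    """Requests per client IP that touched any known shell path (candidates to block)."""
    hits = Counter()
    for rec in records(lines):
        if rec["path"] in shell_paths:
            hits[rec["ip"]] += 1
    return hits


def first_hit(lines, shell_paths):
    """Earliest request to each shell path as (timestamp, ip): roughly when it was dropped."""
    first = {}
    for rec in records(lines):
        p = rec["path"]
        if p in shell_paths and (p not in first or rec["ts"] < first[p][0]):
            first[p] = (rec["ts"], rec["ip"])
    return first


def preceding_requests(lines, ip, before, window=timedelta(minutes=30)):
    """What `ip` requested in the `window` before `before`, oldest first.

    The request that wrote the shell has to come before its first execution, so the
    vulnerable script it abused normally appears in this list."""
    out = []
    for rec in records(lines):
        if rec["ip"] == ip and before - window <= rec["ts"] < before:
            out.append((rec["ts"], rec["method"], rec["path"], rec["status"]))
    return sorted(out)


if __name__ == "__main__":
    print("clients:", shell_clients(SAMPLE_LOG, SHELL_PATHS))
    for path, (ts, ip) in first_hit(SAMPLE_LOG, SHELL_PATHS).items():
        print(path, "first hit", ts, "by", ip)
        for when, method, p, status in preceding_requests(SAMPLE_LOG, ip, ts):
            print("   before that:", when, method, p, status)
```

Feed it the real log with `shell_clients(open("/var/log/apache2/access.log"), SHELL_PATHS)`, and go back through the rotated logs as far as they exist, since the first hit may predate the current file. The `preceding_requests` output is the part worth more than the IP: blocking one address shuts out one session, while the script that let the file be written is still there for the next address to use, which is the point made later in this thread about restoring the holes along with the backup.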

Correct me if I'm wrong though, but whatever it is he's using to get in is not going to be hidden in an SQL backup, is it?

 

It might be like Windows and System Restore. The restore points are only backups, but a virus or spyware can still manage to either work from there, or re-assemble itself to get back onto the main files. Think that's how they can work anyway.


What internet security package are you using, Dave?

 

No idea. Barry Wom will know more about that than me. Basically, I rent a server from a hosting company, and whatever security packages come with the server, that's what I have.

 

Pretty sure the exploit is in the shop software, but I can't upgrade it to the newest version as the version I'm using is now completely fucked. It was working up until Saturday, but it's a mess now.


If you had vulnerabilities in your initial scripts (just that they hadn't been exploited and compromised yet at the time you took your backups), then restoring from backup is just wiping away the layer of dirt that's in production right now, and putting back the holes. The chances are he'll just come back, find the same vulnerabilities, and exploit them again.


The online shop is fucked. It keeps getting hacked by some cunt in Indonesia who is putting php scripts into some of the directories and then sending out loads of spam mails linking back to the pages.

 

Anyway, he got in the other day, and I removed the files he'd put in, but then the shop stopped working. This is what was happening, if you scroll down you can see everything is still there, but there's a load of shite at the top. I googled the thing that shows up in the page title, and there are thousands of sites with the same issue but I can't find any pages explaining what it is or saying how to fix it.

 

:: b374k m1n1 1.01 ::

 

So, I re-uploaded everything from the back up I have, but now I have a different problem, as you can see here:

 

http://www.liverpoolway.co.uk/shop.new/

 

A blank page, and when you look at the source code for the page, it's blank too. I've checked the index.php page and it seems to be fine, so why is it not showing up when the address is typed in?

 

So, anyone know what the solution is?

 

(first person to say have you tried rebooting gets a week's ban).

What set up do you have? How many servers, where and what kind. Are all your servers hosted?


Is this your own dedicated server?

 

Once you have been hacked - it's always best to request a reinstall (you never know what those f**kers have put on).

 

Any hacker that wants to get in will, but we can make their lives much harder by securing the server as best we can. Have a look at this guide for a quick overview of some of the stuff you could try: webhostingresourcekit.com/109.html. Also make sure you are using the latest script for your shop.


First thing I'm going to do is move. I've needed to move anyway as I need more RAM but can't afford it unless I move.

 

I pay just under £200 a month for a dedicated server with 4GB of RAM, but I can get double that for the same price if I switch to 1and1.co.uk

 

My fear is that even when I move, once I restore all my files I'll just be restoring the hacker's stuff too. I'm going to get rid of the shop completely though, just had a look on their forums and loads of other people have had this happen, even with the most up to date version of the shop software.

 

CRE Loaded - View topic - 6.2 sites getting hacked repeatedly !

 

The stuff in that thread is exactly what has happened to me.

