
Any web geeks on?


dave u

First thing I'm going to do is move. I've needed to move anyway as I need more RAM but can't afford it unless I move.

 

I pay just under £200 a month for a dedicated server with 4GB of RAM, but I can get double that for the same price if I switch to 1and1.co.uk

 

My fear is that even when I move, once I restore all my files I'll just be restoring the hacker's stuff too. I'm going to get rid of the shop completely though; I've just had a look on their forums and loads of other people have had this happen, even with the most up to date version of the shop software.

 

CRE Loaded - View topic - 6.2 sites getting hacked repeatedly !

 

The stuff in that thread is exactly what has happened to me.

 

I'm afraid this is the likely outcome of using a back-up based on the assumption that you don't have one that predates the original hack. I think the guy who is doing this may indeed be using a multi-vector approach and the SQL injection component mentioned above is a candidate in addition to the scripted shit in the shop. I agree that moving shop is the best way to go since the source code is not something that could be patched with any certainty by one of us and still maintain the functionality and contractual elements with your hosting service or the shop software provider.


Dave

 

Get a zencart shop instead. It's open source (free!!) and I have built around 20 and never had a shop hacked (although we had a dedicated server hacked, it didn't do any damage to our stores).

 

I am no programmer or web designer but I have put together 20 stores now and I have no problem in helping you set it up and installing it if you're interested.

 

Seems extreme to fuck a shop off for some fucking twat in Indonesia who needs to get a life.

 

As I say, if you're interested just let me know; I have no problem in helping you out in building it.


I'm afraid this is the likely outcome of using a back-up based on the assumption that you don't have one that predates the original hack. I think the guy who is doing this may indeed be using a multi-vector approach and the SQL injection component mentioned above is a candidate in addition to the scripted shit in the shop. I agree that moving shop is the best way to go since the source code is not something that could be patched with any certainty by one of us and still maintain the functionality and contractual elements with your hosting service or the shop software provider.

 

It depends what part has been hacked.

 

I can see via my ftp client that no files have been dropped into the other main directories other than 'shop'. However, those files aren't the problem from what I'm reading on this thread. It's whatever has been uploaded that is allowing them to get in. I still think it's to do with the shop, and if I remove it from the system they won't be able to get in. I'm going to do it today and see how it goes for the next couple of days.

 

Albertini, I've pm'd you.


How are you getting on ??

 

Reading up on this, it looks like it's an SQL injection attack (running code in a form) originally, which then places the hack files on the server and then they get run from there. It's not just limited to CRE sites either; other sites have been done too. But careful configuration of a shop and some lockdown should stop it.


If he's getting in through the shop, make sure you try to flog the cunt some Torres memorabilia before you fuck him off.

 

 

Careful, this is what the Indonesian hacker has been waiting for. Now he will give you advice and before you know it TLW will be a money laundering operation for a southeast asian sex slavery ring.

 

No!! Not again!


Guest Scaramanga

I've sent you the .php shell that you've been hacked with as a text file for your reference. You need to find and delete the rogue .php file, with that content. Restore from a backup and delete any files and folders that aren't familiar.

 

Also, the reason he's able to get in constantly, is the script he's run has added an encrypted username and password.

 

I have never logged onto a webserver control panel, but if you can, log in as root and cat your /etc/passwd and /etc/shadow files to have a look. Remove any items that shouldn't be there. In fact, I'd fucking delete any other accounts but root, and re-add them as you see fit.

 

I'd also recommend having a look at your .htaccess file on your webserver to prevent this happening again. If you don't have one on your shop, you really should.

 

Oh, and have someone with a bit of PHP and/or SQL knowledge have a shufty at it; there might be some DB stuff that's gone on that you should take a look at as well. Not my bag that.

 

If that doesn't work, switch your server off and on again....:lol:

 

Totally worth the 1 week.

 

Good luck dude.


I have never logged onto a webserver control panel, but if you can, log in as root and cat your /etc/passwd and /etc/shadow files to have a look. Remove any items that shouldn't be there. In fact, I'd fucking delete any other accounts but root, and re-add them as you see fit.

 

I'd also recommend having a look at your .htaccess file on your webserver to prevent this happening again. If you don't have one on your shop, you really should.

 

Thanks mate. I've completely removed all the files from the shop now, so the htaccess thing isn't relevant at the moment.

 

I will check the htaccess on the server, but I tried doing the part in bold and there doesn't appear to be anything untoward.

 

Also, I think spam mail is still being sent. Not loads of it, but I did find a message in the mail queue that had been sent from the server, and it was phishing.

 

Got your pm's, but I don't know how to do a search to find all that as I only know how to search for file names, not the contents of those files.

 

Anyone know how I can do that?


I don't know how to do a search to find all that as I only know how to search for file names, not the contents of those files.

 

Anyone know how I can do that?

Assuming your server OS is Unix/Linux-based, from the command shell (either directly or via ssh) execute the following command:

 

grep -r <search_pattern> <base_dir>

 

<search_pattern> is the string you are looking for. Please be careful to 'escape' regular expression symbols (like ".", "-", "'" etc.) with the "\" symbol, and also use the quote character (") if your search pattern includes spaces.

 

If there are non-printable characters you need to use their corresponding ASCII code encoded using "0x" notation (see example below).

 

<base_dir> indicates the base directory from which to search for the specified pattern.

 

"-r" means do a recursive search; in other words, look for the specified pattern in all files (and subdirectories) starting from <base_dir>.

 

Example:

 

grep -rP "\xA9 John\.Doe hacked code" ./

 

The above looks for "© John.Doe hacked code" in all files starting from the current (./) directory.

 

Please note that the copyright symbol (its ASCII value is A9 hex) is non-printable and therefore encoded, the dot (.) symbol is 'escaped' and the whole pattern is enclosed with quotes as it contains spaces.

 

Hope that helps!

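The two posts above describe a manual triage: find and delete the rogue .php shell, cat /etc/passwd and /etc/shadow for accounts that shouldn't be there, and use grep -r with escaped metacharacters to search file contents. As an added example that is not part of the thread, the script below does that triage end to end against a constructed sample web root and constructed passwd/shadow files written to temp directories, so it runs offline. The web-shell patterns, the sample file names and the account names (webadmin, sysadm) are assumptions for illustration, not anything recovered from the hacked site.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a hacked web root and the
# account files, following the advice above. All inputs here are constructed
# samples written to temp dirs; on a live box use /var/www, /etc/passwd and
# /etc/shadow instead.

# Print PHP files under $1 whose contents carry common web-shell idioms:
# eval() of a decoded payload, a command-execution call fed straight from a
# request parameter, preg_replace with the /e modifier, or a request
# parameter used as a function name.  Regex metacharacters ( [ $ are
# backslash-escaped as the grep post explains.  Output is sorted for diffing.
scan_webshells() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE \
            -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
            -e '(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
            -e "preg_replace[[:space:]]*\(.*/e['\"]" \
            -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
            {} + 2>/dev/null | sort
}

# Files under $1 modified within the last $2 days: the attacker's drops and
# edits cluster around the intrusion date, so this is the list to read first.
recent_files() {
    find "$1" -type f -mtime -"$2" | sort
}

# Accounts in a passwd file ($1) that have UID 0 but are not root.
# There should be none; any hit is a backdoor account.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts in a shadow file ($1) that hold a usable password hash, i.e. the
# hash field is neither empty nor locked with "!" or "*".  Everything listed
# that you did not create yourself should be removed.
password_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Constructed sample web root: one legitimate file and two planted shells.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/shop/images" "$sample_root/blog"
    # Legitimate: uses base64_decode, but not inside eval().
    cat > "$sample_root/blog/index.php" <<'EOF'
<?php
$title = base64_decode("SGVsbG8=");
echo "<h1>$title</h1>";
EOF
    # Shell hidden among the shop's image files.
    cat > "$sample_root/shop/images/thumb.php" <<'EOF'
<?php eval(base64_decode($_POST['c'])); ?>
EOF
    # Shell that uses a request parameter as the function to call.
    cat > "$sample_root/shop/cache.inc" <<'EOF'
<?php $f = $_GET['f']; $_GET['f']($_GET['a']); ?>
EOF
    echo "$sample_root"
}

# Constructed passwd and shadow files with one planted UID 0 account
# ("sysadm") holding its own password hash.  Hashes are placeholders.
make_sample_account_files() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:1000:1000:Web admin:/home/webadmin:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh
EOF
    cat > "$sample_dir/shadow" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
webadmin:$6$saltsalt$placeholderhash:19000:0:99999:7:::
sysadm:$1$zz$placeholderhash:19000:0:99999:7:::
EOF
    echo "$sample_dir"
}

# Run the triage against the constructed samples and clean up.
demo() {
    root=$(make_sample_tree)
    acct=$(make_sample_account_files)
    echo "== files with web-shell markers"; scan_webshells "$root"
    echo "== files modified in the last 7 days"; recent_files "$root" 7
    echo "== extra UID 0 accounts"; uid0_accounts "$acct/passwd"
    echo "== accounts with a usable password"; password_accounts "$acct/shadow"
    rm -rf "$root" "$acct"
}
demo
```

On a live server, run scan_webshells against the directory the shop lived in, and uid0_accounts /etc/passwd and password_accounts /etc/shadow as root, then compare the output with what you know you installed and created. The patterns catch the common shell idioms, not every obfuscation, so a clean scan is a reason to read the recently modified files next rather than proof the box is clean.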
