My site was HACKED BY EHSAN!

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

Went to my site today to see a number of new news articles on the front page showing this:

www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk

HACKED BY EHSAN!

It appears he has done no other damage, admin password still ok, and no new admin passwords etc, I can login to admin etc and delete those new news articles.

How did he do this and what can I do to prevent it happening again.

Can anyone help me.

I have tried to install Sentinel before but it kept locking me out, is there anything else I can do.

Please help, I am worried he will take my complete ite down and I do not have a current back up

Thanks in advance.

Captain Joined: Sep 13, 2003 Posts: 314

Do you have access logs, so you can see how the hacker did hack your site?

Another way than Sentinel to secure the site is to use the latest patches.
I have this in my .htaccess, which protects against hacks against admin.php and cross-scripting. Most hackers and hacker robots use cross-scripting it seems to me.:

<Files "admin.php">
Order allow,deny
Allow from XX.XXX.XX.XX
</Files>

RewriteEngine On

RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteRule ^.* - [F]

XX.XXX.XX.XX is your ip-address.

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

Hi yes I do have access logs but i wouldnt know what to look for.

I am a bit warey of updating with the latest patches as I have made so many modifications to my site.

If I use this:

<Files "admin.php">
Order allow,deny
Allow from XX.XXX.XX.XX
</Files>

How could I allow one of my admins to access it who is not on a fixed IP address.

Thanks for your help.

I have now backed up my database and I am in thye process of backing up my complete site which is just short of 1GB !!!

Is he likely to return and try to do more damage?

Don't these sad c**ts have anything better to do!?!?

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

I notice he also entered data into nuke messages.

Captain Joined: Sep 13, 2003 Posts: 314

If your admin has a dynamic address, but the first part is constant you can use the constant part. Like Allow from 132.28.103.

If you know the exact date and time, when the hacking occured it is just to check the logs for unusual or abnormal activity that time. If they use cross-scripting you could search the log for =http:// and you will find the attempt very easy.

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

I have checked the logs and there is nothing in them with =http, in fact there doesn;t appear to be anything unusual in them. Any ideas?

Thanks Mark.

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

OK, I found this:

38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "POST /admin.php HTTP/1.0" 302 213 "http://www.quadheaven.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "GET /admin.php?op=adminMain HTTP/1.0" 200 104261 "http://www.quadheaven.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

When I go to the link i get this:

Dear Webmaster:

If you followed referrer in your web log and found this link, please be ensured that we are not trying to mirror your site.

We are running an intelligent caching proxy network DynaWeb to help Interent users in China to get around Internet censorship in China. We try to block usage beyond this purpose. However, there are always few visits we missed.

If those visits to your websites through our network casue any further concern, please feel free to email to contact@dit-inc.us and we will be happy to make sure that your site can't be visited through our network.

You can find more links about our DynaWeb projects from here: http://www.dit-inc.us/

Sorry for any confusion this may caused.

But why would their spider etc try to login to my admin page?

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

makuks wrote:

OK, I found this:

38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "POST /admin.php HTTP/1.0" 302 213 "http://www.myurl.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "GET /admin.php?op=adminMain HTTP/1.0" 200 104261 "http://www.myurl.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

When I go to the link i get this:

Dear Webmaster:

If you followed referrer in your web log and found this link, please be ensured that we are not trying to mirror your site.

We are running an intelligent caching proxy network DynaWeb to help Interent users in China to get around Internet censorship in China. We try to block usage beyond this purpose. However, there are always few visits we missed.

If those visits to your websites through our network casue any further concern, please feel free to email to contact@dit-inc.us and we will be happy to make sure that your site can't be visited through our network.

You can find more links about our DynaWeb projects from here: http://www.dit-inc.us/

Sorry for any confusion this may caused.

But why would their spider etc try to login to my admin page?

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

And this one goes to my delete admins

38.105.86.202 - - [26/Aug/2008:12:38:53 +0100] "GET /admin.php?op=deladmin&del_aid=admin HTTP/1.0" 200 92056 "http://www.myurl.co.uk/admin.php?op=mod_authors" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

ANd this one actually trys to edit one of my admin usernames:

38.105.86.202 - - [26/Aug/2008:12:39:20 +0100] "GET /admin.php?op=modifyadmin&chng_aid=bansheeeee HTTP/1.0" 200 94544 "http://www.myurl.co.uk/admin.php?op=mod_authors" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

Those are the only dodgy parts i can find in a complete log of 40,000 rows.

Any thoughts please?

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

My admin now states that he is unable to login on his account with his username of admin and his password, he has been trying all day without success.

Interstingly his account is not a super user account which may suggest why they only placed messages on the front page of the site as his account does not allow him to do any more than this.

What would you suggest I do to stop this happening again.

Thanks

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

By the way, I put this in my .htaccess and I got a server error:

RewriteEngine On

RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteRule ^.* - [F]

Nuke Soldier Joined: Aug 26, 2008 Posts: 14

I guess I picked a bad day for support !!

Site Admin Joined: Aug 17, 2003 Posts: 12397

No one is available always immediately to answer your questions. So please be patient.

That IP address could be involved with DynaWeb (dit-inc.us), as they are hosted on "Performance Systems International Inc"
Then again, it is easy to fake such referrers

Your best bet is to install NukeSentinel to stop further hacks - http://www.nukescripts.net