Help: My website gets hacked DAILY

  • Mythos
  • Novice
  • Posts: 31

Post 3+ Months Ago

Hello,
First of all, thanks for reading this.
I'm running a website, http://www.halo-center.com
It was running great for months, but now some bastard decided to hack it.

I lost all my admin rights on the Geeklog system, and the featured news was: "Hacked, hacked by the unfurnate happy."

My forums were hacked the day before, but I upgraded them to a higher version.
I can't upgrade my Geeklog system, since then the template won't work on it anymore.

What can I do? I'm desperate.

This was his request:
Code:
//removed - - [04/Mar/2005:19:31:21 +0100] "GET
//moderator removed for your safety
HTTP/1.1" 404 45402 "-" "LWP::Simple/5.76"

I don't have a clue how to solve this.
What must I do?
I have the access log and error log; I can also post them if that is needed to help me.

Thanks so much in advance,
- Myth

  • Daemonguy
  • Moderator
  • Web Master
  • Posts: 2700
  • Loc: Somewhere outside the box in Sarasota, FL.

Post 3+ Months Ago

Looks like an SQL injection.

What is it you want? Just to come back up? Drop it, clean it, reload OS, reload newest version, rebuild.

You really have no idea, without a forensics investigation, how far people got into your system. Hacks are like cockroaches: if you see one, chances are more exist.

The IP you provided is an ISP called ipowerweb out of CA. However, I would bet it's a compromised IP.

In the meantime,

Code:
# block IP addresses of PHP/phpBB vulnerability attempts
    RewriteCond %{REQUEST_URI} ^(.*)\&rush=(.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi
    RewriteCond %{QUERY_STRING} ^(.*)\&rush=(.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi
    RewriteCond %{QUERY_STRING} ^(.*)echr\((.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi
    RewriteCond %{QUERY_STRING} ^(.*)wget%20(.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi
    RewriteCond %{QUERY_STRING} ^(.*)perl%20(.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi
    RewriteCond %{QUERY_STRING} ^(.*)system\((.*) [NC]
    RewriteRule ^.*$ /z/blk_php_worm.cgi

Add to your httpd configs.
[from: http://voidmain.is-a-geek.net/forums/vi ... c&start=15]
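Added example (not from the thread or from the voidmain rules): a small Python scanner that applies the same patterns the RewriteCond rules above block to Apache combined-format access log lines, like the one Mythos posted, so the existing access log can be checked for earlier probes. The log lines are constructed (TEST-NET addresses, made-up paths); `chr\(` is assumed to be what the posted `echr\(` rule meant.

```python
import re
from urllib.parse import unquote

# Apache combined log format, the same layout as the access-log line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The patterns from the RewriteCond rules, applied to the URL-decoded request target.
# The posted rule reads "echr\("; "chr\(" is used here on the assumption that was a typo.
SUSPICIOUS = [
    ("rush", re.compile(r"&rush=", re.I)),
    ("chr(", re.compile(r"chr\(", re.I)),
    ("wget", re.compile(r"\bwget\s", re.I)),
    ("perl", re.compile(r"\bperl\s", re.I)),
    ("system(", re.compile(r"system\(", re.I)),
]

def scan_line(line):
    """Return (ip, agent, [reasons]) if the request looks like a PHP worm probe, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line; ignore rather than guess
    target = unquote(m.group("target"))  # decode %20 etc. so "perl%20" becomes "perl "
    reasons = [name for name, rx in SUSPICIOUS if rx.search(target)]
    if m.group("agent").startswith("LWP::Simple"):  # the user agent in the posted log line
        reasons.append("LWP::Simple agent")
    return (m.group("ip"), m.group("agent"), reasons) if reasons else None

def scan(lines):
    """Run scan_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]

# Constructed sample lines; these are not from the thread's logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2005:19:31:21 +0100] "GET /forum/viewtopic.php?t=5&rush=perl%20x HTTP/1.1" 404 45402 "-" "LWP::Simple/5.76"',
    '198.51.100.7 - - [04/Mar/2005:19:32:02 +0100] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Mar/2005:19:33:10 +0100] "GET /index.php?x=system(id) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, agent, reasons in scan(SAMPLE_LOG):
        print(ip, agent, ", ".join(reasons))
```

Feed it the real access log with `scan(open("access_log"))` to list which source addresses sent matching requests and when.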
  • Mythos
  • Novice
  • Posts: 31

Post 3+ Months Ago

I want to disable the SQL injection, actually.
I just want to fix the bug.
I do not own the server; maybe the host will add it, but I don't think so.
Does it disable proxies or anything?
And what is a compromised IP? (A fake one, via proxy?)

I've done some investigation though: he hacked the theme settings, like the theme colour and all the things in the MySQL databases, and he also hacked the visit data of the topsite list.

Thank you,
- Myth
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

I'm assuming your forums were phpBB. The hacker probably took advantage of a known SQL injection vulnerability in phpBB forum versions prior to 2.0.11, which I believe is what I saw before I edited your post. The fact that you upgraded after the first hack is pointless; the damage was already done.

Your best course of action now is to get your host to restore both your forum files, etc., and your database to a point in time prior to the first hack.

That should restore you to a "pre-hack" state. Then immediately change all your admin passwords, including your database user access password (you'll need to modify your config.php file to reflect the database password change).

Then, immediately after, upgrade to the current version, 2.0.13.

Getting your host to restore you prior to the hack date is probably your only option at this point unless you yourself have good backups of your files and database prior to the hack.
  • Mythos
  • Novice
  • Posts: 31

Post 3+ Months Ago

No, after the first hack I restored a full backup (from a state in which nothing had ever been hacked) and then upgraded my forum. But then, after that, the hacker hacked my Geeklog site system.
And yes, I use phpBB.

Is there a way not to lose all members and posts?

Thanks in advance,
- Myth
  • Mythos
  • Novice
  • Posts: 31

Post 3+ Months Ago

Sorry for the double post.
If I do a fresh install, change passwords as you say, and use the newest version of everything, would that then be safe?
  • Mythos
  • Novice
  • Posts: 31

Post 3+ Months Ago

OK, I updated my forum and changed passwords.
And guess what?
http://www.halo-center.com Hacked AGAIN.
He stole my admin account, myth.

Now what?
  • Daemonguy
  • Moderator
  • Web Master
  • Posts: 2700
  • Loc: Somewhere outside the box in Sarasota, FL.

Post 3+ Months Ago

As I said, without a proper forensics investigation, the detail of assistance provided herein may be lacking.

I would delete the 'myth' account, as well as all super user accounts.

Create new ones. Provided you have patched the application(s) and verified the system is clean, you should be ok then.

Cheers.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.