| Author |
Message |
Plasma New Member


Joined: May 17, 2005 Posts: 10
|
Posted:
Tue Jun 09, 2009 9:48 am |
|
Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:
after removing that code, the site worked fine.
so my questions are: what is it and what will it do and more importantly, how do I find out who did it?
thx for any ideas. |
|
|
|
 |
ToolBox Regular


Joined: Mar 16, 2005 Posts: 74
|
Posted:
Tue Jun 09, 2009 11:42 am |
|
That hacking happens at the system level, not the phpnuke level.
Very recently, those types of hacks are all across the planet.
First off, with such types of hacking it is not possible to change your files directly from the php engine, but it happens in /tmp/ files and SSH hacks.
A similar hack is online casino spam. These online casino spammers are really and deadly critical. If your server or hosting directory has some odd php file names in hidden mode such as cas.t.ph, p.ost.php etc, they are all parasitic spammers and your hosting or your email accounts exposed within your site will be reported as abusive spammers.
Primarily, your hosting services are in charge.
Secondly, you may change the 644 permission on all index.html files. (If your server account got hacked, this does not work.)
Thirdly, put .htaccess.
Now, I would like you to open the raw logs of your Apache or any type of web-server engine. Find the IPs that scratched your files, and put the C class IPs in your .htaccess.
I wrote under the assumption that you are running *NIX machines. Windows servers are more or less different. |
|
|
|
 |
ToolBox Regular


Joined: Mar 16, 2005 Posts: 74
|
Posted:
Tue Jun 09, 2009 11:44 am |
|
Online casino IPs are captured and reported on security sites.
So, find them and add blocking IPs in your web-server engine. That is not related to your nuke. |
|
|
|
 |
evaders99 Former Moderator in Good Standing

Joined: Apr 30, 2004 Posts: 3221
|
Posted:
Tue Jun 09, 2009 7:07 pm |
|
Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in |
|
|
|
 |
Plasma New Member


Joined: May 17, 2005 Posts: 10
|
Posted:
Wed Jun 10, 2009 2:58 pm |
|
| evaders99 wrote: | | Looks like someone tried to put their Google Analytics code all over your pages. You'll need to go through your server access logs to determine how this guy got in |
how do I find this out using the logs?
my index.php file always has 644 permissions. can I change that to 444? |
|
|
|
 |
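One way to do the log search asked about above, as an added example that is not part of the original thread: take the modification time of a tampered index.php and list successful POST/PUT requests to .php files in the minutes before it, grouped by the "C class" network ToolBox mentions. The log lines, paths, time window and function names are constructed for illustration and assume Apache's common/combined log format with IPv4 clients.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined format: client IP, [timestamp], "METHOD path ...", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jun/2009:03:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [09/Jun/2009:03:11:40 +0000] "POST /uploads/a.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.45 - - [09/Jun/2009:03:12:02 +0000] "POST /uploads/b.php?x=1 HTTP/1.1" 200 87 "-" "-"',
    '192.0.2.10 - - [09/Jun/2009:03:13:00 +0000] "POST /admin.php HTTP/1.1" 403 210 "-" "-"',
    '203.0.113.45 - - [08/Jun/2009:22:00:00 +0000] "POST /uploads/a.php HTTP/1.1" 200 10 "-" "-"',
]

def requests_before_change(log_lines, modified_at, window_minutes=10):
    """Successful POST/PUT requests to .php files shortly before modified_at."""
    start = modified_at - timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        script = m["path"].split("?", 1)[0]  # ignore the query string
        if (start <= ts <= modified_at and m["method"] in ("POST", "PUT")
                and script.endswith(".php") and int(m["status"]) < 400):
            hits.append((ts, m["ip"], m["path"]))
    return hits

def group_by_class_c(hits):
    """Group hit paths by the first three octets of the client IPv4 address."""
    groups = defaultdict(list)
    for _ts, ip, path in hits:
        groups[".".join(ip.split(".")[:3])].append(path)
    return dict(groups)

if __name__ == "__main__":
    # On a real site: datetime.fromtimestamp(os.path.getmtime("index.php"), timezone.utc)
    changed = datetime(2009, 6, 9, 3, 15, tzinfo=timezone.utc)
    hits = requests_before_change(SAMPLE_LOG, changed)
    for net, paths in group_by_class_c(hits).items():
        print(net + ".0/24", paths)
```

If the window comes back empty, the change probably did not arrive through the web server, and the FTP or control panel logs are the ones to read next.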
Plasma New Member


Joined: May 17, 2005 Posts: 10
|
Posted:
Wed Jun 10, 2009 3:10 pm |
|
okay, found this in one file:
HackeD By ChaLLenGer
anyone know this guy so I can ram my foot down his throat  |
|
|
|
 |
nuken RavenNuke(tm) Development Team

Joined: Mar 11, 2007 Posts: 1435 Location: North Carolina
|
Posted:
Wed Jun 10, 2009 3:23 pm |
|
I had a similar situation a while back on a server that was not well protected. They uploaded the files through Before I switched servers, I changed all my control panel and ftp usernames and passwords using random combinations of numbers and letters changing to uppercase and lowercase. I did not get hacked again. |
|
|
|
 |
montego Former Admin in Good Standing

Joined: Aug 29, 2004 Posts: 9070 Location: Arizona
|
Posted:
Wed Jun 10, 2009 7:19 pm |
|
yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills.  |
|
|
|
 |
Unit1 Worker


Joined: Oct 26, 2004 Posts: 134 Location: Boston
|
Posted:
Wed Jun 10, 2009 8:38 pm |
|
| montego wrote: | yeah, sounds like you may need some help from your host too to find out how they got in and how to secure the server. I know that I am not supposed to "hate", but I sure wish these jokers would find something good to do with their skills. |
I agree |
|
|
|
 |
Plasma New Member


Joined: May 17, 2005 Posts: 10
|
Posted:
Sat Jun 20, 2009 9:28 am |
|
server host won't do anything (lunarpages.com)..
also, the hacker has changed the script:
isn't there anything I can do to track who is doing this?
also, it looks like it's some sort of script that does all the index.php files at the same time. he also hacked into an auth.php file |
|
|
|
 |
nuken RavenNuke(tm) Development Team

Joined: Mar 11, 2007 Posts: 1435 Location: North Carolina
|
Posted:
Sat Jun 20, 2009 9:50 am |
|
Do you have a folder in your root file system that is not a part of RavenNuke? One that was put there by the hacker? Compare your directory and see if that is how they are attacking your site. |
|
|
|
 |
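The directory comparison suggested above, as an added example that is not part of the original thread: hash every file on the live site and in a freshly unpacked clean copy of the same release, then report files that exist only on the live site and files whose content differs. The function names, the sample tree and the choice to skip config.php as site-specific are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map every file under root (dotfiles included) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_clean(live_root, clean_root, site_specific=("config.php",)):
    """Return (added, modified) relative paths of the live site vs. the clean copy."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(
        p for p in live
        if p in clean and live[p] != clean[p] and p not in site_specific
    )
    return added, modified

def _write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)

def demo():
    """Constructed sample: a clean tree and a tampered live copy of it."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    originals = {
        "index.php": b"<?php // front page\n",
        os.path.join("modules", "News", "index.php"): b"<?php // news\n",
        "config.php": b"<?php // default settings\n",
    }
    for rel, body in originals.items():
        _write(os.path.join(clean, rel), body)
        _write(os.path.join(live, rel), body)
    # Tampering: appended content, an expected local edit, and a hidden extra file.
    _write(os.path.join(live, "index.php"), originals["index.php"] + b"<!-- appended -->\n")
    _write(os.path.join(live, "config.php"), b"<?php // this site's settings\n")
    _write(os.path.join(live, "images", ".cache", "p.php"), b"<?php // not in release\n")
    return compare_to_clean(live, clean)

if __name__ == "__main__":
    added, modified = demo()
    print("not in clean copy:", added)
    print("changed:", modified)
```

Because `os.walk` does not skip dot-directories, files placed "in hidden mode" show up in the first list along with any other additions.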
bdmdesign Worker


Joined: May 11, 2009 Posts: 151 Location: Winsen/Luhe; Germany
|
Posted:
Tue Oct 13, 2009 3:35 am |
|
| Plasma wrote: | Woke up this morning with a website that didn't work. After investigating, somehow someone added code to every index.php file. The code is:
after removing that code, the site worked fine.
so my questions are: what is it and what will it do and more importantly, how do I find out who did it?
thx for any ideas. |
Change ALL your Passwords on your Server (root, user, database and the RN) like this:
N%gt638Dmls!hDrg645mlH
or this:
Ngt638DmlshDrg645mlH
DON'T use Names and Names Numbers Combinations !!!!!
Best Regards
Peter |
|
|
|
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Tue Oct 13, 2009 2:31 pm |
|
bdmdesign,
Great advice ! |
|
|
|
 |
bdmdesign Worker


Joined: May 11, 2009 Posts: 151 Location: Winsen/Luhe; Germany
|
Posted:
Tue Oct 13, 2009 5:07 pm |
|
@ Raven:
Thanks, most people use unsafe passwords like this:
cabonara, cabo1856nara, 45cabonara56
Best Regards
Peter |
|
|
|
 |
slackervaara Worker


Joined: Aug 26, 2007 Posts: 234
|
Posted:
Tue Oct 13, 2009 10:20 pm |
|
Read about how hackers with spyware on your PC can find out your FTP password and then introduce scripts on your site that modify index.php:
I have stopped this possibility by using KeePass Professional to encrypt my usernames and passwords, and I don't use FileZilla any longer, but instead the web hotel's FTP program from the control panel, which is secured. |
|
|
|
 |