

Please help me recover from apparently being hacked.





_ocalhoun_
Symptom: A user of my site brought to my attention that it is not working right now. An error in a particular php file occurs in my phpbb installation. I have changed nothing in that installation for over a year, and now it has syntax errors!

Diagnosis:
I notice that the particular file that contains the error was edited just two days ago, though I know I didn't touch it at all. Other files were edited at the same time. I might have been hacked.

Solution: Restore files from backup copy

Problem with solution: both files have permissions of 644 (common to most of the original files), but they also have ownership of 'root', which makes those files unique. This means that I cannot change the permissions of those files, or delete them so they can be replaced. I have tried deleting them both by FTP and by directadmin; neither will allow it.

Solution to problem: Please go into the files of onet.frih.net using root privileges and delete these files:
/domains/onet.frih.net/public_html/community/includes/functions.php
/domains/onet.frih.net/public_html/community/includes/index.htm
/domains/onet.frih.net/public_html/community/language/index.htm
/domains/onet.frih.net/public_html/community/language/lang_english/index.htm
/domains/onet.frih.net/public_html/community/language/lang_english/email/index.htm
/domains/onet.frih.net/public_html/community/templates/index.htm
/domains/onet.frih.net/public_html/community/templates/subSilver/index.htm
/domains/onet.frih.net/public_html/community/templates/subSilver/images/index.htm
/domains/onet.frih.net/public_html/community/templates/subSilver/admin/index.htm
/domains/onet.frih.net/public_html/community/templates/subSilver/admin/index_frameset.tpl
/domains/onet.frih.net/public_html/community/templates/subSilver/admin/page_footer.tpl
/domains/onet.frih.net/public_html/community/images/index.htm
/domains/onet.frih.net/public_html/community/images/avatars/index.htm
/domains/onet.frih.net/public_html/community/images/avatars/gallery/index.htm
/domains/onet.frih.net/public_html/community/templates/digiTech/index.htm
/domains/onet.frih.net/public_html/community/templates/digiTech/admin/index.htm
/domains/onet.frih.net/public_html/community/templates/digiTech/admin/index_frameset.tpl
/domains/onet.frih.net/public_html/community/templates/digiTech/admin/page_footer.tpl
/domains/onet.frih.net/public_html/community/templates/digiTech/images/
/domains/onet.frih.net/public_html/community/docs/codingstandards.htm
/domains/onet.frih.net/public_html/community/docs/README.htm
/domains/onet.frih.net/public_html/community/docs/INSTALL.htm
/domains/onet.frih.net/public_html/community/docs/FAQ.htm
/domains/onet.frih.net/public_html/community/docs/CHANGELOG.htm
/domains/onet.frih.net/public_html/community/db/index.htm
/domains/onet.frih.net/public_html/community/cache/index.htm

Then tell me that they've been deleted (preferably by e-mail: equinedream@lavabit.com) so that I can replace them with correct backup files. I realize that this is a lot of trouble, to delete so many files, but it is very important to me, and could even perhaps be a security risk to the whole server. All of these files could contain malicious code, and I can't delete them.


I'm posting this as a guest because my current internet connection is intermittent. So, if I did log on, I might soon be logged off and back on again, which would erase the history of what threads I've read, which could cause me to miss things.
To prove that I actually am ocalhoun, and not an impostor trying to get some files deleted for sheer mischief, I'll give you something only I could get, that you can verify, and that is safe for everyone to see:
Line number 50 in /domains/equinedream.org/public_html/stories/c_auth_edit.php is:
Code:
   if ($ad_type == "custom") //only try to get the ad file if there actually is one.

Nobody else worked on those files, and nobody else could download the php file and read it.

Thank you!
mOrpheuS
If the files are owned by root, they can only be modified/deleted by Bondings.

However, in the meantime, you could rename the top level "community" folder to something else and re-upload the "community" folder from a backup.
Bondings
I removed the files in question.

I also removed a few other files.

digiTech/images/index.htm (I guess that's what you wanted, it was root)
digiTech/simple_header.tpl
digiTech/overall_header.tpl

I'm still investigating this issue. The best thing to do is to restore everything from backups I guess since there are a lot of other files owned by root and probably infected.
ocalhoun_
Thank you!
My forum is back online now, though I'll need to re-do some changes I made (the backups were a little old).

Oh, and it looks like a few of the files were missed:
Quote:

550 index.htm: Permission denied :
/domains/onet.frih.net/public_html/community/templates/index.htm
550 index.htm: Permission denied : /domains/onet.frih.net/public_html/community/templates/subSilver/index.htm
550 overall_footer.tpl: Permission denied : /domains/onet.frih.net/public_html/community/templates/subSilver/overall_footer.tpl
550 simple_footer.tpl: Permission denied : /domains/onet.frih.net/public_html/community/templates/subSilver/simple_footer.tpl
550 index.htm: Permission denied : /domains/onet.frih.net/public_html/community/admin/mods/easymod/em_includes/index.htm
550 page_footer.tpl: Permission denied : /domains/onet.frih.net/public_html/community/admin/mods/easymod/templates/page_footer.tpl

Also, most of the files in the /docs folder were not deleted; you could delete that whole folder if you wanted to, to save time.
Luckily, none of the files in the new list there are used in the normal operation of the forum, so you can leave them there if you like, or, if you think they are still a security risk, delete them.

Thank you for helping me out! I'll be back posting logged in as soon as I can manage to snag a reliable connection.
Bondings
I removed the 5 files.
Bondings
I checked it a bit and it seems like there are still a lot of infected files on your account, maybe 100 or so. I think it would be better to completely remove all files and restore them from a backup.
rvec
Have you checked any of the files to see what was modified?
Maybe something in the system just went wrong and you can do a chown -R?
ocalhoun
Bondings wrote:
I checked it a bit and it seems like there are still a lot of infected files on your account, maybe 100 or so. I think it would be better to completely remove all files and restore them from a backup.

I'll have to look and see what else is changed... It seemed like that forum was the only part affected, but I guess I was wrong. Besides a few other things, that's the only thing I actually use on it, so I may be deleting quite a lot (or coming back for help to delete them, when the ownership is somehow root).

@rvec
No, I didn't check what exactly was changed... I suppose some malfunction could have caused the change in permissions (if it lost track somehow of who owned the file, defaulting it to root would be safest, yes?), but what could have changed the one php file to suddenly make it have syntax errors?
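As an added example (not code from this thread or from phpBB), a small POSIX sh script that answers rvec's question directly: it lists which live files differ from a known-good backup and which live files are not owned by the site account, so the owner can see what actually changed before deleting or restoring anything. Directory names and sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compare a live phpBB tree against a
# known-good backup and flag files whose owner is not the site account.

# Print files in the live tree not owned by the current (site) user.
# In the thread these were the root-owned files the owner could not delete.
list_foreign_owned() {
    find "$1" -type f ! -user "$(id -un)"
}

# Compare live tree against backup: one "added", "removed" or "modified"
# line per file. Content is compared with cmp, because mtimes can be set
# to anything and a changed timestamp alone proves little.
list_changes() {
    live=$1; backup=$2; tmp=$(mktemp -d)
    (cd "$live" && find . -type f | sort) >"$tmp/live"
    (cd "$backup" && find . -type f | sort) >"$tmp/backup"
    comm -23 "$tmp/live" "$tmp/backup" | sed 's/^/added /'
    comm -13 "$tmp/live" "$tmp/backup" | sed 's/^/removed /'
    comm -12 "$tmp/live" "$tmp/backup" | while IFS= read -r f; do
        cmp -s "$live/$f" "$backup/$f" || echo "modified $f"
    done
    rm -rf "$tmp"
}

# Constructed sample: a backup copy and a live copy showing the kinds of
# change described in the thread (a PHP file with a garbled append that
# breaks its syntax, a dropped-in index.htm, a template that went missing).
make_sample() {
    root=$(mktemp -d)
    for side in backup live; do
        mkdir -p "$root/$side/includes" "$root/$side/templates"
        printf '<?php\nfunction foo() { return 1; }\n' \
            >"$root/$side/includes/functions.php"
        printf 'ok\n' >"$root/$side/templates/overall_header.tpl"
    done
    printf 'injected-garbage ;;\n' >>"$root/live/includes/functions.php"
    printf '<html></html>\n' >"$root/live/templates/index.htm"
    rm "$root/live/templates/overall_header.tpl"
    echo "$root"
}

# Demo run: prints the three differences between the constructed trees.
sample=$(make_sample)
list_changes "$sample/live" "$sample/backup"
```

Run it against the real paths as the site account (for example `list_changes /path/to/live/community /path/to/backup/community`); anything it reports as added or modified is what to inspect or restore first, and `list_foreign_owned` gives the list to hand to whoever has root.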
© 2005-2011 Frihost, forums powered by phpBB.