[RESOLVED] Hacked site shows path in logs that I can't find

This is where you'll find security-related information.
Discuss IntegraMod/phpBB security issues here.

Moderator: Integra Moderator


PostAuthor: hornakapopolis » Sat Oct 07, 2006 10:09 am

I'm helping out with a site that was hacked (because I've used IntegraMod a lot, not because I know what I'm doing). Here's a quick rundown of the situation.

The site was hacked, so the current webmaster went through looking for files that didn't belong. He thinks he got them all.
A couple of days later, he got an e-mail saying that his site had been hacked and giving this address:

.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured152388884&Update/index.htm

That page didn't load.

This morning, this URL was in his logs:

.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured15

He doesn't remember deleting anything out of the avatars directory, but he might have just forgotten.

We have FTP access and File Manager access through cPanel. If we're not seeing it, it's not there, right? I'd rather hear it from a knowledgeable person's mouth than rely on my common sense. I realize that doesn't mean it's not coming back, but as for right now...
Last edited by hornakapopolis on Mon Oct 30, 2006 10:55 am, edited 1 time in total.


PostAuthor: suicico » Sat Oct 07, 2006 1:11 pm

I answer only 'cause my sense is not common :D
Anyhow, good luck solving this.

PostAuthor: computerz » Sat Oct 07, 2006 2:39 pm

Check all files and subdirectories in images/avatars and compare them with a clean install. For example, download a clean version of IntegraMod and compare its images/avatar directory.

Sometimes the hacker will include a file that doesn't look suspicious but which is actually a script. For example, a .jpg file may not actually be a picture but a script. They may also do stuff like put a .htaccess file in there that doesn't belong, etc.

So just double check the folder and look for stuff that doesn't belong.

Also, you should download PuTTY so you can see your files from the command line. You should have some kind of shell access to your server, because in some cases a hacker will upload bits which can't be deleted through FTP; you will need shell access to see and delete the files.
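The comparison computerz describes above, written out as an added example that is not part of the original thread: it walks a live avatar directory (dotfiles included), compares it with a clean copy, and checks that files with image extensions really start with image data. The function names, file names and sample contents are constructed for illustration, and it assumes a clean copy of the directory has been unpacked next to the live one.

```python
import os, tempfile

# Leading bytes of the image types an avatar directory is expected to hold.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def audit(live, clean):
    """Compare a live avatar tree with a clean copy; return (path, reason) pairs."""
    found = []
    for dirpath, dirs, files in os.walk(live):  # os.walk lists dotfiles too
        for name in dirs:
            rel = os.path.relpath(os.path.join(dirpath, name), live)
            if not os.path.isdir(os.path.join(clean, rel)):
                found.append((rel, "directory not in clean install"))
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), live)
            data, ref = read(os.path.join(live, rel)), os.path.join(clean, rel)
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_MAGIC:  # uploaded avatars are expected: check content
                if not data.startswith(IMAGE_MAGIC[ext]):
                    found.append((rel, "image extension but not image data"))
                elif b"<?php" in data.lower():
                    found.append((rel, "image with embedded PHP tag"))
            elif not os.path.isfile(ref):
                found.append((rel, "non-image file not in clean install"))
            if os.path.isfile(ref) and read(ref) != data:
                found.append((rel, "differs from clean install"))
    return sorted(found)

def demo():
    """Build a constructed clean/live pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        samples = {  # constructed sample files, not taken from the thread
            clean: {"index.htm": b"<html></html>"},
            live: {"index.htm": b"<html></html>", "user1.gif": b"GIF89a\x01\x00",
                   "photo.jpg": b"<?php /* placeholder */ ?>",
                   ".htaccess": b"# placeholder", "extra/index.htm": b"<html>x</html>"}}
        for root, tree in samples.items():
            for rel, data in tree.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return audit(live, clean)
```

Run `audit(live_dir, clean_dir)` from a shell session on the server itself, and review each finding by hand before deleting anything.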

PostAuthor: hornakapopolis » Mon Oct 30, 2006 10:55 am

Thanks for the help, all.

