dscotese (Members, 16 posts)
  1. My files were hacked again at about 4:10am Pacific time.
  2. I believe the hack being discussed here involves the addition of code that looks like this: // #(a hex code)# Some actual injected malicious code (I think it's part of a DOS attack) // #(that hex code again)# This gets inserted into HTML pages just after the body tag. It gets inserted to the end of php files, or perhaps just before the first code closure (?>). This happened to my files today (6/14, around 1pm Pacific time), but I have repaired it. I mention it because the theory seems to be that the hole has been plugged. Perhaps they found another one, or perhaps the hack on my account is different from the one being discussed. I detect these changes using a cron job that does an ls of my entire account to a file and compares it to the one generated the previous day. It's a nice simple review of any changes made to my files. If anyone wants it, contact me. Makes it easy to find and repair the damage (using my local copy of my account).
  3. I found this problem on my server (tyson) several weeks ago. I use a cron job to run a diff between the previous day's dir listing (of everything) and the current dir listing, and that's how I caught the problem. I worried that my own laptop had been compromised and they got my password. I'm glad this thread showed up, so now I know it's unlikely that my password is compromised. Database passwords are nearly always stored in code, which I believe was accessible to the hacker, so I'd recommend changing them. There were files other than index.php in my account that I had to restore from my local copy. I also created a self-healing mechanism so that if the write time on my main index.php file changed, it would restore itself from a backup. I can post more info about these two solutions if anyone is interested. Oh, and I'm also available if anyone needs a good software guy. Dave.
  4. Suggestion!! Hey TCH, I bet you have at least one spare server. Build it with PHP5, and then ask for volunteers to set their sites up on it. You could make these very limited accounts, subject to deletion and re-creation at any time (yeah, the lawyers are gonna love writing the TOS for the beta server!). This would allow the industrious among your customers to help work out the kinks that will come along. Your staff could also choose a few accounts to duplicate onto the/a PHP 5 server, and then just let those account holders know that their site is available on a second URL and that it shows them how things will change (if they change at all) when you move to PHP5. Pick a cut-off date, and then encourage customers to fully commit to the PHP5 platform by either offering a temporary price break or demanding a higher fee for continued use of PHP4. Oh crap, what did I just say? Forget that last bit. Dave.
  5. I know that a lot of "free" services out there are only monetarily free. They charge you nothing, but they offer something that requires you to provide an email address that you'll check regularly. That way, they can sell the email address as a valuable connection to your attention. If you pay for the service, however, it is likely that the provider will be making more money by keeping you as a customer than by allowing spam to come to you because of them. I just checked ipcheck.com and got a page that says "site closed". I consider my $4/month to TCH extremely well spent, and I trust them to keep my email address private. Of course, if you were paying a service fee to ipcheck.com, then none of this applies :-). Dave.
  6. 

```php
<?php
/* Put the following into your .htaccess file.
 * If you already have order and deny lines,
 * simply add a new deny line for badip.
 * -----------------------------------------------
## Prevent web clients from accessing any .ht* file.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
##Start Bad IPs - The script uses the End line, so
## DO NOT ALTER IT
##End Bad IPs
order deny,allow
deny from env=badip
 * -----------------------------------------------
 * Save this file under any name that only hackers will
 * access.
 */
// Note that this is the .htaccess file in the same directory.
// You can place it in a parent directory to block access to
// subdirectories other than this one. That means you'll
// have to put in the correct path for $file.
// Make sure permissions on .htaccess allow it to be written.
// ---------------------------------------------------------------
$file = "./.htaccess";
// The mode must be a quoted string; a bare rb/wb is an undefined constant.
$fp = fopen($file, 'rb') or die("cannot open $file for reading");

// Read the file under a shared lock (fread with length 0 is an error,
// so an empty .htaccess is handled separately).
flock($fp, LOCK_SH);
$data = filesize($file) > 0 ? fread($fp, filesize($file)) : '';
flock($fp, LOCK_UN);
fclose($fp);

// Modify $data here.
// Add new Bad IP above the line ##End Bad IPs
// Note this code will add the bad IP above every occurrence of that line.
$badIp = $_SERVER['REMOTE_ADDR'];
// preg_quote escapes the dots in the address so the SetEnvIf regex
// matches it literally; the address is anchored with ^ and $.
$data = preg_replace(
    '/^##End Bad IPs$/m',
    "SetEnvIf REMOTE_ADDR \"^" . preg_quote($badIp) . "\$\" badip\n##End Bad IPs",
    $data
);

echo "<br /><br />";
// Escape before echoing so the directives display as text rather than
// being parsed as HTML tags.
echo "New file:<br />" . nl2br(htmlspecialchars($data));

// Write the modified file under an exclusive lock.
$fp = fopen($file, 'wb') or die("cannot open $file for writing");
flock($fp, LOCK_EX);
fwrite($fp, $data);
flock($fp, LOCK_UN);
fclose($fp);
?>
```

-Dave Scotese.
  7. Thanks guys, I placed a hash (#) in front of the SetEnvIf Host line to comment it out. The requests still show up in the list, but "size" is '-' so I guess that means it was blocked, right? I guess I'll see my bandwidth go down a lot now. Thanks!
  8. I've whittled my .htaccess file down to this:

```apacheconf
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
#<Limit GET POST>
#order deny,allow
#deny from all
#allow from all
#</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
#AuthName www.consensusseekers.com
#AuthUserFile /home/consens/public_html/_vti_pvt/service.pwd
#AuthGroupFile /home/consens/public_html/_vti_pvt/service.grp
DirectoryIndex index.php index.html index.htm default.htm
##EE Spam Block
SetEnvIfNoCase Referer .*adrugsforyoubabe.* BadRef
SetEnvIf Referer ".*(www\.litmocracy\.com).*" GoodHost
SetEnvIf Host ".*(www\.litmocracy\.com).*" GoodHost
order deny,allow
deny from env=BadRef
deny from env=BadIP
allow from env=GoodHost
##End EE Spam Block
```

However, cPanel last 300 visitors still shows hits from referers with adrugsforyoubabe in the URL. TCH's Jessica Jose suggested that something was wrong with my file before I whittled it down. Is there something wrong with this new version? Any help would be appreciated.