| Author |
Message |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Mon Mar 03, 2008 6:49 am |
  |
Hi
Someone is hacking my web 7.6, 3.3 patch
every day... about two times. He substitutes my index page with his index... and I don't know what to do. I have the latest version of Sentinel too.
Another thing is he has access to upload files somewhere in my FTP, like this:
| Code: |
<?php
#--Config--#
$login_password='';#Login password
$IP=array();#Allowed users [$IP=array('192.168.100.5','192.168.100.9');]
#----------#
error_reporting(0);
ignore_user_abort(true);
set_time_limit(0);
|
etc...etc... |
|
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12344
|
Posted:
Mon Mar 03, 2008 10:46 am |
  |
My guess is that he hacked once - and installed a backdoor to allow continued access.
You'll need to check your error logs to see how he got in. Restore a clean backup if you have one. Delete any old or vulnerable scripts. |
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding |
|
     |
 |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Tue Mar 04, 2008 11:20 am |
  |
Yes... but... I clean out malicious scripts every day... the date tells me if it is a new file...
Anything more as a solution? |
|
|
   |
 |
Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 256
|
Posted:
Tue Mar 04, 2008 11:42 am |
  |
I had earlier problems with hackers that put their own index.php and config.php on my site. I studied the logs and found out that they used an upload program from an addon module to do that. In .htaccess I restricted the use of this upload program to my own IP address and the hacking stopped completely. Do you use any gallery or chat program that could provide an upload function? |
|
|
   |
 |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Wed Mar 05, 2008 4:03 am |
  |
Yes... sexy or not... someone put files there in the images directory like this:
name.php.jpg
These are backdoors detected by my antivirus...
Please post your .htaccess configuration |
|
|
   |
 |
Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 256
|
Posted:
Wed Mar 05, 2008 5:36 am |
  |
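Let's say that the program used for upload is called imageupload.php and is situated in modules/Gallery/:
At the top of the .htaccess in the root (where config.php and index.php are) I have:
<Files "imageupload.php">
# deny,allow: Deny is evaluated first, then Allow overrides it for the listed address.
# (With "Order allow,deny" the "Deny from all" wins and every address is refused.)
Order deny,allow
Deny from all
Allow from XX.XXX.XXX
</Files>
XX.XXX.XXX is the IP address.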
The .htaccess is valid for all subfolders, but not if a .htaccess is present in a folder or a subfolder. |
|
|
   |
 |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Wed Mar 05, 2008 12:29 pm |
  |
I discovered another thing: one of the files he uploaded is based on a script named "PhpJackal"... I used this as chain.php and executed it on my web:
www.dgirones.com/chain.php
and it's incredible, the hacker can do anything... rename, delete, upload... etc... scan FTP, brute force... anything!
If someone wants the PHP, give me your e-mail... |
|
|
   |
 |
Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 256
|
Posted:
Wed Mar 05, 2008 12:36 pm |
  |
On my site similar scripts were also uploaded and in fact more frequently than I was hacked, but this also stopped after I added this in .htaccess. |
|
|
   |
 |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Thu Mar 06, 2008 12:42 am |
  |
|
   |
 |
Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 256
|
Posted:
Thu Mar 06, 2008 1:10 am |
  |
He seems to come from an Arabic country and I would guess Iran, as it is the biggest also. I have had problems with Iranian hackers earlier. Maybe you could block Iran via .htaccess?
http://blockacountry.com/index.php
It is also good to block proxy servers in .htaccess, because hackers often use them:
RewriteEngine On
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^.* - [F] |
|
|
   |
 |
deadko
Nuke Cadet


Joined: Mar 03, 2008
Posts: 6
|
Posted:
Fri Mar 07, 2008 6:58 am |
  |
No way
I put it all in .htaccess and nothing... he always has access
and now I cannot enter my index page... you can see it
www.dgirones.com |
|
|
   |
 |
Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 256
|
Posted:
Fri Mar 07, 2008 7:31 am |
  |
Something must have been wrong, as all IPs seem to be denied from your site. I suggest that you remove this .htaccess and put back the previous one. Your site will work then. Copy the text of your malfunctioning .htaccess in a Private message to me and I will try to see what is wrong in it. |
|
|
   |
 |
|
|
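Added example (not part of the thread and not code from any poster): a small Python check for the kind of uploads described above, such as name.php.jpg in the images directory. The directory name `images`, the extension lists and the sample files are assumptions constructed for illustration.

```python
import os
import re
import sys
import tempfile

# A script extension followed by another one, e.g. name.php.jpg
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|pl|cgi)\.[^.]+$", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan_uploads(root, script_free_dirs=("images",)):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # First path component below root ("." for root itself)
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if DOUBLE_EXT.search(name):
                findings.append((rel, "double extension"))
            elif top in script_free_dirs and lower.endswith((".php", ".phtml")):
                findings.append((rel, "script in image directory"))
            elif lower.endswith(IMAGE_EXT):
                with open(path, "rb") as fh:  # images never need a PHP open tag
                    if PHP_TAG.search(fh.read()):
                        findings.append((rel, "PHP code inside image file"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data (harmless placeholders, not real uploads)."""
    os.makedirs(os.path.join(root, "images"))
    samples = {
        "index.php": b"<?php echo 'home'; ?>",
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00",
        "images/name.php.jpg": b"\xff\xd8\xff\xe0 constructed",
        "images/avatar.png": b"\x89PNG\r\n<?php /* constructed */ ?>",
        "images/tool.php": b"<?php /* constructed */ ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        for rel, reason in scan_uploads(target):
            print(f"{reason}: {rel}")
```

Run it with the web root as the first argument; without an argument it scans the constructed sample tree.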