Script Pulse

Trade Pulse => Trade Pulse Support => Topic started by: ip0li on March 05, 2012, 08:00:30 AM

Title: How to deal with TP hack
Post by: ip0li on March 05, 2012, 08:00:30 AM
Ok guys, today we release new update.

First of all, check that tp/tpupdater.php is 14722 bytes. If it's not, download http://www.scriptpulse.com/tpupdater.zip, upload it to your site and update your script!

Next, follow instructions here:
http://forum.scriptpulse.com/index.php/topic,1483.msg5755.html#msg5755

and LOCK your TP!

When all that is done please ask your host to scan your server and clear all shell exec scripts!

I hope now finally, we solved hacks on couple of infected clients' servers :)
Title: Re: How to deal with TP hack
Post by: ideaworx on March 09, 2012, 01:48:49 PM
Not doing it, I have the hack on my server, after it has now been cleaned 2x by killdoozer. Fuck me, fuck my biz, and fuck this script!

Contact me on icq to resolve this.

Shane
Title: Re: How to deal with TP hack
Post by: ip0li on March 09, 2012, 02:14:01 PM
Shane thank you for your nice words after all discounts I gave you and helped you many times with $$$ (seems like U forgot we are buddies now huh)...

Anyway not to make drama out of this, use another script. Yes, kildoozer DID clean your server 2x, which other script company would do that for you(I really wonder)? We posted solution how to solve hack, we told 500x it was not our fault but hoster and except working 12+hrs each day for last 2 months(both me and kildoozer) to help our clients and give away free feed traffic + we posted solution how to solve it, what else should we do? We said we are sorry, did all we could. If fuck this script is all you can say, if you think we didn't do our best, if you think we as a company + people deserve your attitude, well "buddy" - go somewhere else.
Title: Re: How to deal with TP hack
Post by: ideaworx on March 09, 2012, 02:28:28 PM
I didn't say fuck you did I? I said fuck the script, and the problems it has caused. I am changing scripts, as fast as I can, but because of this script, I lost so much traffic, I am having to do 3x the work to recover (that is IF I recover). You do realize I have this script installed on over 180 sites, on 8 servers? And 4 out of the 8 got this hack, and it has been consistently plaguing me. As soon as I think it is over, it is back, I am still using the script(s) that doozer installed to fix the hack, but it is beyond that, ioncube files that are encoded popping up, etc, the shit has hit the fan. I appreciate the few hundred dollars in feeder you guys provided, I probably sent that much in free script traffic, so I guess that is a wash. Do everyone a favor though, stop posting this shit about how you showed everyone how to remove the hack, if it was that easy, how did doozer get on my server 2x and NOT remove the hack completely??? Means you don't even know how to remove the hack. I know you are sorry, and sometimes sorry does not cut it, this is one of those times. I respect you, but the error of your host (which regardless how you put it, is YOUR FAULT, you picked the host, and allowed this shit to happen), is on you, and you are doing pretty good to fix it, but know that me, and at least 10 friends, have been fucked up and down by this hack. And my attitude? My family is losing money because of this hack, so I apologize if I am coming off pissed or rude, but don't confuse my anger for something other than just that, I am fucking angry as shit, and keep losing my ass here.

Shane
Title: Re: How to deal with TP hack
Post by: ip0li on March 09, 2012, 03:11:03 PM
Shane, did you read solution for hack at all?

Did you notice how we said LOCK files? After files are locked, there is no way to change them except if someone has your ftp/root password (not possible with TP HACK!)?

Before kildoozer cleaned servers, and if 1 file stayed, hacker could still change script files. Now with lock.php, if U lock files, he can't change them! If he can change them then it's FOR OTHER REASON AND NOT TP HACK!!!

So solution is not to just clean box, no! Solution is 1) check tpupdater.php size, if wrong download/upload tpupdater as explained, if correct make sure U have latest build and run lock.php to SECURE files. After that is done, hacker can't any longer change php files because only your ftp account or server root can change it!

Process itself takes 2 minutes per install (if done manually) or host can build ssh script in cpl minutes and do it on all sites on server in 1 run.

Regarding hosting, they are VERY reputable and no idea WTF is going on in that company but obviously instead of them losing clients, we are losing them.

Regarding me saying shit, I never speak shit...I always stay behind my words. Kildoozer did clean all what he could find on your and other servers, obviously that is not enough. That's why we made lock.php. After all, we had cpl clients with hack whose hosters cleaned hack and problem solved...

I interpreted your anger as direct attack to my company/product, because it sounded so. It hurts when someone you are good with say such words and I am working my ass off last 2+ months to deal with this hack together with KD, it's midnight here and instead of being with family I am here writing to clients and helping them solve issues.

So, do as U wish, move to another script or lock files and problem solved.
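
Added example (not part of the original thread and not ScriptPulse's lock.php): a shell audit of one Trade Pulse directory against the checklist in the post above, that is tpupdater.php at 14722 bytes, files owned by the FTP user, and no group or world write bits. The function name `tp_audit` and its two arguments are assumptions; the size is the only reference value the thread gives, and a matching size does not prove the file content is unmodified.

```shell
#!/bin/sh
# Added example, not ScriptPulse code. Audits one Trade Pulse directory against
# the thread's checklist: tpupdater.php size, FTP-user ownership, mode 644.
EXPECTED_SIZE=14722   # reference size quoted in the thread

# tp_audit TP_DIR FTP_USER   (hypothetical helper)
# Prints one finding per line; returns 0 when clean, 1 when anything is off.
tp_audit() {
    tp_dir=$1 ftp_user=$2 status=0

    updater="$tp_dir/tpupdater.php"
    if [ ! -f "$updater" ]; then
        echo "MISSING $updater"; status=1
    else
        size=$(wc -c < "$updater" | tr -d ' ')
        if [ "$size" -ne "$EXPECTED_SIZE" ]; then
            echo "SIZE $updater: $size bytes, expected $EXPECTED_SIZE"; status=1
        fi
    fi

    # Locked files are 644: a group or world write bit means the lock is not in place.
    writable=$(find "$tp_dir" -type f \( -name '*.php' -o -name '*.inc' \) \
                 \( -perm -0020 -o -perm -0002 \) -print)
    # Files owned by anyone but the FTP user (for example the web server account).
    foreign=$(find "$tp_dir" -type f \( -name '*.php' -o -name '*.inc' \) \
                 ! -user "$ftp_user" -print)

    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/WRITABLE /'; status=1
    fi
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/OWNER /'; status=1
    fi
    return "$status"
}

# Run against a real install only when arguments are given:
#   sh tp_audit.sh /path/to/site/tp ftpuser
if [ "$#" -ge 2 ]; then
    tp_audit "$1" "$2"
fi
```

Run it per install from cron or over ssh and alert on a non-zero exit status; a finding that reappears after locking points at a writer other than the FTP account.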
Title: Re: How to deal with TP hack
Post by: Shoplifter on March 14, 2012, 11:27:48 AM
geoip.inc is now being hacked on my servers. I see that this one is not locked down.

I wonder if they can modify this to send certain coded traffic somewhere else. 

This is just silly now. 
Title: Re: How to deal with TP hack
Post by: ip0li on March 14, 2012, 12:09:20 PM
Just lock it down manually to user:group and permissions 644. We will include lock for that file also in next update.

As over icq msg me if U need anything else and I can send you feed to compensate for lost traffic!
Title: Re: How to deal with TP hack
Post by: Cristian on April 02, 2012, 06:59:49 AM
How do I know if I'm hacked?
Title: Re: How to deal with TP hack
Post by: ip0li on April 02, 2012, 08:43:39 AM
check that tp/tpupdater.php is 14722 bytes.
Title: Re: How to deal with TP hack
Post by: Cristian on April 02, 2012, 03:53:16 PM
Looks like I'm fine
Title: Re: How to deal with TP hack
Post by: EonBlue on April 03, 2012, 08:57:25 AM
The geoip.inc file keeps getting hacked on my sites - even after permissions are changed to 644 and all of my TP copies are locked. They keep adding this line:

Code:
@include_once('geoip.php_');

The geoip.php_ file is Zend encoded.

So how are they doing this even after everything is locked?
Title: Re: How to deal with TP hack
Post by: ip0li on April 04, 2012, 03:08:00 AM
Did you check if permissions are changed to 644 via ftp? If they can still change your php files after you changed to ftp user:group and 644, your HOST MUST SOLVE IT! It must be some wrong server setting somewhere or suphp!
Title: Re: How to deal with TP hack
Post by: EonBlue on April 04, 2012, 03:54:31 AM
Yep, permissions were changed to 644. I did have my host look into it and they found an exploit on my server and removed it. They also removed all of the geoip.php_ files and did a complete scan of my sites. Hopefully it is all taken care of now.
Title: Re: How to deal with TP hack
Post by: EonBlue on April 04, 2012, 04:07:33 AM
Spoke too soon. I just checked and it is back already. The geoip.inc files are modified again and geoip.php_ is reappearing. Host found and removed another exploit overnight so hopefully they won't be able to get back in any more.
Title: Re: How to deal with TP hack
Post by: ip0li on April 04, 2012, 05:00:21 AM
Exploit does NOT matter, since exploit works on APACHE level, and ftp files shouldn't be editable by apache when U changed their user and permissions(lock.php)...so ask your host to take more detailed look into it. I repeat, if they use suphp, ask them to remove it...
Title: Re: How to deal with TP hack
Post by: EonBlue on April 04, 2012, 12:32:55 PM
Okay, there is no suphp on my server. All files are locked and owner/group changed. All sites appear to be clear for now. I will keep an eye on everything and let you know if anything comes back.
Title: Re: How to deal with TP hack
Post by: ip0li on April 04, 2012, 01:10:50 PM
ok, cheers bud!
Title: Re: How to deal with TP hack
Post by: Le Petit Prince on June 05, 2012, 07:36:30 AM
Hi,

I still got problems with my sites. Can you find some time to have a look at our servers?
Title: Re: How to deal with TP hack
Post by: ip0li on June 05, 2012, 07:41:36 AM
Hi, please contact http://www.soft-com.biz guys, they solved issues for many of our clients since it's ended up as not just TP but other scripts exploits were involved also :).

Cheers
Title: Re: How to deal with TP hack
Post by: donedeal on June 06, 2012, 12:32:11 AM
> Hi, please contact http://www.soft-com.biz guys, they solved issues for many of our clients since its ended up as not just TP but other scripts exploits were involved also .
>
> Cheers

This statement makes me sick. THIS WAS YOU GUYS. now you're sluffing it off on other exploits. you're so full of shit. I have servers from scratch without a problem. This hacker got in and he started leaving his hacker files so he could log in and root your server outside of the accounts. It really makes me sick to see you start saying there's other reasons. it was YOU no one else. YOU should be paying the soft-com guys to fix who got hacked. once this guy got in he started fucking up every other script on the server. YOUR UPDATE DID THIS. no it's not smart thumbs, it's not any other script but TRADE PULSE that got this guy in. YOU GUYS could not clean it up, now some guys are making money over YOUR lack of responsibility or know how how to clean it up. Even your lock was unable to stop this guy once he was in.

I understand shit happens, but now you've stopped taking responsibility. Very disappointed. I have lost all respect from you over this now. and now you're posting happy faces that it's "not because of you guys" now, god I can't believe this shit coming from your mouth now

Title: Re: How to deal with TP hack
Post by: donedeal on June 06, 2012, 12:36:39 AM
Why don't you just say the truth? Once this guy is in your server:

1. you are ROOTED
2. we just cant fix it
3. sorry

if you just did this, people could take this a lot better


People, if you don't want to pay someone you don't know to fix your server, just get a new server and install everything from scratch. Best time saver you can ever do. My old server is still hooped. the new ones are doing just fine.
Title: Re: How to deal with TP hack
Post by: ip0li on June 06, 2012, 04:39:06 AM
Hi, first of all thank you for nice post about us.

Actually it is not truth that just our update did this, after speaking with clients/their hosters etc it ended up in not being just our update, it looks like other scripts had issues also with exploits. Our UPDATE did PROBLEM, PERIOD, I NEVER SAY IT WAS NOT OUR FAULT!

I AM NOT SLUFFING IT TO ANYONE, IT WAS OUR UPDATE, OUR PROBLEM, OUR SCRIPT.

1. You are ROOTED->Not true since hacker can't get ROOT privileges from shell scripts
2. We just can't fix it->This is true since we are not your hosting support, that's why I started recommending soft-com.biz guys
3. Sorry is said numerous times already and here it is once again: I AM SORRY, WE ARE SORRY!

I hope this thread won't become major drama since we both probably have smarter things to do in our life.

Cheers
Title: Re: How to deal with TP hack
Post by: Marko on June 06, 2012, 05:01:35 AM
> Why dont you just say the truth? Once this guy is in your server:
>
> 1. you are ROOTED

Do you know what exactly term "rooted" means?
Title: Re: How to deal with TP hack
Post by: Shawn on June 06, 2012, 08:52:15 AM
I'm not real impressed with soft-com guys. So far they seem to have done exactly what my host already does and then try and upsell me 'optimization' services. And it took them 8 hours to clean my server at $25/hour, that seems steep to just run a scanner. I thought they had some specific knowledge about how to find this guy's shell scripts but doesn't look that way.
Title: Re: How to deal with TP hack
Post by: donedeal on June 06, 2012, 09:14:59 AM
I've finally got some sleep and realized I vented on the wrong person.

ipOLi, I owe you an apology. Last night I was up a long time working against this guy again, and I took my frustration out on you when it's really him I am mad at. You have done great work for me and a lot of people. I know you didn't mean for this to happen.

This guy has stolen from us and has caused many many days of our time.

I hope you can accept my apology, I lost my temper last night, and I took that message the wrong way.
Title: Re: How to deal with TP hack
Post by: ip0li on June 06, 2012, 10:24:15 AM
> I'm not real impressed with soft-com guys.  so far they seem to have done exactly what my host already does and then try and upsell me 'optimization' services.  and it took them 8 hours to clean my server at $25/hour that seems steep to just run a scanner.  I thought they had some specific knowledge about how to find this guys shells scripts but doesn't look that way.

Ok Shawn, U are first negative feedback about them, icq me 169397168 maybe I have person who can help U!
Title: Re: How to deal with TP hack
Post by: ip0li on June 06, 2012, 10:24:52 AM
> Ive finally got some sleep and realized I vented on the wrong person.
>
> ipOLi, i owe you an apology. Last night I was up a long time working against this guy again, and I took my frustration out on you when its really him i am mad at. You have done great work for me and alot of people. I know you didnt mean for this to happen.
>
> This guy has stole from us and has caused many many days of our time.
>
> I hope you can accept my apology, I lost my temper last night, and i took that message the wrong way.

No problem, all fine....I hope U solve it soon...also feel free to icq me 169397168 I have person who can offer some paid help (server tech).
Title: Re: How to deal with TP hack
Post by: Shawn on June 06, 2012, 11:30:31 AM
I'm not real interested in paying yet more money for someone to just run a scanner unless they've got some real insight into how to remove all this hacker's files.
I moved to mojohost awhile ago and they've managed to create custom signatures for the scanners that automatically stop this guy so they've been pretty good except for a week or two ago he used something new that took them a day to figure out which is why I figured these soft-com guys would be worth a try but so far all I've seen is their scanners find the same files and then email them rather than auto fixing stuff.
Title: Re: How to deal with TP hack
Post by: ip0li on June 07, 2012, 03:24:23 AM
Ok, I just wanted to let U know that there are more options other than soft-com.biz guys.

Cheers
Title: Re: How to deal with TP hack
Post by: Vas on June 07, 2012, 04:11:11 AM
Hi,

Is there any other way to lock files instead of root access,  I keep getting invalid user.  ANY OTHER WAY  :-[
Title: Re: How to deal with TP hack
Post by: ip0li on June 07, 2012, 04:46:37 AM
You need to ask your server admin then, since we always use root user.
Title: Re: How to deal with TP hack
Post by: Vas on June 07, 2012, 07:51:56 AM
I tried using /usr/bin/php lock.php on its own and it seemed to work, the response was:

usage:  lock.php  owner: group

I think that did it.  OR not ??  let me know  :D
Title: Re: How to deal with TP hack
Post by: ip0li on June 07, 2012, 09:00:44 AM
/usr/local/bin/php lock.php user:group

U need to use something similar to that, where user:group is your ftp user and group and /usr/local/bin/php is path to your php

best is to ask hosting support to do it for you!
Title: Re: How to deal with TP hack
Post by: oil on June 10, 2012, 09:50:00 AM
when those hackers got shells on your box, the lock doesn't help either, for me it was they did the ST variables, then they hacked the .htaccess files, well the list is endless you guys MUST clean out your box first, if you don't do that in the first place you can lock whatever you want - it won't help

i was troubled with this hack more than anybody else, the only, and for me it was after 50+ hacks the only thing which worked permanently is to hire the cleanout package of the soft-com.biz guys, they charge 75$ one time fee for the cleanout and they keep monitoring your box for hacks for some time after it,

Title: Re: How to deal with TP hack
Post by: Vas on June 10, 2012, 12:35:30 PM
Yep, it was via scripts like tp and proton that they managed to get into my boxes - all index.php files had new includes in them, the /tmp folder had a new binary file in it called x11, which added an include <?php @include_once('/tmp/x11'); ?> on all index.php files.  I had Traffic Revenue pop ups coming up on all index files of my sites, it took me 3 days to clean all the shit, I lost $100's .... Permissions are such that it can be easy for hackers to get in. Especially when all files are 777.

Tp has to become much more safe for me to continue using it. 

It's a pity cause it's a good script otherwise.
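
Added example (not part of the original thread): a shell scan for the two injected-include shapes posters report above, `@include_once('geoip.php_');` in geoip.inc and `@include_once('/tmp/x11');` in index.php files, plus a listing of dropped `*.php_` files. The function names and the reason labels are assumptions; the match is limited to error-suppressed includes with a literal string target.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags the two injected-include
# shapes posters reported: @include_once('geoip.php_') and
# @include_once('/tmp/x11').

# Error-suppressed include/require with a literal string target (group 3).
INC_PAT="@[[:space:]]*(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]([^'\"]+)['\"]"

# scan_injected_includes ROOT   (hypothetical helper)
# Prints "reason<TAB>target<TAB>file" for each suspicious include line.
scan_injected_includes() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -HE "$INC_PAT" {} + 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}
        target=$(printf '%s\n' "$hit" | sed -E "s/.*$INC_PAT.*/\3/")
        case $target in
            /tmp/*)      reason=temp-dir ;;       # code loaded from /tmp
            *.php|*.inc) continue ;;              # ordinary target, not flagged here
            *)           reason=odd-extension ;;  # e.g. geoip.php_
        esac
        printf '%s\t%s\t%s\n' "$reason" "$target" "$file"
    done
}

# find_dropped_files ROOT   (hypothetical helper)
# Lists files named like the dropped payload in the thread (*.php_).
find_dropped_files() {
    find "$1" -type f -name '*.php_' -print
}

# Scan a real web root only when a path is given:  sh scan.sh /home/user/public_html
if [ "$#" -ge 1 ]; then
    scan_injected_includes "$1"
    find_dropped_files "$1"
fi
```

A hit only identifies the injected line and the payload file; as later posts in the thread point out, removing them without finding the way in does not stop them from coming back.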
Title: Re: How to deal with TP hack
Post by: oil on June 10, 2012, 06:37:29 PM
> Yep, it was via scripts like tp and proton that they managed to get into my boxes - all index.php files had new includes in them, the /tmp folder had a new binary file in it called x11, which added an include <?php @include_once('/tmp/x11'); ?> on all index.php files.  I had Traffic Revenue pop ups coming up on all index files of my sites, it took me 3 days to clean all the shit, I lost $100's .... Permissions are such that it can be easy for hackers to get in. Especially when all files are 777.
>
> Tp has to become much more safe for me to continue using it.
>
> It's a pity cause it's a good script otherwise.

true, TP / Proton was the script which caused all the hacks, however unfortunately you really need to clean out your servers and it has to be done by professionals like the soft-com.biz guys, whenever my host cleaned it, they cleaned the hack but NOT the way they came in, so cleaning the hack does not mean your box is secure after it
Title: Re: How to deal with TP hack
Post by: Shawn on June 11, 2012, 05:20:06 AM
> hire the cleanout package of the soft-com.biz guys, they charge 75$ one time fee for the cleanout and they keep monitoring your box for hacks for some time after it,

How'd you get that price?  They are charging me 25/hour
Title: Re: How to deal with TP hack
Post by: oil on June 11, 2012, 06:43:02 AM
i would say its depending on whats needs to be done, in general, for me the cleanout was 75 or for 120 cleanout with whole server tuning, i took the tuning package, and i am glad i did
Title: Re: How to deal with TP hack
Post by: Shoplifter on June 12, 2012, 07:35:09 PM
So I am finding that the geoip.inc in most of my installs has an include in it again.

Was this found to be dangerous or not ?

 :(
Title: Re: How to deal with TP hack
Post by: Vas on June 12, 2012, 11:24:53 PM
What does the include say ... ?  Is it reading from a folder on your server ?   Is it calling up an iframe ?
Title: Re: How to deal with TP hack
Post by: Shoplifter on June 13, 2012, 06:05:24 PM
> What does the include say ... ?  Is it reading from a folder on your server ?   Is it calling up and iframe ?

It's encoded and I don't know what it says. It seems to cause TP to send about every 4th click to some tube site.
Title: Re: How to deal with TP hack
Post by: oil on June 13, 2012, 06:24:08 PM
he was saying post it so we can see, however most likely when it's encoded remove the include, it's most likely a hack
Title: Re: How to deal with TP hack
Post by: Adam Crosso on September 13, 2012, 02:35:48 AM
Guys do your job right and correct, we have much script with trade but only this one always hacked, ALWAYS ONLY YOUR SCRIPT! Do your job correct and normally, always when hack your script, the same time we losing our money because you guys playing and nobody pay to us for that, many people who we trade speak only one, stop trade with that script? Then stop write rules what to do if your script hack, do your job like other script who don't have the problem ;)