Topic: TP directory hacked

[Ben]

Hi,

I was informed by my host that the php files within my TP directory had been hacked which ended with the hosts mail server being blacklisted.

So this looks like it was my fault as I didn't CHMOD the folder/files after the install!

The original TP directory has been renamed and most of my access to this folder has been removed. I now have a site with no script running. Some of the php files may have been modified by the hacker so it's too risky to start using these files again. Can I create a new install and copy the original data folder over? Or is it not that simple?

Ben

[ip0li]

U should leave all as it was and simply try to update your script. But if files are hacked its not related to TP, it's some other exploit on your server or other script. Check with your host and check around on forums, there are vulnerable versions of Comus and Wordpress in which as result U get many of your files hacked.

[Ben]

My host seems to think the root of the problem was the ssi_in.php file which I had left with 777 permissions. So you're saying the hacker would have found another way into the server (possibly through a wordpress install i have) and then looked for any files he/she had access to.

My TP directory has been renamed to TP.lock by my host and I can browse to login.php but my username and password do not work. I don't get an error message but the page just refreshes. what usually happens when you input an incorrect password? should I be seeing an error?

Am I correct in assuming I cannot update the script without first logging in?

Ben

[ip0li]

U need to rename directory to original name since now paths are all messed up and then login.

[Ben]

For some reason I don't currently have access to my data folder. Sent another email to my host to sort this one out.

So, at the moment I still can't log into tradepulse. I've looked in my TP directory and there's a file called aca.php which is 39MB in size! I'm guessing this is not a legit file?

Do you have a list of the files I should have in this folder?

Idealy I want to do a clean install of Tradepulse. Will it then be possible for me to copy the old site/trade details accross? ie. which files/folders would i need to copy?

Ben

[ip0li]

do fresh install and copy entire data folder, that will do the trick

[Ben]

I've created the clean install of TP.

Tried copying the entire data folder over from old install but although it worked, it was flagging up various php errors in the tp backend.

I instead copied the 'backup' folder across to the new install and selected tools,backup and performed a restore. This has now got me up and running again. Is there a file within the data folder that holds the information/settings for the toplists?

ben

[ip0li]

/tp/tops

toplist data is stored there.

[Andy]

My tp directory just got hacked and when accessing now /tp via firefox I get the "reported attack site" screen.

Should I make a fresh install or upgrade?

In case of fresh install, copy which files and folders from old installation exactly?

What are the minimum file and folder permissions that tp requires to run effectively after the install? currently all files and folders in tp directory seem 777 

[Andy]

In particular, webmaster central showed this:

Sample pages that may be distributing malware: /tp/out.php?to=sometrade.com&link=top

I removed now sometrade.com from tradelist and blacklisted.

I removed an entry regarding sometrade.com manually from data/stats folder. Are there any other possible entries in other files that could be related to this?

[Kildoozer]

Andy, please send me URL of your site, I have to look what's wrong there.
kildoozer at gmail