Topic: build 43 / hacked again

[oil]

one of my traders reported that all my TP sites are hacked again i am on built 43 as of now
so a few things need to be said here:
the Tools - Scanner reports that 10 files have wrong checksums
however -  if they have wrong checksum -  so why in the fucking hell it doesnt show that on main page top, that there is something wrong
and the scanner is not that smart overall or buggy

it says
in the single cols , some are wrong, the summary says

No wrong files found.

Conclusion

10 files are out of date. Please update your script to the latest version.

[oil]

the 10 files where checksums are wrong are>

    tp/admin.php
    tp/auth.php
    tp/c.php
    tp/class.Settings.php
    tp/class.Stats.php
    tp/out.php
    tp/settings.php
    tp/toplist.php
    tp/top_thumb.php
    tp/trade.php

[oil]

.... however those where not the hacked files, we figured out so once again
the scanner doesnt find SHIT and is useless therefore
the hacked files where again, same as last time

filter.php
remote_updater.php
tools.php
tpupdater.php
updater.php
vtop.php

so is there a way to secure those files, seriously was the biggest supporter of TP but its the same hack over and over again,
and i think it should be possible to secure those files in anyway

look... i know you guys say it cant be TP anymore there is some other security hole on this particular box where people get in, and it very well might be possible however killdozer was on my server very often to check for things, put some loggers there and such, and still its the same thing over and over again

[ip0li]

Hi, I just woke up since I saw this on my cell(trying to get sleep after 10 days of 18+hrs/day) of work...tried to reach U over icq no response. Anyway please PM me contact info where I can reach U so we can solve it tomorrow. REally out of top of my head maybe U still running wrong version of tp(hacked)....try downloading scriptpulse.com/tp/tpupdater.zip, unzip, upload to tp dir and then run updater.

Over and out let's solve it tmrow. If U had any traffic loss we will compensate of course with feed.

Cheers

[oil]

heya, i am totally sure i have the latest version cause this /tp/tpupdater.zip i did when built 43 was released, or it was even 42 well when you sent out the mailer i did that on all sites
the hack, the changed files where dated on the 21 so yesterday,
i got the hack removed by now with the old funny method of copying the files
filter.php
remote_updater.php
tools.php
tpupdater.php
updater.php
vtop.php
from a clean install on another box to all /tp/ folders on the infected box,

i ll prepare apache logs for killdozer, since the hack was quite fresh i hope he can find something how the fuckers hacked into it, will shot the download url to killdozer as soon i have the logs
traffic loss was luckily minor since a trade partner had the luck of seeing it pretty soon, unfort. the hack doesnt trigger for me, however the sites where blocked from chrome browser, and since they seem to be clean now, i hope that they wont get FF blocked or even short term removed from google.
so loss over full network was less then 40K as of now, the most bugging part for me is just the fact they are still finding ways to get into it,

as for contact, yep i am lately not much on icq, best and most secure to get ahold of me is email, you know the adress

[Le Petit Prince]

Hi,

same issue over here. I updated all my 50 TGPs manualy. Thank you btw. for the hint with the files.
If you got any information for me I would be glad if you would share it mit me.
Maybe I will rsync a folder with a clean version of TP to all /tp/ folders of my TGPs.

All the best

[oil]

Hi,

same issue over here. I updated all my 50 TGPs manualy. Thank you btw. for the hint with the files.
If you got any information for me I would be glad if you would share it mit me.
Maybe I will rsync a folder with a clean version of TP to all /tp/ folders of my TGPs.

All the best

thats what i do atm, however its not a solution to close a security hole its just a quick fix

[oil]

less then 24h later hacked again, same files again, please guys tell me i can set permissions of them to anything else then 777 and they still work, i have indeed better things to do then replacing those files on 50 tp installs once per day

[ip0li]

Calling kildoozer will get back to you asap.

[oil]

Calling kildoozer will get back to you asap.

oki sent him a few emails with the apache logs to download after each hack, but didnt hear back from him

[Shawn]

I've got similar problems even after kildoozer ran the scan and removed a bunch of php shells.  Now my host is saying
"It is injected through filter.

tp is not sanitizing input, and, since it is ioncube encoded, difficult to say where the injection occurs.

I found a number of iframes and javascripts in pt_request - which appears to be a partner request form. Since they aren't validating info there, I would suspect they aren't validating it anywhere."

[Shawn]

I'm still finding files scattered throughout tp that shouldn't be there, scanner doesn't notice them at all....

[Kildoozer]

Hi to everyone.
1. About 'buggy' scanner. This fuckin kirgizian hacker changed the scanner itself, so it can't find some wrong files, like filter.php or tpupdater.php. Moreover, tpupdater can't update these important files because it's 'fixed' also.
Current file size of tpupdater.php is 14722 bytes (you can check it with the scanner), if this size match with your current -you're able to update the script to latest build. If size doesn't match - you have to use tpupdater.php from the our server and your 'problem' has old 'roots'.

For those who get hacked over and over again - I need your server logs to understand which hole is using, because it seems I left some shit uncleaned. Ifter analizing these logs I'll be know how to protect the servers once and forever.

I found a number of iframes and javascripts in pt_request - which appears to be a partner request form. Since they aren't validating info there, I would suspect they aren't validating it anywhere."

all info from the requests are htmlspecialchars'ed at least, so it can't be run in any case.
Anyway please provide me as much info as you get, both logs and pt_requets. Your help is very appreciated.
Next. I gonna code (done at 95%) external scanner (not for tp's files only). You'll run this scanner and it will scan all directories on the server recursively, seraching for shells and other shit using our signatures DB.

1. Now I'm waiting for logs for analize, only after this step I can clean the shit permanently.
2. If you can't update your copies (tpupdater filesize mismatch) - please use our х    http://www.scriptpulse.com/tpupdater.zip for the quick script repair
My emal is kildoozer@scriptpulse.com

[oil]

sent you the logs from 48h hack and the one from the 24h hack ago, i ll hope you ll find something
if your ip is still the same as last time, you last FTP access still should be working

[allniche]

It might be helpful in the future to provide SHA-2 hashes for various files (File sizes aren't necessarily safe) with each version so that people could manually check them if they have doubts about the integrity of their TP install. 

You might also make a special utility which people must manually download which automatically checks the files upon demand.  This way the cracker cannot just subvert the automatic check.  The special utility could then work for people with no ssh access too.  They would just drop it in place via FTP and then execute it.  This would be a backup for the automatic scanner to help catch the tricky hackers.

edit: for bonus security make the manually downloaded automatic sha-2 hash check utility generate a random filename each time it is downloaded.