Author Topic: build 43 / hacked again  (Read 60612 times)

0 Members and 2 Guests are viewing this topic.

Offline Le Petit Prince

  • Newbie
  • *
  • Posts: 15
    • View Profile
Re: build 43 / hacked again
« Reply #15 on: January 24, 2012, 02:21:20 AM »
Hi,

we are still getting hacked, too. I also found suspicious files in my ST folder now :(

Some code I can read.. the other files are encoded in ioncube
Code: [Select]
<?php //0047b
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(function_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is corrupted. Ensure that you use binary mode when transferring files with FTP and disable the 'TAR smart cr/lf feature' if using WinZIP\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Your server does not support IonCube-encoded files.<br>Please  run <a href=tpupdater.php?id=versions>tpupdater.php

Should I attach the files I found at this post or sent it to killdozer?

All the best!

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
    • View Profile
    • Pretty Girls from your city for night
Re: build 43 / hacked again
« Reply #16 on: January 24, 2012, 07:56:13 AM »
Send to kildoozer please.

Offline oil

  • Sr. Member
  • ****
  • Posts: 288
    • View Profile
Re: build 43 / hacked again
« Reply #17 on: January 24, 2012, 09:12:22 PM »
right after kildozer cleaned out the server yesterday ..... today morning server was hacked again !!!!!!!!!

Offline oil

  • Sr. Member
  • ****
  • Posts: 288
    • View Profile
Re: build 43 / hacked again
« Reply #18 on: January 25, 2012, 07:59:53 AM »
right after kildozer cleaned out the server yesterday ..... today morning server was hacked again !!!!!!!!!

.... wonder when this will end, kildozer i sent you the apache logs to download for the hack right after you cleaned it out

Offline Ska

  • Newbie
  • *
  • Posts: 10
    • View Profile
Re: build 43 / hacked again
« Reply #19 on: January 26, 2012, 01:52:49 AM »
any news on this?

Offline oil

  • Sr. Member
  • ****
  • Posts: 288
    • View Profile
Re: build 43 / hacked again
« Reply #20 on: January 26, 2012, 02:00:03 AM »
any news on this?
server has been cleaned out, and so far so good, will prolly know more tommo, cause the last couple of days i had the hack each and every new day

Offline Kildoozer

  • Administrator
  • Sr. Member
  • *****
  • Posts: 420
    • View Profile
Re: build 43 / hacked again
« Reply #21 on: January 26, 2012, 02:31:54 AM »
To everyone who want to check the server for backdoors - please download http://www.scriptpulse.com/scan.zip, unzip and upload to any of your site, provide me a link to kildoozer@scriptpulse.com
I'll analyze results and tell you what to do next.

Offline Kyler

  • Newbie
  • *
  • Posts: 6
    • View Profile
Re: build 43 / hacked again
« Reply #22 on: January 26, 2012, 07:36:29 AM »
How do you know if your hacked, I droped that scan on both my servers and it found nothing but how would I know if Ive been hacked

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
    • View Profile
    • Pretty Girls from your city for night
Re: build 43 / hacked again
« Reply #23 on: January 26, 2012, 07:40:13 AM »
If it found nothing U are safe :).

U would notice some ads on site, strange TP behaviour, updates wouldn't work, scanner would show wrong files etc. Hack affected less then 1% of our users and we are doing all we can to stop it on their servers.

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
    • View Profile
Re: build 43 / hacked again
« Reply #24 on: January 26, 2012, 11:40:34 PM »
Running the scanner shows about a third of my sites with the following errors:

tp_in.php 21348 January 22, 18:25:47 Wrong checksum

tp/vtop.php 37235 January 18, 13:49:02 Wrong checksum



Offline Kildoozer

  • Administrator
  • Sr. Member
  • *****
  • Posts: 420
    • View Profile
Re: build 43 / hacked again
« Reply #25 on: January 27, 2012, 01:40:24 AM »
2 Shoplifter: what updater said? I mean all files were updated successfully?

Offline Shawn

  • Newbie
  • *
  • Posts: 40
    • View Profile
Re: build 43 / hacked again
« Reply #26 on: January 30, 2012, 04:22:03 PM »
And the ads are back again.  Ran scanner, No wrong files found.
Ran scan.php Scan was completed 15370 d 0:14:29 ago. No suspicious code found
And yet it's there, google's nice enough to give my sites a virus warning now so no wonder my sales suck.

Once I delete tpupdater.php and rerun the massupdate it downgrades to Version 1.0.6 build 35, reupgrading to current version works then but scanner now finds twilight_loader.php file  I'll send that to kildoozer
« Last Edit: January 30, 2012, 04:41:40 PM by Shawn »

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
    • View Profile
    • Pretty Girls from your city for night
Re: build 43 / hacked again
« Reply #27 on: January 31, 2012, 07:21:03 AM »
Shawn check PM please. thnx.

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
    • View Profile
Re: build 43 / hacked again
« Reply #28 on: January 31, 2012, 12:30:09 PM »
2 Shoplifter: what updater said? I mean all files were updated successfully?

After an update the scan is clear, but I have others saying they are getting safe browsing warnings on my sites. I can't see the warning with Chrome so I am not sure what is up.

Traffic is way down tho so something is wrong that I cannot see.

Offline Shawn

  • Newbie
  • *
  • Posts: 40
    • View Profile
Re: build 43 / hacked again
« Reply #29 on: January 31, 2012, 12:42:19 PM »
I've noticed the newer injected ads seem to only appear for me once but other people get them repeatedly and the search engines and browsers throw warnings, guess the hackers getting smarter.