Author Topic: How to deal with TP hack  (Read 36119 times)


Offline ip0li

  • Administrator
  • Hero Member
  • *****
  • Posts: 1950
How to deal with TP hack
« on: March 05, 2012, 08:00:30 AM »
OK guys, today we release a new update.

First of all, check that tp/tpupdater.php is 14722 bytes. If it's not, download http://www.scriptpulse.com/tpupdater.zip, upload it to your site and update your script!

Next, follow the instructions here:
http://forum.scriptpulse.com/index.php/topic,1483.msg5755.html#msg5755

and LOCK your TP!

When all that is done please ask your host to scan your server and clear all shell exec scripts!

I hope that now, finally, we have solved the hacks on a couple of infected clients' servers :)

Offline ideaworx

  • Newbie
  • *
  • Posts: 21
Re: How to deal with TP hack
« Reply #1 on: March 09, 2012, 01:48:49 PM »
Not doing it, I have the hack on my server, after it has now been cleaned 2x by killdoozer. Fuck me, fuck my biz, and fuck this script!

Contact me on icq to resolve this.

Shane

Offline ip0li

Re: How to deal with TP hack
« Reply #2 on: March 09, 2012, 02:14:01 PM »
Shane, thank you for your nice words after all the discounts I gave you and the many times I helped you with $$$ (seems like U forgot we are buddies now, huh)...

Anyway, not to make drama out of this, use another script. Yes, kildoozer DID clean your server 2x; which other script company would do that for you (I really wonder)? We posted a solution for how to solve the hack, we said 500x it was not our fault but the hoster's, and besides working 12+ hrs each day for the last 2 months (both me and kildoozer) to help our clients and giving away free feed traffic, we posted a solution for how to solve it. What else should we do? We said we are sorry and did all we could. If "fuck this script" is all you can say, if you think we didn't do our best, if you think we as a company + people deserve your attitude, well "buddy" - go somewhere else.

Offline ideaworx

Re: How to deal with TP hack
« Reply #3 on: March 09, 2012, 02:28:28 PM »
I didn't say fuck you, did I? I said fuck the script, and the problems it has caused. I am changing scripts, as fast as I can, but because of this script, I lost so much traffic, I am having to do 3x the work to recover (that is IF I recover). You do realize I have this script installed on over 180 sites, on 8 servers? And 4 out of the 8 got this hack, and it has been consistently plaguing me. As soon as I think it is over, it is back, I am still using the script(s) that doozer installed to fix the hack, but it is beyond that, ioncube files that are encoded popping up, etc, the shit has hit the fan. I appreciate the few hundred dollars in feeder you guys provided, I probably sent that much in free script traffic, so I guess that is a wash. Do everyone a favor though, stop posting this shit about how you showed everyone how to remove the hack, if it was that easy, how did doozer get on my server 2x and NOT remove the hack completely??? Means you don't even know how to remove the hack. I know you are sorry, and sometimes sorry does not cut it, this is one of those times. I respect you, but the error of your host (which regardless how you put it, is YOUR FAULT, you picked the host, and allowed this shit to happen), is on you, and you are doing pretty good to fix it, but know that me, and at least 10 friends, have been fucked up and down by this hack. And my attitude? My family is losing money because of this hack, so I apologize if I am coming off pissed or rude, but don't confuse my anger for something other than just that, I am fucking angry as shit, and keep losing my ass here.

Shane

Offline ip0li

Re: How to deal with TP hack
« Reply #4 on: March 09, 2012, 03:11:03 PM »
Shane, did you read the solution for the hack at all?

Did you notice how we said LOCK files? After files are locked, there is no way to change them except if someone has your ftp/root password (not possible with TP HACK!)?

Before, kildoozer cleaned servers, and if 1 file stayed, the hacker could still change script files. Now with lock.php, if U lock files, he can't change them! If he can change them then it's FOR ANOTHER REASON AND NOT TP HACK!!!

So the solution is not to just clean the box, no! Solution is 1) check tpupdater.php size; if wrong, download/upload tpupdater as explained; if correct, make sure U have the latest build and run lock.php to SECURE files. After that is done, the hacker can't any longer change php files because only your ftp account or server root can change them!

The process itself takes 2 minutes per install (if done manually) or the host can build an ssh script in a cpl minutes and do it on all sites on the server in 1 run.

Regarding hosting, they are VERY reputable and no idea WTF is going on in that company but obviously instead of them losing clients, we are losing them.

Regarding me saying shit, I never speak shit... I always stay behind my words. Kildoozer did clean all that he could find on your and other servers; obviously that is not enough. That's why we made lock.php. After all, we had a cpl clients with the hack whose hosters cleaned the hack and problem solved...

I interpreted your anger as a direct attack on my company/product, because it sounded so. It hurts when someone you are good with says such words and I have been working my ass off for the last 2+ months to deal with this hack together with KD, it's midnight here and instead of being with family I am here writing to clients and helping them solve issues.

So, do as U wish, move to another script or lock files and problem solved.
« Last Edit: March 09, 2012, 03:14:17 PM by ip0li »

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
Re: How to deal with TP hack
« Reply #5 on: March 14, 2012, 11:27:48 AM »
geoip.inc is now being hacked on my servers. I see that this one is not locked down.

I wonder if they can modify this to send certain coded traffic somewhere else. 

This is just silly now. 

Offline ip0li

Re: How to deal with TP hack
« Reply #6 on: March 14, 2012, 12:09:20 PM »
Just lock it down manually to user:group and permissions 644. We will include lock for that file also in next update.

As over icq msg me if U need anything else and I can send you feed to compensate for lost traffic!

Offline Cristian

  • Newbie
  • *
  • Posts: 30
Re: How to deal with TP hack
« Reply #7 on: April 02, 2012, 06:59:49 AM »
How do I know if I'm hacked?
Regards
Cristian

Offline ip0li

Re: How to deal with TP hack
« Reply #8 on: April 02, 2012, 08:43:39 AM »
Check that tp/tpupdater.php is 14722 bytes.

Offline Cristian

Re: How to deal with TP hack
« Reply #9 on: April 02, 2012, 03:53:16 PM »
Looks like I'm fine
Regards
Cristian

Offline EonBlue

  • Newbie
  • *
  • Posts: 33
Re: How to deal with TP hack
« Reply #10 on: April 03, 2012, 08:57:25 AM »
The geoip.inc file keeps getting hacked on my sites - even after permissions are changed to 644 and all of my TP copies are locked. They keep adding this line:

Code:
@include_once('geoip.php_');
The geoip.php_ file is Zend encoded.

So how are they doing this even after everything is locked?

Offline ip0li

Re: How to deal with TP hack
« Reply #11 on: April 04, 2012, 03:08:00 AM »
Did you check if permissions are changed to 644 via ftp? If they can still change your php files after you changed to ftp user:group and 644, your HOST MUST SOLVE IT! It must be some wrong server setting somewhere or suphp!

Offline EonBlue

Re: How to deal with TP hack
« Reply #12 on: April 04, 2012, 03:54:31 AM »
Yep, permissions were changed to 644. I did have my host look into it and they found an exploit on my server and removed it. They also removed all of the geoip.php_ files and did a complete scan of my sites. Hopefully it is all taken care of now.

Offline EonBlue

Re: How to deal with TP hack
« Reply #13 on: April 04, 2012, 04:07:33 AM »
Spoke too soon. I just checked and it is back already. The geoip.inc files are modified again and geoip.php_ is reappearing. Host found and removed another exploit overnight so hopefully they won't be able to get back in any more.

Offline ip0li

Re: How to deal with TP hack
« Reply #14 on: April 04, 2012, 05:00:21 AM »
Exploit does NOT matter, since the exploit works on APACHE level, and ftp files shouldn't be editable by apache when U changed their user and permissions (lock.php)... so ask your host to take a more detailed look into it. I repeat, if they use suphp, ask them to remove it...
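
Added example, not part of the thread and not ScriptPulse's code: a read-only shell audit of one site for the indicators the posters name above (a tp/tpupdater.php that is not 14722 bytes, a geoip.inc that references geoip.php_, the dropped geoip.php_ file, and scripts writable by group or others). The directory layout and the function names `audit_site` and `make_samples` are assumptions, and the sample trees are constructed.

```sh
#!/bin/sh
# Added example: read-only audit of one site for the indicators named in this thread.
# Assumed layout: <site>/tp/tpupdater.php, with geoip.inc somewhere below <site>.
EXPECTED_SIZE=14722   # size of a clean tp/tpupdater.php, as stated in the thread

# Prints one line per finding; returns 0 when the site is clean, 1 otherwise.
audit_site() {
    site=$1
    upd="$site/tp/tpupdater.php"
    out=$(
        if [ ! -f "$upd" ]; then
            echo "MISSING   $upd"
        else
            size=$(wc -c < "$upd" | tr -d '[:space:]')
            [ "$size" -eq "$EXPECTED_SIZE" ] ||
                echo "SIZE      $upd is $size bytes, expected $EXPECTED_SIZE"
        fi
        # geoip.inc files that reference geoip.php_ (the line quoted in Reply #10)
        find "$site" -type f -name 'geoip.inc' -exec grep -lF 'geoip.php_' {} + |
            sed 's/^/INCLUDE   /'
        # the dropped encoded file itself
        find "$site" -type f -name 'geoip.php_' | sed 's/^/DROPPED   /'
        # 644 leaves no group/other write bit on scripts or geoip.inc
        find "$site" -type f \( -name '*.php' -o -name 'geoip.inc' \) \
            \( -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE  /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Builds constructed sample trees (not real data): one clean, one with the symptoms.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/tp" "$root/hit/tp"
    dd if=/dev/zero of="$root/clean/tp/tpupdater.php" bs="$EXPECTED_SIZE" count=1 2>/dev/null
    echo '<?php /* geoip lookup */' > "$root/clean/tp/geoip.inc"
    echo '<?php /* altered */' > "$root/hit/tp/tpupdater.php"
    printf "<?php\n@include_once('geoip.php_');\n" > "$root/hit/tp/geoip.inc"
    : > "$root/hit/tp/geoip.php_"
    chmod 644 "$root"/*/tp/*
    chmod 666 "$root/hit/tp/geoip.inc"
    echo "$root"
}

samples=$(make_samples)
for s in "$samples/clean" "$samples/hit"; do
    audit_site "$s" && echo "OK        $s"
done
rm -rf "$samples"
```

A size match alone does not prove a file is unmodified, so a finding-free run is a first pass and not a substitute for the host's scan.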