I was hacked - how do I fix it?


Postby FatGuyinAZ » 4:23am, Sat 23 Aug, 2008

Hello,
I went to log into my admin area so I could send out a weekly email and I was greeted with a hacked page. The page that I point people to in order to sign up for my weekly email is at: http://www.values-galore.com/phplist/?p=subscribe&id=2 and it is hacked as well.

Can somebody look at the above link and tell me how to fix this?

Thank you,
Steve
FatGuyinAZ
phpLister
 
Posts: 6
Joined: 6:56am, Wed 27 Feb, 2008
Location: Safford, AZ

Postby Dragonrider » 6:49am, Sat 23 Aug, 2008

No can do, access is denied to all your phplist pages.

I would imagine, however, that you have left some files set with permissions greater than 644, and possibly folders with permissions greater than 755.

If you have done so, then these are most likely your security holes.
My sites:- http://wharfedalefestival.co.uk, http://ilkleygardeners.org.uk, http://emergencyaid.net, http://dragonrider.co.uk
Latest phpList version is now 3.0.12 (3 February 2015) and requires a minimum of MySQL 5.0 and PHP 5.3.x
Dragonrider
Moderator
 
Posts: 3460
Joined: 6:58am, Sun 02 Jul, 2006
Location: Ilkley, West Yorkshire, United Kingdom

Postby FatGuyinAZ » 5:47pm, Sat 23 Aug, 2008

I just got an email back from my hosting service. They say somebody put a Shell Script designed to disrupt server operations on my site. They disabled it by changing permissions on the entire folder to 000. I have gone ahead and changed permissions back to 755 for now just so you can see this - link above will show you.

That is why you were not able to see anything by clicking on the link I gave. Okay now I know what it is on my site. How did it get there and how do I get rid of it? I guess I just need to reinstall PHPlist. What a pain-in-the-butt these people are that do this to others.

I will go check the database and make sure all the email addresses are still there and I will make a backup of it. Then start the work (yes work for me because I am not good at this) of installing the PHPlist again.

I wish there was a person that could do the install for a cheap fee.

Postby Dragonrider » 6:26pm, Sat 23 Aug, 2008

Bloody hell!

Right, first thing you need to do is try to remove all the phplist folder and files!

Two files you should probably get rid of, but double check with your host first, just in case, are sayko-bind and shbd, as they are nothing to do with phpList and both have full 777 permissions, and the second file seems to contain the hacker's header.

All the files in the phplist folder are set to 755, which you did so I could see; these should never be more than 644.

Oh yes, you also should change your passwords asap for your whole site as I could read your config file, so anyone can, and this shell thing that is running would allow anyone access to your server!

Basically Steve, delete the phplist installation entirely, backup your database, change your passwords and start afresh.

How customised was your phplist install? If it was standard phpList get back to me and I'll be happy to reinstall for you, but you'll have to reload your DB and any customisation.

David

Postby FatGuyinAZ » 6:51pm, Sat 23 Aug, 2008

Holy Crap! I didn't know how to read that stuff and I started looking and clicking and I was able to navigate UP to within my Values Galore store installation and I could see all the configuration files, admin folders, etc. I have deleted the phplist folder and all its contents! I will go and start backing up databases to all my other stuff and backing up files.

I have downloaded the latest version of PHPlist and I will give the installation a try. If I run into problems I will let you know. Thank you for the offer of help. I just might need it. Also, thank you for assisting me with this!!

Steve

Postby FatGuyinAZ » 2:45am, Sun 24 Aug, 2008

I was able to get PHPlist reinstalled and it's connected again to a new database (that I imported my old data into). I am back up and running. However, I need to do something to prevent this from happening again. What is suggested to keep from being hacked? I am not sure how this happened in the 1st place so I am assuming it could happen again.

My installation is at:
http://values-galore.com/phplist

My store (see my signature) has a link to subscribe to the weekly email, could a hacker have gained access through that?

Should I make the /admin/ folder password protected by adjusting the .htaccess file?

Thank you,
Steve

Postby Dragonrider » 5:52am, Sun 24 Aug, 2008

Glad you got things sorted Steve.

I don't know if you can actually make the admin folder and files unavailable to other users as a lot of the files are actually used within phpList.

The key is to ensure that no one else can access the files to change them, or the folders to add files within them.

Make sure all folders are set to 755 and all files are set to 644 permission wise.
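A read-only audit of the baseline described above (folders 755, files 644), plus a comparison against a freshly unpacked copy of the release to list files that do not belong to the install, like the two foreign files found earlier in the thread. This is an added example, not part of the original posts; it assumes GNU find, and the function names and paths are illustrative.

```shell
#!/bin/sh
# Added example: nothing here changes or deletes files, it only reports.
# Assumes GNU find, whose "-perm /MASK" matches when ANY bit in MASK is set.

# Files with any bit outside 644: setuid/setgid/sticky, any execute bit,
# or group/other write.
audit_files() {
    find "$1" -type f -perm /7133 -print | LC_ALL=C sort
}

# Folders with any bit outside 755: special bits or group/other write.
audit_dirs() {
    find "$1" -type d -perm /7022 -print | LC_ALL=C sort
}

# Relative paths present in the live tree ($1) but absent from a clean,
# freshly unpacked reference copy ($2). Anything listed was added after
# install: uploads, customisations, or files an intruder dropped.
unexpected_files() {
    tmp=$(mktemp -d) || return 1
    ( cd "$1" && find . -type f -print | LC_ALL=C sort ) > "$tmp/live"
    ( cd "$2" && find . -type f -print | LC_ALL=C sort ) > "$tmp/ref"
    LC_ALL=C comm -23 "$tmp/live" "$tmp/ref"
    rm -rf "$tmp"
}

# Usage: audit.sh LIVE_DIR [CLEAN_REFERENCE_DIR]
if [ "$#" -ge 1 ]; then
    echo "Files looser than 644:"
    audit_files "$1"
    echo "Folders looser than 755:"
    audit_dirs "$1"
    if [ "$#" -ge 2 ]; then
        echo "Files not in the reference copy:"
        unexpected_files "$1" "$2"
    fi
fi
```

Correct permissions on every file do not rule out a compromise, so the reference comparison is worth running even when the first two lists come back empty.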

Postby FatGuyinAZ » 6:11am, Sun 24 Aug, 2008

Thank you David for your help. I have gone through the entire file structure and made sure all permissions are set as you said, which they already were. Makes me wonder how the hacker did what they did in the 1st place? Oh well ... the other installation I had was done by Fantastico and I then just started using it. Maybe Fantastico didn't have file permissions set right. Yeah, that must be it. :D

At any rate, I am done and it's working. I just need to do a little customizing, which I hadn't done before. I will do a little reading on how that's done and get things set up.

Thanks again,
Steve

Postby Dragonrider » 7:57am, Sun 24 Aug, 2008

I'll be surprised if Fantastico didn't set permissions correctly but who knows. There may be another folder on your site, or on the server itself that allowed the hacker on, who knows.

I don't know how the b'st'rds do what they do, but so far (touch wood) I've managed to limit their access and block most attempts. One of my sites is under almost continual attack, with hundreds of attempts to access strange/non-existent files, so far all blocked by my server settings. So far! No rest for the wicked and don't get overconfident!

