Ask MetaFilter questions tagged with hacked

They HaX0r3D my PHP!

yellowbkpk — Mon, 11 May 2009 17:34:27 -0800

I discovered that my DreamHost account appears to have been "hacked". What does this PHP code do and what's a good way to get rid of it? When I was playing around with my websites tonight I noticed tons of PHP files that weren't there before. This link is an example of one of the files that I found.

In general, it appears that it takes any file matching *.(php|html|phps), renames it to filename<random alpha in A-Za-z>.php and sticks something similar to the above-linked PHP doc in it.

I notified Dreamhost of the problem, hoping that they could dig through my backups and let me know when these files were created, but I'm not holding my breath.

1. Has anyone seen these before? They're quite hard to search Google for since it's almost completely random data.
2. What does it do? I'm assuming it's some sort of bot net drone code of some sort.
3. It appears to have only created copies of files that are accessible from a Google search. e.g. I have a few "private" web pages that have obscure directory names that only I know. These files were not modified (but are clearly read/writeable with PHP).
4. How do I clean it up nicely? I don't see any modifications to existing files, so I think I can just delete the files that were created. File sizes, names, etc. are all different.

Thanks in advance!
Sorry for the meta-question. I'd be able to narrow it down to one more specific question if I could Google it.

Can I use htaccess to deny certain non-existent directories to avoid going through my Drupal site?

kosmonaut — Fri, 02 Jan 2009 12:12:00 -0800

Can I use htaccess to deny certain non-existent directories in order to avoid going through my Drupal site (which requires connecting to my database)? My Drupal site was hacked, though my content was not touched (which is why it went unnoticed for a while). I eventually noticed and cleaned up several extra directories that had had thousands of subdirectories with spammer linking content. The whole site is fresh and fixed but now I am getting a huge amount of 404 errors from all over the world, with people trying to access these old spam directories. In Drupal, each time this happens, the 404 page is generated and the 404 error is logged, which means accessing the database, which means my database is straining just to issue all of these 404 denials.

I just want a simple apache 404 page instead (but only for these spammer urls!).

The former pages and subdirectories were all contained within three base directories (I'll call them spam1, spam2, spam3), and so I would like to use htaccess to simply deny any request for (e.g.):

mysite.com/spam1/
mysite.com/spam1/item34/spam.php
mysite.com/spam2/item23/item5/anotherspam.php
...

And any other permutation.

I don't know how to do this when the directories don't actually exist. That is, I can recreate an empty folder called "spam1" and deny mysite.com/spam1/ requests with Apache, but this wouldn't deny any of the thousands of subdirectories -- as I said, Drupal steps in and takes over the 404 duties when the directory does not exist.

Is there some way to do the kind of denial I want, to pre-empt Drupal and the database connections? I do not control the server so htaccess may be my most powerful option.

(Otherwise, maybe I have to reconfigure Drupal in some way?)

SEO word salad pornography?

jepler — Thu, 18 Dec 2008 19:49:39 -0800

What in the world is going on with this website (subject of a recent askme)? Have a look at these google results: site:carolscookies.com inurl:locator. Is this an indication that the website's been hacked, or is this the kind of disgusting behavior that passes for SEO these days? I tried to google the site for nutrition information to answer the original question, but my query turned up all these pages. Rather than derail the original thread, I'm asking a fresh question.

They hacked our Joomla, help!

wile e — Thu, 04 Sep 2008 00:43:42 -0800

We've been hacked! We were just about to upgrade the Joomla version, and then we get this. Looks to be a ransom page, but we obviously want to reverse the hack. How do we do this? We can still access the administrative panel, but obviously our user/pass doesn't work. They were able to manipulate the hole in the older version 1.0.x (I forget the exact version it was, and can't check now) so can we do this as well? I don't want to publish the site name here, but if someone has valid reasons for requiring it, I can PM it.

Not sure what other info is relevant, but I will be watching all day so ask away.

Thanks.

Someone hacked my… something... somehow

studentbaker — Tue, 05 Aug 2008 11:05:14 -0800

What do you do when you think you've been hacked, but don't know how? This morning, when I tried to check my gmail with my iPhone, I got an error that the username/password combination was wrong. I was connected to my home network at the time. I re-entered the password in the iPhone settings and tried check it again. I got the error that the connection to the server “imap.gmail.com” failed. Feeling funny, I went to my Macbook and changed my gmail password in the google account settings.

At lunch, I checked gmail from my work PC and noticed a spam message that got through which I found strange since gmail has been very good lately at blocking spam. The spam was sent from my account. I know that it’s easy enough to spoof this, but I did check my sent mail and there it was. Someone sent the email from me, to me. The email subject was: “Anjelina Jolie Free Video”. The content was: “The password on archive anjelina”. There was an attachment: Angelina_Jolie.rar which I did not open. It was sent at 12:32 pm. I was definitely at my desk during that time.

I quickly changed my password again, and I made sure the new one was very strong. But, what now? Check my home and work machines for keystroke programs? Check to see if my home network has been hacked? How would I go about doing this, anyway? I feel like I need to change all my passwords now – bank, social networks, etc. – but what if they are watching me… Right Now!?!

Mr. All-knowing Super-hacker/psychologist Mefite, I need your help securing our IRC conversations...

Anonymous — Wed, 16 Jul 2008 23:47:24 -0800

Some really important info was leaked from our private IRC channel on our own server. Luckily, it was something that most people wouldn't believe without real proof, which the leaker didn't really have. So we're glad to have not been in a real shit-hit-the-fan situation yet. Can you find the weak link, or atleast offer suggestions on how to stop this from happening again? A little bit of info about our setup... We own our own dedicated server which runs a public IRCD (UnrealIRCD latest stable version if you're curious). On this network, we have our own invite-only private channel which only about 10-14 people have access to. The channel is +i and +k with a large enough key that cannot be bruteforced. On top of that, we use FiSH encryption (blowfish) inside the channel. The key for the channel is exchanged/given to others after initiating a PM session which is also blowfish encrypted after a Diffie-Hellman 1080 key-exchange. So we're pretty sure that our encryption key hasn't been sniffed at any point. Plus, even having the dedicated server rootkitted/trojanned wouldn't compromise our encrypted talk since it's only forwarding encrypted packets. All of us connect using one of the two clients - mirc and xchat.

The only way to get something from this channel that I can think of is either someone leaking the info by mistake or on purpose, or people with trojans or keyloggers. We're pretty sure none of us are infected after running multiple scans for rootkits, viruses/trojans and checking outgoing/incoming connections and processes. But it obviously cannot be ruled out since none of the tools are 100% trustworthy when it comes to detection. About someone leaking info from here, well, I'd like to think it's impossible. All of us have been a part of this channel for upwards of a year now, would trust each other, and have had access to a lot more important stuff than what was leaked. If someone wanted to make a profit off it, they could have done so quite a long time ago... Again, not ruling it out, but if there is another explanation for this leak, I'd put my faith in it being that one instead of the theory of a leaker.

The info was posted on a bunch of public forums. We're friends with the admins of all those public forums and had access to the poster's ip. Unfortunately, all of them were known TOR ips, so we cannot really find out who it was.

So, super-hacker mefites, find our weak link, and offer me suggestions on how I/we can make it even more secure. If you're a super psychologist (or is it psychiatrist?), you can even offer suggestions on how I could find the leaker by observing behavior patterns. Thanks!

anonymous throwaway mail for this question: mefitempmailacc@gmail.com

What happened with my cell phone Saturday night?

palegirl — Mon, 30 Jun 2008 14:05:33 -0800

Did someone hack my cell phone or somehow use my number? Do I need to worry about my phone being compromised or something? Someone left a voicemail for my friend and there's no outgoing call on my phone nor would anyone have had access to it (it was at my house, we were asleep.) When I checked my phone log, I found that a few minutes earlier I had a missed call from someone who does not have my number and denies having called me. Both of these calls happened just after 2:30am saturday night/sunday morning. Our entire social group was at a party Saturday night including the girl who got a message from me and the guy who I have a missed call from. My girlfriend and I went home around midnight. My phone was locked in our car while we were at the bar, and was in a semi-private room (although anyone could have access to it) while at the earlier event.

The girl's voicemail message says starts out "I'm calling you from [palegirl]'s phone..." and goes on to talk about how "I know you've never liked me but I don't know why!" drama-drama. It's a female voice that we can't identify, but they used nicknames and clearly are members of our social group.

The missed call I got is from my current girlfriend's ex-boyfriend. My girlfriend recognized his number when we were investigating the voicemail my friend got. He was at the party too. He and I aren't friends, and my gf and I don't even know if he knows the nature of our relationship. My girlfriend called him today and asked him if he called me and he denies it and she believes him.

We think someone is messing around with us. Is this possible?

It's a true fact that no one made a call from my phone to leave my friend that voicemail, but her phone shows my phone number as the received call, and the voicemailer explicitly says she's calling from my phone.

Do I need to change my number and or get a new phone or anything else?

The website got hacked. What now?

Anonymous — Fri, 30 May 2008 08:57:14 -0800

A website I programmed got hacked. Credit card numbers were compromised. What do I do now? I found the security hole and plugged it up, but at least one or two credit cards have already been stolen. There are a few hundred orders (less than 300) in the system. According to the error logs there were hits to the backend from the UK and Africa.

Obviously, I will recommend that all of the customers be notified. I don't suppose there's any way to do this in a classy manner that won't make our client look bad.

The worst of all is that the client will obviously suffer -- who knows how many of their customers will stop buying from them -- when it was not their fault. I feel like there is nothing I can do to resolve this problem...it's like a nightmare I can't wake up from. Please, please help.

Why'd my reliable mac crash so violently?

thecaddy — Thu, 15 May 2008 15:31:31 -0800

My 15" Powerbook from 2003, running OS X.3, just froze up and demanded that I restart my computer. Why? The screen grayed out and a message popped up telling me to restart my computer in English, German and a couple of other languages, in front of a graphic of the apple power logo.

Was it some kind of kernel crash? I've gone through my logs and don't see anything out of the ordinary.

I've never seen anything like this. Has my computer been hacked, or was it just running so long that a serious crash was bound to happen? (Disclosure: I've been using OS9 support recently.)

Yahoo Email Hacked! Help!

blueplasticfish — Thu, 08 May 2008 11:09:02 -0800

My Yahoo! email was hacked. What can I do? My Yahoo! email address was hacked and now I can't get in. They sent email to my friends and family saying I was stranded in Canada and that I needed money. Obviously, this isn't true. The hacker has changed my acct information and I cannot retrieve or change my password thru yahoo's forgot password mechanism. What can I do? Who can I contact? Is there some one I can call at Yahoo? I searched their help pages and cannot find any info related to my situation.

I need to get this acct back, as it is tied to my flickr and countless other online accts!

Please help. Thanks.

hacked again

sailormouth — Mon, 05 May 2008 20:43:45 -0800

Site hacked again 4 years later. I need some advice. So about 4 years I asked this question. Nothing much happened to my site then other than a index.html file was created which defaced my site.
Then today I get a not too official email from paypal telling me my site has been compromised. The email looked weird and had a url in it within my site. I open a new tab hand type the url and it exists.
I ssh into my site ls -alt to find most recent changes. I had not done anything in 2008 so it was really obvious what was new and modified. So I clean up the mess and change login info.
I renamed and moved the new files so I could look at them and find r57shell was used. mail logs have tons of out going.
The oldest file that was changed was from end of Jan 08. My logs only go back to mid March, so I can not see what got through. I had changed my old code to ignore variables with www or http. I do have awstats which I perused through pages/urls to see if anything in Jan stuck out. Nothing did.
I'm going to redo the site completely, but wonder how they got in.
And paypal/ebay asked me to help by giving them any logs that might help them.

My blog has become a playground for filthy pornmongers!

Drohan — Fri, 11 Apr 2008 12:54:37 -0800

How can I restore my totally disgustingly porn-hacked Wordpress blog to its former pristine state? Ugh. My Wordpress blog, hosted by phpwebhosting, has been invaded by the grossest spammer on earth.

Every individual post has been altered, with hundreds of lines unspeakably filthy links, enclosed in div tags.

In addition, comments are continuously being posted to every post, which appear to be coming from me (the blog name as the commenter).

I am locked out Wordpress, insofar as I cannot edit posts, post new ones, or make any security changes (I tried turning off comments, putting my spam blockers at their highest security levels, etc.

I have been using MarsEdit (as once recommended to me by AskMe users--thank you!) to make new posts and go in to each post and delete the horrifying spam. But there are hundreds if not thousands of posts.

1. Help!
2. Is there a way to batch edit all the affected posts? It seems that there are a handful every 10 or 12 or so that have not been touched.
3. How do I get back into Wordpress and regain control of my blog?
4. Has this happened before? What is going on?

I am using Wordpress 2.04 but cannot update. I emailed the abuse line of the spammer's IP address but that won't help me with the situation on my end, but might get the spammer(s) to stop the madness.

Thank you so much.

Is there anything I can do? I contacted Wordpress & phpwebhosting and posted on the Wordpress support forums.

Great, just what I needed... a hot HTML injection.

aristan — Tue, 08 Jan 2008 23:18:06 -0800

Pages on my website are getting strange javascript, iframes, & links placed in them... This isn't affecting the other sites I host... what's going on? I have several websites I host from a reseller account, though I don't actually sell any of my space. Most of the sites are just placeholder pages or projects I started and never finished, so they sit alone and unloved most of the time.

Looking around online, I see things about "Injected" Links, and of course the incident with Al Gore's site. But, how is this happening? It doesn't seem to affect the pages that are updated via Moveable Type and it doesn't seem to affect the sites "under" the main one.

I uploaded an HTML file on Monday afternoon for a friend and by Tuesday morning when he went to save it, it had an iframe injected into it.

Please note that this doesn't appear to be a Movable Type problem, as these are files that seem least likely to have the iframe or random links.

It would seem that the webserver is insecure. Is this something that is my own fault or is this the problem of my webhost? What can I do to stop/prevent/fix this?

Help me snatch a hacker/spammer

snsranch — Mon, 31 Dec 2007 16:24:09 -0800

My hotmail acct has been hacked/cracked and is being used to spam people including a few MeFites. I'm pissed and concerned. Please hope me! I've changed my password to something I think is pretty uncrackable but it's still happening.

Ultimately, I know, I should just use a g-mail acct. But in the mean time, what can I do to investigate, complain and secure the info that exists there in my acct?

It's also odd that at least one Mefite has been spammed who I've never had contacted with hotmail. So I believe that this might be MeFi related too.

p.s. Should I post a PSA to MeTa to let folks know that I'm not spamming them?

Has my computer been hacked?

number9dream — Tue, 10 Jul 2007 20:29:34 -0800

There's a brand-new user account showing up on my Windows XP SP2 desktop. Only thing is, I didn't create it, and nobody else has physical access to my machine. This just showed up a couple of days ago. The account is called ASP.NET Machine A... (the ellipsis is part of the name). It is a limited account, password protected.

Has my computer been hacked? If not, then what?

I know I can just delete the account since I'm an administrator. But are there other steps I can/should take? And what can I do to prevent this from happening again?

Can an Oyster Card be hacked?

complience — Fri, 22 Jun 2007 06:45:17 -0800

Can an Oyster Card be hacked? As i was leaving the tube yesterday a security guard scanned my oyster card with a handheld device just before I was about to scan out through the barrier.

This made me wonder why?.. what was it his handheld scanner would show that the normal barrier scanner couldn't pickup. The only thing i could think of was that somehow oyster cards can be faked and he was checking the status of the card against the main central database.

Oyster card?
if your wondering what an oyster card is.. its a new contactles smartcard that you use instead of a normal ticket on the london underground. It uses Philips' MIFARE Standard 1k chips provided by G&D and SchlumbergerSema. It is the same contactless smartcard as Touch 'n Go card in Malaysia which is mainly used for tollway fares.
http://en.wikipedia.org/wiki/Oyster_card

I found a MIFARE card writer on ebay.. could this do it?
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=250134169733

So my question is..
1.) can Oyster cards be hacked and faked?
2.) How would it be done?

Can you help me translate my hacked website from Polish to English?

allthewhile — Thu, 09 Nov 2006 12:33:09 -0800

Can you translate this short paragraph from Polish into English please? It involves some "L33t" speak so it may be challenging. To make a long story short, my wordpress blog was hacked. I just want to make sure it doesn't say anything about my family or anything threatening.
-----------------------------------------------------------
szczegolnie gorace pozdrowka dla KwIaTuSzk'A=) - ktora gdzies tam gleboko sie smuci... :*

witam i pozdrawiam, przykro mi ze macie tak zle zabezpieczona strone ze daje sie zrobic cos takiego ale takie zycie :)

Pozdrowka dla Kasi :*(szkoda ze nie caluje tak jak kiedys :(... ), cherry, ESPI (wymieniam tych co byli na czacie no i cos jesio )

ne0 3mam za Ciebie kciuki :)

respect 4: ETM T34M

http://cssource.info/forum/style_images/1/logo4.gif"

own3d by dar0

ps... badziewne te zdjecia na dole co nie? :D

----------------------------
btw, I took out the link to the picture, as I don't want their servers seeing metafilter

They changed my password and security question.

La Gata — Sun, 01 Oct 2006 17:11:07 -0800

Any ideas on how to retaliate against someone who hacked into my email account and changed my password? Or should I even bother? I got into a quarrel with someone on another board. They had posted a nasty message on that board, and I replied to them directly (off board) asking them what the hell their problem was. They replied directly to me with some name-calling and obscenities. I told them to grow up. The next time I tried to log into my email, I found that both the password and the security question had been changed.

A talented friend is going to help me hack back into my account (though I certainly won’t be using that account anymore). Now I’m wondering what, if anything, I should do about the person I believe is responsible. I don’t know for certain if this person actually did the hacking, obviously, but because of the tone of the emails, and the timing of the hacking, I strongly suspect they are.

An added wrinkle is that originally I thought I was dealing with an adult. I’ve been thinking about the messages and the hacking itself, and I now wonder if I was actually dealing with a teenager, specifically a script kiddie.

I don’t really want to hassle with someone who may be just a teenager, and honestly, I’ve got better things to do with my time.

On the other hand, they hacked into my account and changed my password, and that ticks me off.

So, any suggestions on how to teach the little snot a lesson – ideally something that would make them think twice before they pulled something like that again?

Or should I just forget about it?

Wuz she hax0r3d?

Shane — Fri, 03 Feb 2006 20:16:28 -0800

Wuz she hax0r3d?
Scenarios that explain this situation, please: Someone (not I) tries to connect to the 'Net on her AOHell account & gets an error message, the gist of which is "Ain't gonna log you on; reppy5 is already logged on to your account at another location." reppy5 is not one of the accounts/screen-names she has ever created. Has she been hacked? Used as a zombie? Hacked by a zombie? A zombie for what, for spam? A few minutes later she logs onto the 'Net and DOES get online, she calls AOL and is told to change her password. That's all she is told & she can barely understand this much from the AOHell CSR. She asks them to investigate reppy5 & they tell her to e-mail the TOS-General.

If she changed her password to something with letters (lower AND upper case) & numbers, it's not likely she'll be hacked again, right? Someone probably set up a program to run a random password generator on a list of confirmed usernames s/he got from AOL, got lucky with my friend, & now it's not likely to happen again? I'm no Techno-God, I'm just spex-you-lating.

Various scenarios? Whahappened? She wants to e-mail reppy5--should she?

Thanks, youse technorati ;-)
BTW, I only added "britney spears" to the list of tags on this post because anybody searching MeFi for info on Britney deserves to be misdirected ;-)

Am I hacked? What now?

jojopizza — Mon, 02 Jan 2006 14:37:53 -0800

If you ran a Debian server and one day noticed that telnet and apt-get were segfaulting, how would you proceed? I'm one of two admins on this server, and neither of us has made any changes in the last couple of months. This morning I noticed telnet and apt-get were wonky. Nothing unusual in the syslogs. It seems likely that someone has done something malicious.

How would you proceed from here?

jojopizza@askme:~$ telnet yahoo.com 80
Segmentation fault
jojopizza@askme:~$ sudo apt-get update
Segmentation fault
jojopizza@askme:~$

XP lite?

signal — Wed, 14 Dec 2005 11:46:39 -0800

Has anyone used one of the hacked windows XP-lite distros? The ones that remove unnecessary stuff and leave you with a faster machine? a- how stable are they, can you use them for resource intensive apps like photoshop, autocad, etc.? b- do they support non-english keyboards? c- is the performance gain worth the hassle of finding and installing them? Yes, I know that they're illegal in some countries. Let's say I have a merely academic interest.

What do I do after a PHP site break-in?

sailormouth — Tue, 14 Sep 2004 22:02:08 -0800

A couple months ago my site was lightly hacked. It happened again on a site for a friend of my father, possibly not as lightly. --> The weakness in both cases for piss poor php coding. I had written the code a few years ago w/o thinking about vulnerability. Basically I had an index page and then index2.php (I know real original) for everything else. Content of other pages were loaded when the filename was passed in the querystring.
One site passed the entire filename. The other site appended the extension on the file.
Well some Brazilian haxors passed their url to a "jpg" with command line commands. Viola they can dink around some. Everything they did is in the logs.
On my site they only wrote an index.html file after trying to get up in the server (unsuccessfully) to get to some config info. I deleted the file, rewrote my php code, and went on with my life.
Well on the other site some files were loaded.
Files include: f3, kmod, mremap, r0nin, telnetd, ptrace, tfmaster, some perl, C, eggdrop (tar), and psyBNC (tar). It mostly seems like they were setting up IRC stuff.
I took all of their files/dirs and moved them. Changed all login info. I reworked my php to close the obvious hole.
So after all of that backstory here is my question: What specifics should I look for in their trail (cmds in logs and actual files) to see if they were able to compromise anything serious?