:) HaCkEd aGaIn :)

[iogames]

I was reading in the morning that someone was hacked and I thought: I'm gonna find the time to write a good 'Guide for the Hacked' for users not to get hysterical about the problem and ZAZ! my site was hacked :P but I don't get all scare, good thing that I know by memory the structure of my server/files... but must be interesting analyze/dissect the attacks for future references...

I don't know if it's improper to post this, please advise me if so... but here the main file who steals you cP's Password: CONFIGSCAN.PHP

*** Script removed, no need to post a script to hack a site ***
p.s. I fixed very calmly my problem

[SEOvB]

wouldn't they still need a way to get that file on your server?

[Lynne]

Quote:

Originally Posted by FRDS

wouldn't they still need a way to get that file on your server?

This was gonna be my question. That is what I would be freaking out over!

[iogames]

In fact I said: I always take it with calm... not that I'm a expert
I just check head-over-heels, and although I said to my Hosting Service that might my a Shell thing they say is script-related thing... so I don't discuss and go to the logs and clean everything and change passwords...

It came with many 'strange foreign files'

Any idea what that script compromise?

p.s. I consider a tootache more important that a vBulletin's board hacked

--------------- Added [DATE]1221886742[/DATE] at [TIME]1221886742[/TIME] ---------------

and everything start here:

Quote:

212.100.250.218 - - [11/Sep/2008:11:03:48 -0600] "GET /cpanel HTTP/1.0" 301 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:34 -0600] "GET /version.php HTTP/1.0" 200 63599 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:29 -0600] "GET /configscan.php HTTP/1.0" 200 1773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.229.144 - - [11/Sep/2008:11:09:54 -0600] "GET /configscan.php HTTP/1.1" 200 1813 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
41.219.229.144 - - [11/Sep/2008:11:26:00 -0600] "GET /yomistarz/yomistarz.php HTTP/1.1" 200 3698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
212.100.250.218 - - [12/Sep/2008:03:24:41 -0600] "POST /GuXnnQshoT.php HTTP/1.0" 200 25610 "http://iogames.com/GuXnnQshoT.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16)

England & Nigeria

[Lynne]

Quote:

Originally Posted by iogames

p.s. I consider a tootache more important that a vBulletin's board hacked

But do your users agree with that!

[iogames]

'Naija Bois Too Much '



Info in the files, I called my Nigerian friend OSUJI, and he told me is a bragging gang term...

[Ziki]

To avoid that this file finds out your password,change the config.php file so that it is not a one-liner,but more lines.Especially the password parts.

[iogames]

The only thing I regret is to lose my SuperSecure password: it was a word I created with Latin & Greek roots, combined with numbers and must be entered sitting over your head singing Jingle bells in Zulu

The only FTP connection I see is on 9/14/2008

Quote:

14 40 7.86% 40 files 153kb

Over .png files

[puertoblack2003]

i remember reading something on how to protect the config.php there's info here to protect your file using htaccess http://www.sitebuddy.com/php/VBullet...with_.htaccess hope that help

[Ziki]

Or CHMOD it to 600 ,this allows the script to be access via your vBulletin/server files,but not via users ,I use this for my products.