My website is hacked.
Actually it's not completely owned by me. We have our team and friends. The site is completely wiped out; they have deleted all data online.
It was hacked by "xero cyber army". We have a backup and we are rebuilding it; it takes time, but please tell me the security flaws of it and what I should do next.
Link to my website: http://www.kuromanga.com/
Thanks.
JAYSSJ11- “I’d rather be hated for who I am, than loved for who I am not.”
/dev/null
Some more information regarding the used technology: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.kuromanga.com Port 80
FrontPage extensions.... hmmz :|
/dev/null
Were you using scripts like WordPress, Joomla or Drupal? WordPress had a recently publicised "TimThumb" vulnerability. Your log files, as mentioned by OxDC: check your admin logs. Can you see random IPs POSTing to the file manager and logging in and out without authentication? Without more information from you we are all fumbling in the dark a little.
Hey, I might be able to help with this, but like those who participated in this thread above, I will need a lot of info before even being able to do anything.
I Hate Signatures.
We don't actually use WordPress, Joomla or Drupal, but I think they might have gained access through some premade module we used on the site.
Well, the info you are providing is not that much of a help.
For a start:
1- You will need to provide the correct time of when the exploitation happened (within 1 hour).
2- Provide Apache access + error logs for that time, plus and minus 1 hour.
3- Depending on what can be found in the logs, the sources of some pages/scripts may be needed.
4- Even if all of this is provided, if the site is on a shared hosting plan, the exploitation could have come through another website through which the attacker gained root access to the server itself.
OK adiga!! I will try to scoop up more info. As this website is in California, USA (where our main admin is) and I am in India, it is difficult for me to get all the info because of the time difference, but I will try to get it all.
And thanks for the advice :D
jayssj11, why don't you use WordPress, Joomla or Drupal? I heard that these are excellent CMS tools for creating the design of software applications.
Hello,
I am one of the team members for this website. I will try to answer all the questions above as well as provide as many details about the attacks and server specs as possible.
Firstly, this is a Linux-based server which runs Apache and has cPanel and WHM. It is also a dedicated server which hosts a few other websites, but none of them use any open source CMS (Drupal, Joomla, Magento, WordPress, etc.). They are all pure HTML / CSS3 except for one which uses PHP, AJAX, jQuery and JavaScript. We do not suspect that this website could have any type of security flaws.
The website that was hacked (now for the 3rd time) is a PHP project created with the Zend Framework. There are a few developers who worked on this, so it's not just one person's code, which makes it a bit harder to pinpoint what and who.
During the hacker's first attack:
They gained access exclusively to the area of this website (or so it seems, as no other websites were affected). The database is also still intact. They also uploaded a couple of files that advertise their hacking team.
Our hosting team suggested changing all passwords on the server, as they suspect the attackers gained access through FTP. We did this and re-uploaded the website.
Second hacker's attack:
It occurred only a few hours after we finished uploading the website. It also seems like it was automated? Not certain. In any case, they again deleted all the files (without affecting the DB or any other websites on the server) and left, as the index page, a page advertising their hacking team.
We once again changed the passwords and ran a virus scan. The virus scan located a file called bn.php which seems to have a decoding algorithm. It contained a whole bunch of alphanumeric characters
(ex: $code = “7T37sW+O2sr/f77v/g+vDKaGEPHmFQLpJSWCC8AklIgN1+HMd2YhxO/sJ3n3v7vVyPJ5tuw4Abbb9pzT
0i7Y0mhGGs2MXqPx//6POkiojiO7iY……)
and ended with :
@eval(gzinflate(base64_decode($code)));
So upon deleting that file and re-uploading the website to the server, we assumed we were now in the clear. The website was up and running for a few days; this morning, we noticed that all the files on the server were wiped once again. This time they have NOT uploaded a page advertising their hacking team. Perhaps they were too lazy to upload it? Or perhaps they weren't able to since we deleted that file.
What are your thoughts? Any idea how we can permanently put a stop to these hacking attempts?
Thank you for your insight.
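The bn.php file described in the post above is a classic one-line PHP dropper: a base64 blob that is inflated and handed to eval(). The following is an added example, not code from this thread or from the site's developers. It peels such eval(gzinflate(base64_decode(...))) layers offline, without ever executing the payload, so the team can read what the dropper really does. The sample dropper it decodes is constructed here (a harmless echo) to mirror the layout quoted in the post; real ones usually unwrap to a web shell, which is why the file must be read rather than just deleted.

```python
"""Offline unwrapping of eval(gzinflate(base64_decode(...))) PHP droppers.

Added example, not code from the forum thread. Nothing here executes PHP:
it only reverses the encoding layers so the plaintext can be inspected.
"""
import base64
import os
import re
import textwrap
import zlib

# The eval chain seen in bn.php. PHP's gzinflate() is raw DEFLATE (no zlib
# header), which is why every inflate below uses wbits=-15.
EVAL_CHAIN = re.compile(r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(')
LITERAL_ARG = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)')
VARIABLE_ARG = re.compile(r'base64_decode\s*\(\s*\$(\w+)\s*\)')


def extract_blob(src: str):
    """Return the base64 text fed to gzinflate(base64_decode(...)), or None.

    Handles both the literal form eval(gzinflate(base64_decode("..."))) and
    the variable form $code = "..."; @eval(gzinflate(base64_decode($code)))
    quoted in the thread. Whitespace inside the blob (line breaks in the
    string literal) is dropped, as PHP's base64_decode ignores it too."""
    if not EVAL_CHAIN.search(src):
        return None
    m = LITERAL_ARG.search(src)
    if m:
        return re.sub(r"\s+", "", m.group(1))
    m = VARIABLE_ARG.search(src)
    if m:
        assign = re.search(
            r'\$' + re.escape(m.group(1)) + r'\s*=\s*["\']([A-Za-z0-9+/=\s]+)["\']', src)
        if assign:
            return re.sub(r"\s+", "", assign.group(1))
    return None


def php_gzinflate(blob: str) -> str:
    """Equivalent of PHP gzinflate(base64_decode($blob)), decoded as latin-1
    so arbitrary bytes never raise."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("latin-1")


def decode_dropper(src: str, max_layers: int = 16):
    """Peel nested eval/gzinflate/base64 layers until plain PHP remains.
    Returns (plaintext, layers_removed). max_layers guards against a
    decode loop on hostile input."""
    layers = 0
    while layers < max_layers:
        blob = extract_blob(src)
        if blob is None:
            break
        src = php_gzinflate(blob)
        layers += 1
    return src, layers


def scan_tree(root: str):
    """Walk a web root and list PHP files containing the eval chain, so
    every copy of the dropper is found, not only the one the AV flagged."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="latin-1") as fh:
                    if EVAL_CHAIN.search(fh.read()):
                        hits.append(path)
    return hits


# --- constructed sample in the same layout as the bn.php quoted above ---
def _wrap(php: str) -> str:
    """Apply the attacker-side encoding (raw DEFLATE + base64) to build a sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(php.encode()) + comp.flush()).decode()


INNER = '<?php /* constructed harmless payload */ echo "decoded payload"; ?>'
MIDDLE = '<?php eval(gzinflate(base64_decode("%s"))); ?>' % _wrap(INNER)
SAMPLE_BN_PHP = '<?php\n$code = "%s";\n@eval(gzinflate(base64_decode($code)));\n?>' % (
    "\n".join(textwrap.wrap(_wrap(MIDDLE), 76)))

if __name__ == "__main__":
    plaintext, layers = decode_dropper(SAMPLE_BN_PHP)
    print("layers removed:", layers)
    print(plaintext)
```

Run it against the real file with `decode_dropper(open("bn.php", encoding="latin-1").read())`, and `scan_tree("/home/<account>/public_html")` before re-uploading the backup, since a restored tree that still contains a second dropper explains why the wipe recurred within hours.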
What version of cpanel is used? Have a look at:
http://www.cvedetails.com/vulnerability-list/vendor_id-1766/Cpanel.html
- daMage
Well, let's start with some basic stuff...
1- Look for any cron jobs that might be running that would delete files, run commands or execute scripts that you did not place, or for a service you are not running.
2- Check all open ports; this way you can be sure that the attackers have no back-connect script running and that they have no access to the command line.
lsof -i
netstat -lptu
netstat -tulpn
If no ports other than those of the services you are running are open, you are halfway there.
3- List all users on the server and make sure no new users were added that do not belong to a service/an account you added:
cat /etc/passwd
Install clamav and freshclam, update its database and do a scan; any backdoors/shell scripts should be found through it.
If after doing all this the hack still happens...
it's 99% a PHP script exploit.
To solve it:
1- Apache logs.
2- In the logs you might find something / some URL that you can inspect.
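The checks above (unexpected users in /etc/passwd, then the Apache access log for the hour around the wipe) are easier to repeat after each rebuild if they are scripted. The following is an added example, not code from this thread, and runs offline on constructed sample data: a fake /etc/passwd and a few Apache combined-format log lines using documentation IP ranges. It flags extra UID-0 accounts, accounts homed in scratch directories, POSTs to PHP scripts, and any 2xx/3xx response for a path that is not in the deployed file list (a fetched bn.php being exactly that). The incident time, deployed path set and window are assumptions to be replaced with the site's own values.

```python
"""Offline triage helpers for the steps above: users and Apache access logs.

Added example, not code from the thread. Sample input is constructed; on the
real box pass the contents of /etc/passwd and the access_log lines for the
incident window.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
SCRATCH_HOMES = ("/tmp", "/var/tmp", "/dev/shm")


def suspicious_passwd_entries(passwd_text):
    """Accounts to question: any extra UID-0 user, or a home in a scratch dir."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue
        name, _, uid, _, _, home, _shell = parts
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("uid 0 but not root")
        if home.startswith(SCRATCH_HOMES):
            reasons.append("home in scratch directory")
        if reasons:
            hits.append((name, reasons))
    return hits


def triage_access_log(lines, deployed_paths, incident_time, window=timedelta(hours=1)):
    """Requests within incident_time +/- window that look like post-exploitation:
    a POST to a PHP script, or a successful answer for a path we never deployed
    (i.e. a file the attacker uploaded being used)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; on a real box, count these rather than ignore them
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - incident_time) > window:
            continue
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        reasons = []
        if m["method"] == "POST" and path.lower().endswith(".php"):
            reasons.append("POST to PHP script")
        if path not in deployed_paths and status < 400:
            reasons.append("served a path not in the deployed tree")
        if reasons:
            findings.append({"ip": m["ip"], "time": when, "method": m["method"],
                             "path": path, "reasons": reasons})
    return findings


def by_ip(findings):
    """Count findings per source IP; the top entry is where to pivot next."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# --- constructed sample data (documentation IP ranges, fictional times) ---
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
kuro:x:1001:1001::/home/kuro:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""
DEPLOYED = {"/", "/index.php", "/css/site.css", "/upload.php"}  # assumed file list
INCIDENT = datetime(2013, 3, 10, 14, 0, tzinfo=timezone.utc)   # assumed wipe time
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:13:05:41 +0000] "GET / HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2013:13:58:02 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2013:13:58:09 +0000] "GET /bn.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2013:13:58:15 +0000] "POST /bn.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2013:16:30:00 +0000] "GET /bn.php HTTP/1.1" 404 210 "-" "curl/7.29"',
    '192.0.2.44 - - [10/Mar/2013:14:10:00 +0000] "GET /nonexistent HTTP/1.1" 404 210 "-" "curl/7.29"',
]

if __name__ == "__main__":
    for name, why in suspicious_passwd_entries(SAMPLE_PASSWD):
        print("user", name, "->", ", ".join(why))
    found = triage_access_log(SAMPLE_LOG, DEPLOYED, INCIDENT)
    for f in found:
        print(f["time"], f["ip"], f["method"], f["path"], "->", ", ".join(f["reasons"]))
    print("per IP:", by_ip(found))
```

The deployed path set is the important input: build it from the clean backup (`find public_html -type f`) so that every path Apache served with a 2xx that is not on that list is, by construction, something the attacker put there.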