03.09.2004, 16:22   #1
fuzzybuster
Mamber
Join Date: Jun 2004
Posts: 73
Site Hacked by Vn Truehack

Hi everyone. Need some help here, please.

Someone has hacked one of my Mambo sites. They left a calling card, Vn Truehack. I haven't restored this as I guess they'll come back and do the same if I don't set Mambo up more securely.

The version I was running was Sinatra 1.0.7. How best should I restore this without too much pain and without losing too much time and data?

Any advice gratefully received.

Hacked by VnTrueHack
Warning: main(/version.php): failed to open stream: No such file or directory in /home/xxxxxx/public_html/classes/mambo.php on line 28

Warning: main(): Failed opening '/version.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxxxxx/public_html/classes/mambo.php on line 28

Warning: main(/classes/database.php): failed to open stream: No such file or directory in /home/xxxxxx/public_html/classes/mambo.php on line 30

Fatal error: main(): Failed opening required '/classes/database.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxxxxx/public_html/classes/mambo.php on line 30

03.09.2004, 16:43   #2
fuzzyfree
Mamber
Join Date: Jun 2004
Location: New Jersey, USA
Posts: 57
Re: Site Hacked by Vn Truehack

What I would do is just put the stable and secure Mambo 1.0.9 in your public_html directory and decompress it. That should overwrite all the old insecure files (except configuration.php) and replace the files that were deleted. It will not affect your database and I don't believe there are any changes to the database structure (someone correct me if I'm wrong) so your site should come back up with no problem. I would however take a look and see that VnTrueHack has not left himself a user account in your mos_users table. Look at all the admins, managers, etc...


BTW: Nice name
__________________
Who wants Mambo? I do I do!
greenpanda.net
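
Unpacking a clean release over the site, as the reply above suggests, replaces the shipped files but does not remove anything an intruder added, and it leaves configuration.php as it was. The following is an added example, not part of the original thread: it compares a freshly unpacked release against the live webroot. The function names, directory arguments and the `keep` default are assumptions.

```python
import hashlib
from pathlib import Path


def _digest(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root):
    """Map each regular file (path relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in root.rglob("*")
            if p.is_file() and not p.is_symlink()}


def compare_trees(clean_root, live_root, keep=("configuration.php",)):
    """Compare a live webroot with a freshly unpacked release.

    Returns sorted lists of relative paths:
      missing  - shipped in the release, absent from the live site
      modified - present in both, contents differ
      extra    - only on the live site; an overwrite will not remove these
      review   - site-specific files (keep, assumed) to read by hand
    """
    clean, live = _index(clean_root), _index(live_root)
    report = {"missing": [], "modified": [], "extra": [], "review": []}
    for rel in sorted(clean.keys() | live.keys()):
        if rel in keep and rel in live:
            report["review"].append(rel)
        elif rel not in live:
            report["missing"].append(rel)
        elif rel not in clean:
            report["extra"].append(rel)
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)
    return report


if __name__ == "__main__":
    import sys
    # Usage (placeholder paths): script.py <clean_release_dir> <live_webroot>
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

Entries under `extra` include legitimate uploads and installed add-ons as well as anything dropped during the intrusion, so unexpected `.php` files there are the first to read.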

03.09.2004, 17:13   #3
EpicJason
Baby Mamber
Join Date: May 2004
Posts: 14
Re: Site Hacked by Vn Truehack

I would follow the above suggestions, change your database password, and contact your hosting provider to make sure it's not just a single incident.

I would also recommend doing a search online (google) and you may find the location the hacker resides. A lot of hackers will actually tell you how they got into your site and ways to fix it.

Just make sure to take their words with a grain of salt.
__________________
Jason Ruyle, Operations Manager
jason@epicservers.com - (319) 331-4702
http://www.epicservers.com | Supports MamboOS

03.09.2004, 18:34   #4
fuzzybuster
Mamber
Join Date: Jun 2004
Posts: 73
Re: Site Hacked by Vn Truehack

Thank you very much chaps.

Your help is appreciated.

I've discovered what he/she/it has done and am now taking steps to fix.

Again, it's nice to be in a community that is not only intelligent, it cares about fellow members.

Thanks.

04.09.2004, 06:38   #5
rober
Expert Mamber
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
Re: Site Hacked by Vn Truehack

Quote:
Originally Posted by EpicJason
I would also recommend doing a search online (google) and you may find the location the hacker resides. A lot of hackers will actually tell you how they got into your site and ways to fix it.

Just make sure to take their words with a grain of salt.
To add to your statement, hackers are proud to show off what sites they have hacked. Here is one such site that keeps scores for the hackers.

Click here

Look around the site, I am amazed that this is allowed to continue, but then again.... I am surprised at a lot of things that are happening around this world of ours...

I have written more about this in my post called "Core Protection" in this same forum should you care to view it.

Quote:
Originally Posted by fuzzybuster
Thank you very much chaps.

Your help is appreciated.

I've discovered what he/she/it has done and am now taking steps to fix.

Again, it's nice to be in a community that is not only intelligent, it cares about fellow members.

Thanks.
Your "fix information" could be useful to other mambers should you care to share it. Just a thought

Best of luck!
__________________
Peace, wherever you are.
Designs by Rober
Network Engineer and graphics designer. Jack of all internet trades...

05.09.2004, 04:34   #6
fuzzybuster
Mamber
Join Date: Jun 2004
Posts: 73
Re: Site Hacked by Vn Truehack

It gets worse. Though I'd found what they've done, they moved on and have hacked five sites now.

I hope they read this because this is my living and I'm on a razor edge at the moment. My clients are going to be really angry and I'm likely to lose a few of them because of this catastrophe.

To make things worse, my father (who lives on the other side of the world) has had a stroke and I need to be with him.

I'm really, really angry about this and sad too. I'm generally a fairly upbeat type of person and look for the good in every eventuality. This time, however, I don't see anything but darkness.

Sorry to unburden my troubles in here but, I guess, I'm being tested.

06.09.2004, 05:29   #7
rober
Expert Mamber
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
Re: Site Hacked by Vn Truehack

Quote:
Originally Posted by fuzzybuster
It gets worse. Though I'd found what they've done, they moved on and have hacked five sites now.
Sorry to hear about your father but your message is a bit confusing here.

Did you manage to fix the first site you mentioned in your first post? Are the hacks for the new sites the same?

Can you share a bit of information on what/how your sites were hacked?

Don't mean to ask a lot of questions but it is hard to answer or assist if we do not have a clear understanding of the precise issues.

Good luck.

06.09.2004, 21:30   #8
fuzzybuster
Mamber
Join Date: Jun 2004
Posts: 73
Re: Site Hacked by Vn Truehack

Quote:
Originally Posted by rober

Don't mean to ask a lot of questions but it is hard to answer or assist if we do not have a clear understanding of the precise issues.

Good luck.
It seems they did some sort of JavaScript sniffing and extracted passwords to the 2082.

That's as much as I know at the moment. Will keep you posted. Happy to say a bit more later, once things have calmed down.

Thanks for your thoughts Rober

07.09.2004, 02:22   #9
jascha
Junior Mamber
Join Date: Apr 2004
Posts: 26
Re: Site Hacked by Vn Truehack

I would suggest using SSL where passwords are involved as well as .htaccess and other means of security. A read of Securing Mambo OS might be of some help from MOS Forge. You may want to also insure the server itself was not compromised since many times a malicious user can escalate privileges once in a system. . .

-Jascha
__________________
Mambo Security: http://mambosec.localareasecurity.com