Hi chaps,
Bit of an URGENT one here, i have a php mysql website on a shared server with 123-reg.co.uk.
The site has been hacked somehow/somewhere.
If you enter the site in google, it appears as:
HackeD By PCH Crew {PakCyberHaxors.com}
But if you enter the site into the browser address, it shows fine.
The index.php file in the root of the site is a redirect, but as mentioned above, it seems to be working fine.
Is there anything I can do from my end, or is this a server issue?
Many thanks
Samuel
Website has been hacked
Moderator: General Moderators
-
koolsamule
- Forum Contributor
- Posts: 130
- Joined: Fri Sep 25, 2009 10:03 am
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Website has been hacked
You probably need to plug the security hole in the code, not in the server configuration (although that may have been a part of it).
This is a very broad question though, and nearly impossible to answer without getting ones hands on it, as there could be many, many ways for a poorly written application to be hacked.
A couple things off the top of my head,
1) Change all your passwords immediately to something VERY strong.
2) Do you allow your users to upload files?
3) Do you implement some kind of front controller? If so, do you have allow_url_fopen enabled? If so, are you filtering properly?
4) What version of PHP are you running?
5) Do you have register globals enabled
6) Do you have a backup of your site prior to being hacked? If so, I would recommend immediately uploading the backup to restore your site. If you have had development on your site since the last backup, run a DIFF tool to determine what exactly has changed and to identify code that needs to be removed.
This list could go on for hours.
This is a very broad question though, and nearly impossible to answer without getting ones hands on it, as there could be many, many ways for a poorly written application to be hacked.
A couple things off the top of my head,
1) Change all your passwords immediately to something VERY strong.
2) Do you allow your users to upload files?
3) Do you implement some kind of front controller? If so, do you have allow_url_fopen enabled? If so, are you filtering properly?
4) What version of PHP are you running?
5) Do you have register globals enabled
6) Do you have a backup of your site prior to being hacked? If so, I would recommend immediately uploading the backup to restore your site. If you have had development on your site since the last backup, run a DIFF tool to determine what exactly has changed and to identify code that needs to be removed.
This list could go on for hours.
Re: Website has been hacked
See if any files have been changed recently. There might be some modifications done to .htaccess to have bots go one place (and therefore have the Google results be nerfed but usual users not). There might also be code doing similar work in your index file.
If you can do an `ls` on that directory, that should give you a good clue where to look.
If you can do an `ls` on that directory, that should give you a good clue where to look.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: Website has been hacked
1. You are seeing an old, cached by your browser, version of the site, and the site is really defaced.
2. The hackers show a different page to google than to the people, or - more sinister - they show the "old" site to you specifically, but the defaced one to everyone else. I doubt this is the case though.
Giving us the URL of the site might help.
2. The hackers show a different page to google than to the people, or - more sinister - they show the "old" site to you specifically, but the defaced one to everyone else. I doubt this is the case though.
Giving us the URL of the site might help.
-
koolsamule
- Forum Contributor
- Posts: 130
- Joined: Fri Sep 25, 2009 10:03 am
Re: Website has been hacked
OK chaps, thanks for the replies.
I did recently change the majority of the sites 'front-end' PHP scripts.
Most of the content stayed the same, I did though use require_once() to check for cookie validation, rather than having the actual php on each page, this wouldn't effect the site security though, would it?
The site was defaced, but after editing/updating the index file, the correct redirect worked again.
I don't seem to have an .htaccess file in the site root, this was never in place from the start..
I did recently change the majority of the sites 'front-end' PHP scripts.
Most of the content stayed the same, I did though use require_once() to check for cookie validation, rather than having the actual php on each page, this wouldn't effect the site security though, would it?
The site was defaced, but after editing/updating the index file, the correct redirect worked again.
I don't seem to have an .htaccess file in the site root, this was never in place from the start..
-
koolsamule
- Forum Contributor
- Posts: 130
- Joined: Fri Sep 25, 2009 10:03 am
Re: Website has been hacked
OK, I have checked all PHP scripts and they look fine.
Also changed by MySQL password to something very strong.
Checked all user inputs and used mysql_real_escape_string() and strip_tags() where appropriate.
I've resubmitted the url to Google, so hopefully that will help.
If there is something else that will help, please let me know!
Many thanks
Also changed by MySQL password to something very strong.
Checked all user inputs and used mysql_real_escape_string() and strip_tags() where appropriate.
I've resubmitted the url to Google, so hopefully that will help.
If there is something else that will help, please let me know!
Many thanks