Website has been hacked

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

koolsamule
Forum Contributor
Posts: 130
Joined: Fri Sep 25, 2009 10:03 am


Post by koolsamule »

Hi chaps,

Bit of an URGENT one here, I have a PHP MySQL website on a shared server with 123-reg.co.uk.

The site has been hacked somehow/somewhere.

If you enter the site in Google, it appears as:
HackeD By PCH Crew {PakCyberHaxors.com}

But if you enter the site into the browser address, it shows fine.

The index.php file in the root of the site is a redirect, but as mentioned above, it seems to be working fine.

Is there anything I can do from my end, or is this a server issue?

Many thanks

Samuel
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Website has been hacked

Post by John Cartwright »

You probably need to plug the security hole in the code, not in the server configuration (although that may have been a part of it).

This is a very broad question though, and nearly impossible to answer without getting one's hands on it, as there could be many, many ways for a poorly written application to be hacked.

A couple things off the top of my head,

1) Change all your passwords immediately to something VERY strong.
2) Do you allow your users to upload files?
3) Do you implement some kind of front controller? If so, do you have allow_url_fopen enabled? If so, are you filtering properly?
4) What version of PHP are you running?
5) Do you have register globals enabled?
6) Do you have a backup of your site prior to being hacked? If so, I would recommend immediately uploading the backup to restore your site. If you have had development on your site since the last backup, run a DIFF tool to determine what exactly has changed and to identify code that needs to be removed.

This list could go on for hours.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Website has been hacked

Post by pickle »

See if any files have been changed recently. There might be some modifications done to .htaccess to have bots go one place (and therefore have the Google results be nerfed but usual users not). There might also be code doing similar work in your index file.

If you can do an `ls` on that directory, that should give you a good clue where to look.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
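
An added example, not code from any poster in this thread: one way to carry out the two checks suggested above, diffing the live site against a pre-incident backup and then looking in the changed files for lines that branch on the visitor's user agent or referrer. The directory names, the pattern list and the sample files are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative (not exhaustive) strings suggesting output switches on crawler or referrer.
CLOAK_RE = re.compile(r"googlebot|bingbot|HTTP_USER_AGENT|HTTP_REFERER", re.I)

def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_against_backup(live, backup):
    """Return files added, modified or removed in live relative to backup."""
    now, old = tree_hashes(live), tree_hashes(backup)
    return {
        "added": sorted(now.keys() - old.keys()),
        "modified": sorted(f for f in now.keys() & old.keys() if now[f] != old[f]),
        "removed": sorted(old.keys() - now.keys()),
    }

def cloaking_hints(root, names):
    """Return (file, line number, text) for lines matching CLOAK_RE."""
    hits = []
    for name in names:
        text = (Path(root) / name).read_text(errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            if CLOAK_RE.search(line):
                hits.append((name, n, line.strip()))
    return hits

def demo():
    """Compare a constructed live tree with a constructed backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for d in (backup, live):
            d.mkdir()
            (d / "index.php").write_text("<?php header('Location: /home.php');\n")
        # Constructed tampering: a new .htaccess and an edited index.php.
        (live / ".htaccess").write_text(
            "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} Googlebot [NC]\n")
        (live / "index.php").write_text(
            "<?php $ua = $_SERVER['HTTP_USER_AGENT'];\nheader('Location: /home.php');\n")
        report = diff_against_backup(live, backup)
        return report, cloaking_hints(live, report["added"] + report["modified"])

if __name__ == "__main__":
    print(demo())
```

A hit is only a pointer to a line worth reading: legitimate code also inspects the user agent, and a changed file with no hit still needs review.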
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Website has been hacked

Post by Mordred »

1. You are seeing an old, cached by your browser, version of the site, and the site is really defaced.
2. The hackers show a different page to Google than to the people, or - more sinister - they show the "old" site to you specifically, but the defaced one to everyone else. I doubt this is the case though.

Giving us the URL of the site might help.
koolsamule
Forum Contributor
Posts: 130
Joined: Fri Sep 25, 2009 10:03 am

Re: Website has been hacked

Post by koolsamule »

OK chaps, thanks for the replies.

I did recently change the majority of the site's 'front-end' PHP scripts.

Most of the content stayed the same, I did though use require_once() to check for cookie validation, rather than having the actual PHP on each page, this wouldn't affect the site security though, would it?

The site was defaced, but after editing/updating the index file, the correct redirect worked again.

I don't seem to have an .htaccess file in the site root, this was never in place from the start.
koolsamule
Forum Contributor
Posts: 130
Joined: Fri Sep 25, 2009 10:03 am

Re: Website has been hacked

Post by koolsamule »

OK, I have checked all PHP scripts and they look fine.
Also changed my MySQL password to something very strong.
Checked all user inputs and used mysql_real_escape_string() and strip_tags() where appropriate.
I've resubmitted the URL to Google, so hopefully that will help.
If there is something else that will help, please let me know!
Many thanks