
Textpattern CMS support forum


#1 2010-08-20 00:38:31

kevinpotts
Member
From: Ghost Coast
Registered: 2004-12-07
Posts: 370

Site Hacked / Link Hijacking - Need PHP Expert

So pages of my site have been hacked. Example: http://graphicpush.com/sincerity-clarity-brevity-in-that-order (Click on any link and it takes you to a Canadian pharma site.) I have combed through all of my forms and PHP files on the server and cannot find anything. Here’s what I have determined:

1.) .htaccess file is clean. Nothing wonky there.
2.) It is not JavaScript. I both disabled JS AND removed all JS from my pages and it’s still hijacked.
3.) It is not a plugin. I disabled them all and the behavior remains.
4.) It is not on every page of my site, but it is consistently on the one I referenced above.

This is clearly being done server-side. I don’t know how. This is the most interesting diagnostic I could find. All other code traces in Firebug and Chrome come up as “clean”.

Any clues? I will give access to server and TXP if necessary. I’d like to learn how this was done to help others in the future.


Kevin
(graphicpush)

Offline

#2 2010-08-20 01:39:08

kevinpotts
Member
From: Ghost Coast
Registered: 2004-12-07
Posts: 370

Re: Site Hacked / Link Hijacking - Need PHP Expert

OK, update …

On my server, for a different site, I found a nasty .bin file wrapped up in base64 at the very end of publish.php. Obviously deleted that, but it didn’t help. I never found the reason for the above affected site, but I did a wholesale overwrite of the /textpattern/ directory and that fixed it. So that code was in there somewhere.

Also, I changed my FTP passwords. Good times.


Kevin
(graphicpush)

Offline

#3 2010-08-20 01:55:29

maniqui
Member
From: Buenos Aires, Argentina
Registered: 2004-10-10
Posts: 3,070
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

The Admin -> Diagnostics tabs didn’t say anything interesting? No modified files?


La música ideas portará y siempre continuará

TXP Builders – finely-crafted code, design and txp

Offline

#4 2010-08-20 01:56:56

kevinpotts
Member
From: Ghost Coast
Registered: 2004-12-07
Posts: 370

Re: Site Hacked / Link Hijacking - Need PHP Expert

maniqui wrote:

The Admin -> Diagnostics tabs didn’t say anything interesting? No modified files?

That was the first thing I checked after I determined it wasn’t JS. Nothing. Weird, right?


Kevin
(graphicpush)

Offline

#5 2010-08-20 02:11:51

wolfcry911
Member
From: MA, USA
Registered: 2006-06-30
Posts: 51

Re: Site Hacked / Link Hijacking - Need PHP Expert

You might want to read this post by Noah Stokes:
http://esbueno.noahstokes.com/post/759171096/my-server-was-hacked

Offline

#6 2010-08-20 08:13:29

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

Download all files from the server to your computer and search through the files for strange includes. I had a similar hack – at the end of all php/html files an include() was inserted.


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?

Offline

#7 2010-08-20 11:36:05

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

Which version of TXP was installed?

Offline

#8 2010-08-20 12:28:32

kevinpotts
Member
From: Ghost Coast
Registered: 2004-12-07
Posts: 370

Re: Site Hacked / Link Hijacking - Need PHP Expert

the_ghost wrote:

Download all files from the server to your computer and search through the files for strange includes. I had a similar hack – at the end of all php/html files an include() was inserted.

Yes, that is my next step. I used a few grep searches across all of my domains, but it’s not as conclusive as I want.

ruud wrote:

Which version of TXP was installed?

4.2.0. But Textpattern itself was not compromised, just the PHP files on the server.


Kevin
(graphicpush)

Offline
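A scanner for the symptoms reported in this thread (a base64 payload or an include() appended to the end of PHP/HTML files), to run over a downloaded copy of the site. This is an added example, not code from any poster; the rule patterns, the extension list and the 4 KB tail window are assumptions to tune for your own code base.

```python
import re
import sys
from pathlib import Path

# Assumed heuristics for the symptoms described in the thread: execution of
# a decoded payload, a long base64 blob, an include of a remote/non-PHP file.
RULES = {
    "decode-call": re.compile(rb"(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "base64-blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
    "odd-include": re.compile(
        rb"\b(include|require)(_once)?\b[^;\n]*?['\"]"
        rb"(https?://[^'\"\n]*|[^'\"\n]*\.(bin|txt|jpg|gif|png))['\"]", re.I),
}
EXTENSIONS = {".php", ".html", ".htm", ".inc"}

def scan_bytes(data, tail=4096):
    """Return (rule, offset, in_tail) findings for one file, sorted by offset.

    in_tail is True when the hit lies in the last `tail` bytes, which is
    where appended code ends up.
    """
    tail_start = max(0, len(data) - tail)
    findings = []
    for name, pattern in RULES.items():
        for match in pattern.finditer(data):
            findings.append((name, match.start(), match.start() >= tail_start))
    return sorted(findings, key=lambda finding: finding[1])

def scan_tree(root):
    """Yield (path, findings) for each web file under root with a hit."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_bytes(path.read_bytes())
            if hits:
                yield path, hits

if __name__ == "__main__":  # usage: scan.py PATH_TO_SITE_COPY
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for rule, offset, in_tail in hits:
            where = "end of file" if in_tail else "body"
            print(f"{path}: {rule} at byte {offset} ({where})")
```

Legitimate code also calls base64_decode(), so treat hits as leads to review; hits flagged "end of file" in files that should match a clean release are the ones to look at first.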

#9 2010-08-20 17:39:57

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

It only redirects if the HTTP request contains a Referer: and User-agent: header and both of these have to pass certain minimum requirements otherwise the redirect doesn’t happen. The referrer has to be one of the pages that shows these symptoms and the user-agent can’t be as simple as “mozilla/5.0”, but has to be longer. The target URL doesn’t seem to matter as long as it’s in the same domain… the redirect happens even if the target URL doesn’t exist, like http://graphicpush.com/doesntexist.

To check if some TXP file is involved, you could temporarily remove the .htaccess file, so Textpattern doesn’t handle requests for files that don’t actually exist on the server, and then manually do an HTTP request and see if it still redirects. (Check before and after removing the .htaccess so you know you’re not doing it wrong.)

You can do the test manually from the command line:

telnet graphicpush.com 80
GET /doesntexist HTTP/1.1
Host: graphicpush.com
Connection: close
User-Agent: Mozilla/5.0 (something)
Referer: http://graphicpush.com/sincerity-clarity-brevity-in-that-order

Offline
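The manual telnet test above, scripted so the same request is repeated with and without the User-Agent and Referer headers and the responses can be compared side by side. This is an added example, not code from the thread; it assumes the hijack appears as a 3xx response whose Location header points outside the site's own domain, and that the site answers on plain HTTP port 80.

```python
import socket
import sys
from urllib.parse import urlsplit

def build_request(host, path, user_agent=None, referer=None):
    """Raw HTTP/1.1 GET like the telnet session; each header is optional."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def classify(raw_response, site_host):
    """Return (status, location, offsite) parsed from a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    location = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    target = urlsplit(location).hostname if location else None
    # Assumption: the hijack is a 3xx whose Location leaves the site's domain.
    offsite = (300 <= status < 400 and target is not None
               and target != site_host and not target.endswith("." + site_host))
    return status, location, offsite

def probe(host, path, user_agent=None, referer=None):
    """Send one request over plain HTTP (port 80) and classify the reply."""
    with socket.create_connection((host, 80), timeout=10) as sock:
        sock.sendall(build_request(host, path, user_agent, referer))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify(b"".join(chunks), host)

def header_matrix(host, path, referer, user_agent="Mozilla/5.0 (something)"):
    """Probe all four header combinations, keyed by (has_ua, has_referer)."""
    return {(bool(ua), bool(ref)): probe(host, path, ua, ref)
            for ua in (None, user_agent) for ref in (None, referer)}

if __name__ == "__main__":  # usage: probe.py HOST PATH REFERER_URL
    for combo, result in header_matrix(*sys.argv[1:4]).items():
        print("UA=%s Referer=%s ->" % combo, result)
```

An off-site redirect that appears only when both headers are sent matches the conditional behaviour described in this post; run it before and after removing .htaccess to see whether Textpattern's request handling is involved.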

#10 2010-08-22 12:12:16

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

How did it end?

Offline

#11 2010-08-27 02:29:07

kevinpotts
Member
From: Ghost Coast
Registered: 2004-12-07
Posts: 370

Re: Site Hacked / Link Hijacking - Need PHP Expert

It’s not over. I overwrote the TXP files but the shit was back the next day. So with the help of Dreamhost’s tech support I tracked down a rogue .php file (cleverly named too) that was destroying graphicpush.com. I also found a nasty leech base64 script appended to index.php in the root of another site that was sticking about 100 pharma spam links to my HTML files. The amazing bit about this is that all of this cruft is completely invisible to the end user — but if you view the site as Google (this helped), it was like looking at a completely different site — like looking at a hotel room with infrared glasses and seeing all of the bacteria and insects crawling over the walls.

So now I am looking for a script that can monitor file activity across my sites. Any recommendations?


Kevin
(graphicpush)

Offline

#12 2010-08-27 04:16:10

joebaich
Member
From: DC Metro Area and elsewhere
Registered: 2006-09-24
Posts: 507
Website

Re: Site Hacked / Link Hijacking - Need PHP Expert

I don’t know of such a script that runs on the web server. After a similar situation to the one you experienced, we downloaded a copy of our sites to a local Mac (a PC would do just as well) and let NOD32 AV do its thing in the background. This uncovered some rogue files we hadn’t found. We keep this up, syncing the sites every now and again and also looking at the sync logs to see if any .php files update when they shouldn’t.

This is good stuff from Google, you likely have seen it already but the ‘Monitoring your site health’ is sound advice and refers to the ‘Fetch as Googlebot’ facility you used.

Last edited by joebaich (2010-08-27 14:38:48)

Offline
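One way to do the file monitoring asked about above, in the spirit of checking a synced copy for .php files that changed when they shouldn't: record a SHA-256 baseline of a known-clean tree and report anything added, removed or modified since. This is an added example, not a tool recommended by any poster; the function names and the manifest format are assumptions, and the manifest is assumed to live outside the site root (ideally on another machine) so that whoever can write to the site cannot rewrite it.

```python
import hashlib
import json
import sys
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline, current):
    """Compare two snapshots; every value is a sorted list of paths."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    # New or changed .php files are the case this thread is about.
    php_touched = sorted(p for p in added + modified if p.lower().endswith(".php"))
    return {"added": added, "removed": removed, "modified": modified,
            "php_touched": php_touched}

def check(root, manifest_path):
    """First run writes the baseline and returns None; later runs return diff()."""
    manifest = Path(manifest_path)
    current = snapshot(root)
    if not manifest.exists():
        manifest.write_text(json.dumps(current, indent=1, sort_keys=True))
        return None
    return diff(json.loads(manifest.read_text()), current)

if __name__ == "__main__":  # usage: integrity.py SITE_ROOT MANIFEST_FILE
    report = check(sys.argv[1], sys.argv[2])
    if report is None:
        print("baseline written")
    else:
        for kind, paths in report.items():
            for path in paths:
                print(f"{kind}: {path}")
        sys.exit(1 if any(report.values()) else 0)
```

The baseline is never overwritten by a later run, so after a legitimate update delete the manifest and take a new one from files you have verified.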
