index page code changed/hacked, please help . . . . .

[impossib]

M using a free x10Hosting.com account and install a 'Apps Installer' script under "iwsn" folder.
Few days ago someone change my site's index page under "http://MYSITE.x10.mx/", I change password, reset index page and redirect my site URL form "http://MYSITE.x10.mx/" to "http://MYSITE.x10.mx/iwsn/". But today, someone again change my index pages or index pages code of "http://MYSITE.x10.mx/" and "http://MYSITE.x10.mx/iwsn/", both.
I can reset both cause I have backup but I just want to know HOW and from WHERE they doing this; what wrong I did ......
----- anybody any idea, please help ????

 

[Dead-i]

Hi,

Here are some things you should do in this kind of situation:
1) Change your account password, and any passwords for any additional FTP users you created.
2) Change your database passwords.
3) Ensure that there are no vulnerabilities in software you are running. You should always ensure that any CMSs, blogs, etc that you have installed are always running the latest version of the software, to patch any possible security issues in previous versions.

Thank you,

 

[impossib]

Hi,

Here are some things you should do in this kind of situation:
1) Change your account password, and any passwords for any additional FTP users you created.
2) Change your database passwords.
3) Ensure that there are no vulnerabilities in software you are running. You should always ensure that any CMSs, blogs, etc that you have installed are always running the latest version of the software, to patch any possible security issues in previous versions.

Thank you,

Hi Dead-i,

Thanks for the reply, Sir.
But I would like to inform U that I already changed my account password and I have no extra FTP user beside the default login details FTP but still after that, they again able to change my index page 2nd time (They only change my index page, other pages are intact and OK; even database are OK).
I only used to install a script of 'Softaculous Apps Installer' provide by default x10hosting control panel, nothing else. So there is no chance of vulnerabilities in software or old version software as this script is use by million of users for years.
Is there any other chances, any idea how they change my index page or index page code, Sir ????

 

[leafypiggy]

Hi,

I'm running a malware scan on your account.

 

[impossib]

Hi,

I'm running a malware scan on your account.

Thanks leafypiggy

.... m eager to know the result. Do U find any thing, Sir ??

 

[leafypiggy]

You had two files on your account that were infected, and were causing this.

Jun 13 13:36:48 xo3 maldet(982349): {hexstring} malware hit {HEX}gzbase64.inject.unclassed.15 on public_html/upload/files/404.php
Jun 13 13:36:49 xo3 maldet(982349): {hexstring} malware hit {HEX}gzbase64.inject.unclassed.15 on public_html/404.php

I've removed the files. This is most likely from a bad upload script. you should not allow people to upload php files...

EDIT: Yeah... I can upload any PHP file I want onto the server from your script.

As a precaution, I've moved the entire upload folder out of public_html. You need to fix your script.

 

[impossib]

You had two files on your account that were infected, and were causing this.

Jun 13 13:36:48 xo3 maldet(982349): {hexstring} malware hit {HEX}gzbase64.inject.unclassed.15 on public_html/upload/files/404.php
Jun 13 13:36:49 xo3 maldet(982349): {hexstring} malware hit {HEX}gzbase64.inject.unclassed.15 on public_html/404.php

I've removed the files. This is most likely from a bad upload script. you should not allow people to upload php files...

Thanks leafypiggy

Lots of thanks for finding the root of problems, Sir. But I need little more help .... I just install the script (by auto installation) and do nothing, then how do I change the permission of upload 'PHP in my account's folder', (This script has permission to install only image, music and video files, then how do they upload PHP) any idea .... please guide, Sir.

One more thing Sir, I install script under 'public_html/iwsn/...' folder, so if they upload this PHP file(s) through the script then this PHP file(s) must be under 'iwsn' folder or it's sub-folder; then how do they upload 404.php under 'public_html/upload/files/...' and 'public_html/...' Please help, I have no idea ???

 

[leafypiggy]

Well first of all, the script allows them to upload anything they want. So that's what's wrong with the script.

Secondly, uploading images, music, and videos is strictly against our terms of service.

 

[impossib]

Well first of all, the script allows them to upload anything they want. So that's what's wrong with the script.

Secondly, uploading images, music, and videos is strictly against our terms of service.

Thanks for the reply, leafypiggy.

Sir, x10hosting control panel provide 'Softaculous Apps Installer', 'Softaculous Apps Installer' provide 'The script', 'The script' provide the permission 'uploading images, music, and videos', I do nothing externally then how do I can go against the 'terms of service' of x10hosting and break the 'terms of service' of x10hosting, Sir ???

Sir, I like to inform that I install script under 'public_html/iwsn/...' folder, so if they upload this PHP file(s) through the script then this PHP file(s) must be under 'iwsn' folder or it's sub-folder, only; then how do they upload 404.php under 'public_html/upload/files/...' and 'public_html/...' Please help, I have no idea ???

 

[leafypiggy]

I'm not talking about that script. I'm talking about the script that was in /public_htmll/upload.

In addition, if you're having the iwsn script to upload those sort of files (images, music, videos) then that's still against our ToS. We do not allow file hosting. Especially not copyrighted files.

 

[impossib]

I'm not talking about that script. I'm talking about the script that was in /public_htmll/upload.

In addition, if you're having the iwsn script to upload those sort of files (images, music, videos) then that's still against our ToS. We do not allow file hosting. Especially not copyrighted files.

Sir,
We will talking about the 2nd issue (ToS) later and I must listen it form U but now I need some little help and guidance about the 1st problem.
I don't upload '404.php' under '/public_html/upload/...' neither my install script can do it (because as I inform "if my install script allow the infected script '404.php' to upload then it must be under '/public_html/iwsn/...' folder or it's sub-folder not out side of it"). Then how do they upload it. U find the problem and remove it; please help me to
find and stop the way 'how do they did it', Sir ???

 

[Livewire]

I'm jumping in to try and clarify one part on this; I'm going to make it as clear as I can. If your file upload script allows PHP files to be uploaded, that is your problem. If you're trying to figure out how the Dolphin install is being compromised, that's simple - you're allowing PHP files to be uploaded.

When you allow PHP files to be uploaded, you're enabling a direct path for PHP Shells to be uploaded through. These shells are extremely malicious, and extremely powerful - so powerful, in fact, that they can access files OUTSIDE the folder they started in. While we ensure files in one account cannot access files outside of that account, what this means is that if a shell is put into public_html/upload, it can go into your public_html and see what's there. It can ALSO go into public_html/iwsn, and modify/delete/upload files there.

To put it as simply as I can, allowing PHP file uploads is literally as bad as giving the hacker your username and password (and in some cases far worse). It enables the shells to be uploaded with absolutely no restraint, and instantly dissolves any security you may have had in place. Having direct-file access also means everything on your account is at risk, including your MySQL username/password since those are often stored in plain-text in a normally inaccessible file.

So, as leafy has stated above, the file uploader is the problem. As long as it allows PHP file uploads, you will be repeatedly compromised by the shells people will upload using it.

 

[impossib]

I'm jumping in to try and clarify one part on this; I'm going to make it as clear as I can. If your file upload script allows PHP files to be uploaded, that is your problem. If you're trying to figure out how the Dolphin install is being compromised, that's simple - you're allowing PHP files to be uploaded.

When you allow PHP files to be uploaded, you're enabling a direct path for PHP Shells to be uploaded through. These shells are extremely malicious, and extremely powerful - so powerful, in fact, that they can access files OUTSIDE the folder they started in. While we ensure files in one account cannot access files outside of that account, what this means is that if a shell is put into public_html/upload, it can go into your public_html and see what's there. It can ALSO go into public_html/iwsn, and modify/delete/upload files there.

To put it as simply as I can, allowing PHP file uploads is literally as bad as giving the hacker your username and password (and in some cases far worse). It enables the shells to be uploaded with absolutely no restraint, and instantly dissolves any security you may have had in place. Having direct-file access also means everything on your account is at risk, including your MySQL username/password since those are often stored in plain-text in a normally inaccessible file.

So, as leafy has stated above, the file uploader is the problem. As long as it allows PHP file uploads, you will be repeatedly compromised by the shells people will upload using it.

Thanks for the clarification, Livewire.

I am extremely grateful to all of U for helping and guiding me.
"leafypiggy" help me to find the root of problems and remove it.
You - "Livewire" help me to understand that as they can upload php, they can do anything in any folder or file, that doesn matter where the php file is ....
But Sir, still I don't understand how they upload PHP script because
a> as U said "If your file upload script allows PHP files to be uploaded, that is your problem." if my script really allows PHP upload and anyone (except Dolphin admin) can upload php files, then all Dolphin user may get same problems (as I told that I use default auto installation and do nothing extra).
b> as it is a test/demo site so there is few fake members (6 members only). So, important thing is, all 6 members is me and guest (non member) can't upload any files.
c> as U said "......... the file uploader is the problem." but Dolphin script allow only definite extensions files as 'jpg png gif bmp jpeg' for photo, 'mp3 wav wma' for sound and 'avi flv mpg wmv mp4 m4v mov divx xvid mpeg 3gp' for video. No one can upload other extension file like php.

Sir, please don't take it otherwise; I just want to explain logic from my side, nothing else. I just trying to find and stop the way 'how do they did it', please help me???

 

[Livewire]

The way Dolphin and most other scripts work is they check what's being uploaded by filename; if it doesn't end in an allowed extension, it either denies the upload or never actually saves the file. As near as I can tell from yours, your upload script does -not- do any form of checking on filename (or if it does, I'm not seeing it), hence why it was possible to upload a malicious file.

Assuming that Dolphin is indeed allowing PHP file uploads, then I would recommend abandoning it altogether or patching it to check the filetype of what's being uploaded.


Edit: I just want to make clear that the only script I was looking at is now in /home/YOURCPANELNAME/upload since it was moved by leafy to enable account security. If this script is doing any kind of filename testing, I can't see it. This was previously in /home/YOURCPANELNAME/public_html/upload and was effectively "public," which explains why one of the malicious files was originally in /home/YOURCPANELNAME/public_html/upload/files/404.php - this would have been uploaded through the public uploader you had, not through Dolphin.