Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM


Kimmie

Yeah I looked at htaccess and thought it looked really weird and was going to be the next thing I had you look at ;)


Kindred

from this, I assume that your site is patriotgames2.info?

if so, I don't see anything wrong with that file
Слaва Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Kimmie

yes - I have it in main mode now, but I can turn that off so you can see what they did

kat

I wonder...

ipntreas.php makes me think there's a FlashChat installation, on-site.

Just how secure is that thing?

Kimmie

ok I turned the site back on... go check it out

Kimmie

Quote from: K@ on December 26, 2013, 12:08:18 PM
I wonder...

ipntreas.php makes me think there's a FlashChat installation, on-site.

Just how secure is that thing?

The date on that file is 5/16/2013. Not sure what it is.

Kimmie

It's legit... It's from my treasury mod



Illori

<div class="sp_content_padding">
<a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1"><img src="http://patriotgames2.info/avatars/Various/misc11.gif" alt="kjb0007" width="30" class="sp_float_right" /></a>
<div class="middletext">December 22, 2013, 12:32:44 PM by <a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1" style="color: #99CCFF;">kjb0007</a><br />Views: 44 | Comments: 8</div>
<div class="post"><hr /><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head></div>


that seems to be causing part of your issue.

Kindred

looks like something was added to the end of index.php or index.template.php

Kimmie

Quote from: Illori on December 26, 2013, 12:18:45 PM
<div class="sp_content_padding">
<a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1"><img src="http://patriotgames2.info/avatars/Various/misc11.gif" alt="kjb0007" width="30" class="sp_float_right" /></a>
<div class="middletext">December 22, 2013, 12:32:44 PM by <a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1" style="color: #99CCFF;">kjb0007</a><br />Views: 44 | Comments: 8</div>
<div class="post"><hr /><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head></div>


that seems to be causing part of your issue.


That is the av I use on the site  (kjb is me)


Kimmie

Quote from: Kindred on December 26, 2013, 12:23:10 PM
looks like something was added to the end of index.php or index.template.php

Index.php from inside root is attached

Kindred

so.. not there...

Rather than throwing out suggestions, one by one, your host really needs to do a SERVER scan for matching strings and recently added files --- as well as look at the server logs from 3AM onward.
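The server sweep suggested in the post above (matching strings, recently changed files, logs from 3AM onward), as an added example that is not part of any post in this thread. The sample tree, file placement, log lines and IP addresses are constructed, and the log filter assumes Apache common/combined format.

```shell
#!/bin/sh
# Added example: first-pass sweep of a web root after a suspected compromise.

# Files under root ($1) that contain the fixed string ($2).
scan_for_string() {
    # -r recurse, -l file names only, -I skip binaries, -F literal match
    grep -rlIF -- "$2" "$1" 2>/dev/null | sort
}

# Regular files under root ($1) modified after a timestamp ($2).
scan_recent_files() {
    find "$1" -type f -newermt "$2" -print 2>/dev/null | sort
}

# Access-log ($1) lines for one day ($2, dd/Mon/yyyy) at or after hour ($3).
# Assumes field 4 looks like "[dd/Mon/yyyy:HH:MM:SS".
log_from_hour() {
    awk -v day="$2" -v hour="$3" '{
        split(substr($4, 2), t, ":")
        if (t[1] == day && t[2] + 0 >= hour + 0) print
    }' "$1"
}

# Constructed sample tree and log so the sweep runs offline.
make_sample() {
    _d=$(mktemp -d)
    mkdir -p "$_d/www/Themes/default"
    echo '<?php // untouched file' > "$_d/www/index.php"
    echo '<link href=http://getpremiumminecraft.com/font/sa3ek/InG.css rel=stylesheet>' \
        > "$_d/www/Themes/default/index.template.php"
    touch -t 201305161200 "$_d/www/index.php"
    touch -t 201312260310 "$_d/www/Themes/default/index.template.php"
    cat > "$_d/access.log" <<'EOF'
192.0.2.10 - - [26/Dec/2013:02:59:58 -0500] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [26/Dec/2013:03:04:11 -0500] "POST /index.php?action=post2 HTTP/1.1" 302 0
198.51.100.7 - - [26/Dec/2013:03:04:15 -0500] "GET /index.php?topic=85549.0 HTTP/1.1" 200 7300
EOF
    echo "$_d"
}

# Demo run against the constructed sample.
demo_dir=$(make_sample)
scan_for_string "$demo_dir/www" 'getpremiumminecraft.com'
scan_recent_files "$demo_dir/www" '2013-12-01 00:00:00'
log_from_hour "$demo_dir/access.log" '26/Dec/2013' 3
rm -rf "$demo_dir"
```

A string sweep of the file system only covers files; content stored in the forum database, such as post bodies, has to be searched there separately.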

Kimmie

Yeah I gave them the time frame it happened in and told them they had 12 hours to figure out what the heck happened and get it resolved or I was looking for a new host.

In the meantime.. I have a publichtml backup from Dec 1st. In layman's terms (hehe), give me the steps I need to do to rectify this on my end. What would "you" do?


Illori

if you look at http://patriotgames2.info/index.php?topic=85549.0 the code i posted above is in that topic in the first post it seems

Kimmie

Quote from: Illori on December 26, 2013, 12:36:22 PM
if you look at http://patriotgames2.info/index.php?topic=85549.0 the code i posted above is in that topic in the first post it seems

Should I go into the DB and delete that thread?

Illori

http://patriotgames2.info/index.php?action=post;msg=256089;topic=85549.0

see if that works to modify the post and remove the call to the css in the head tag

Kimmie

Quote from: Illori on December 26, 2013, 12:45:53 PM
http://patriotgames2.info/index.php?action=post;msg=256089;topic=85549.0

see if that works to modify the post and remove the call to the css in the head tag



I am a semi-noobie.. what does that mean?  :/

Illori

can you click the link? can you remove the content of the post that includes a <head> tag and the link to the css i quoted before?

Kimmie

Quote from: Illori on December 26, 2013, 12:50:24 PM
can you click the link? can you remove the content of the post that includes a <head> tag and the link to the css i quoted before?


When I clicked the link you gave me, all I see is that big purple image, not the actual post itself, so I cannot do any editing on that front.

In the DB when I edit that post, this is what I get. Is there something here I can change?

