Thread: Keep getting hacked

  1. #1 kevsnop (New Bee)

    Hello.

    I have a simple php based website and for some reason or another, some joker keeps attacking my site.

    Either they add a file to my public_html folder called something like 'index.html' (which overrides the default index.php) or go as far as replacing the index.php file (or even the news.php, the initial page) with their own hacked version.

    I've tried changing my ftp password multiple times, and gone through the ftp access with a fine-tooth comb and can't find anything obvious.

    Any ideas on what to do to prevent this from happening again?
    Cheers
    Kevin

  2. #2 roywoodall (New Bee)

    What CHMOD have you set on your homedir?

  3. #3 Wayne R. (WeeHBie)

    Check file permissions on all your PHP files. Do you have any files with loose permissions that do not need to be?
    Think of what types of files you have on your site. Anything that can be easily exploited, such as a poorly coded contact page? Gallery? etc.
    Wayne Reavill
    WebHostingBuzz CIO

  4. #4 Tony (Bad Influence)

    Check for updates on everything too. A single old script with a vulnerability can be like an open door.

    If possible, just ban IPs wholesale. I must have half the rest of the world blocked at this point.

  5. #5 kevsnop (New Bee)

    My php files are set to 644, which shouldn't mean they can overwrite. It's based on e107.org stuff.

    I might just upgrade to the latest version if you think that will help?

  6. #6 Wayne R. (WeeHBie)

    Quote Originally Posted by kevsnop:
        My php files are set to 644, which shouldn't mean they can overwrite. It's based on e107.org stuff.

        I might just upgrade to the latest version if you think that will help?

    Yep, 644 is fine for your permissions.

    If there is a newer build than you are running currently, I would upgrade. A Google search for 'e107 exploits' yields a few results as new as mid 2007, so depending on your build there are a few documented exploits to the app.
    Wayne Reavill
    WebHostingBuzz CIO

  7. #7 kevsnop (New Bee)

    I will definitely upgrade e107 this weekend, thanks.

    Someone suggested blocking... is there any way I can find out the IP address of the hacker?

    MySQL is 4.1.22
    Last edited by kevsnop; 01-15-2008 at 03:41 PM.

  8. #8 omniuni

    Can you post a link to your website and perhaps the code of one of the "added pages"? Without more information I can only hazard a very wild guess as to the reason this would happen.

  9. #9 kevsnop (New Bee)

    The link is www.thedominion.eu (Warcraft guild site) but every time one of the annoying pages pops up I delete it (they are things like index.htm with a 'hacked' logo on it or a complete replacement of the default news.php).

    I have one still on site. It replaced my existing index.php with the hacked one. I renamed this to index2.php on the site if you wanted to view the hacked page.

    It's www.thedominion.eu/index2.php

    Yes it's some radical hacking team, I'm guessing someone in the guild annoyed someone, but I don't really care why I just want it gone!
    Last edited by kevsnop; 01-15-2008 at 07:26 PM.

  10. #10 Jef S. (WHB Community Leader)

    I can assure you you didn't annoy anyone, this reeks of mass-defacement. Most likely, this R3DH4X()R character is hitting all sites he can find running e107, then using any number of the exploits found here:
    http://www.google.com/search?q=e107+exploit

    If I were in your position, I would make sure you're running the most recent version of e107, and if you are but continue to get your site defaced, you should really consider a different CMS.
    Jef S.
    WHB Support

  11. #11 Thomas T (Just another tech geek)

    Check the file/date stamps on your changed files. Compare these to your RAW Apache logs. You might be able to find the exploit being used, and be able to counter it with a custom mod_security rule.
    Thomas Tremain

  12. #12 kevsnop (New Bee)

    Thanks for the replies guys.

    I managed to piece together the puzzle by turning on the archiving of logs.

    I found that in the avatar upload bit of the forum the hacker had uploaded a file called funny62.gif.php and used this script to upload a file to the server.

    I edited the dodgy scripts and turned off the uploads. Also I even removed the upload folder so that it would error if it was attempted.

    Then I IP banned the hacking address.

    Thanks again for all your help folks.
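Thomas's advice (match the timestamps of the changed files against the raw Apache logs) and what kevsnop then found in the archived logs, as an added example that is not from the thread: a small Python script that parses combined-format Apache access log lines, keeps the requests logged shortly before the defaced file's modification time, and ranks the client IPs, weighting POSTs and double-extension .php paths. The log lines, IPs, paths and times are constructed for the example; only the file name funny62.gif.php comes from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" access log format is assumed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],   # drop any query string
            "status": int(m.group("status"))}

def requests_before(log_lines, mtime, window=timedelta(minutes=15)):
    """Requests logged in the `window` leading up to the file's modification time."""
    lo = mtime - window
    recs = (parse_line(l) for l in log_lines)
    return [r for r in recs if r and lo <= r["ts"] <= mtime]

def rank_suspects(log_lines, mtime, window=timedelta(minutes=15)):
    """Score each client IP seen before the change: POSTs and hits on
    double-extension .php paths (e.g. name.gif.php) weigh more than plain GETs."""
    score = Counter()
    for r in requests_before(log_lines, mtime, window):
        weight = 1
        if r["method"] == "POST":
            weight += 2
        if re.search(r"\.\w+\.php$", r["path"]):
            weight += 3
        score[r["ip"]] += weight
    return score.most_common()      # [(ip, score), ...] highest first

# Constructed sample: mtime of the replaced index.php plus a few invented log lines.
DEFACED_MTIME = datetime.strptime("15/Jan/2008:14:02:10 +0000", "%d/%b/%Y:%H:%M:%S %z")
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2008:13:40:01 +0000] "GET /news.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Jan/2008:13:55:30 +0000] "POST /forum/avatar_upload.php HTTP/1.1" 200 310 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [15/Jan/2008:14:01:12 +0000] "GET /uploads/avatars/funny62.gif.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '10.0.0.6 - - [15/Jan/2008:14:01:50 +0000] "GET /index.php HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Jan/2008:15:30:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Run `rank_suspects(SAMPLE_LOG, DEFACED_MTIME)` on the sample to see the upload-then-execute pair from 192.0.2.44 float to the top; with real data, feed it the `stat`/`ls -l --time-style=full-iso` mtime of each replaced file and the matching day's raw log.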

  13. #13 Tony (Bad Influence)

    Yikes. You didn't even hint that you were running a forum where people could upload files. In fact, you called it a 'simple php website'. Okay, I see later in the thread you sort of touched on it.

    Still, all modern forums always restrict the allowed file extensions to be uploaded. If this is a supported forum, I'd point out this glaring vulnerability to them to save others the grief.
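Tony's point about restricting the allowed upload extensions, shown as an added example that is not e107's or the forum's own code: a Python validator for avatar uploads that rejects double extensions like funny62.gif.php, checks the file content against the claimed image type, and never reuses the client's filename. The ALLOWED whitelist, MAX_BYTES and the avatar_N naming scheme are assumptions made for the example.

```python
import os

# Allowed avatar types: extension -> magic bytes the content must start with
# (standard GIF/PNG/JPEG signatures; the whitelist itself is constructed for this example).
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 200 * 1024

def safe_avatar_name(original_name, data, avatar_id):
    """Validate an uploaded avatar and return a server-chosen filename.

    Raises ValueError on anything suspicious. The client-supplied name only
    contributes its (single) extension; the stored name is built from
    avatar_id, so 'funny62.gif.php' can neither keep its .php suffix nor
    smuggle a second extension into the upload folder.
    """
    base = os.path.basename(original_name).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:          # rejects 'x.gif.php', '.gif', 'noext'
        raise ValueError("exactly one extension expected")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    if not data.startswith(ALLOWED[ext]):        # content must match the claimed type
        raise ValueError("content does not match extension")
    if b"<?" in data:                             # a valid image should not carry PHP tags
        raise ValueError("script tag inside image data")
    return f"avatar_{int(avatar_id)}.{ext}"

def is_accepted(original_name, data):
    """Convenience wrapper: True if the upload would be stored, False otherwise."""
    try:
        safe_avatar_name(original_name, data, 0)
        return True
    except ValueError:
        return False
```

Name and content checks are only half of it: the upload directory should also sit outside the web root, or be served with script execution switched off, so that a file that slips through is never run by the server.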
