Gossamer Forum

Virus / hacked

Virus / hacked
My site has either been hacked or a virus has got into the code somehow. Whether this is down to the host or not I have no idea as of now. The site is www.absolutedirectory.com

I cannot access the admin area either atm. Any advice would be gratefully received.

Be careful if visiting the site as a virus download starts on some of the pages.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Anyone know how I can regain control over my admin panel?
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Quote:
Anyone know how I can regain control over my admin panel?

Hello Jez,

Just log in to your site via FTP and remove the .htaccess file in the /admin/ folder of your Links SQL install. The next time you try to access the admin area, it should ask you to create a new username and password.

P.S. Always make sure that you don't use a username/password combination that is too easy to guess.

Hope this helps.

Vishal
-------------------------------------------------------
Re: [SWDevil.Com] Virus / hacked
Hi Vishal,

Thanks for your reply, but I don't think that's the problem. I enter my usual password for the admin area and I just get an error message. I don't think it's a case of the password being guessed and changed, as I seem to log in OK but just don't get the admin area.

Hope that makes sense.

Jez.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
What error message are you getting?

Adrian
Re: [brewt] Virus / hacked
Hi Adrian,

I am getting my own custom error message that appears every time something's gone wrong.

Jez.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Hey Jez,

If you could take a screenshot or post the error here, it might help, as I just tried to type in your admin URL and it asks me for a user/pass and gives the normal authentication error when I press cancel.

Vishal
-------------------------------------------------------

Last edited by: SWDevil.Com: Apr 24, 2006, 3:59 AM
Re: [SWDevil.Com] Virus / hacked
Hi Vishal,

The error is:

Quote:
INTERNAL SERVER ERROR (500)

The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@absolutedirectory.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

This is not the error I was getting earlier today (which was simply "Something has gone wrong!"). It leads me to believe that it is the ISP's server that has been hacked. I will post more when I know - the ISP is being very slow to respond - I should think they are busy!

Vishal, I will PM you the admin pass. Thanks for your help and concern.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Hello Jez,

That error is because of wrong permissions for your files.

Change the cgi file permission back to 755.

Vishal
-------------------------------------------------------
Re: [SWDevil.Com] Virus / hacked
Ah, thanks Vishal. Starting to make sense now, I hope. I got a call from the salesperson I deal with at the ISP, and they have had to write code to shut down file permissions due to an internal attack (yes, internal!). I will wait for more info from the techies there before I change the permissions back, as I am not sure they have cleared the attack. Also not sure if the attack on my site is a part of that or not, as no one else is complaining of a virus or malware infecting their pages. I have had another site on the same shared server completely disappear.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Just got this reply from the ISP techie:

Quote:
I have looked at your absolutedirectory site, and the cgi-bin folder was moved under public_html, which is not right. The scripts directory cgi-bin should be a separate location outside public_html in order for the webserver to parse it properly. You must have had wrong world-writable permissions set on your public_html and cgi-bin trees to be affected by the malicious abuse. I have corrected the cgi-bin location problem; please review and try to restore your site to life again.

Does that make any sense? Is this going to affect the site's set up?

Please advise!

Jez.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Update from the ISP tech:

Quote:
You will have to upload your cgi-bin scripts again, as the current ones might have been tampered with. Actually, the proper location for the cgi-bin directory is under public_html; excuse me for my previous assumption.

So can I just re-upload the scripts? I don't want to undo what I have on the site - but the scripts should not affect that, right? Please excuse my ignorance, most of this stuff is way over my head. I realise that I should have some knowledge to be able to use this stuff, but this goes way above that.

best,

jez.
http://www.absolutedirectory.com
Re: [Jez] Virus / hacked
Another Update from ISP Techie,

Quote:
You have made 2 general mistakes in designing your sites, and they allow attacks to succeed. These mistakes are common for perl/cgi based sites and are very undesirable for proper operation. The first one is mixing data and executable files, and the second one is assigning world-writable permissions to files. Mixing data and executables is not fatal but prevents keeping permissions secure automatically. Assigning world-writable permissions is like leaving the front door of your house open and expecting everything to be safe.

Our automated security scripts do not allow files with world-writable permissions on the server and clear that flag, as this makes your site susceptible to attacks similar to the one this weekend. This would prevent the webserver from writing data to your files, and to allow it to do that we make the files have the same group as the webserver (nobody). However, placing data files that the webserver should be able to write to in the cgi-bin directory makes it impossible to distinguish between data and executable files, and executable files are not allowed to be writable by the web server. So you either get error 500 for having the group-writable flag on perl files, or you get "unable to write data" to your data files.

You have to move all data files out of the cgi-bin directory. Public_html should contain no executables except in the cgi-bin subdirectory. Then the permission setup would be easy to maintain and all conditions would be satisfied: security and operability. I will restore your absolutedirectory site, but we will not be responsible if you get hit again for leaving the situation as is, open for attacks and unorganized for automatic prevention of this type of attack. If you need additional details, instructions or help, we will help you organize your sites properly to have them both protected and running at the same time.

Please keep using the Help Desk and let us know of your progress, as emails are intended as notifications, and the Help Desk keeps better tracking of problems and their solutions.

And there was me thinking it was their fault for letting undesirables use their hosting services. :-)

How can I fix this problem?
http://www.absolutedirectory.com
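As an added example, not code from the thread or from Gossamer Links, here is a shell script that applies the two rules the ISP technician describes (no world-writable files, and no data files living alongside executables in cgi-bin) together with Vishal's "755 on the CGI files" advice. It assumes a hypothetical layout of public_html/ for static content and public_html/cgi-bin/ for the Perl scripts, and chooses a sibling data/ directory outside public_html as the new home for the writable data files; those paths and the sample files built by make_sample_site are constructed for the example. Changing the group of the data files to the webserver's group (the "nobody" the ISP mentions) needs ownership or root and is left to the host, so the script only sets modes.

```shell
#!/bin/sh
# Added example (not the project's or the thread's own code).
# Assumed layout: $ROOT/public_html (static), $ROOT/public_html/cgi-bin (Perl),
# and $ROOT/data (writable data files, outside the web tree).

# make_sample_site DIR: constructs a small tree showing both mistakes from the
# thread: world-writable files/dirs and data files stored inside cgi-bin.
make_sample_site() {
  dir="$1"
  umask 022   # fixed umask so the constructed modes are predictable
  mkdir -p "$dir/public_html/cgi-bin/admin" "$dir/public_html/cgi-bin/data"
  printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$dir/public_html/cgi-bin/admin/admin.cgi"
  printf '#!/usr/bin/perl\n' > "$dir/public_html/cgi-bin/nph-build.cgi"
  printf 'constructed links data\n' > "$dir/public_html/cgi-bin/data/links.db"
  printf '<html></html>\n' > "$dir/public_html/index.html"
  chmod 777 "$dir/public_html/cgi-bin/admin/admin.cgi"   # the "open front door"
  chmod 777 "$dir/public_html/cgi-bin/data/links.db"
  chmod 777 "$dir/public_html/cgi-bin/data"
  chmod 666 "$dir/public_html/index.html"
}

# count_world_writable DIR: how many files or directories under DIR any local
# user can write to (-perm -002 is the POSIX spelling of "other-writable").
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# harden_site ROOT: move data out of cgi-bin and normalise permissions.
harden_site() {
  root="$1"
  # 1. Data files leave cgi-bin so executables and data can be told apart.
  mkdir -p "$root/data"
  if [ -d "$root/public_html/cgi-bin/data" ]; then
    mv "$root/public_html/cgi-bin/data"/* "$root/data"/
    rmdir "$root/public_html/cgi-bin/data"
  fi
  # 2. Nothing under the site root stays world-writable.
  find "$root" -perm -002 -exec chmod o-w {} +
  # 3. Web tree: directories 755, plain files 644, CGI scripts 755 (the
  #    "change the cgi file permission back to 755" advice from the thread).
  find "$root/public_html" -type d -exec chmod 755 {} +
  find "$root/public_html" -type f -exec chmod 644 {} +
  find "$root/public_html/cgi-bin" -type f \( -name '*.cgi' -o -name '*.pl' \) \
       -exec chmod 755 {} +
  # 4. Data tree: owner and group (to be set to the webserver's group by the
  #    host) may write; "other" gets nothing.
  find "$root/data" -type d -exec chmod 770 {} +
  find "$root/data" -type f -exec chmod 660 {} +
}

# perm_of PATH: octal mode, portable across GNU and BSD stat.
perm_of() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}
```

Run count_world_writable on a site before and after harden_site to see the audit the ISP's "automated security scripts" are performing; on a real account, re-upload the scripts first (as the technician advised) so that a tampered file is not merely re-permissioned, and keep the data directory's path in the application's config in step with the move.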