Ask Question Forum:
Model Library:2025-02-08:A.I. model is online auto reply
C
O
M
P
U
T
E
R
2
8
Show
#
ASK
RECENT
←
- Underline
- Bold
- Italic
- Indent
- Step
- Bullet
- Quote
- Cut
- Copy
- Paste
- Table
- Spelling
- Find & Replace
- Undo
- Redo
- Link
- Attach
- Clear
- Code
Below area will not be traslated by Google,you can input code or other languages
Hint:If find spelling error, You need to correct it,1 by 1 or ignore it (code area won't be checked).
X-position of the mouse cursor
Y-position of the mouse cursor
Y-position of the mouse cursor
Testcursor
caretPos
Attachment:===
Asked by philevans114
at 2024-07-28 10:34:16
Point:500 Replies:8 POST_ID:829140USER_ID:11495
Topic:
Web Development Software;;Networking Security Vulnerabilities
Hi
I am running a Centos 5, LAMP site. The problem is that one of the pages is being redirected to another page (not mine) that has a link. I think it is a hack.
This is being done on a 302 Found redirect :-
Found
The document has moved here.
The pages are part of my payments processing and so I have taken the site down while I resolve the problem.
I have tested the code and it is being executed correctly :-
elseif ($pmeth == 'card') {
//print_r ($inputdata);
$url=$url_prefix."payments/card.php";
$result=postArray($inputdata,$url);
if ($result != 'ok') echo $result;
exit;
However even if I rename card.php to xxx.php the redirect still happens. I don't know much about 302 redirects. How are they configured? Where do I start looking?
Thanks for any help.
I am running a Centos 5, LAMP site. The problem is that one of the pages is being redirected to another page (not mine) that has a link. I think it is a hack.
This is being done on a 302 Found redirect :-
Found
The document has moved here.
The pages are part of my payments processing and so I have taken the site down while I resolve the problem.
I have tested the code and it is being executed correctly :-
elseif ($pmeth == 'card') {
//print_r ($inputdata);
$url=$url_prefix."payments/card.php";
$result=postArray($inputdata,$url);
if ($result != 'ok') echo $result;
exit;
However even if I rename card.php to xxx.php the redirect still happens. I don't know much about 302 redirects. How are they configured? Where do I start looking?
Thanks for any help.
Author: philevans114 replied at 2024-07-28 11:34:23
Gary went beyond the initial question and provided some very useful support and advice.
Author: philevans114 replied at 2024-07-28 11:33:16
Hi Gary
Very helpful.
I've disable_function base64_decode in php.ini, changed passwords and am running csf. I need to look at the others things.
A good first start. Much appreciated.
Very helpful.
I've disable_function base64_decode in php.ini, changed passwords and am running csf. I need to look at the others things.
A good first start. Much appreciated.
Accepted Solution
Expert: Gary replied at 2024-07-28 11:15:34
500 points EXCELLENT
Without knowing how they got in...
Changing all your passwords is the first port of call
Any contact forms need to be checked for sanitizing data.
If you are using standard username/password SSH login then change it to certificate based and change the port - SSH is always under attack by hackers.
If you are using any plugins for check if they are updated - some of the easiest ways for hackers to get in.
Do you allow uploads? Are you ringfencing them
Are you running a firewall like CSF
Changing all your passwords is the first port of call
Any contact forms need to be checked for sanitizing data.
If you are using standard username/password SSH login then change it to certificate based and change the port - SSH is always under attack by hackers.
If you are using any plugins for check if they are updated - some of the easiest ways for hackers to get in.
Do you allow uploads? Are you ringfencing them
Are you running a firewall like CSF
Author: philevans114 replied at 2024-07-28 11:08:10
Thanks Gary for the advice.
I've sanitised the code and have the site off-line now. I don't have a copy that I can easily upload.
I need to prevent them getting in but don't know how. I'm looking at installing CXS. I assume that the base64_decode can inject code into pages somehow.
I need to do a bit more on EE to find out. I would welcome any ideas.
I've sanitised the code and have the site off-line now. I don't have a copy that I can easily upload.
I need to prevent them getting in but don't know how. I'm looking at installing CXS. I assume that the base64_decode can inject code into pages somehow.
I need to do a bit more on EE to find out. I would welcome any ideas.
Expert: Gary replied at 2024-07-28 10:54:54
This
base64_decode
is your clue to being hacked.
As you have said - change all your passwords to something strong - that mean uppercase, lowercase number and symbols.
Check all your server logins, ftp, ssh etc and change them.
You need to lock down your server.
I would temporarily take your site off line if possible, or if you have a local copy then delete the online version and put your clean copy up. If not then you will have to go through each page and cleanse them.
base64_decode
is your clue to being hacked.
As you have said - change all your passwords to something strong - that mean uppercase, lowercase number and symbols.
Check all your server logins, ftp, ssh etc and change them.
You need to lock down your server.
I would temporarily take your site off line if possible, or if you have a local copy then delete the online version and put your clean copy up. If not then you will have to go through each page and cleanse them.
Author: philevans114 replied at 2024-07-28 10:51:32
Thanks Gary.
Its my own PHP. 2 mins after posting I suddenly realised to check .htaccess. Its been altered with rewrites and redirects all over the place e.g.
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://doctor-store24x7.com [R,L]
RewriteCond %{HTTP_USER_AGENT} acs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alav [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alca [NC,OR]
RewriteCond %{HTTP_USER_AGENT} amoi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} audi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} aste [NC,OR]
RewriteCond %{HTTP_USER_AGENT} avan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} benq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} bird [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blac [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blaz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} brew [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cell [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cldc [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cmd- [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dang [NC,OR]
RewriteCond %{HTTP_USER_AGENT} doco [NC,OR]
RewriteCond %{HTTP_USER_AGENT} eric [NC,OR]
and more...
I'm also finding eval(base64_decode($_POST[ etc in some of the php pages and uploaded pages with the same.
I don't now how they are getting in. I'm running CSF and LFD and clamav.
I'm about to change passwords etc.
Its my own PHP. 2 mins after posting I suddenly realised to check .htaccess. Its been altered with rewrites and redirects all over the place e.g.
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://doctor-store24x7.com [R,L]
RewriteCond %{HTTP_USER_AGENT} acs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alav [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alca [NC,OR]
RewriteCond %{HTTP_USER_AGENT} amoi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} audi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} aste [NC,OR]
RewriteCond %{HTTP_USER_AGENT} avan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} benq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} bird [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blac [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blaz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} brew [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cell [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cldc [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cmd- [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dang [NC,OR]
RewriteCond %{HTTP_USER_AGENT} doco [NC,OR]
RewriteCond %{HTTP_USER_AGENT} eric [NC,OR]
and more...
I'm also finding eval(base64_decode($_POST[ etc in some of the php pages and uploaded pages with the same.
I don't now how they are getting in. I'm running CSF and LFD and clamav.
I'm about to change passwords etc.
Expert: duncanb7 replied at 2024-07-28 10:50:46
Could you provide us more information such as request and response header .
You can use the debugger tools from this site http://www.charlesproxy.com/download/
Duncan
You can use the debugger tools from this site http://www.charlesproxy.com/download/
Duncan
Expert: Gary replied at 2024-07-28 10:37:33
Is this Apache? Check your htaccess and httpd.conf
Is this a CMS like Wordpress or your own code?
Is this a CMS like Wordpress or your own code?