Elxis CMS Forum

Support => General => Topic started by: ROUBOS on October 16, 2010, 02:23:08

Title: index file changed
Post by: ROUBOS on October 16, 2010, 02:23:08
Hi, something unreal happened. My friend's hosting service got hacked, and the hackers changed all the index files.
Now, is it a matter of just downloading Elxis and copying the index file over again?
I don't think that with Elxis the template index got damaged.
It might be just the main index.php file.
Check it out: http://www.fmlife.gr
They hacked into the server and posted an ad.
Title: Re: index file changed
Post by: speck on October 16, 2010, 07:23:39
I think that some people have nothing to do during the day  >:(...
A site of one of my customers was also hacked yesterday.
Some index php/html files were changed; at the end of the file I found the iframe of the same malware that hacked many sites on GoDaddy one month ago.
So I restored all index files, giving them permission 444 (read only). Maybe it works  ???

In your case it is simply an index file, and in some cases also a simple JavaScript file; it is not so dangerous for your site. Usually they rename your original index file in the main root and put their own index.html.
Change the password of your FTP access and administrative panel to a complex one, and if it happens again in the future, change hosting. Not secure  ;)
Title: Re: index file changed
Post by: datahell on October 16, 2010, 08:43:50
It is a script called "mass.pl", which might be renamed as "mass.txt". It is a Perl script that replaces all "index*", "default*" and "home*" files on the server. It also deletes all the log files (the whole directory and also the .log files). It is not Elxis that has been hacked, but another application on the server (osCommerce in my case), and afterwards everything on the server was affected.
Take a look on the same server:
http://ns3.1host.gr
http://96.9.147.197

I tell you this info because I have had the same problem once and I know exactly what it does. You have to restore backups everywhere and remove the uploaded files (a.pl, ss.pl, c, mass.txt, an html file, and some folders with many html ads named .news, .view, .cch, etc....). Your friend should contact his hoster for support.

A part of mass.pl:

Code:
#!/usr/bin/perl
use strict;
my $index = $ARGV[0];
if ($ARGV[0])
{
 if( -e $index )
 {
  system "echo -e \"\033[01;34mStarted xxxxxxxxx [ll Ok !!\033[01;37m\"\n";
  system "echo -e \"\\033[01;37mDefacing all homepages ...\"\n";
  system "find xxxxxxxxx -name \"index*\" -exec cp $index {} \\;";
  system "find xxxxxxxxx -name \"README.html\" -exec cp $index {} \\;";
  system "find xxxxxxxxx  -name \"home*\" -exec cp $index {} \\;";
  system "find xxxxxxxxx  -name \"default*\" -exec cp $index {} \\;";
  system "echo -e \"\\033[01;37m[+] done ! all sites in this box should be defaced !\"\n";
  system "echo -e \"\\033[01;37m----------------------------------------------------------\"\n";
  system "echo -e \"\\033[01;37mCleaning up logs ...\"\n";
  system "echo -e \"\033[01;34m---------erasing default log files (too fast =))---------\033[01;37m\"\n";
   # if( -e "/var/log/lastlog" )
.................
Title: Re: index file changed
Post by: ROUBOS on October 16, 2010, 16:53:42
Yeah, all the sites on the server have been affected. It's not Elxis that has been hacked. The host provider has offered 5 years of free hosting after their security issue. The thing is that I cannot find a renamed file. Now how do I restore the index.php file? Do I get one from another Elxis installation?
Title: Re: index file changed
Post by: speck on October 16, 2010, 18:53:58
If your hosting is serious, you can ask them to restore your site from a backup. If the whole server was affected, surely they will restore all of it... Mine did so six months ago. Naturally, before proceeding, they advised me.

In any case you can restore only index.php and index.html.
Before restoring, unpack Elxis locally.
First, on your server, check every index.html file. You will find them in each directory. A clean index.html of Elxis is only 44 bytes or 48 bytes. If you find an index.html that is bigger, look at its date. If it has a different date from when you installed Elxis on the server, restore it with a clean index.html.
Pay attention to index.html files you created for your application. (I don't know this; you know!)

When you have finished with the index.html files, check the lengths of the index.php file in the main root and in /administrator. If their lengths are different from the original lengths in Elxis, copy the original index.php to the server in the same position.

Yesterday I did so. To be sure, when I restored the clean files I set their permissions to 444 (read only).

In the meantime take a look at the folders too. I don't know this type of hacker; maybe it has created some strange folder different from the Elxis folders. If yes... delete them. Pay attention to the default folders of your system, like cgi, awstat, webalizer and so on. In any case take a look in these too to see if there's something strange. If you don't know very well which are the default folders of your system and their contents, ask your hosting for support. If they have a good service, they'll do it.

Title: Re: index file changed
Post by: datahell on October 16, 2010, 18:56:28
Don't you have a backup? It is not just the index.php, index2.php and index3.php files; all index.html files have been affected. And there is 1 index.html file per directory...
If you don't have a backup, get the original files from the main Elxis release. Your hoster can help you locate/update the original files. There are many easy ways to do so.

Here are some examples (commands executed from elxis root folder):

1. Locate the files that have been modified within the last day:
find . -type f -mtime -1

2. Locate all files whose name starts with "index":
find . -type f -name "index*"

3. Locate all "index.html" files, delete them and create new empty "index.html" files (find runs the two -exec actions in order for each file):
find . -type f -name "index.html" -exec rm -f {} \; -exec touch {} \;

4. Set the proper owner to all files and directories (replace username and group):
chown -R username:group *

5. Set the proper permissions on all files:
find . -type f -exec chmod 0644 {} \;

6. Set the proper permissions on all folders:
find . -type d -exec chmod 0755 {} \;

Execute command (3) first in order to clean the majority of files. Then replace the "indexX.php" files from the Elxis main release. Don't forget your template's index.php file! This way you will clean up your site very quickly. After you log in at the site, run the Updiag tool to check your Elxis installation for other files that may have been affected.
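A scripted version of the checks speck and datahell describe above (compare every index-like file in the live site with a clean, locally unpacked Elxis release, keep a copy of the changed ones for the hoster, restore them from the release and set them read-only). This is an added example, not code from the thread or from Elxis; the function names, paths and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or Elxis): compare a live Elxis tree
# against a clean, locally unpacked release and report every index*/default*/
# home* file that is extra or differs, then restore the changed ones.
# Assumes POSIX sh, find, cmp, awk; paths without whitespace.

# list_defaced CLEAN LIVE: print "EXTRA <path>" for index-like files that the
# release does not ship and "CHANGED <path>" for ones that differ byte-for-byte.
list_defaced() {
  clean=$1; live=$2
  ( cd "$live" && find . -type f \( -name 'index*' -o -name 'default*' -o -name 'home*' \) ) |
  sort | while read -r rel; do
    if [ ! -f "$clean/$rel" ]; then
      echo "EXTRA $rel"        # site-specific file or something the intruder dropped
    elif ! cmp -s "$clean/$rel" "$live/$rel"; then
      echo "CHANGED $rel"      # content no longer matches the release copy
    fi
  done
}

# restore_defaced CLEAN LIVE QUARANTINE: keep a copy of each CHANGED file under
# QUARANTINE (evidence for the hoster), overwrite it with the clean release
# copy, set 0444 as the thread suggests, and print how many were restored.
restore_defaced() {
  clean=$1; live=$2; q=$3; n=0
  for rel in $(list_defaced "$clean" "$live" | awk '$1 == "CHANGED" { print $2 }'); do
    mkdir -p "$q/$(dirname "$rel")"
    cp "$live/$rel" "$q/$rel"
    cp "$clean/$rel" "$live/$rel"
    chmod 0444 "$live/$rel"
    n=$((n + 1))
  done
  echo "$n"
}

# make_sample: constructed test data, a two-file "release" and a "live" copy
# whose root index.php was overwritten and which gained a foreign home.html.
make_sample() {
  root=$(mktemp -d)
  for d in clean live; do
    mkdir -p "$root/$d/administrator"
    printf '<?php echo "Elxis"; ?>\n' > "$root/$d/index.php"
    printf '<html><body bgcolor="#FFFFFF"></body></html>' > "$root/$d/administrator/index.html"
  done
  printf '<html><body>defaced (constructed sample)</body></html>\n' > "$root/live/index.php"
  printf '<html><body>ad (constructed sample)</body></html>\n' > "$root/live/home.html"
  echo "$root"
}
# Usage: list_defaced /path/to/clean-elxis /var/www/site
```

Run list_defaced first and review the EXTRA lines by hand, since an index.html you created for your own application (as speck notes) is also reported there.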