Security / Server Administration: Security / server administration for aeWebWorks aeDating or BoonEx Dolphin Dating Script
#1 (permalink)
Join Date: Jun 2006
Posts: 10
I've just been hacked. When going to my URL, the hacker's page displays. HostforWeb fixed it by reloading all files, except the databases, from yesterday's backup.
Any suggestions on how to prevent this in the future?

Last edited by Boss; 12-23-2006 at 01:45 AM.
#3 (permalink)
Join Date: Oct 2006
Posts: 73
Boss this is no good .. Can you please post more details ..
What Version you are running ... What Mods you have installed and any changes ..

Also you should get your server logs and send them to the admin here so they can see how they got in and then can shut the door ...

What you have just done to repair your site is a waste of time and YOU WILL be hacked again as you have not fixed where they got in ...

Also go through every folder and file and make sure they have not left anything behind (folder, file) ... 9 out of 10 times they have and will be able to get back in using what they have left behind .. even if you have closed the hole they first used to get in.

2 in 2 days .. Posts made about being Hacked but with no details on how .. This is rubbish ..
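The "go through every folder and file" check from the post above can be done mechanically. This is an added example, not part of the thread: it hashes a known-good copy and the live tree and reports what differs. It assumes the known-good copy (the original distribution archive or a backup) predates the compromise; the file names in the demo are constructed.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root)] = digest
    return out

def compare(known_good, live):
    """Return files that are added, modified or missing in live vs. known_good."""
    good, now = manifest(known_good), manifest(live)
    return {
        "added": sorted(set(now) - set(good)),
        "modified": sorted(p for p in good if p in now and good[p] != now[p]),
        "missing": sorted(set(good) - set(now)),
    }

def build_demo():
    """Constructed sample: a clean backup tree and a live tree with changes."""
    base = tempfile.mkdtemp()
    good, live = os.path.join(base, "backup"), os.path.join(base, "live")
    files = {"index.php": "<?php // home", "inc/header.inc.php": "<?php // cfg"}
    for root in (good, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # Simulate what an intruder may leave behind: one extra file, one edited file.
    with open(os.path.join(live, "inc", "extra.php"), "w") as fh:
        fh.write("<?php // not in backup")
    with open(os.path.join(live, "index.php"), "w") as fh:
        fh.write("<?php // changed")
    return good, live

if __name__ == "__main__":
    for kind, paths in compare(*build_demo()).items():
        print(kind, paths)
```

Legitimate uploads (member photos, your own mods) will also show up as added or modified, so the output is a review list rather than a verdict.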
#4 (permalink)
Join Date: Jun 2006
Posts: 10
I haven't found the problem. I was hoping someone else was aware of this hack and knows how to stop it recurring.
I'm using Aedating 4.1. I've made some mods but nothing drastic that I think would be likely to open any holes. I turned off Globals as soon as Smoge sent his message.

Both the homepage and the URL/admin page came up with the same screen. I wasn't game to keep the page, but I printed it out and can scan it if someone can tell me how to upload a picture to this forum.

Looks like I'm going to have a long night.

Last edited by Boss; 12-23-2006 at 06:28 AM.
#7 (permalink)
Administrator
Hi,
Quote:
I am not sure why HostForWeb is setting up servers with register_globals on... but the last couple of modmysite users' servers I worked on that were hosted there had register_globals enabled.

The hacks (as RR1024 will tell you) - could be from other means - but register_globals being off is a great start.

Other simple steps are to .htaccess your admin directory - many people don't do that. And run code that has been cleaned up some.... aedating and dolphin tend to be a little "susceptible". GPLdate - perhaps less so - or at least, we care about that aspect of the GPLdate code.

Another option you may want to try, is to consider hosting your site on FreeDatingHost.Com - our sister site... that server is configured a bit differently to help in the security area.. both for YOUR site, and for the OTHER sites on the server - since if they are hacked, if PHPSuExec is not being used - a hacker can use another account on a server to look at your files, including header.inc.php and so on. FreeDatingHost has PHPSuExec enabled (among other things).

On FreeDatingHost - we are considering disabling some functions that these hacks use - but are not used by aedating / dolphin / gpldate - to further thwart them. We already disabled compiler access - since this is not needed - but often used by script kiddies.

Yes - the server logs can be very helpful.... but my guess is.. once you clean up the hack, and have register_globals off - you will be OK. With the files cleaned up and register_globals off - are you 100% safe - no.... but I bet it stops.

Smoge
#9 (permalink)
Join Date: Mar 2005
Posts: 147
Here are some important HINTS to help secure your AED / Dolphin Site:
1. Change the Name of your Admin Panel Directory, i.e. its default is /admin/ to /adminMyDogsName/. Modify your header.inc.php to allow this.
2. Move All the files in the inc directory except header.inc.php to a directory outside your public html www directory:

home/inc/*.inc.php (all inc goes here except header.inc.php and js directory of course)
home/public_html/allAedUserFilesHere
home/public_html/inc/header.inc.php

Now if you really want to screw the stupid ass hackers...LOL do what I did....Create a bunch of FAKE php files and dump them into home/public_html/inc/ such as design.inc.php with nothing in it, admin.design.inc.php with nothing in it....LOL It provides hours of fun and laughs.....I even added some code so it would look like they made progress but still got nothing, and it would email me with each attempt and log IP/domain/agent..LMAO!!!!!

Remove all phpself's and just use the darn $site[url] . "filename.php"

Sanitize a simple example

Well hope that helps a little
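The hints in posts #7 and #9 (register_globals off, an .htaccess in the admin directory, a renamed admin directory, include files moved out of the web root, no PHP_SELF) can be turned into a repeatable audit. This is an added example, not code from the thread or from aeDating/Dolphin; the checks are heuristics, and the demo tree and the file name `db.inc.php` are constructed.

```python
import os
import re
import tempfile

PHP_SELF = re.compile(r"\$_SERVER\[\s*['\"]PHP_SELF['\"]\s*\]|\$PHP_SELF\b")
GLOBALS_ON = re.compile(r"^\s*register_globals\s*=\s*(on|1|true|yes)\b", re.I | re.M)

def audit(webroot, php_ini_text=""):
    """Return a sorted list of findings for the hints given in the thread."""
    findings = []
    if GLOBALS_ON.search(php_ini_text):
        findings.append("register_globals is enabled")
    if os.path.isdir(os.path.join(webroot, "admin")):
        findings.append("admin panel still at default /admin/")
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        # Heuristic: any directory named like an admin panel should carry .htaccess.
        if "admin" in os.path.basename(dirpath).lower() and ".htaccess" not in files:
            findings.append(f"no .htaccess in {rel_dir}/")
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.endswith(".inc.php") and name != "header.inc.php":
                findings.append(f"include file inside web root: {rel}")
            if name.endswith(".php"):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    if PHP_SELF.search(fh.read()):
                        findings.append(f"PHP_SELF used in {rel}")
    return sorted(findings)

def build_demo():
    """Constructed sample tree resembling an unhardened default install."""
    root = os.path.join(tempfile.mkdtemp(), "public_html")
    files = {
        "index.php": "<?php echo $site['url'] . 'index.php';",
        "search.php": "<form action=\"<?php echo $_SERVER['PHP_SELF']; ?>\">",
        "inc/header.inc.php": "<?php // site settings",
        "inc/db.inc.php": "<?php // database helpers",
        "admin/index.php": "<?php // admin panel",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in audit(build_demo(), "register_globals = On\n"):
        print(finding)
```

A present `.htaccess` only shows that the file exists, not that it restricts access, and empty decoy files of the kind post #9 describes will be reported as include files, so review the list by hand.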