Possible Duplicate:
My server's been hacked EMERGENCY

My site has been hacked and all sites on the virtual server have also been hacked. I need to know how they got in.

The code they changed in all the index.php files is as follows:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<title>hacked by jago-dz</title> 
<meta name="generator" content="Web Page Maker (unregistered version)"> 
<style type="text/css"> 
/*----------Text Styles----------*/
.ws6 {font-size: 8px;}
.ws7 {font-size: 9.3px;}
.ws8 {font-size: 11px;}
.ws9 {font-size: 12px;}
.ws10 {font-size: 13px;}
.ws11 {font-size: 15px;}
.ws12 {font-size: 16px;}
.ws14 {font-size: 19px;}
.ws16 {font-size: 21px;}
.ws18 {font-size: 24px;}
.ws20 {font-size: 27px;}
.ws22 {font-size: 29px;}
.ws24 {font-size: 32px;}
.ws26 {font-size: 35px;}
.ws28 {font-size: 37px;}
.ws36 {font-size: 48px;}
.ws48 {font-size: 64px;}
.ws72 {font-size: 96px;}
.wpmd {font-size: 13px;font-family: Arial,Helvetica,Sans-Serif;font-style: normal;font-weight: normal;}
/*----------Para Styles----------*/
DIV,UL,OL /* Left */
 margin-top: 0px;
 margin-bottom: 0px;

<body Text="#FFFFFF" bgColor="#000000"> 
<div id="text1" style="position:absolute; overflow:hidden; left:206px; top:29px; width:532px; height:500px; z-index:0"> 
<div class="wpmd"> 
<div align=center><font face="Comic Sans MS" class="ws12"><B>HACKed By</B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12">jago-dz</font></div> 

<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B>ALGEria ATTACKED</B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><B><BR></B></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 
<div align=center><font face="Comic Sans MS" class="ws12">PentrationTesting@Gmail.Com</font></div> 

<div align=center><font face="Comic Sans MS" class="ws12"><BR></font></div> 

<div align=center><font color="#800000" face="Comic Sans MS" class="ws12">UP: </font></div> 
<div align=center><font face="Comic Sans MS" class="ws12">Kakashi </font><font color="#FF0000" face="Comic Sans MS" class="ws12">|</font><font face="Comic Sans MS" class="ws12">Ked</font><font color="#339966" face="Comic Sans MS" class="ws12">_</font><font face="Comic Sans MS" class="ws12">Ans-Dz</font><font color="#FF0000" face="Comic Sans MS" class="ws12">|</font><font face="Comic Sans MS" class="ws12">anis</font><font color="#339966" face="Comic Sans MS" class="ws12">_</font><font face="Comic Sans MS" class="ws12">soldat </font><font color="#FF0000" face="Comic Sans MS" class="ws12">|</font><font face="Comic Sans MS" class="ws12">Gar3a </font></div> 

<div id="image1" style="position:absolute; overflow:hidden; left:359px; top:149px; width:226px; height:198px; z-index:1"><img src="http://www.topnews.in/files/Algerian_flag_.jpg" alt="" title="" border=0 width=226 height=198></div> 

  • Sorry, this sort of question is off topic for Stack Overflow. – Greg Hewgill Jul 04 '11 at 20:38
  • We need much more info. What sort of web site were you running? (Wordpress/custom/etc.). What do your system's access logs say? Were there multiple failed logon attempts? etc. –  Jul 04 '11 at 20:38
  • Where would I usually find system logs? The sites are generally all custom builds. – meohmy Jul 04 '11 at 20:41

2 Answers


You are running a public server and don't know where your system logs are?

I'm sorry but that is just plain dangerous.

Please get professional help from an expert (read: professional system administrator) and make sure you run secure servers. Also just pasting the HTML won't help. Generally the only way to make sure a compromised server is clean again is a completely new installation.

Running a public server isn't something that you should do if you don't know where your system logs are.

Martin M.

First off, sorry to hear of your troubles.

Second, go read the My Server's Been Hacked - Emergency question, which more than adequately covers the ground on how to respond to this situation.

Bottom line: You're looking at a complete re-install and a recovery from known-good backups (which you have, right? right?). Nuke the site from orbit, it's the only way to be sure.

Lastly, I'm going to flag this question for closing because it's been asked (and answered) many times and there's nothing specific here that the general advice and procedures listed in the My Server's Been Hacked - Emergency question don't cover.