Hacked by c99madshell.php anyone?
germanseneca
01-02-2009, 11:24 AM
Hi there,
I did a search on this forum but could not find anybody affected by this hack.
My site (www.richardalois.com) got hacked and it's no fun at all. Am using pp 1.7.1.
As a result I got classified by FF3 as dangerous and you could not load my site anymore.
Also first they changed all my titles and later deleted my DB completely (had a backup fortunately).
For a description of the hack see: http://forums.theplanet.com/index.php?showtopic=90109
Can anyone confirm that the solution offered in post works with pixelpost 1.7.1?
Thanks and happy new year
Richard
Dennis
01-02-2009, 01:10 PM
The hack is not related to Pixelpost. It cannot be said Pixelpost is the offending system. It looks like a server hack using insecure uploading scripts.
Pixelpost only allows uploads when logged in as an admin. So even if our upload is insecure, you have to have the admin credentials to actually upload a file. So either they stole your admin credentials and even then I doubt if the upload process allows uploading PHP files.
Anyway, the easiest way is to check if there is a php file in the images folder.
germanseneca
01-03-2009, 10:46 AM
Yes, they stole my admin credentials, I dunno how though. I changed them now.
There are 5 php files in the images folder (e.g. 20081003174757_cache.php), do they not belong there? Can I delete them?
Thanks
Richard
puzzled
01-03-2009, 10:55 PM
Anyway, the easiest way is to check if there is a php file in the images folder.
Dennis, can php files be deleted from the images folder? I have a handful in my folder, but have always been afraid to delete things I don't know anything about.
P.S. Hi!
jaywilliams
01-04-2009, 01:42 AM
The only thing that should be in the images/thumbnails folders are images. If you have any other type of file in there, I'd delete them right away. And then change your password.
dhdesign
01-04-2009, 01:59 AM
There is also an index.html file that is in the images folder that needs to stay there to prevent someone from browsing the folder. Other than the index.html and the image files, there should be no other type of file in that folder.
I second Jay's recommendation to delete the php files from the images folder and change your password right away.
puzzled
01-04-2009, 10:46 PM
Okay, thanks. Glad I read this thread even though I haven't been hacked as far as I know. I've deleted everything except the images and the index.html file. In addition to the php files, there was also a file named "images" with no extension and an .htaccess file. I've deleted both and changed my password.
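
Added example, not part of the original thread and not Pixelpost code: a small Python audit of the check the posters describe, reporting every file in an upload folder that is neither an image nor index.html. It goes one step beyond the thread by also flagging files that carry an image extension but do not start with that format's magic bytes; the extension list and the sample file contents are assumptions constructed for the demonstration.

```python
import os
import tempfile

IMAGE_MAGIC = {  # assumption: the image types the upload folder should hold
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_NAMES = {"index.html"}  # the listing guard dhdesign says must stay


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that do not belong."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in ALLOWED_NAMES:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                kind = ext or ("dotfile" if name.startswith(".") else "no extension")
                findings.append((rel, "not an image: " + kind))
                continue
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "image extension, non-image content"))
    return sorted(findings)


def demo():
    sample = {  # constructed placeholder files mirroring names from the thread
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "index.html": b"<html></html>",
        "20081003174757_cache.php": b"<?php /* placeholder */ ?>",
        "images": b"placeholder",
        ".htaccess": b"# placeholder",
        "renamed.gif": b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit_upload_dir` at the images and thumbnails folders; the function only reports, so anything it lists can be reviewed before it is deleted.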