Sites Being Hacked Into ~ Advice on V1.1 Security Issues


pauleddison
07-27-2006, 03:12 PM
I'm running 3 sites with eSyndiCat_Pro_v11 and 2 of them have been hacked within a week!!

Is there a security flaw in this version? how are the sites being hacked? and what can I do to stop it?

Loren
07-27-2006, 03:32 PM
I'm running 3 sites with eSyndiCat_Pro_v11 and 2 of them have been hacked within a week!!

Is there a security flaw in this version? how are the sites being hacked? and what can I do to stop it?

Would be nice if you actually told us how they are being hacked? I haven't heard of anyone else having any problems.

We are also on V1.2 maybe it would be better to upgrade :) I know there are security features in that one.

pauleddison
07-27-2006, 03:50 PM
Would be nice if you actually told us how they are being hacked? I haven't heard of anyone else having any problems.

We are also on V1.2 maybe it would be better to upgrade :) I know there are security features in that one.

I wish I knew how they had been hacked! I visited my site as I do from time to time and the homepage had been removed and replaced with a 'HaCKeD By iNSoMNiA'. I could get the directory up and running again after that. Then a few days later it happened on another domain!

I was hoping that someone here might be able to give me some help - the admin area was secured with alpha numeric passwords. After the first attack I thought they might be using the 'search box' to throw SQL commands at the database and attack it from there, so I removed the search box on the other domain but it still got hacked.

Sai_dallas
07-27-2006, 03:54 PM
Millionaires,

Talk to your hosting company and see if there are any issues with them.
or if they heard the same from other web masters hosting with them.


You are the first with this issue and I am concerned now.
Please post any info or update you get.




pauleddison
07-27-2006, 03:58 PM
I have the 3rd Ecat site still up and running - I will see if there are any attacks on that. If so I will leave the sites up, so maybe it will give a clue to how it was hacked.

As for the hosting issue, I have several domains on the same hosting package, only the sites that use ECat have been defaced/hacked.

Loren
07-27-2006, 04:58 PM
How does one submit a link on your site?

Do they have to register and login?

or can they just submit a site via suggest link tab/button? They could be using something via these means, ie malicious javascript..I was actually warned recently about this....

movingknowhow
07-27-2006, 05:13 PM
you are not alone
http://www.google.com/search?q=HaCKeD+By+iNSoMNiA&hl=en&lr=&start=0&sa=N.

Maybe the guys here need to check the code for PHP injection attack

djbaxter
07-27-2006, 05:20 PM
I don't know about this specific exploit, but it's good general practice to add the following line to your .htaccess file:

php_flag register_globals 0

The Google results look like a PHP exploit to me, rather than specific software - they seemed to be hitting phpBB, InvisionBoard, Joomla, and others.

pauleddison
07-27-2006, 05:49 PM
How does one submit a link on your site?

Do they have to register and login?

or can they just submit a site via suggest link tab/button? They could be using something via these means, ie malicious javascript..I was actually warned recently about this....

Yes I did have a link suggestion - and you didn't need to register to add a link. maybe that's how it's done.

pauleddison
07-27-2006, 05:54 PM
I don't know about this specific exploit, but it's good general practice to add the following line to your .htaccess file:

php_flag register_globals 0

The Google results look like a PHP exploit to me, rather than specific software - they seemed to be hitting phpBB, InvisionBoard, Joomla, and others.


What does that code do? Sorry, I'm not too technical.

pauleddison
07-27-2006, 05:59 PM
I managed to save a copy of the database into a few different formats, how easy is it going to be to restore all my links etc? I did have a quick go... but got the following error

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '---- Dumping data for table `dir_links`--INSERT INTO `dir_links` VALUES (1, 0, '' at line 1"

Maybe it's because I have moved from one version to another??? Would really appreciate some help on this - I wonder if the hackers realise that I have spent 8 hours already today trying to sort this out; that adds up to about £150 in lost earnings for me, as I should be working on other stuff.

WTM
07-27-2006, 06:01 PM
There was an article somewhere about eSyndicat security issues but Simon has personally replied to that article and I believe those issues were addressed in the new version 1.2.
So the first thing you should do is to upgrade your non-hacked site (and probably the other sites too...) to the latest script version...

sdawkins
07-27-2006, 06:05 PM
I know there was an exploit with the path in crons, so try to update those.

pauleddison
07-27-2006, 06:09 PM
I know there was an exploit with the path in crons, so try to update those.


Sorry fellas, this means nothing to me (I know you are trying to help). I downloaded and uploaded the latest version of the directory script just now.

Do I now need to patch it too - or will the new version be good

Loren
07-27-2006, 06:10 PM
Well it could be the way they are getting in, via the suggest link. Not saying it is, but i was warned that if i allow html via this link, then there is the ability to add more than just html ie nasty codes that could go to your database and therefore can be hacked to bits, i know the new version has codes that strip the html as a security measure, however i am not sure that it had it in the last one. So my advice would be upgrade, and don't allow visitors easy access! Yes it's a schlep but hell wouldn't you rather have your site intact! Either that of course make a daily back up of everything..and deal with it when it comes..and comes again..

As for these little b@stards they really are going for it! Maybe if we can get an ip address then we can lock them out? Also i am dismayed to see the calendar i am about to use for my site is also prone to being tampered with...shsssh :(

Saying all this I think Simon needs to tell us his view on this...

Loren
07-27-2006, 06:12 PM
http://hackedsites.pbwiki.com/iNSoMNiA Look at this...I tell you there is going to be war!!!:mad:

pauleddison
07-27-2006, 06:15 PM
Well it could be the way they are getting in, via the suggest link. Not saying it is, but i was warned that if i allow html via this link, then there is the ability to add more than just html ie nasty codes that could go to your database and therefore can be hacked to bits, i know the new version has codes that strip the html as a security measure, however i am not sure that it had it in the last one. So my advice would be upgrade, and don't allow visitors easy access! Yes it's a schlep but hell wouldn't you rather have your site intact! Either that of course make a daily back up of everything..and deal with it when it comes..and comes again..

As for these little b@stards they really are going for it! Maybe if we can get an ip address then we can lock them out? Also i am dismayed to see the calendar i am about to use for my site is also prone to being tampered with...shsssh :(

Saying all this I think Simon needs to tell us his view on this...

Where do I configure the script to not accept HTML code?

Loren
07-27-2006, 06:19 PM
Where do I configure the script to not accept HTML code?

You don't; it's automatic in the new version! Actually there might be, but i don't remember the other version..

Loren
07-27-2006, 06:22 PM
Sorry fellas, this means nothing to me (I know you are trying to help). I downloaded and uploaded the latest version of the directory script just now.

Do I now need to patch it too - or will the new version be good

You will have to apply the patch.

redeye
07-27-2006, 06:27 PM
My host www.charlottezweb.com (http://www.charlottezweb.com) has upgraded all servers to use PHPSUEXEC which won't allow any files to have 777 permissions. Don't know the technicalities of this but here's a short extract that Jason put up on the forum to explain things. This could be more of a server protection device. I'm sure someone will be able to explain it in non-techno-speak.

"When PHP runs as an Apache Module it executes as the user/group of the webserver which is usually "nobody". Under this mode, files or directories that you require your php scripts to write to need to have 777 permissions (read/write/execute at user/group/world level). This is not very secure because besides allowing the webserver to write to the file it also allows anyone else to read or write to the file.

With PHP running as CGI with suexec enabled your php scripts now execute under your user/group level. Files or directories that you require your php scripts to write to no longer need to have 777 permissions. In fact, having 777 permissions on your scripts or the directories they reside in will not run and will instead cause a 500 internal server error when attempting to execute them to protect you from someone abusing your scripts. Your scripts and directories can have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else). PHP running as CGI/suexec is much more secure than the older Apache module method."

My visiting list is getting longer and Christmas card list getting shorter.

djbaxter
07-28-2006, 01:28 AM
Yes. Just check out those Google searches. As I said earlier, this does not look like an eSyndicat issue to me - it looks like a PHP issue or a server configuration issue. It is affecting all manner of Apache servers and PHP software.

Vincent Wright
07-28-2006, 06:16 AM
to redeye and to all interested...

I found a pretty good explanation (http://codylindley.com/Misc/74/server-security-issues--phpsuexec--textpattern) of what phpsuexec is.

Jump straight to the section titled "Why PHPSUEXEC and the security hole of PHP".

Loren
07-28-2006, 06:37 AM
to redeye and to all interested...

I found a pretty good explanation (http://codylindley.com/Misc/74/server-security-issues--phpsuexec--textpattern) of what phpsuexec is.

Jump straight to the section titled "Why PHPSUEXEC and the security hole of PHP".

Morning Vinny, thank you for the information.

From what i understood, if your Server API is as described here: You can easily tell if your server has phpsuexec enabled by visiting your server's phpinfo page:- http://your.servername.com/phpinfo.php/ Simply look for the following near the top of that page. (4th Box Down Server API) :- "Server API Apache" This means that your server is currently running php as an apache module. If within the phpinfo page you see the following:- "Server API CGI" Then your server has a CGI installation of PHP with suexec enabled.
Then you are okay, yes? Well i looked in my Server Info via my directory Admin panel and for me it said:

Server API CGI. So that would suggest i have the Apache Module that safeguards against these attacks.. I therefore, unless i have got it all wrong, suggest that members check. I am with 1&1 dot co. uk. And no matter how much i rant off at them for irritating mistakes recently, they may have actually got something right! :blink:

Vincent Wright
07-28-2006, 06:45 AM
Morning Queen of Hearts,

as I understand from the article if you see Server API -- CGI it means PHPSUEXEC is installed.

Loren
07-28-2006, 06:51 AM
Excellent! No off with their heads then..i do hate that part :ooi: being such the peace loving person that I am.. :D

Thank You Sweetheart for pointing this very useful article out to us. I now can rest that these particular fiends, hopefully..touches wood, won't do nasties to my site.

WTM
07-28-2006, 07:04 AM
Loren,
Could you point me in the right direction - where to look for server info?
I am using 1and1 also just in the US
Thanks

Vincent Wright
07-28-2006, 07:08 AM
I decided to test it on our online [test] directory.

PHP Info reads this:

Server API -- CGI/FastCGI

Then I issued the command `chmod 0600 includes/config.inc.php` (thus restricting access ONLY to my username) as described in the article.

Then I changed character encoding [Admin Panel >> Configuration >> General Configuration] from iso-8859-1 to utf-8 and saved the changes. And it worked!

It means that the file is writable, which in turn means apache executes php scripts under the same username I use to upload files via ftp, and not the default nobody username.

:cool-yo:

Vincent Wright
07-28-2006, 07:10 AM
to WTM

Log into Admin Panel, at the top of the page you will see an inventory line that reads like

SITE HOME | DIRECTORY HOME

Click the SERVER INFO link

Voila!

WTM
07-28-2006, 08:30 AM
Thank you, Vince
On 1and1 server I have: --CGI
on ResellerZoom: CGI/FastCGI

WTM
07-28-2006, 08:33 AM
Then I issued the command `chmod 0600 includes/config.inc.php` (thus restricting access ONLY to my username) as described in the article.

Then I changed character encoding [Admin Panel >> Configuration >> General Configuration] from iso-8859-1 to utf-8 and saved the changes. And it worked!

It means that the file is writable, which in turn means apache executes php scripts under the same username I use to upload files via ftp, and not the default nobody username.


Is this something you would suggest to get done for all directories?

Vincent Wright
07-28-2006, 08:58 AM
I haven't tested it yet.

But as the article suggests, you have to do the following

1. chmod 755 all the folders
2. chmod 400 all the read-only files
3. chmod 600 all the files that the script modifies

The files that should have writeable flag are:

includes/config.inc.php
language/<language>.php
templates/<template>/css/style.css

The major problem here is to chmod in batch. It's really inconvenient to chmod via an ftp client item by item, taking into account the number of files and folders.
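As an added example (not code from the thread, and not part of eSyndiCat), a POSIX shell script that applies the 755/400/600 scheme from the list above in one pass with find instead of file by file over FTP, and then reports anything still world-writable, which is what a 777 file would be. It assumes the folder layout Vincent lists (includes/, language/, templates/<template>/css/) and that PHP runs as CGI with suexec, so the script owner is the user the web server runs as; under the Apache module (Server API "Apache") the 400/600 files would be unreadable to the "nobody" user and the site would break.

```shell
#!/bin/sh
# Batch permission hardening for an eSyndiCat document root on a phpsuexec host.
# Scheme from the thread: directories 755, read-only files 400, files the admin
# panel writes to 600. Assumes the layout includes/, language/*.php and
# templates/*/css/style.css (assumption taken from the post above).
set -eu

# apply_perms DOCROOT: set the scheme over the whole tree. Directories first so
# later find passes can still descend into them.
apply_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 400 {} +
    # Files the admin panel modifies must stay writable by the owning user only.
    [ -f "$root/includes/config.inc.php" ] && chmod 600 "$root/includes/config.inc.php"
    if [ -d "$root/language" ]; then
        find "$root/language" -type f -name '*.php' -exec chmod 600 {} +
    fi
    if [ -d "$root/templates" ]; then
        find "$root/templates" -type f -path '*/css/style.css' -exec chmod 600 {} +
    fi
}

# find_world_writable DOCROOT: list entries with the "other" write bit set
# (777, 666, 757 ...). Under suexec the maximum is 755, so any hit means either
# suexec is not in use or something was left wide open by hand.
find_world_writable() {
    find "$1" -perm -002
}

# count_world_writable DOCROOT: number of world-writable entries, "0" when clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Only act when a document root is given on the command line, e.g.
#   sh harden.sh /home/user/public_html
if [ "$#" -gt 0 ]; then
    apply_perms "$1"
    echo "World-writable entries remaining: $(count_world_writable "$1")"
    find_world_writable "$1"
fi
```

Run it over a copy first if you are unsure of your Server API: if the site then returns 500 errors, the host is not running suexec and the 400/600 step has to be undone.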

sdawkins
07-28-2006, 12:34 PM
Thanks Vincent for all the info.

If I do not use my admin panel to edit my config.inc file, language file or templates (I like to do it on my computer in my editor), do I still need to leave these files 600?

Vincent Wright
07-28-2006, 12:38 PM
First of all -- make sure Apache runs phpsuexec. If yes, then you should change it to 400 (not 600, since you don't need to edit it via the admin panel).

sdawkins
07-28-2006, 01:38 PM
When I changed the css file to 600, it does not load it. So now I have it at 755 but it won't load my logo.......

Vincent Wright
07-28-2006, 01:45 PM
What is the url of the site?

sdawkins
07-28-2006, 01:47 PM
The logo works now in IE, but not Firefox. Also, now I can not approve categories and links in the control panel. What should the Language be set to? I have tried 744, 644, 755.

The url is http://www.findtoplinks.com

Vincent Wright
07-28-2006, 01:50 PM
I can see the logo and I use Firefox.

Well, did you make sure that your Apache runs phpsuexec? Since without it the system will prevent your site from functioning when changing permissions to those mentioned above.

sdawkins
07-28-2006, 01:53 PM
I think it does it says CGI/Fast CGI

I really didn't understand all that stuff in the post in all honesty...

sdawkins
07-28-2006, 02:32 PM
Ok, something must be wrong with my Firefox, because nothing is working (can't approve links or categories), however it works in IE.......argh.

safatweb
07-28-2006, 05:21 PM
What if it shows Server API: Apache?

Loren
07-28-2006, 06:15 PM
What if it shows Server API: Apache?

If it says Apache i guess you don't have the CGI bit, therefore possible vulnerability..

2 SDawkins, I'm with you, Hun :friends: I have no idea what Vincent is wittering on about either..whether these instructions be for those who don't have the CGI bit or for all regardless. Let's wait till he gets back to us on this..

Greg
07-28-2006, 06:42 PM
This is all over my head also.
What would the best thing to have the "Server API" show so someone would not have any worries?

djbaxter
07-28-2006, 06:50 PM
I think we're jumping to conclusions here... I haven't seen anything yet to indicate how the hacker(s) is getting into these sites or what they have in common.

The only thing I think we can say is that this is a vulnerability either in PHP or in Apache or something else at the server level. Beyond that, I don't think there's been enough information to base any conclusions on. Not seeing the "server api cgi" thing doesn't necessarily mean you're at risk.

redeye
07-28-2006, 06:51 PM
Don't know how helpful this will be but here's a link to my host's thread about the issues and resolutions.

Essentially, if you look through your files on your server and see any at 777 then you haven't got PHPSUEXEC running, as the max it allows is 755, and there's also a post about htaccess files in the root directory.

http://www.charlottezweb.com/forums/index.php?topic=462.0

Loren
07-28-2006, 06:56 PM
This is all over my head also.
What would the best thing to have the "Server API" show so someone would not have any worries?

No that is a melon!:]

It's the wooosh sound..get that frequently..Here look at pic from directory server info. If this is CGI or CGI fast it's good, if Apache probably not so good, as for the other stuff..still flying way over head :)

Bryan Ex
07-28-2006, 07:12 PM
I'm running 3 sites with eSyndiCat_Pro_v11 and 2 of them have been hacked within a week!!

pauleddison... what exactly was it that was hacked on your site? Files... database... configuration settings... I'm just wondering what was accessed and what was done.

Greg
07-28-2006, 10:07 PM
No that is a melon!:]

It's the wooosh sound..get that frequently..Here look at pic from directory server info. If this is CGI or CGI fast it's good, if Apache probably not so good, as for the other stuff..still flying way over head :)

Thanks Loren for api info. ;)

Just checked and mine is "Apache" Guess I'll check with my host and see what they have to say.

(red thinks it's a veggie, you think it's a melon, it looks like a lime to me :)

djbaxter
07-29-2006, 01:39 AM
Nonsense - it's clearly a crash helmet made out of a green tennis ball.

Greg
07-29-2006, 01:56 AM
Nonsense - it's clearly a crash helmet made out of a green tennis ball.

Way off :offtopic: :D
Here's a blowup of the pic.
Sure looks like a lime 2 me. :)

http://members.aol.com/javascriptcity/lime.gif

Loren
07-29-2006, 02:44 AM
Way off Here's a blowup of the pic.
Sure looks like a lime 2 me.

http://members.aol.com/javascriptcity/lime.gif
Blinking big lime! A Kitty head ain't that small Nah it's a melon or squash of some kind. Have to say though that kitty does not look impressed..

Updated thought..it could be a green grapefruit, that might fit..it's the dent skin that makes it look like a citrus fruit. So here is a picture of a very large green kind of grapefruit called a Pomelos http://www.gourmondo.de/medias/BHVKWVH4bl788guwdf0sie-30.jpg

Greg
07-29-2006, 08:10 AM
Blinking big lime! A Kitty head ain't that small Nah it's a melon or squash of some kind. Have to say though that kitty does not look impressed..

Updated thought..it could be a green grapefruit, that might fit..it's the dent skin that makes it look like a citrus fruit. So here is a picture of a very large green kind of grapefruit called a Pomelos

First idea was to post these:
http://www.collegehumor.com/pictures/28271/
http://www.pineapple-girl.com/melee/0312.php

Then I found this:
http://en.wikipedia.org/wiki/Limecat
Further investigation has led many to speculate that the fruit in question is, in fact, a pomelo. (It is a Chinese tradition to put the rind of a pomelo on one's head during the Mid-Autumn Festival.) The image has the tagline "Limecat is not pleased." Limecat is also known as "Meloncat", "General Whiskers", and "Gimp-Master Klein."

So Loren you may just be right. :)

Sorry to everyone else for all the :offtopic: posts.

Loren
07-29-2006, 08:34 AM
See... what can i tell you , i just have a knack, call it intuition, psychic ability or just plain noseyness..but i generally always find out the right answer! ;)

redeye
07-29-2006, 08:53 AM
I've joined the crazy house %)

Vincent Wright
07-29-2006, 07:48 PM
to Loren

This often happens to me. I mean the intuition. I often judge things by intuition, not logic or reasoning. I just feel that something is wrong or right.

Probably intuition is just a mix of knowledge, experience, common sense, your mood, etc?

redeye
07-29-2006, 08:11 PM
Don't you start getting into this heebeejeebee stuff Vincent %)

We have enough with our own Mystic Meg :]


Incoming .......... :fingal:

Loren
07-29-2006, 09:20 PM
Don't you start getting into this heebeejeebee stuff Vincent

We have enough with our own Mystic Meg


Incoming .......... :fingal:

Watch it You :batz: Otherwise that lovely shiny head of yours will be under your arm soon, get my drift... :)

Well, I think it's nice when a man is in touch with his right side of the brain..and i agree it is a mixture of all these things, but i put it ultimately down to the collective consciousness and just a good ability to tap into it, oh and my guides of course ;)