
Thread: Postnuke site hacked - HELP!

  1. #1
    Join Date
    Oct 2007
    Location
    North West, UK
    Posts
    21
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default Postnuke site hacked - HELP!

    Hi,

    Our community website www.chestermc.org has been hacked. There is a load of rubbish text on the top of the index page. Anyone know how I can disable it?

    We're running on PostNuke 1.0.1. I have searched the whole backend DB for the text, nothing, so it's not SQL injection. Can't see it in any of the PHP files, no URL in the index or other, and even if I disable a load of the PHP files it still shows on the index page.

    Any suggestions appreciated.

  2. #2
    Join Date
    Oct 2007
    Location
    North West, UK
    Posts
    21
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    Bump!

  3. #3
    Join Date
    Apr 2006
    Location
    Amsterdam
    Posts
    350
    Thanks
    20
    Thanked 11 Times in 11 Posts

    Default

    Your website seems to be fixed now. Where did you locate rubbish text?

  4. #4
    Join Date
    Oct 2007
    Location
    North West, UK
    Posts
    21
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    Hi Rappie.

    Thanks for getting back to me. That's because I have changed the index page to just be a redirect to index_new.php

    Unfortunately none of the links on the site work, as it needs to be just 'index.php', so it's not really fixed.

    The index_new is actually my original index page, so whatever was done is not to that page; it must be in the PHP code pages and knows to put the rubbish up on the actual 'index' page. Because I have changed my index page to be just a redirect page, it's redirecting too quickly for the hacked rubbish to show, thankfully.

    I will put it back to how it was tonight for you to see (can't at the mo as work blocks FTP).

    Thanks in advance!

  5. #5
    Join Date
    Apr 2006
    Location
    Amsterdam
    Posts
    350
    Thanks
    20
    Thanked 11 Times in 11 Posts

    Default

    Hi James,

    I've seen the rubbish text you mentioned earlier. The thing that seems most strange to me is the links. They seem to be "safe" and valid links. No porn, trojan or adware of any kind (so far as I can tell). I googled a couple of the links to see if there are other websites with similar problems, but haven't found any. So no clues there.

    I think it would be wise to download all pages and search for the rubbish to find the "infected" file. You can use Dreamweaver to search for phrases in all files within a folder. Or other programs, like WordPad (Ctrl+F), to search for phrases in individual files.

  6. #6
    Join Date
    Oct 2007
    Location
    North West, UK
    Posts
    21
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    Hi Rappie.

    I have managed to fix my site for now and track down the problem hack.

    I downloaded the entire site and did a search, no results. I then started disabling files (.tmp), process of elimination.

    I found that as soon as I renamed pnTEMP another was created and 3 files were always created:

    Admin_Messages^Imagic2^eng^%%FC^FCF^FCF07B3F%%admin_messages_block_messages.htm.php
    Header_Footer^Imagic2^eng^%%F1^F16^F161C1FA%%header_footer_page.htm.inc
    Header_Footer^Imagic2^eng^%%F1^F16^F161C1FA%%header_footer_page.htm.php

    I fortunately had an old backup of my site and overwrote the 'Includes Directory' (backed up locally first) with that, which seems to have worked, for now! We're looking at going to Community Server now anyway. Any other suggestions for a climbing club CMS, as PostNuke is getting unmanageable?

    Thanks again!

    James.
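The backup comparison described in post #6 can be done file by file with hashes instead of a text search. The following is an added example, not code from the thread; the file names and the sample change are constructed, and the list of decode-and-execute calls is an assumption about why a plain-text search might find nothing, not something the thread establishes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls often used to hide injected PHP from a plain-text search (assumed list).
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")

def sha256_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(backup, live):
    """Report files that differ between a known-good backup and the live copy."""
    old, new = sha256_tree(backup), sha256_tree(live)
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
    }
    # Among new or changed files, flag those containing decode-and-execute calls.
    report["obfuscated"] = [
        f for f in report["added"] + report["modified"]
        if OBFUSCATION.search((Path(live) / f).read_bytes())
    ]
    return report

def demo():
    """Build a constructed backup/live pair in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php include 'includes/pnAPI.php';\n")
            (root / "includes/pnAPI.php").write_text("<?php function pnInit() {}\n")
        # Constructed change: the encoded string is just the text "spam links".
        (live / "includes/pnAPI.php").write_text(
            "<?php function pnInit() {}\necho base64_decode('c3BhbSBsaW5rcw==');\n")
        (live / "includes/cache.php").write_text("<?php // unexpected new file\n")
        return compare_trees(backup, live)

if __name__ == "__main__":
    print(demo())
```

Run `compare_trees` on the restored backup and the downloaded copy of the live site; cache directories such as pnTEMP will show up as added files because they are regenerated at runtime.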

  7. #7
    Join Date
    Mar 2005
    Location
    Hampshire
    Posts
    432
    Thanks
    4
    Thanked 3 Times in 3 Posts

    Default

    I believe that Community Server costs. Have you taken a look at DotNetNuke? There are lots of CMS sites out there, what one to use all depends on what you are after.

    Just chill

  8. #8
    Join Date
    Jul 2005
    Posts
    42
    Thanks
    1
    Thanked 1 Time in 1 Post

    Default One of my sites seems to have been hacked

    Our website acardjust4u.co.uk has been interfered with and the home page has been replaced with a "hacked by Nasah" page.
    The source code on the server has been changed - but not by me, as the site has been unchanged for many months - the new date of the index page is December.
    Anybody got an idea why/how this could have happened?

  9. #9
    Join Date
    Feb 2004
    Posts
    4,877
    Thanks
    2
    Thanked 134 Times in 113 Posts

    Default

    Checking your website logs would be the first thing to do; these attacks happen through vulnerabilities in your own website code.
    Warren Ashcroft
    Red Fox UK Limited - Pioneers in Internet Technology
    http://www.redfoxuk.com
    w.ashcroft [at] redfoxuk.com

    NOTE: Forum Private Messaging should not be used to contact staff with support queries.

  10. #10
    Join Date
    Oct 2007
    Location
    North West, UK
    Posts
    21
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    I have had my postnuke report about fifty times using PNSecurity over the last 24 hours that the following IP has been trying to access our site:

    220.120.130.55

    I did a trace and it's somewhere in Korea. We have no climbing club members in Korea. Is there any way we could block this IP address? It's the same one every time.

    (By the way Warren, I take your comments on board fully, and agree. I'm actually in the process of creating a new Community Server site) but until that's live I have to keep the old PostNuke site running.

    Thanks.

    James.
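The log check suggested in post #9 and the repeated-address report in post #10 both come down to the same triage: count requests per client, then look at what was sent around the time a file changed. This is an added example, not code from the thread; it assumes Apache combined log format, and the log lines, addresses and modification time are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined log format (an assumed format);
# the addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Dec/2007:09:02:11 +0000] "POST /user.php HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2007:21:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Dec/2007:21:15:40 +0000] "GET /index.php?module=News HTTP/1.1" 200 4311 "-" "-"
192.0.2.55 - - [03/Dec/2007:21:16:05 +0000] "POST /modules.php?op=modload HTTP/1.1" 200 312 "-" "-"
192.0.2.55 - - [03/Dec/2007:21:16:30 +0000] "GET /index.php HTTP/1.1" 200 977 "-" "-"
truncated line that does not parse
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(log_text):
    """Return (ip, time, method, path, status) tuples, skipping malformed lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            entries.append((ip, when, method, path, int(status)))
    return entries

def hits_per_ip(entries):
    """Client addresses ordered by number of requests, busiest first."""
    return Counter(e[0] for e in entries).most_common()

def requests_near(entries, changed_at, minutes=5):
    """State-changing requests within +/- minutes of a file's modification time."""
    window = timedelta(minutes=minutes)
    return [e for e in entries
            if abs(e[1] - changed_at) <= window and e[2] in ("POST", "PUT")]

ENTRIES = parse(SAMPLE_LOG)
# Constructed modification time of the changed index page, in UTC.
CHANGED_AT = datetime(2007, 12, 3, 21, 16, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(hits_per_ip(ENTRIES))
    for ip, when, method, path, status in requests_near(ENTRIES, CHANGED_AT):
        print(ip, when.isoformat(), method, path, status)
```

File dates shown by an FTP client may be in a different time zone from the server log, so convert both to UTC before comparing.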
