PDA

View Full Version : My Cjoverkill has been hacked


klaasjanneke
2nd February 2009, 08:56 PM
My cjoverkill (version: 4.1.2), was hacked by some Islam-Group. Very strange. Today i went to my website, and didn`t see MY website, but some weird other website(with some text like: 'hacked by blabla' , 'Allah is the greatest' etc.). Why and how they did it, i don`t know. The website has very low vistors.

You can still look at it trough google`s cache (because i allready 'fixed' the problem on the site)

http://www.google.com/search?q=pornogames&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1

The website i`m talking about is the first(pornogames.ws). You don`t have to go to the page itself, because you won`t see anything anymore. But when you go the google`s cache you can still see what weird group hacked my CJ. (it has been there for 3 weeks, since i didn`t look at it in these 3 weeks.)

I will try to explain exactly what i did, so maybe you people can pinpoint where the problem lies.

Firstly i deleted: in.php , this didn`t help.

2: I went into the database, and deleted old PHPBB-forum database entries from it. This wasn`t working anymore , but i forgot to delete it months ago. The forum-files wern`t on the server anymore, just the database entries.

3: When the forum-entries were deleted from the database, the page was gone, i now could see my own frontpage again. But, out.php etc. still wasn`t working (when i clicked those pages, i again got that weird website).

4: I deleted al cj-related files. The problem was solved, because i only got that website if i clicked a CJ-related php file.

5: I installed the newest CJ on another website, and i made pornogames.ws one of the sites in the network. Uploaded in.php and out.php etc. And it now works all fine.


I really don`t know how they did it. It looks to me that the phpbb database entries are related, because the frontpage turned back normal when i deleted those. The cj was defenitly 'infected' , because every CJ page i clicked, i got that website again. Other pages worked fine

I really don`t know if this is usefull, but maybe it is. And i also know that it is important to update the CJ over time. But i don`t look at my website often :) I now have the newest version, and i fully trust you people that it is secure.

English isn`t my native language. So don`t mind the typo`s

ICEFIRE
2nd February 2009, 10:06 PM
I guess it's something phpbb related since you confirm that when phpbb was deleted the problem was gone.
Anyways, if you used the same password for your phpbb and your CjOverkill install, then most probably they just sucked the password from phpbb.

Other option would be to infect the cj-conf file using an old phpbb bug present on insecure php installations.


Version 4.1.x has no reported security bugs, anyways I will take a look at that closely just in case.

Appoltara
31st March 2011, 03:04 PM
Hi,

I found my 3 servers was hacked by "KabuS". I found all my customers index was replace by "Hacked By The KabuS" page.
I found the index file nothing change. But all index page redirect to page "Hacked By The KabuS". Anybody can consult me?

ICEFIRE
5th April 2011, 08:26 PM
Sorry for the late reply

CjOverkill doesn't write to other files other than the toplist ones. Also is nothing in the code that would allow it to write to your site files.

Check that your site script is using the latest version and that the file permissions on your site are correct.

Appoltara
22nd April 2011, 07:43 PM
just an update
I there is also a 2nd site on my account which also runs mambo, it had mambo 4.5.2, and its template has been also hacked

I upgraded the 2nd one to 4.5.6 and uploaded all fresh files but again after few hours both the sites have their template index.php replaced ?
I had also set permissions on index.php as 444 but it did not make any difference
i have checked the ftp logs and no one has logged in except me so it isnt related to the password thing

Please suggest that how can I troubleshoot this ?

ICEFIRE
24th April 2011, 12:30 PM
Take a look at mambo.

Make sure you are using stable and bugfree modules and that your mambo installation is ok. It's known to be a very buggy CMS.

Also check your PC with an updated antivirus.