ICEFIRE Webmaster Board  

CjOverkill SECURITY CjOverkill security patches and discussion

#1
2nd February 2009, 08:56 PM
klaasjanneke (Junior Member)
My Cjoverkill has been hacked

My CjOverkill (version 4.1.2) was hacked by some Islam-Group. Very strange. Today I went to my website and didn't see MY website, but some weird other website (with some text like: 'hacked by blabla', 'Allah is the greatest' etc.). Why and how they did it, I don't know. The website has very few visitors.

You can still look at it through Google's cache (because I already 'fixed' the problem on the site)

http://www.google.com/search?q=porno...x=&startPage=1

The website I'm talking about is the first (pornogames.ws). You don't have to go to the page itself, because you won't see anything anymore. But when you go to Google's cache you can still see what weird group hacked my CJ. (It has been there for 3 weeks, since I didn't look at it in these 3 weeks.)

I will try to explain exactly what I did, so maybe you people can pinpoint where the problem lies.

Firstly I deleted in.php; this didn't help.

2: I went into the database and deleted old phpBB forum database entries from it. This wasn't working anymore, but I forgot to delete it months ago. The forum files weren't on the server anymore, just the database entries.

3: When the forum entries were deleted from the database, the page was gone; I could now see my own front page again. But out.php etc. still weren't working (when I clicked those pages, I again got that weird website).

4: I deleted all CJ-related files. The problem was solved, because I only got that website if I clicked a CJ-related PHP file.

5: I installed the newest CJ on another website, and I made pornogames.ws one of the sites in the network. Uploaded in.php and out.php etc. And it now all works fine.


I really don't know how they did it. It looks to me like the phpBB database entries are related, because the front page turned back to normal when I deleted those. The CJ was definitely 'infected', because every CJ page I clicked, I got that website again. Other pages worked fine.

I really don't know if this is useful, but maybe it is. And I also know that it is important to update the CJ over time. But I don't look at my website often. I now have the newest version, and I fully trust you people that it is secure.

English isn't my native language, so don't mind the typos.
Reply With Quote
#2
2nd February 2009, 10:06 PM
ICEFIRE (Administrator)

I guess it's something phpBB related, since you confirm that when phpBB was deleted the problem was gone.
Anyway, if you used the same password for your phpBB and your CjOverkill install, then most probably they just sucked the password from phpBB.

Another option would be to infect the cj-conf file using an old phpBB bug present on insecure PHP installations.


Version 4.1.x has no reported security bugs. Anyway, I will take a close look at that just in case.
Reply With Quote
#3
31st March 2011, 03:04 PM
Appoltara (Junior Member)

Hi,

I found that my 3 servers were hacked by "KabuS". I found that all my customers' index pages were replaced by a "Hacked By The KabuS" page.
I found nothing changed in the index file, but all index pages redirect to the "Hacked By The KabuS" page. Can anybody advise me?
Reply With Quote
#4
5th April 2011, 08:26 PM
ICEFIRE (Administrator)

Sorry for the late reply.

CjOverkill doesn't write to any files other than the toplist ones. Also, there is nothing in the code that would allow it to write to your site files.

Check that your site script is using the latest version and that the file permissions on your site are correct.
Reply With Quote
#5
22nd April 2011, 07:43 PM
Appoltara (Junior Member)

Just an update.
There is also a 2nd site on my account which also runs Mambo; it had Mambo 4.5.2, and its template has also been hacked.

I upgraded the 2nd one to 4.5.6 and uploaded all fresh files, but again after a few hours both sites have their template index.php replaced.
I had also set permissions on index.php to 444, but it did not make any difference.
I have checked the FTP logs and no one has logged in except me, so it isn't related to the password thing.

Please suggest how I can troubleshoot this.
Reply With Quote
#6
24th April 2011, 12:30 PM
ICEFIRE (Administrator)

Take a look at Mambo.

Make sure you are using stable and bug-free modules and that your Mambo installation is OK. It's known to be a very buggy CMS.

Also check your PC with an updated antivirus.
Reply With Quote
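
Added example, not part of any post in this thread: post #4 recommends checking file permissions and post #5 reports that mode 444 on index.php made no difference. Replacing a file is an operation on its directory, so this script lists group- or other-writable directories, recently modified PHP files, and files that differ from a checksum baseline taken right after a fresh upload. The function names, the baseline file and the use of GNU `sha256sum` are assumptions.

```bash
#!/bin/sh
# Added example: audit a web root after a defacement.
# Function names and the baseline file are assumptions; the checksum
# functions assume GNU coreutils (sha256sum).

# Directories writable by group or others. A file inside one can be
# replaced (rename and unlink act on the directory), whatever the
# file's own mode, so chmod 444 on index.php does not prevent it.
# If PHP runs as the file owner, owner-writable directories count too.
writable_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            # character 6 = group write, character 9 = other write
            ?????w*|????????w*) printf '%s\n' "$d" ;;
        esac
    done | sort
}

# PHP files modified within the last N days (default 1).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-1}" | sort
}

# Print SHA-256 sums for every file under the web root. Run this right
# after uploading fresh files and store the output outside the web root.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# List files whose content no longer matches the baseline.
# $2 must be an absolute path to the saved baseline.
changed_since() {
    ( cd "$1" && LC_ALL=C sha256sum -c "$2" 2>/dev/null |
        sed -n 's/: FAILED.*$//p' )
}

# Usage (paths are placeholders):
#   make_baseline /path/to/webroot > /root/webroot.sha256
#   writable_dirs /path/to/webroot
#   recent_php /path/to/webroot 3
#   changed_since /path/to/webroot /root/webroot.sha256
```
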