HELP!!! Site keeps getting hacked!!!


Mystic
7-13-03, 11:20 PM
Hello all,

I need help. My site has been hacked twice now and they have replaced my logo with an image in Spanish that has some nasty words. I have removed ALL my FTP accounts and reset the password to the main account. NO ONE but me has the password, not even my wife! How can they be getting into the site to make this change?!?!

Here is the URL www.mystic-auction.com

Any help would be greatly appreciated. I am only glad that they have only made the one change and it is easily fixed. But it is only a matter of time before they do some real damage!

Thanks,
Kevin

B&T
7-13-03, 11:35 PM
Maybe you have some spy-ware running on your PC.

Or maybe the file being replaced has a chmod allowing anyone to write to it, someone found that and is replacing it.

Just a few ideas on how this might happen.

I was just poking around your site looking in your image directory. Did not try and replace any images . . . but I would suggest you turn off indexes as a start. Put this in your htaccess:

Options -Indexes

bdoc
7-13-03, 11:50 PM
Does your auction program allow users to upload files to the server? The only real thing I could think of would be that a user is uploading a file with the same name as your banner to throw you off. Is anything else on your site being played with or is it just that one banner as you'd indicated?

galexia
7-15-03, 07:32 AM
you use frontpage, don't you?

i went to a meeting of a satanic cult one time, and after it was over, they gave us all a copy of frontpage and told us to go out and spread it around, like SARS or monkeypox...

i just went home and had a tumbler of Bailey's Irish Cream and threw frontpage into the mississippi river.

Jo-Bizz
7-15-03, 09:23 AM
galexia:

and then there are those people who are so narrow minded that if their brain was rolling down a razor blade, it would look like a BB rolling down a 3-lane highway.....

a bad web design tool does not make a good web designer a bad one, nor does a good tool make a bad designer a good one.

Mystic
7-15-03, 03:21 PM
Hi All,

First off, no, I do not use FrontPage and never will. But I do think I found the way they got in, and it was through the OSC admin and its file manager. I have since deleted it off the site and so far it has been ok since then. :-)

Thanks,
Kevin

stevel
7-15-03, 03:42 PM
You didn't follow the security tips in the osCommerce forum section here, I take it... You should protect the admin folder with .htaccess username/password protection.
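
Added example, not part of any post in this thread: a small shell audit for the three server-side checks suggested above (world-writable files, directory listings, and password protection on the admin folder). The function names and the paths passed in are assumptions for illustration, and the .htaccess checks look only at the file in the named directory, not at the main server configuration.

```shell
#!/bin/sh
# Added example: audit a web root for the weaknesses raised in this thread.
# Function names and paths are hypothetical; adjust to your own hosting layout.

# Print every file or directory under $1 that any local account can write to
# (the "other" write bit, e.g. chmod 666 or 777).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Return 0 if directory $1 has an .htaccess that names an auth scheme
# (AuthType) and also demands a login (Require); otherwise return 1.
admin_protected() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+(Basic|Digest)' "$ht" || return 1
    grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|user|group)' "$ht" || return 1
    return 0
}

# Return 0 if the .htaccess in $1 switches directory listings off.
indexes_disabled() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Run all three checks; return 0 only if nothing was flagged.
audit_webroot() {
    root="$1"; admin="$2"; status=0
    ww=$(world_writable "$root")
    if [ -n "$ww" ]; then
        echo "World-writable paths (use 644 for files, 755 for directories):"
        echo "$ww"
        status=1
    fi
    admin_protected "$admin" || { echo "No password protection in $admin/.htaccess"; status=1; }
    indexes_disabled "$root" || { echo "Directory listings not disabled in $root/.htaccess"; status=1; }
    return $status
}

# Usage: sh audit.sh /path/to/webroot /path/to/webroot/admin
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

A clean result does not rule out a flaw inside the application itself, such as a web-based file manager that writes files with the web server's own permissions.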

Mystic
7-15-03, 03:47 PM
Originally posted by stevel
You didn't follow the security tips in the osCommerce forum section here, I take it... You should protect the admin folder with .htaccess username/password protection.

Actually, I had used the .htaccess to protect it, but I guess that is not foolproof. I even made sure not to allow IE to save my password. I am getting ready to re-format my drives to make sure there is no hidden spyware or something like that as well as to fix some other problems and clean off old unused files. Once that is done, I will reinstall my firewall and hope that stops the hacking for good. :-)

Kevin

JustForMyso
7-16-03, 09:25 AM
My site was hacked several times. The first time it was hacked, a new file, perf.html, was added that said "perf has invaded your box" and the index.html was replaced with a new index.html containing an anti-war message LiKe ThIs. I luckily had a copy of my real index.html file which I immediately replaced and deleted perf.html completely. Why they had to tell me they were there I don't know. Guess it was cool or something in their eyes. Then I got hacked again. This time nothing was changed cept a new file was added, kewl.txt, that said Hello I was here. I think it was the same person to tell you the truth but how would I know. Then my forum, Invision Boards format, was hacked. First the skins went, then the members, then certain boards, and on and on. I was always having to fix something that worked fine before. Luckily nothing was lost permanently except one board. I then went and changed all the passwords and since then have not had one single instance of hacking or boards crashing. No unknown files appear in my stuff or anything so I must have solved the problem. My guess is the password I had was too easy and they figured it out and at the time it was the same for both the ftp and mysql so once they got into ftp they then turned around and fooled around in mysql. That is my guess .. could be wrong. It is weird though how they suddenly stopped once the password was changed. I can only hope they never get back in again. I made it extra hard this time :p