My Website Hacked Again!


clanfear
9-12-04, 10:21 AM
Hi there.

My website has been hacked for the third time and I really don't know what to do any more.

The last time I changed ALL my passwords and I even disabled ftp access to my account to make it safer but no luck. Today I found that my index.php had been changed again.

I also found two other files that seem to be binary files. They contain some strange lines.

<command line>/usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h

<built-in>abi-note.S/usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/abi-tag.h

init.c
help data_start printf@@GLIBC_2.0
_fini
getopt_long@@GLIBC_2.0
gethostbyname@@GLIBC_2.0
exit@@GLIBC_2.0
atoi@@GLIBC_2.0
_edata
_GLOBAL_OFFSET_TABLE_
_end

Now, I know that there have been other powweb websites hacked in the past and I wonder if there might be a security problem with the webservers or just tell me what else I can do.

Thank you.

stevel
9-12-04, 10:29 AM
Those look like Linux source files. What kind of site do you run? What sort of scripts does it have? I'd guess you were hacked through one of the scripts.

clanfear
9-12-04, 03:57 PM
I use ipcounter.php, I also run an ikoboard 3.1.2a forum and of course I use many php scripts for my site and a perl script for my mailing list. Could it be a badly written script?

tbonekkt
9-12-04, 04:32 PM
Could it be a badly written script?
I'd say 99% of perceived 'hacks' are due to poorly written scripts.

alphadesk
9-12-04, 09:40 PM
I'd say 99% of perceived 'hacks' are due to poorly written scripts.
And from your nick "clanfear" 90% of the clan sites I've seen use "phpnuke" ;)

clanfear
9-13-04, 06:08 AM
Thank you for your help but I think I have found the cause. It's one of my php scripts which "includes" some local files given a path parameter. The problem was that if anybody typed a URL pointing to a php script anywhere on the web, that script would be included and executed inside my own script. Now I check that the parameter does not begin with http or ftp.

I can't think of a more stupid thing to do :o Can you?

I hope I don't have any more such scripts.

stevel
9-13-04, 08:54 AM
.. or https, or...

This is just a bad thing to do. What if someone puts in a path to another script on your site that can cause damage? What sort of input is supposed to be valid for this script?

It may be that people can cause you problems by inserting PHP code in the input as well.
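
The include pattern and the prefix check discussed in the posts above, next to an allowlist lookup, as an added example that is not code from any poster in this thread. The page keys, file names, `pages` directory, and function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Pattern described in the thread: the request parameter is the include path.
//   include $_GET['page'];
// On PHP builds that permit URL includes (allow_url_fopen, and from
// PHP 5.2 allow_url_include), a URL here is fetched and run as local code.

// The fix from the thread: reject values that begin with http or ftp.
function blocklist_ok(string $page): bool
{
    return preg_match('/^(http|ftp)/i', $page) !== 1;
}

// Allowlist alternative: the parameter is only a lookup key. The file
// name comes from this server-side table, never from the request.
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'members' => 'members.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                    // unknown key: nothing is included
    }
    return $baseDir . '/' . PAGES[$key];
}

// Constructed sample inputs, including a path to another local script,
// which is the case raised in the reply above.
$samples = [
    'home',
    'http://example.invalid/x.php',
    '../forum/admin.php',
];

foreach ($samples as $s) {
    $path = resolve_page($s, __DIR__ . '/pages');
    printf(
        "%-30s prefix check: %-7s allowlist: %s\n",
        $s,
        blocklist_ok($s) ? 'pass' : 'reject',
        $path === null ? 'reject' : 'include ' . $path
    );
}
```

The relative path passes the prefix check but is rejected by the allowlist, because only the three known keys ever map to a file.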

kimr
9-14-04, 08:59 PM
Why are there so many sites hacked, and why does this happen so many times with Powweb? :cool:



My website has been hacked for the third time and I really don't know what to do any more.

extras
9-14-04, 09:11 PM
Why are there so many sites hacked, and why does this happen so many times with Powweb? :cool:
Probably because those people are "uneducated" as far as security goes,
and PowWeb is a hosting service that offers freedom to be ignorant (and cracked).
There are other hosting services that do not allow PHP, CGI.

Also, PowWeb has a very open forum where you can report things.
Many hosting services do not have that, and you would not notice problems.

Even though some people might get the wrong impression that PowWeb has lots of problems
from reading this forum, users tend to come here ONLY when they have a problem.

And people who can solve problems by themselves do not come here often, either.
So, naturally, we see people with nightmares, confusion, and a high level of frustration here.