XFileSharing Pro - HELP! My site got hacked!! - Page 2

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#16 Postby PowerChaos » Jul 29, 2010 4:57 am

Everything that gets executed needs to be somewhere that gets included, or to have a place to be stored before it can get executed (mostly in a file you won't expect).

You should be able to see it somewhere; maybe hard to find, but it needs to be there somewhere.

So far you say it says ok:db:site

Check where that last ok needs to come from.
Check if it gets executed from the second server or if it gets executed from the first server.

See if that missing ok gets executed from other scripts instead of api.cgi?

Try to find the exact location where it needs to be executed; try to rebuild the steps of what it does.

Is that ok generated with a template? (It has a green color, so it needs to have HTML commands.)
Is that ok generated directly from the other server?
Yes?
Then search in that file where it comes from, and probably you will see the code of that iframe instead of ok.

No? Then search your local files to see where that ok needs to come from, and search there for the iframe code (in place of the ok code).

Mostly the code will be placed before the ok command, so it executes the iframe instead of the ok command.

Basically, it can be a standalone iframe (has nothing to do with the script) or it can just replace the ok command (prevent that ok from getting executed by replacing it with his own site/text).

But I can't help more than this, as I need to see and search on my own to provide more accurate information to get it solved :S

Anyway, the file is in the place of the ok command, so it needs to be there somewhere in the same spot where the ok command comes from.

Probably, as I am reading your post over and over again, it's just before the ok command.
Try to locate the ok command and you will probably see the site too.

Hopefully this can help you fix it.

Greetings From PowerChaos
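
Added example (not part of the original thread and not XFileSharing code): a small Python scanner for the file search described in post #16. It lists every `<iframe>` tag under a web root with its line number and flags tags that are hidden or that load from a host outside the site's own. The extension list, the `own_hosts` parameter, the host names and the sample script lines are assumptions constructed for illustration.

```python
import os
import re

# Assumed list of file types to scan in a Perl/CGI web root; adjust per site.
SCAN_EXT = {".cgi", ".pl", ".pm", ".html", ".htm", ".tpl", ".js"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Captures the host of an absolute or protocol-relative src; relative paths do not match.
SRC_HOST_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>:]+)""", re.IGNORECASE)
# Zero/one-pixel dimensions or CSS hiding: typical of an injected frame.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
                       r"|display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

# Constructed sample: an iframe printed just before the expected "ok" output.
SAMPLE = '''print "Content-type: text/html\\n\\n";
print "<iframe src='http://injected.example/a' width=0 height=0></iframe>";
print "ok:db:site";
'''

def scan_text(text, own_hosts):
    """Return [(line_no, reasons, tag)] for every iframe tag in text."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag, reasons = m.group(0), []
        src = SRC_HOST_RE.search(tag)
        host = src.group(1).lower() if src else None
        if host and host not in own_hosts:
            reasons.append("external-src:" + host)
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        findings.append((text.count("\n", 0, m.start()) + 1, reasons, tag))
    return findings

def scan_tree(root, own_hosts):
    """Walk root; return {path: findings} for scanned files containing iframes."""
    own, hits = {h.lower() for h in own_hosts}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read(), own)
            except OSError:
                continue  # unreadable file, skip it
            if found:
                hits[path] = found
    return hits
```

A clean result from a file scan only covers content stored in those files; it does not rule out injection at the web-server or process level, the case raised later in the thread.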

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#17 Postby qq_bbq » Aug 01, 2010 12:28 am

I have moved the files to another server and the iframe injection has gone away.

But one of my other servers still has that iframe injection.

From this I can see that the iframe injection attached itself to this server's specific domain.

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#18 Postby PowerChaos » Aug 01, 2010 12:35 am

It's strange.

As a script needs to be in a file to be able to execute,
it is not possible to execute from an external site to include it then without finding it back.

It is possible that they got root access and that they execute it in Apache itself, or that it is a root process that executes it on the certain page,
but then you should have a lot more problems than only that iframe problem.

A last thing you can try is to update the software (update linux or rebuild and apache) and with luck the iframe gets disabled (I don't say that it is removed, but it can sometimes disable stuff that doesn't belong there ^^ )

If that fails too, then just move your files like you did with your other server.

Greetings From PowerChaos