19.02.2005, 18:55   #1
aly
Senior Mamber

Join Date: Jun 2004
Posts: 176
Site is down and inaccessible. Log info included?? Help?

My 4.5 1.0.9 site is inaccessible (shows site offline page) and I am unable to log in to admin. When I attempt to do so I get the following error messages:

Code:
Warning: database(configuration.php): failed to open stream: No such file or directory in /home/reality/public_html/classes/database.php on line 75

Warning: database(configuration.php): failed to open stream: No such file or directory in /home/reality/public_html/classes/database.php on line 75

Warning: database(): Failed opening 'configuration.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/reality/public_html/classes/database.php on line 75

Warning: database(offline.php): failed to open stream: No such file or directory in /home/reality/public_html/classes/database.php on line 76

Warning: database(offline.php): failed to open stream: No such file or directory in /home/reality/public_html/classes/database.php on line 76

Warning: database(): Failed opening 'offline.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/reality/public_html/classes/database.php on line 76
In my latest visitors I find the following entry:

Code:
Host: 62.226.255.86
		
408
	Http Code: "-" 	Date: Feb 18 23:43:24 	Http Version: - 	Size in Bytes: "-"
	Referer:
	Agent:
		
/\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
	Http Code: 352 	Date: Feb 19 05:15:17 	Http Version: 414 	Size in Bytes: "-"
	Referer: -
	Agent:
		
/_vti_bin/_vti_aut/fp30reg.dll
	Http Code: 403 	Date: Feb 19 05:17:07 	Http Version: HTTP/1.1 	Size in Bytes: -
	Referer: -
	Agent: -
WHAT IS THIS??????

WHOIS INFO SHOWS:

inetnum: 62.225.192.0 - 62.227.255.254
netname: DTAG-DIAL12
descr: Deutsche Telekom AG
country: DE
admin-c: DTIP
tech-c: DTST
status: ASSIGNED PA
remarks: ******************************************************************
remarks: * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam, *
remarks: * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks: ******************************************************************
remarks: size decremented -1 because otherwise RIPE SW is choking
remarks: correct end-address is 62.227.255.255 (lbo)
mnt-by: DTAG-NIC
changed: ripe.dtip@telekom.de 20000512
changed: ripe.dtip@telekom.de 20030211
changed: ripe.dtip@telekom.de 20030910
changed: ripe.dtip@telekom.de 20040709
changed: ripe.dtip@telekom.de 20040907
source: RIPE

route: 62.224.0.0/14
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
changed: bp@nic.dtag.de 20000516
source: RIPE
changed: rv@TE142.T-COM.XX 20040615

Last edited by aly; 19.02.2005 at 21:00.
19.02.2005, 19:16   #2
aly
Senior Mamber

Join Date: Jun 2004
Posts: 176
Re: Hacked?!!

I should add that just before I discovered the site "offline" I received an email notification that a new user had registered on my site. I have no idea who they are or why they registered .... it's a hotmail account, therefore I was suspicious. Would that log-in have any bearing?

And HOW DO I LOG BACK IN TO MY ADMIN to resolve this stuff???
24.02.2005, 09:27   #3
aly
Senior Mamber

Join Date: Jun 2004
Posts: 176
Re: Hacked?!!

Well I managed to get my site back up by creating a new sql admin and updating my config. I then upgraded to 4.5.1 and got my site back in order. Tonight I've been officially HACKED ... with a hideous page titled: Hacked By UpXiLon!!

Fortunately it's only one of my sites, and not a client site. I'm going to (hopefully) upgrade to 4.5.2 now and pray that this goes away. I have no clue what's going on here. The site in question is not even a public site. Are they going out looking for Mambo sites?
15.03.2005, 11:28   #4
argie01
Mamber

Join Date: Apr 2004
Posts: 94
Re: Hacked?!!

Hi,

try to find the pattern

\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H

in the Snort rules (www.snort.org).
So, you'll know which vulnerability the hacker had used. But I think the problem is not Mambo, but the server...
04.04.2005, 04:34   #5
AnOddName
Baby Mamber

Join Date: Aug 2004
Posts: 10
Re: Hacked?!!

With as many exploits that are available, I think it's a matter of 'WHEN' we will be hacked. I'm guessing you have a pretty high profile site? I had a site on my server that was 100% up to date. The server was using all the latest PHP installation, the latest Mambo, etc, and it still got hacked. Just something that's going to happen, the hackers seem to be one step ahead of the code developers. Just download routine backups...
04.04.2005, 05:12   #6
aly
Senior Mamber

Join Date: Jun 2004
Posts: 176
Re: Hacked?!!

Actually my site is not at all high profile, so it was a shock to me. It's just a quiet business site. But I'm sure now I'm on some list somewhere, and it has now happened multiple times. The most recent homepage defacement forced me to reinstall Mambo and move the database. I did, of course, change the password.

I was updated, or so I thought. But I guess you're right .... it's a matter of "when"

Sigh.
04.04.2005, 05:19   #7
pepiux
Baby Mamber

Join Date: Apr 2005
Posts: 1
Re: Hacked?!!

It seems to be an Apache vulnerability (that's what I get from a Google search), so that's why sometimes it doesn't matter if you are "php" or "mambo" up to date... if your host admin doesn't update the Apache or kernel or anything else's vulnerability patches...

I love GNU software, like Mambo, but there are many other holes hackers know (and don't share) because they can see the core code...
07.04.2005, 17:32   #8
gwillem
Guest

Posts: n/a
Re: Hacked?!!

Aly, please find out with your hosting provider whether multiple sites were defaced. If so --> it's their problem and you should demand additional security measures! If not --> then it's most likely a flaw of Mambo or another web application that you are running on your account.

In the latter case, please share the complete raw access logs (ask your webhost) with us, so additional analysis is possible on the exploit. Everyone is helped if we detect and fix vulnerabilities at the earliest occasion.

Thanks
Willem
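
Added example (not part of any post in this thread): a small triage pass over raw access logs of the kind Willem asks for, flagging the request shapes aly quoted in the first post. The log lines are constructed, with documentation-range client addresses; reading the shifted "latest visitors" columns as status 414 with size 352, and as status 408 with no request, is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format. Client addresses are
# documentation-range placeholders; request strings and status codes mirror
# the "latest visitors" entries quoted in the first post (assumed reading).
SAMPLE_LOG = r'''
198.51.100.7 - - [18/Feb/2005:23:43:24 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [19/Feb/2005:05:15:17 +0000] "GET /\x90\x04H\x04H\x04H\x04H\x04H\x04H" 414 352 "-" "-"
198.51.100.7 - - [19/Feb/2005:05:17:07 +0000] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 403 - "-" "-"
192.0.2.10 - - [19/Feb/2005:18:40:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')  # how Apache logs raw bytes


def tag_request(request, status):
    """Return the reasons a request looks like a probe (empty list if none)."""
    tags = []
    if len(HEX_ESCAPE.findall(request)) >= 4:
        tags.append("binary-in-request")          # escaped non-printable bytes
    if "/_vti_bin/" in request.lower():
        tags.append("frontpage-extension-probe")  # FrontPage path on a PHP host
    if request == "-" and status == 408:
        tags.append("no-request-timeout")         # connected, sent nothing
    if status == 414:
        tags.append("uri-too-long")
    return tags


def triage(log_text):
    """Group flagged requests by client: {ip: [(time, status, tags), ...]}."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        ip, when, request = m.group(1, 2, 3)
        status = int(m.group(4))
        tags = tag_request(request, status)
        if tags:
            flagged[ip].append((when, status, tags))
    return dict(flagged)


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        for when, status, tags in hits:
            print(ip, when, status, ", ".join(tags))
```

Requests flagged here never touch a PHP script, which helps separate server-level probing from requests aimed at the Mambo application itself.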
 
 
