User Support Forum Archive (Read Only)
Jamroom Help:
Website was hacked!
beazyboy



Joined: 01 May 2009
Posts: 619
Location: NastiNati

Posted: 05/15/12 12:40 
The problem is now fixed, I believe... somehow my FTP info was guessed. There was a script, a line of code, inserted into my login.php. When a visitor would check out and proceed to PayPal, my website would pop up the login page with a weird string at the end of it. Google's Chrome browser detected the page as malware, and that was the only thing that even made me aware of it. All passwords are now changed and I'm pretty sure I removed the problem. But still I feel vulnerable... should I?


_________________
ServeMeBeats.com
Buy beats for sale online!
Ken Rich



Joined: 01 Apr 2011
Posts: 219
Location: Canada

Posted: 05/16/12 07:37 

beazyboy:
The problem is now fixed, I believe... somehow my FTP info was guessed. There was a script, a line of code, inserted into my login.php. When a visitor would check out and proceed to PayPal, my website would pop up the login page with a weird string at the end of it. Google's Chrome browser detected the page as malware, and that was the only thing that even made me aware of it. All passwords are now changed and I'm pretty sure I removed the problem. But still I feel vulnerable... should I?


My site was hacked too. What happened to my response? Who deleted it and why?


_________________
Ken
iLoveHouseMusic



Joined: 21 Apr 2009
Posts: 1482
Location: San Francisco CA

Posted: 05/16/12 14:57 

beazyboy:
The problem is now fixed, I believe... somehow my FTP info was guessed. There was a script, a line of code, inserted into my login.php. When a visitor would check out and proceed to PayPal, my website would pop up the login page with a weird string at the end of it. Google's Chrome browser detected the page as malware, and that was the only thing that even made me aware of it. All passwords are now changed and I'm pretty sure I removed the problem. But still I feel vulnerable... should I?


What version of JR are you guys running? I had a similar intrusion. It was based on this vulnerability:

XSS Cross site scripting vulnerability in actions posting..
http://www.jamroom.net/index.php?m=td_tracker&o=view&id=1907

It took me a few days to track it down, not knowing what I was looking for. But the initial symptom is that my cluster was being blocked by Google's default malware notice.

My login.php file was appended with a reference to a CSS file. This CSS file was added to the root of my dir, and within the file there was a reference to an external URL/PHP script. Also my htaccess was fubarred royale.

This was my initial finding of "something wrong"
http://www.jamroom.net/phpBB2/viewtopic.php?t=40391&highlight=

This is when I finally realized what was going on:
http://www.jamroom.net/phpBB2/viewtopic.php?t=40024&highlight=

This is one of the reasons I put this thread into the suggestions list:
http://www.jamroom.net/phpBB2/viewtopic.php?t=39836

Hope this helps!

Ken Rich



Joined: 01 Apr 2011
Posts: 219
Location: Canada

Posted: 05/16/12 18:28 

iLoveHouseMusic:
What version of JR are you guys running? I had a similar intrusion. It was based on this vulnerability:


I am running the latest version. They got in and ran a phishing campaign through our mailer.

That was cleaned up, but later I found a "back-door" and another phishing campaign.

I can see them in the logs trying to run their missing files every day. Seems to be automated.

Can anyone tell me if the Config folder is supposed to have a file named V6 and another named D0?


_________________
Ken
Douglas
Jamroom Team


Joined: 08 Oct 2004
Posts: 6639
Location: Tornado Alley!

Posted: 05/17/12 07:12 

Ken Rich:

Can anyone tell me if the Config folder is supposed to have a file named V6 and another named D0?


These are not Jamroom files.

Hope this helps,
Douglas


_________________
Douglas Hackney
Jamroom Network Team Member: http://www.jamroom.net
Priority Support: http://www.jamroom.net/Support_Center
Ken Rich



Joined: 01 Apr 2011
Posts: 219
Location: Canada

Posted: 05/17/12 07:28 

SixString:

Ken Rich:

Can anyone tell me if the Config folder is supposed to have a file named V6 and another named D0?


These are not Jamroom files.

Hope this helps,
Douglas


Thanks Douglas - I deleted them but wasn't sure if they should go back. Now I know - awesome.


_________________
Ken
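
The symptoms reported in this thread (a modified login.php, an altered .htaccess, a CSS file dropped in the web root, and unknown files V6 and D0 in the config folder) are the kind of change that a comparison against a clean copy of the release brings out. The following is an added example, not code from the thread or from Jamroom; the directory layout, `extra.css`, `config/settings.cfg.php` and all file contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*"))
        if p.is_file()
    }


def compare_trees(clean_root, live_root):
    """Return files modified, added or missing relative to the clean copy."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def build_sample(base):
    """Constructed sample trees mirroring the symptoms reported in the thread."""
    clean, live = Path(base, "clean"), Path(base, "live")
    files = {"login.php": "<?php /* login */ ?>\n",
             ".htaccess": "Options -Indexes\n",
             "config/settings.cfg.php": "<?php /* settings */ ?>\n"}
    for root in (clean, live):
        for name, body in files.items():
            path = root / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Simulated tampering: appended line, dropped stylesheet, stray config files.
    with open(live / "login.php", "a") as fh:
        fh.write("<!-- constructed: appended stylesheet reference -->\n")
    (live / "extra.css").write_text("/* constructed placeholder */\n")
    (live / "config" / "V6").write_text("constructed\n")
    (live / "config" / "D0").write_text("constructed\n")
    (live / ".htaccess").write_text("# constructed: rewritten rules\n")
    return clean, live


def demo():
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample(base))
```

On a real site, call `compare_trees()` with a freshly unpacked copy of the same release as the first argument and the live web root as the second; uploaded media and local configuration will appear under "added" and need to be reviewed by hand.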
©2003 - 2010 Talldude Networks, LLC.