Jamit Software Forum
Topic: Help my website is hacked and redirecting to ya.ru (Read 30190 times)

Banenpak (Global Moderator)
« on: August 11, 2010, 03:15:44 pm »

Hello Everyone,

I need your help.

My Job Board website is hacked and is redirecting (sometimes, not always) to a Russian search engine: http://ya.ru/
The hacker from Russia (Kiev) logged in through the Employers account. After that the site was taken over.

( On Google they say that it's a JavaScript redirect?? ) 

Does someone have the same experience?
Does it mean that there is a leak in our software?
What can we do about this? How can I fix this?

I hope to hear from you.

Thanks!

Greetings,
John de Vries
fujipadam (Jammers)
« Reply #1 on: August 11, 2010, 05:54:22 pm »

That's not good - I am not sure how this happened, but have a look at your index.php file - usually JavaScript redirects are based on JavaScript code in the index file. If you remove that, the redirect will be removed. But that doesn't prevent it from happening again.

Also check with your hosting provider to see if the server was hacked instead of the script. What version of jamit are you using?

Anyone else know where the security hole is?

Best of luck to you!

Fuji
« Last Edit: August 11, 2010, 06:03:43 pm by fujipadam »
Banenpak (Global Moderator)
« Reply #2 on: August 12, 2010, 06:30:39 am »

Hi Fujipadam,

Thanks for the reply, for your help and for your advice!

I followed your advice and looked at the index.php file, but I can't find any JavaScript code to remove.
What I saw in the source code of the website is some strange large code after </body></html> (a large block of code (with numbers and letters and so on) that doesn't belong there). I don't know how to remove that!

Another thing that concerns me is that they (hackers) could have installed backdoors etc. to allow them through again! (When I fix it, I run the risk that in the blink of an eye the problems start over again.)
 
I also looked at my login at my hosting provider. It seems normal.

For your information:

- I use v3.5.6 (I am testing v3.6.4 at this moment in a separate folder)
- I am testing v3.6.4 because the template of Vince is not ready for v3.6.4. Vince is working on it, so I have to wait for it.
- I blocked every IP address from Russia. (I don't know how they got access to my website??)

I also sent Adam an email about this issue, so that he can look at this problem too.
I guess there is a leak in the software.

We must not forget: what happened to me can happen to every one of us.
So we must help each other to "kill" this problem once and for all.

Anyone else with ideas to fix this problem?

Thanks!

Greetings,

John de Vries
lee (Jammers)
« Reply #3 on: August 12, 2010, 10:47:27 am »

Hi John, export your database from phpMyAdmin and then do a fresh install of Jamit, then reinstall your database. It should only take 30 mins; see if that sorts the problem. Also run Traffic Cop, because it will block the yandex.ru search engine robots (95.108.217.252 yandex.ru) from crawling your site. There's no need to let these in unless you have a Russian market. Get back to us with the results.

Best regards, lee
Banenpak (Global Moderator)
« Reply #4 on: August 12, 2010, 12:40:15 pm »

Hi Guys,

Everybody, thanks for your help and for your advice so far!

Half an hour ago I put a (clean) copy of the index.php back on the server. And guess what? The threat is gone.
There is no more redirecting to ya.ru!

But what still concerns me is that they (hackers) could have installed backdoors etc. to allow them through our websites again.
In the way I described above (through the Employers panel ---> they get into the site, and it starts over again).
Traffic Cop etc. can't stop this. (I blocked all the IP addresses from Russia.)
Perhaps they use another computer for it. A computer outside Russia.

There must be a solution for this.

John de Vries
Banenpak (Global Moderator)
« Reply #5 on: August 12, 2010, 01:04:14 pm »

Hi Guys,

This is what Adam says about the threat:

If your index.php file was modified, then it means that the hacker either has your FTP details or has privileged access to the machine which your site is hosted on. Please also check your computer for malware (e.g. key logger or Trojan) and make sure to always access your site only from a trusted network and a secure connection.
 
Usually these hacks are not made by humans - they are 'worms' which are made to spread automatically. What happens is you first visit an infected website, then the infected website exploits your software, e.g. a security flaw in your web browser, Flash, Acrobat, etc. Once installed on your system, the worm can capture your FTP details and then upload itself to your site. Once on your site, it can spread to other users by exploiting the same flaw.
All known security vulnerabilities in Jamit have been patched. Please also try the Security Tools plugin from http://market.jamit.com/ - the latest version updates the scan engine. I use the Security Tools plugin on my sites and scan daily.


After reading Adam's reply:
I'll restore all the PHP files, change my FTP login code, scan my computer (again), and I shall use the Security Tool (again).

I hope it will help.

Thanks Guys for helping me!

Cheers,

John de Vries


 
fujipadam (Jammers)
« Reply #6 on: August 12, 2010, 08:32:24 pm »

Hope this works out for you! Cheers!
lee (Jammers)
« Reply #7 on: August 12, 2010, 09:04:21 pm »

3 good free security programs to use together; using all 3 won't conflict with each other either:

http://www.trades4all.com/forum/phpBB3/viewtopic.php?f=35&t=30
Imran (Global Moderator)
« Reply #8 on: August 13, 2010, 09:26:45 am »

Sorry for late reply, I was not in the forum.

Your site is infected; it is done via open writable files. Check your file and directory permissions, and also each and every index.html/.php file, and remove any of the code that is infected. Remember, if you open the file directly it might infect your system as well, hence make sure you delete these files and replace them with original un-infected files, and also tighten your file and directory permissions.
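An added example, not code from this thread or from Jamit: a small Python scanner for the two checks this reply recommends, world-writable files and directories, and index.php/index.html files carrying injected content such as the blob after </body></html> that John described. The sample pages and the baseline hashes (taken from a clean backup copy) are constructed for the example.

```python
import hashlib
import os
import re
import stat

# Constructed sample pages (not from the thread): a clean index.php, and the same file
# with an opaque blob appended after </body></html>, as the poster described.
CLEAN_INDEX = "<?php require 'config.php'; ?>\n<html><body>Job board</body></html>\n"
INFECTED_INDEX = CLEAN_INDEX + "<script>" + "d0cf11e0a1b11ae1" * 8 + "</script>\n"
CLEAN_HASH = hashlib.sha256(CLEAN_INDEX.encode()).hexdigest()
# Long runs of hex/base64-style characters: the "numbers and letters" that do not belong.
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/%=]{80,}")

def content_after_html(text):
    """Whatever follows the last </html> (stripped); '' when the page ends cleanly."""
    idx = text.lower().rfind("</html>")
    return "" if idx < 0 else text[idx + len("</html>"):].strip()

def check_text(text, known_good_hash=None):
    """Heuristic signs of the injection in this thread; returns a list of findings."""
    findings = []
    if known_good_hash and hashlib.sha256(text.encode()).hexdigest() != known_good_hash:
        findings.append("differs from clean backup")
    if content_after_html(text):  # a legitimate footer after </html> flags too: review it
        findings.append("content after </html>")
    if OPAQUE_BLOB.search(text):
        findings.append("long opaque blob")
    return findings

def check_file(path, known_good_hash=None):
    """check_text on a file, plus the permission check from the reply (world-writable)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = check_text(fh.read(), known_good_hash)
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def scan_webroot(root, baseline):
    """Walk root checking every index.php/index.html; baseline maps relative path ->
    sha256 of the clean backup copy. Returns {relative path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            report[os.path.relpath(dirpath, root)] = ["world-writable directory"]
        for name in files:
            if name.lower() in ("index.php", "index.html"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings = check_file(os.path.join(dirpath, name), baseline.get(rel))
                if findings:
                    report[rel] = findings
    return report
```

Run `scan_webroot("/path/to/webroot", baseline)` from a clean machine against a copy of the site; replace flagged files from the backup rather than editing them in place.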
Banenpak (Global Moderator)
« Reply #9 on: August 13, 2010, 02:30:08 pm »

Hi Guys,

Thanks for all your replies! Thanks Guys!

I followed what Adam says about the threat.

So what did I do?

1. Changed my FTP codes.
2. Restored all of my PHP files from a backup. (The redirect to a Russian search engine, http://ya.ru/, is gone.)
3. Scanned my complete computer (Kaspersky Anti-Virus 2010).
4. Used the Security Tool in the admin menu (saw nothing strange).
5. Checked all the blocked IP addresses from Russia, Ukraine etc.

So I thought that it was over.

But guess what?
The hacker (worm) is back!
15 minutes ago he struck again.

Look at the picture I made of it: http://www.banenpakhuis.nl/worm.jpg
(and look at the IP address)
Guys, the worm (hacker or whatever it is) uses the Employers Panel to strike again.

No virus defender can stop this. This is something else.

I reported this also to Adam.

We have to wait for a solution.

Greetings,

John de Vries

Amjad (Global Moderator)
« Reply #10 on: August 13, 2010, 06:08:25 pm »

Hi John,
Sorry to hear that your site is infected; surely it's very painful for you.

I advise you to do the following steps:

1- Back up your DB on your local computer
2- Reset your hosting account (ask your hosting company to do that)
3- Install a fresh JJB (use the 3.5.7 version)

Regards,
Amjad
steve (Jammers)
« Reply #11 on: August 13, 2010, 07:16:40 pm »

I had something similar happen to me that affected/infected all my websites. Here is a tip that will help you. When you change your passwords to your websites including FTP etc. Always do it from a different computer. Then, clean up your computer and make sure it is clean before you login to your websites from your usual computer.
lee (Jammers)
« Reply #12 on: August 13, 2010, 11:45:28 pm »

I had something similar happen to me that affected/infected all my websites. Here is a tip that will help you. When you change your passwords to your websites including FTP etc. Always do it from a different computer. Then, clean up your computer and make sure it is clean before you login to your websites from your usual computer.

That's good advice Steve. If possible, format your PC and reload your operating system from scratch; then you know your PC is clean, because it still sounds as if you still have a virus somewhere.

Good luck John
Banenpak (Global Moderator)
« Reply #13 on: August 14, 2010, 10:07:05 am »

Hi Guys,
Lee, Steve and Amjad, thanks for your replies on this issue!

I followed your instructions. My computer is clean (Kaspersky did a deep scan and found nothing), and I changed the FTP login codes. My hosting company gave me new FTP codes through a protected connection. I activated them through that protected connection.

It's logical to think that it is a normal computer virus. But I think that we must look in another direction.

The hacker (worm) registers itself through the Employer Panel.
After the registration, the hacker (worm) is a legal "Employer", with a legal Member ID and a legal password
(sent automatically by e-mail from my e-mail account: the confirmation email).

Once inside, he changes his configuration from a "legal Employer" to something that puts shit on my server.
(The question is: how does he do that?? That's something for Adam, I guess.)

You can't stop this through a virus scan or something like that, because he registers itself as a legal Employer.
(At the moment of registering, he is not a threat. But after the registration, he becomes a threat.)

The only thing to stop this is to locate the IP address. I located it; it's in the Ukraine.
I blocked IP addresses from different countries. For example: the IPs from Russia, Ukraine etc.
I blocked them through the .htaccess (file).

I figured out that there was a hole in the list of the blocked IP addresses.
If there is a hole in the list, then the IP addresses are no longer blocked.
And (I guess) that's the way he (the hacker, worm) could register himself.
So, the .htaccess (file) does not work safely enough.

So, I would like to use the Traffic Filter Plugin.

Question:
Can someone send me a photo of the configured Traffic Filter Plugin, so that I can see (as a starting point for configuring the plugin)
what the best way is to configure this plugin (blocking IP addresses, redirect URLs etc. etc.)?

Will someone help me with this, so that I can block those guys from Russia, Ukraine etc.?
Thanks! I would appreciate that very much!

Jamit – on!

Greetings,
John de Vries
fujipadam (Jammers)
« Reply #14 on: August 14, 2010, 04:36:40 pm »

John - it's disturbing that after all this cleaning, you are still facing the threat. I agree IP address blocking might be a short term solution, but how long will that last? He can use a proxy the next time and make it look like he is coming from another country. Based on your experience it does look like a legitimate script vulnerability, especially since he is logging in as an employer (if all he had was the passwords, he doesn't need to create an account).

Is Adam looking into this? What is his opinion after repeated attacks?

Fuji