hacked php

[Rowse]

i have a customer whose php web site has been hacked.
the index.php in a forum starts to load the page but then comes up with a black screen with Whackerz-Pakistan on it.

any got any ideas on what to look for to cure it?

 

[sleipnir214]

I think it's way too early to be looking at PHP.

First, you need to see the extent of the damage done. The hackers may not have stopped with defacing a website. They may have added or modified programs or data elsewhere on your system.

Second, you need to figure out how they got in.

Third, you need to lock down your operating system and services on this machine to stop them from getting in again.

If and only if you have done all of the above is it time to look at PHP.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[Rowse]

the server is a remote one held by a hosting company somewhere.

it's only the one page thats changing aswell.

 

[lgarner]

All of that is very true. Also, it may depend on what kind of "php web site" it is. Some of the packaged CMS's (Nukes, e107, drupal, etc.) allow for file uploads. There have been vulnerabilities in the past with some of these.

Hacker: "I'd like to upload a file called index.php to /var/

http://www/html"

Website: "Sure, no problem"

 

[Rowse]

they've been through the code on the pages but can't see anything different.

in case anyones seen it before, here's some of the message:

Whackerz-Pakistan

Massege : hAckeR{BoT} & Mianwalian Was Here

 

[Foamcow]

Was it PHPBB by any chance?
If so, what version are/were they running?

Foamcow Heavy Industries - Web design and ranting
Toccoa Games - Day of Defeat gaming community
Target Marketing Communications - Advertising, Direct Marketing and Public Relations
"I'm making time

 

[Rowse]

its phpbb but not sure of the version as there techie guy is away.

Does it just need upgrading then? or can something else be done?