WebmasterSite.net: PHP scripts to enable your creativity

Server Hacked

Version: 2.3.3


Paul Grego
Member

Usergroup: Customer
Joined: Jan 20, 2006
Total Topics: 10
Total Posts: 25
Posted 07/20/06 - 03:54 AM:
#1
Hi,

My site is on a shared server and there was a server wide hack by someone that I would like to kill.
The hack has left my gallery in a bit of a state, but everything is still there in place on the server. I think all it would take is to install the gallery again, but I'm unsure what to install/overwrite because I don't want to lose any of the pics etc. Some of the things that have gone wrong: on every page I now see this instead of the title: WSN Support, and on the admin side I can still see the menu on the left but in the main frame I'm just getting a message from the person who hacked. Also on the admin side in the Language Misc/All I get this:
{LANG_HACKED BY AL-W7SH-ALKASER \\ N-N5@HOTMAIL.COM} I've tried deleting it but it will not go.

It also affected my WSN Guestbook, everything is still in place on the server but I can't access the control panel, what to install and overwrite?

Any help would be appreciated, thanks,

Paul

Edited by Paul Grego on 07/20/06 - 06:38 PM
Paul Grego
Member

Usergroup: Customer
Joined: Jan 20, 2006
Total Topics: 10
Total Posts: 25
Posted 07/21/06 - 09:10 AM:
#2
Ok I have installed the latest version of the gallery 2.3.6 in the hope it would overwrite the old one and with it anything that was affected by the hack.

Nothing has improved though:
On the admin side, drop-down menus are not giving me the choice of 'Yes or No'.
It is just blank.

In the Customizations>language>Misc./All
I am getting this which will not delete:

Hacked By Al-w7sh-Alkaser \\\ n-n5@hotmail.com:
{LANG_HACKED BY AL-W7SH-ALKASER \\ N-N5@HOTMAIL.COM}
[Delete]

it appears above this:

charset:
utf-8
[Delete]

email_emaillinkbody:
{FROMEMAIL} (IP address {SENDERIP}) has emailed this topic to you: {TOPICTITLE}: http://www.webmastersite.net/forums/comments.php?id={TOPICID} {TOPICDESCRIPTION} {CUSTOMTEXT}
[Delete]


The pagination on the site itself is still not right. The index page is known
as WSN Support where other pages link to it so it looks something like:
WSN Support | Page One | Page Two

WSN Support appears at the very top of the browser on every page where
'Gallery - Page One' used to be.



Can someone please help? Everything is still there in place, and the appearance
and style of the site, which also was affected, is not right (I can fix that myself). I am sure there is probably a simple fix, I just don't know what.

Thanks

Paul

Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6175
Posted 07/22/06 - 12:14 AM:
#3
It's language which they modified, which means the file(s) in your /languages/ directory. On upgrades your old language is normally retained, so you'll need to overwrite it with the file from /languages/setup/. You'll have to redo your language customizations after this of course, if you had any.

You should scan any 777 directories such as /attachments/ for suspicious files such as php files which the hacker could use to keep control, though the nature of the defacement looks more like a kid who wouldn't bother.

"It also affected my WSN Guestbook, everything is still in place on the server but I can't access the control panel, what to install and overwrite?"

WSN Guest was written many years ago and had the language in the database, unfortunately this means it's harder to fix. You could replace the wsnguest_language table in phpmyadmin with one from a new install. You might also need to overwrite any templates which had been chmoded to be writeable such that the hacker may have changed them.

Also, to avoid the dangers of shared hosting you can get a virtual private server pretty cheap from Tektonic (I previously used them though I've since moved to Liquid Web for faster speed and better support).

Edited by Paul on 07/22/06 - 12:27 AM
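
The scan suggested in the reply above, written out as an added example that is not part of the original thread or of WSN's own code: it lists files under world-writable (e.g. 777) directories that have a PHP extension or that contain a PHP opening tag under some other extension. The function names and the extension list are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find files that could run as PHP
# inside world-writable directories of a site. The extension list is an
# assumption; match it to what the web server actually hands to PHP.

# Print every world-writable directory (o+w, e.g. mode 777) under $1.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print "reason<TAB>path" for each file under directory $1 that either has
# a PHP extension ("ext") or carries a PHP opening tag under some other
# extension, such as a script uploaded as an image ("tag").
suspicious_files_in() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(printf '%s' "$f" | tr 'A-Z' 'a-z')" in
            *.php|*.php[3-7]|*.phtml|*.phar)
                printf 'ext\t%s\n' "$f" ;;
            *)
                if grep -qaiF '<?php' "$f" 2>/dev/null; then
                    printf 'tag\t%s\n' "$f"
                fi ;;
        esac
    done
}

# Scan a whole site root; sort -u drops repeats from nested 777 directories.
scan_site() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        suspicious_files_in "$d"
    done | sort -u
}

# Usage: ./scan.sh /path/to/site   (review each hit before deleting anything)
if [ "$#" -ge 1 ]; then
    scan_site "$1"
fi
```

Directories that legitimately hold PHP and are also world-writable will show up as "ext" hits, so compare those files against a clean copy of the release before removing them.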

"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat
Paul Grego
Member

Usergroup: Customer
Joined: Jan 20, 2006
Total Topics: 10
Total Posts: 25
Posted 07/22/06 - 12:21 PM:
#4
Hi Paul,

That worked for the most part, although the hack still shows or is still working when I click on the 'Options' and the 'PM' link on the gallery's members side.
Also, when I try to edit 'image details' I get a 406 error. All the others I have tried to edit so far have been successful; it's just the image details one.



Thanks for the tip and links regarding virtual private servers, I will definitely check them out.
Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6175
Posted 07/23/06 - 06:38 AM:
#5
Those don't sound like language issues, so check that the related templates are okay and that the php files are okay.

Looking up 406 errors doesn't suggest anything but that such errors should never show in a browser: http://www.checkupdown.com/status/E406.html

"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat
© 2008 Paul Knierim. All rights reserved.