Zikula: A Flexible Open Source Content Management System

Dizkus

Spykids
  • Posted: 18.08.2005, 18:47
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    Yes, that will prevent further exploit of the xmlrpc vulnerability. What keeps them from using the backdoor they hid deep in a folder buried in your cache or languages? It's a huge risk to patch and move on - you really need to wipe your account clean and start over (but you can keep your data - so your content is pretty safe).

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
  • Posted: 23.08.2005, 11:12
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    Oh this sucks so badly. My ftp program doesn't allow me to delete directories with files in them so I essentially have to go through every single directory and remove the files first, then remove the directory. And if there are sub-directories I have to do the same thing within each of those. There has GOT to be a better way!!!!

    I've backed up my database information. I have one highly customized module, and one custom template through AutoTheme. I suppose I'm just going to have to grin and bear it, eh? Yikes. Never could get it even partially fixed without having to resort to this...

    ~Laura
  • Posted: 23.08.2005, 13:28
     
    paulrockliffe
    rank:
    Helper
    registered:
     July 2005
    Status:
    offline
    last visit:
    03.10.08
    Posts:
    107
    There is a better way, tell your host to wipe your account so you can start again, that way they do all the work for you.

    --
    www.mancuniathletes.co.uk
  • Posted: 23.08.2005, 19:05
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    The problem is that the hackers can leave backdoor tools somewhere in your files and folders. To easily remove all the files, get a free ssh client like putty and use it to connect to your domain (that's how I do it with dreamhost). Once you connect change directories (cd) to the one for your domain, and then you can delete all your files with one command:

    rm -rf *

    IMPORTANT
    Keep in mind, this will delete all files and folders without confirmation or warning. After a few seconds, they are all gone. It beats going through each directory with FTP. This way you don't have to wait for the technicians to do it.

    You can back up your theme and module, but there is some risk that there's a file in there they've planted to allow easy "backdoor" access. If it happens that they placed their files in some folder you keep, they can come back. It's a risk. If you have backups of those files locally, you're all set, with no risk.

    Just think of this as a great opportunity to upgrade to .760. ;)

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
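Editor's added example, not code from the post above or from the PostNuke project: a small POSIX shell function that does the wipe the post describes, with two safeguards a practitioner would want. `rm -rf *` does not match names that begin with a dot (for example `.htaccess` or a hidden directory), so a leftover file in such a place survives it; this version removes dot-prefixed entries too, refuses to run unless a non-empty backup archive exists, and records the list of removed paths beside the backup for later review. Web root and backup paths are placeholders for whatever your host uses.

```shell
#!/bin/sh
# Added example (not from the forum post): wipe a hosting web root the way the
# post describes, but including dot-prefixed entries that `rm -rf *` skips, and
# only after confirming that a non-empty backup archive is present.
#
# usage: wipe_webroot /path/to/webroot /path/to/backup.tar.gz   (placeholder paths)

wipe_webroot() {
    webroot=$1
    backup=$2

    # Refuse empty, root and home-directory targets outright.
    case "$webroot" in
        ""|/|"$HOME") echo "refusing to wipe '$webroot'" >&2; return 1 ;;
    esac
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }

    # Require a non-empty backup before touching anything.
    [ -s "$backup" ] || { echo "backup missing or empty: $backup" >&2; return 1; }

    # Keep a list of what is about to be removed (hidden entries included) next
    # to the backup, so the paths can be reviewed later without the files.
    find "$webroot" -mindepth 1 -print > "$backup.removed.txt"

    # Remove every top-level entry, dot-prefixed ones included, recursively.
    find "$webroot" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Number of entries (files and directories) left below a directory.
remaining_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}
```

Run it as `wipe_webroot "$HOME/example.com" "$HOME/backups/site-before-wipe.tar.gz"` once the backup has been taken; `remaining_entries "$HOME/example.com"` afterwards should report 0. The listing file is a cheap record of which paths existed at wipe time, which is useful if a hidden file later turns out to matter.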
  • Posted: 23.08.2005, 20:46
     
    bmcrea
    rank:
    Freshman
    registered:
     August 2002
    Status:
    offline
    last visit:
    23.08.05
    Posts:
    19

    Quote


    There is a better way, tell your host to wipe your account so you can start again, that way they do all the work for you.


    I agree this is the best way, at least all the data is still there. My site is now running again, and everything is upgraded.

    --
    ----------------
    What now!
  • Posted: 23.08.2005, 23:22
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    Hi Frank,
    Thanks for the info on how to wipe out the files using Telnet. I've done this and am in the midst of uploading .76 now. I am nervous about getting everything re-configured, especially with my custom module. I did look through all the files in the directories I saved and couldn't find anything that looked at all suspicious so I'm hopeful it's all going to be all right.

    How is it that such a seemingly minor hack can cause so many headaches? And do these hackers do it just to see people get frustrated and squirm? That's just sad and pitiful! They need to get a life!

    ~Laura
  • Posted: 23.08.2005, 23:30
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    The hack is kind of a standard exploit - it lets them in, and allows them to plunk down some code that does bad things. The part that gets a lot of people is that they leave things behind. People patch the hole, but they don't realize that the hackers built a new (back)door while they were inside. They can use that backdoor to come in anytime and do more damage, as they please. That's why it's so important to clean house after there's an intruder in your account.

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
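Editor's added example, not code from the post above or from the PostNuke project: a first-pass scan of a module or theme directory you intend to restore after a wipe, for the kind of leftover file the post warns about. It flags PHP that evaluates decoded data or spawns commands, PHP tags inside files that should be static (images, text), and dot-prefixed `.php` files that most FTP listings hide. A hit is a reason to open the file and read it, not proof of compromise, and a clean result does not prove the opposite; the fixture directory the block builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum post): scan a directory that is about to be
# restored for constructs a hand-written PostNuke module or theme rarely needs.

scan_restore_candidate() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    {
        # 1. PHP that evaluates decoded data or runs external commands.
        grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|(shell_exec|passthru|proc_open|popen)[[:space:]]*\(' "$dir" 2>/dev/null
        # 2. PHP tags inside files that should contain only static data.
        find "$dir" -type f \( -name '*.gif' -o -name '*.jpg' -o -name '*.png' -o -name '*.txt' \) \
            -exec grep -l '<?php' {} + 2>/dev/null
        # 3. Dot-prefixed PHP files, which stay out of sight in most FTP listings.
        find "$dir" -type f -name '.*.php'
    } | sort -u
}

# Build a constructed fixture: one ordinary module file, one hidden file with a
# decode-and-eval construct (a placeholder, not a working payload), and an image
# with a PHP tag in it. Prints the fixture directory's path.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/pnincludes" "$d/pnimages"
    printf '<?php\nfunction lola_user_main() { return pnRender::getInstance("LOLA")->fetch("lola_user_main.htm"); }\n' > "$d/pnuser.php"
    printf '<?php eval(base64_decode(PLACEHOLDER)); ?>\n' > "$d/pnincludes/.helper.php"
    printf 'GIF89a<?php PLACEHOLDER ?>\n' > "$d/pnimages/logo.gif"
    echo "$d"
}
```

Point it at the candidate directory, for example `scan_restore_candidate ./modules/LOLA`; on the constructed fixture it reports the hidden file and the image, and leaves `pnuser.php` alone. Pair it with a diff against a copy you know predates the break-in where one exists: unexpected additions show up far more reliably than pattern matching does.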
  • Posted: 23.08.2005, 23:47
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    Ok, I redid EVERYTHING! Wiped out my entire domain, uploaded .76, ran install program. Everything went all right until the whole database connection. I modified the config file and uploaded that without any problem. That allowed me to kind of view my site, although my custom module wasn't loading so it wasn't really fully loading the page. I uploaded my custom module (which I went through with a fine-toothed comb looking for suspicious files and found NOTHING odd). Now Spykids owns me again! What the f***!!!

    I swear I'm about to cry from frustration.

    ~Laura
  • Posted: 23.08.2005, 23:51
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    How fast did they hit you?

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
  • Posted: 24.08.2005, 00:06
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    The minute I'd finished uploading the LOLA module (my custom one) I was hit.

    ~L
  • Posted: 24.08.2005, 00:10
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    Hmm. That makes me suspicious... Do you have any sort of backup of this LOLA module that you know is clean?

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
  • Posted: 24.08.2005, 00:16
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    I'm trying to upload one that I *think* is clean. Will let you know what happens.

    Laura
  • Posted: 24.08.2005, 00:26
     
    operamom
    rank:
    Softmore
    registered:
     October 2003
    Status:
    offline
    last visit:
    31.05.06
    Posts:
    99
    grrrrr....apparently the "clean" version has a call to something called "fixquotes" which is an undefined function now. But the good news is that I'm not getting spykids owning me now so that's progress, right? Sheesh, I think I may have to hire a programmer now to figure out what's wrong with this module.

    In the meantime, how can I disable this module when I can't even load the admin page? I couldn't find a way to do that through the Swiss Army Knife.

    Thanks SO much for all your help. I really do appreciate it!

    ~Laura
  • Posted: 24.08.2005, 00:39
     
    FrankDeRosa
    rank:
    Professional
    registered:
     March 2002
    Status:
    offline
    last visit:
    15.04.07
    Posts:
    2489
    In your database, you'll have a nuke_modules table (or <prefix>_modules). Browse through it looking for an entry in the pn_name field like LOLA. When you find it, edit it and set the pn_state value to 0.

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
  • Posted: 24.08.2005, 00:55
     
    MoonMaiden
    rank:
    Helper
    registered:
     August 2003
    Status:
    offline
    last visit:
    23.04.06
    Posts:
    102
    A friend of mine looked into this... apparently spykids did this last christmas or the christmas before.

    They install a program that attaches itself to a stats software program and no matter how many times you upload new files this program seeks out the new files and replaces them with its own.

    Found on a net misuse site.

    Any help appreciated. I must be dealing with the thickest technical support team on the planet as they don't seem to understand the site has been hacked.... HELLO.

    Moon Maiden
