Please remove
-
- Power Poster
- Posts: 424
- Joined: Sat Feb 02, 2008 12:42 am
- Location: USA
Please remove
-deleted-
Last edited by Anonymous on Fri Jul 04, 2008 2:11 am, edited 1 time in total.
Take a penny, leave a penny.
Re: Hacked
Do you have any other scripts installed? Like Coppermine or something?
Re: Hacked
What modules do you have installed?
Re: Hacked
Look for strange query strings (junk after '?'). The first ones. It is even easier when pretty URLs are activated.mikeim wrote: ...the access log file is over 1GB (is that normal) but what in particular should I be looking for?
Kind request to a pretty URL :
Code: Select all
"GET /aboutus/locations.html HTTP/1.1" 200
Code: Select all
/some/path/to/page.html?evil_parameter=1bad&some=http://junk...
Filtering bad requests I get :
Code: Select all
"GET /cmsmsfolder/ HTTP/1.1" 200
"GETorHEADorPUTorPOST /cmsmsfolder/?// HTTP/1.1" 403
"GETorHEADorPUTorPOST /cmsmsfolder/?* HTTP/1.1" 403
Pierre M.
Re: Hacked
If this was an upgrade then they might have loaded something before the upgrade that allows them to get back in, you may want to delete all folders, except your images making sure nothing untoward is in Uploads etc., then reupload fresh set of folders/files, check config.php for bad entries...