Hacked!


astroturkey
11-16-2007, 02:59 PM
Looks like the old missing language file issue, except the fix that worked in the past won't work now. All my links in the text-only admin cpanel take me to the cronjobs folder. Can anyone help me figure out where the original file would be that has those links for the admin area? The alteration HAS to be in there. Anyone's help would be greatly appreciated right now!!!!!!!!!!!!!!!!!!!!

Thanks!

msdesmarais
11-16-2007, 08:14 PM
panelmenu.tpl

astroturkey
11-17-2007, 03:22 PM
Still trying to figure out how it was done. I was able to deduce the IP of the hacker from my server's last-300-visitors log.
He had his referrer turned off, and it only showed that he accessed /. No files or anything else showed up as requested, whereas my log shows every file and folder address requested.
208.80.193.32 - - [16/Nov/2007:15:02:07 -0600] "GET / HTTP/1.1" 200 3870 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312466)"


I overwrote the rewritten software with my backup and wasn't able to actually see what code had been altered. I specifically overwrote templates/default and the docroot admin folder and their full contents. I ran my page info tool in Firefox and it would appear that my {$docroot} had been changed from http://mysite.com to http://mysite.com/cronjobs, as all the URLs listed had that new prefix, whether checking from index.php or from inside the admin panel.
It is important that I find out how this was done in order to secure against further attacks. I am working with my host to re-secure everything, but this isn't enough. I need to know how it was done. I also have installed your excellent MyBackup software after this incident, as this will help very well with damage control. I highly recommend it to everyone.

I also noticed hits on my server accessing my foolishly url'd user Avatar from this forum. Just in case that was being exploited, I removed it.

Thanks in advance, hope you can help, and that this might help discover and possibly secure any new holes in the software.
Astroturkey

astroturkey
11-17-2007, 03:30 PM
I'm also wondering if the fix for messed-up language files can be exploited to also mess up the site? Is this possible? I'm not willing to test it on my own site LOL. If it is, I'm wondering if the removal of the language_upload.php file would stop this exploit. You could then upload it again if you needed to update lang changes again, then delete it when the task is done. I'm open to all suggestions here, people.

Astroturkey

sb0373
11-18-2007, 08:33 AM
Try to delete your cookies. I think that will fix the problem!
If that didn't, reload your language file.

umall41
06-24-2008, 10:50 PM
My website was hacked and I restored the backup; each time I restored the backup they hacked it again (8 times now). So I did the following:
I deleted the following files:

/inc/cmses/aedating4CMS.php
/inc/cmses/aedatingCMS.php
/inc/cmses/aedatingCMS2.php

I CHMOD the following files to 644
defaultUsrExtCMS.php
config.php
config.inc.php
/public_html/mydomain.com/chat/inc/config.php
/public_html/mydomain.com/chat/inc/config.srv.php
/public_html/mydomain.com/forum/config.php
/public_html/mydomain.com/myconfigs/config.php
/public_html/mydomain.com/config.inc.php


I add these to my .htaccess
###############################
#Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Protect files
<Files ~ "^(.*)\.(inc|inc\.php|tpl|sql)$">
Order deny,allow
Deny from all
</Files>

# Protect directories
<Files ~ "^(files|images|includes|lang|myconfigs|libs(/.+)?|temp(/.+)?|templates(/.+)?|javascripts(/.+)?)$">
Order deny,allow
Deny from all
</Files>

# Disable directory browsing
Options -Indexes
###############################

########## Begin - Rewrite rules to block out some common exploits
#
# mod_rewrite ignores the conditions and rule below unless the engine is on
# (harmless if it is already enabled earlier in the file)
RewriteEngine On
#
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

Despite all this I am still hacked, so I checked my error log. This is what I have:

[02-Apr-2008 15:11:56] PHP Fatal error: Class 'http://www.asigurareamea.ro/upload_fisiere/ibanar/suxokud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 15:11:57] PHP Fatal error: Class 'http://www.clubnataciotortosa.com/UserFiles/File/edut/jezin/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 15:11:58] PHP Fatal error: Class 'http://www.inmoproin.com/img/promociones/ive/exozi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 18:16:05] PHP Fatal error: Class 'http://oxymaster.net/pr_images/irifala/uwevuc/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 18:16:06] PHP Fatal error: Class 'http://www.destinationthesun.info/capeverde/form/use/sampleform/admin/itixahe/rilika/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 18:16:08] PHP Fatal error: Class 'http://chyngachanga.ru/content/wuge/asagula/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-Apr-2008 01:07:35] PHP Fatal error: Class 'http://sites.redskycreative.com/canyonlakechurch/jolalu/buq/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-Apr-2008 01:07:36] PHP Fatal error: Class 'http://sinzinuri.com/imsi/db/pic/huv/abey/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-Apr-2008 01:07:39] PHP Fatal error: Class 'http://www.service-exposants.com/store/iyi/jab/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 11:59:26] PHP Fatal error: Class 'http://www.stomol.ru/catalog/rivoz/vekudu/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 11:59:27] PHP Fatal error: Class 'http://www.channelnewsperu.com/imagenes/publicaciones/fotos/emesuki/ohuhud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 11:59:28] PHP Fatal error: Class 'http://www.municipioxii.it/sunnyway/igodoq/bukosud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 12:27:54] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 12:27:54] PHP Fatal error: Class 'http://www.soeasywebsite.com/soeasycasino/enosucu/ijani/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 12:27:55] PHP Fatal error: Class 'http://www.filter-international.com/webservice/aro/medavuw/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 18:05:15] PHP Fatal error: Class 'http://www.cjp.spb.ru/en/aki/ucuyupi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 18:05:17] PHP Fatal error: Class 'http://www.cjp.spb.ru/en/aki/ucuyupi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[21-Apr-2008 18:05:19] PHP Fatal error: Class 'http://www.filter-international.com/webservice/aro/medavuw/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 02:15:01] PHP Fatal error: Class 'http://www.clubnataciotortosa.com/UserFiles/File/edut/jezin/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 02:15:03] PHP Fatal error: Class 'http://www.elettrodataservice.it/foto_articoli/pivafof/oqonon/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 02:15:06] PHP Fatal error: Class 'http://www.zlotow.biz/radiomariana2/rawi/ayutuqi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 17:57:26] PHP Fatal error: Class 'http://www.elettrodataservice.it/foto_articoli/pivafof/oqonon/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 17:57:27] PHP Fatal error: Class 'http://www.clubnataciotortosa.com/UserFiles/File/edut/jezin/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 17:57:28] PHP Fatal error: Class 'http://www.elettrodataservice.it/foto_articoli/pivafof/oqonon/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 20:41:19] PHP Fatal error: Class 'http://www.zlotow.biz/radiomariana2/rawi/ayutuqi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 20:41:20] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[22-Apr-2008 20:41:22] PHP Fatal error: Class 'http://www.municipioxii.it/sunnyway/igodoq/bukosud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[29-Apr-2008 05:45:56] PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 2213906 bytes) in /home/nigeria1/public_html/libs/Pear/DB/mysqlc.php on line 1721
[29-Apr-2008 05:46:40] PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 1835035 bytes) in /home/nigeria1/public_html/libs/Pear/DB/mysqlc.php on line 1721
[29-Apr-2008 05:46:45] PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 281143 bytes) in /home/nigeria1/public_html/libs/Pear/DB/mysqlc.php on line 1721
[29-Apr-2008 05:47:29] PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 90 bytes) in /home/nigeria1/public_html/libs/Pear/DB/mysqlc.php on line 309
[03-May-2008 06:10:30] PHP Fatal error: Class 'http://www.obrasmecanicasch.com/omch/img/anawuho/ledego/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-May-2008 06:10:31] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-May-2008 06:10:32] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-May-2008 10:14:57] PHP Fatal error: Class 'http://www.marsbook.co.kr/main/created/product/2/mumas/ohalupa/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-May-2008 10:14:58] PHP Fatal error: Class 'http://www.marsbook.co.kr/main/created/product/2/mumas/ohalupa/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[03-May-2008 10:14:59] PHP Fatal error: Class 'http://www.municipioxii.it/sunnyway/igodoq/bukosud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 02:39:30] PHP Fatal error: Class 'http://www.obrasmecanicasch.com/omch/img/anawuho/ledego/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 02:39:33] PHP Fatal error: Class 'http://www.municipioxii.it/sunnyway/igodoq/bukosud/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 02:39:34] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 10:00:37] PHP Fatal error: Class 'http://www.thoseguysfilms.com/forums/templates/subSilver/images/timuji/ogu/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 10:00:41] PHP Fatal error: Class 'http://www.northfans.ch/forum/admin/settings/ocoyo/azad/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[04-May-2008 10:00:43] PHP Fatal error: Class 'http://www.unduetretoccaate.it/codice/fog/iyi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 15:22:52] PHP Fatal error: Class 'http://www.psikolojikyardim.org/etkinlik/include/eto/rix/jas/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 15:22:57] PHP Fatal error: Class 'http://sans-packing.ru/img/jipeqap/ehudute/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 15:22:58] PHP Fatal error: Class 'http://mslayouts.ws/icons/administrator/components/com_menus/etotag/qeba/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 20:20:37] PHP Fatal error: Class 'http://rabotnitsa.ru/joomla__/administrator/backups/arim/zaf/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 20:20:40] PHP Fatal error: Class 'http://www.tcmforum.com/layout/oxiqade/onese/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[06-Jun-2008 20:20:42] PHP Fatal error: Class 'http://www.polarflug.de/sources/sinokof/copaxan/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 08:55:54] PHP Fatal error: Class 'http://www.math.science.cmu.ac.th/lms/moodledata/2/moddata/forum/vata/kewa/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 08:55:55] PHP Fatal error: Class 'http://www.qubestunes.com/treytest/1/adoyuru/alameja/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 08:55:56] PHP Fatal error: Class 'http://www.elettrodataservice.it/foto_articoli/pivafof/mibi/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 19:45:27] PHP Fatal error: Class 'http://www.oriolmanya.net/nautilus/phpBB2/language/lang_english/ifekeri/cekogah/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 19:45:28] PHP Fatal error: Class 'http://www.bowlaw.com/practice_areas/ogi/iteyu/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363
[07-Jun-2008 19:45:29] PHP Fatal error: Class 'http://www.winbd.net/admin/jist_code/wowoz/obowupu/' not found in /home/nigeria1/public_html/libs/modOsDate/modOsDate.php on line 363

So it seems they are hacking through modOsDate.php. Kindly help.
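
An added example for triaging an error log like the one in the post above (not part of the original thread and not osDate code): it selects `Class '...' not found` entries whose class name is not a legal PHP identifier, which indicates request data reaching a dynamic class lookup, and reports the file and line hit, the remote hosts named, and the days affected. The sample log is constructed; the `.example` hosts, the `/home/user` path, `init.php` and `Smarty_Extra` are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the format of the log quoted above; the .example
# hosts, /home/user path, init.php and Smarty_Extra are made up.
SAMPLE_LOG = """\
[02-Apr-2008 15:11:56] PHP Fatal error: Class 'http://a.example/x/y/' not found in /home/user/public_html/libs/modOsDate/modOsDate.php on line 363
[02-Apr-2008 15:11:57] PHP Fatal error: Class 'http://b.example/p/q/' not found in /home/user/public_html/libs/modOsDate/modOsDate.php on line 363
[29-Apr-2008 05:45:56] PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 90 bytes) in /home/user/public_html/libs/Pear/DB/mysqlc.php on line 309
[03-May-2008 06:10:30] PHP Fatal error: Class 'Smarty_Extra' not found in /home/user/public_html/init.php on line 12
[03-May-2008 06:10:31] PHP Fatal error: Class 'http://a.example/x/y/' not found in /home/user/public_html/libs/modOsDate/modOsDate.php on line 363
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Fatal error:\s+Class '(?P<cls>[^']*)' not found "
    r"in (?P<file>\S+) on line (?P<line>\d+)$"
)
# A legal PHP class name (optionally namespaced). Anything else inside a
# "Class ... not found" error did not come from the application's own code.
VALID_CLASS = re.compile(r"^[A-Za-z_\\][A-Za-z0-9_\\]*$")


def triage(log_text):
    """Count tainted class-name errors per code location, host and day."""
    sinks, hosts, days = Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or VALID_CLASS.match(m["cls"]):
            continue  # other error types, or an ordinary missing class
        sinks[(m["file"], int(m["line"]))] += 1
        days[m["ts"].split()[0]] += 1
        host = urlparse(m["cls"]).hostname
        if host:
            hosts[host] += 1
    return {"sinks": sinks, "hosts": hosts, "days": days}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (path, line), n in report["sinks"].most_common():
        print(f"{n:4d} tainted class lookups at {path}:{line}")
    for host, n in report["hosts"].most_common():
        print(f"{n:4d} {host}")
```

The file and line with the highest count is the place to review for a class name taken from request input; the days list shows how long the probing has been going on.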

vijaynair
06-25-2008, 07:10 AM
OK. Seems like you are hacked by Nigeria hackers.

Suggestion is to install osDate in a new directory with a new DB and change config.php to use the old DB.

Also, ensure you have proper .htaccess files in place (root, admin, myconfigs, etc.).

aztec_uk
06-25-2008, 09:40 AM
Not sure if this is completely relevant but...

When I checked my public_html/libs/modOsDate/ location in my browser the directory structure was WIDE open!

No index.htm files are in these folders!

Am I right in saying this is a huge risk?... To be safe I'm adding index.htm to all folders.

This should be standard anyway, shouldn't it?

TimmyJ
08-07-2008, 04:51 PM
Hiya,

Will we still need an index.htm if there is already an index.php?

Cheers,
Tim

aztec_uk
08-08-2008, 11:34 AM
No, because the .htm file would take priority over the .php index file.

This could lead to a massive crash of your site, so if there is already an index.php file in the folder, don't add another one.

You can however add an index.htm to a folder which has an index.tpl and it will work fine.