Template hacked?

Old 12-15-2008, 12:46 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
Hi folks,

We seem to have been hacked but I cannot find out where.

There are several links (hidden) in our template. Every page. So I assume it would have been the header or meta template. But I can't find anything.

Example: <u style="display:none"> and a bunch of href links. In the source, this shows up before <!DOCTYPE html...

Please view the source.

How is this being loaded?

Any ideas on how this happened and where it's coming from?

Thanks
Old 12-15-2008, 01:05 PM
Yankidank
Pligg Founder/Coder/Designer
Pligg Version: SVN
Pligg Template: Wistie
 
Join Date: Dec 2005
Location: Ocala, FL
Posts: 3,799
I see that your forum profile says that you are using Pligg 9.8.2. We have posted a security update (Pligg 9.9.5 Beta) that fixes some known exploits that have compromised parts of Pligg in earlier versions. Please upgrade if you haven't already done so. We sent out a mass email with this information so that all users should have been notified of the updates several months ago.

Old 12-15-2008, 02:54 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
I was afraid of that.

I'm almost positive our theme will not be compatible with 9.9.5 and the work it would take to modify the theme is more than we would like to take on (again).

Any suggestions on where to get a theme (purchased if necessary) to ease the pain of the upgrade?

Thanks
Old 12-15-2008, 05:13 PM
New Pligger
 
Join Date: Nov 2008
Posts: 1
That's not what it is; HostGator uses an outdated version of Apache and refuses to switch or upgrade to a new version due to "compatibility issues." For the longest time my .htaccess was being re-written over and over and I couldn't figure out why, until I put an info.php up that made me realize Apache was over 3 years old. They're retarded; that's why I dropped them.
Old 12-15-2008, 06:09 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
c4rl,

I checked the htaccess file. I don't see anything that would be pasting links into the header. It appears to be the same as the day I uploaded it.

I'll paste it below. Is there something that I'm missing?

Code:
##### Gzip Begin #####
## To enable Gzip and decrease the load times of your Pligg site
## change /home/path/to to your absolute server path and remove the two # from both lines
## php_value auto_prepend_file /home/path/to/begin_gzip.php
## php_value auto_append_file /home/path/to/end_gzip.php

# Use PHP5 as default
AddHandler application/x-httpd-php5 .php
#AddType "text/javascript" .gz
#AddEncoding gzip .gz
#RewriteCond %{HTTP:Accept-encoding} gzip
#RewriteCond %{THE_REQUEST} ^(.*).js
#RewriteCond %{SCRIPT_FILENAME}.gz -f
#RewriteRule ^(.*)\.js $1.js.gz [L]
##### Gzip End #####

##### 404 Error Begin #####
## If Pligg is installed in a subfolder, change the below line to ErrorDocument 404 /name-of-subfolder/404error.php
ErrorDocument 404 /404error.php
##### 404 Error End #####

##### Re-directing Begin #####
Options +Indexes +FollowSymlinks
RewriteEngine on
## If Pligg is installed in a subfolder, change the below line to RewriteBase /name-of-subfolder
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.lensroll\.com [NC]
RewriteRule ^(.*)$ http://www.lensroll.com/$1 [L,R=301]
##### Re-directing End #####


##### You can find the below lines pre-made for you in the category management section of the admin panel ######
RewriteRule ^(all|Beliefs|Religion|Philosophy|Astrology|Paranormal|Skepticism|Mysticism|Caring|Charity|Community|Nonprofits|Volunteering|Business|Advertising|Credit|AffiliateMarketing|Barter|Micro-EnterpriseDevelopment|Marketing|Investment|SmallBusiness|Loans|Finance|Economics|NetworkMarketing_MLM|RealEstate|FineArts|Ceramics|Jewelry|Glass|Painting|Pottery|Sculpture|Fun|Humor|Satire|Bizarre|Comedy|Parody|Jokes|Earth|Animals|Astronomy|Environment|Geography|Geology|Nature|Sciences|Family|Adoption|Parenting|ChildDevelopment|KidsStuff|Relationships|Hobbies|Antiques|Genealogy|Collecting|Crafts|Entertainment|Movies|Music|Radio|Celebrity|Television|Learning|DistanceLearning|DIY|Education|Homeschooling|How-To|Reference|SelfHelp|Lifestyles|Fashion|Food_Cooking|HomeGarden|SeasonalHolidays|Pets|Shopping|Vegetarian|Weddings|History|Anthropology|AncientHistory|Archaeology|ArtHistory|MedievalHistory|ModernHistory|Mythology|Internet|SEO|Blogging|SocialNetworking|Squidoo|WebDevelopment|Recreation|Sports|Adventure|Travel|Boating|Camping|Fishing|Society|People|Sociology|Politics|Culture|News|Technology|Computers|Gadgets|Geek|Gaming|MobilePhones|Programming|Software|Transport|Cars|Trucks|Planes|Seafaring|Motorcycles|Trains|Wellbeing|SubstanceAbuse|Senior|Pregnancy_Childbirth|Nutrition|MentalHealth|Medicine|Health|Fitness|AlternativeTherapies|WeightLoss|CreativeArts_Media|Animation|Dance|Cartoons_Comics|DigitalArts|Filmmaking|GraphicDesign|Illustration|Photography|Literature|PerformingArts|Songwriting|Writing)/([^/]+)/?$ story.php?title=$2 [L]
RewriteRule ^(all|Beliefs|Religion|Philosophy|Astrology|Paranormal|Skepticism|Mysticism|Caring|Charity|Community|Nonprofits|Volunteering|Business|Advertising|Credit|AffiliateMarketing|Barter|Micro-EnterpriseDevelopment|Marketing|Investment|SmallBusiness|Loans|Finance|Economics|NetworkMarketing_MLM|RealEstate|FineArts|Ceramics|Jewelry|Glass|Painting|Pottery|Sculpture|Fun|Humor|Satire|Bizarre|Comedy|Parody|Jokes|Earth|Animals|Astronomy|Environment|Geography|Geology|Nature|Sciences|Family|Adoption|Parenting|ChildDevelopment|KidsStuff|Relationships|Hobbies|Antiques|Genealogy|Collecting|Crafts|Entertainment|Movies|Music|Radio|Celebrity|Television|Learning|DistanceLearning|DIY|Education|Homeschooling|How-To|Reference|SelfHelp|Lifestyles|Fashion|Food_Cooking|HomeGarden|SeasonalHolidays|Pets|Shopping|Vegetarian|Weddings|History|Anthropology|AncientHistory|Archaeology|ArtHistory|MedievalHistory|ModernHistory|Mythology|Internet|SEO|Blogging|SocialNetworking|Squidoo|WebDevelopment|Recreation|Sports|Adventure|Travel|Boating|Camping|Fishing|Society|People|Sociology|Politics|Culture|News|Technology|Computers|Gadgets|Geek|Gaming|MobilePhones|Programming|Software|Transport|Cars|Trucks|Planes|Seafaring|Motorcycles|Trains|Wellbeing|SubstanceAbuse|Senior|Pregnancy_Childbirth|Nutrition|MentalHealth|Medicine|Health|Fitness|AlternativeTherapies|WeightLoss|CreativeArts_Media|Animation|Dance|Cartoons_Comics|DigitalArts|Filmmaking|GraphicDesign|Illustration|Photography|Literature|PerformingArts|Songwriting|Writing)/?$ ?category=$1 [L] 
#####

##### URL Method 2 ("Clean" URLs) Begin #####
RewriteRule ^story/([0-9]+)/?$ story.php?id=$1 [L]
RewriteRule ^story/title/([^/]+)/?$ story.php?title=$1 [L]
RewriteRule ^story/([0-9]+)/editcomment/([0-9]+)/?$ edit.php?id=$1&commentid=$2
RewriteRule ^story/([0-9]+)/edit/?$ editlink.php?id=$1
RewriteRule ^story/([0-9]+)/modify/([a-z]+)/?$ linkadmin.php?id=$1&action=$2
RewriteRule ^recommend/([a-zA-Z0-9-]+)/?$ recommend.php?id=$1 [L]
RewriteRule ^category/([^/]+)/?$ index.php?category=$1 [L]
RewriteRule ^upcoming/category/([^/]+)/?$ upcoming.php?category=$1 [L]
RewriteRule ^upcoming/([a-zA-Z0-9]+)/?$ upcoming.php?part=upcoming&order=$1
RewriteRule ^inbox/?$ user.php?view=inbox
RewriteRule ^user/?$ user.php
RewriteRule ^user/view/([a-zA-Z0-9-]+)/?$ user.php?view=$1
RewriteRule ^user/view/([a-zA-Z0-9+]+)/([a-zA-Z0-9+]+)/?$ user.php?view=$1&login=$2
RewriteRule ^user/view/([a-zA-Z0-9+]+)/login/([a-zA-Z0-9+]+)/?$ user.php?view=$1&login=$2
RewriteRule ^user/([a-zA-Z-]+)/link/([0-9+]+)/?$ user_add_remove_links.php?action=$1&link=$2
RewriteRule ^published/?$ index.php
RewriteRule ^published/([a-zA-Z0-9-]+)/?$ index.php?part=$1
RewriteRule ^published/([a-zA-Z0-9-]+)/category/([a-zA-Z0-9-]+)/?$ index.php?part=$1&category=$2
RewriteRule ^upcoming/([a-zA-Z0-9-]+)/category/([a-zA-Z0-9-]+)/?$ upcoming.php?part=upcoming&order=$1&category=$2
RewriteRule ^search/(.+)/?$ search.php?search=$1
RewriteRule ^login/?$ login.php
RewriteRule ^login/([a-zA-Z0-9-]+)/?$ login.php?return=$1
RewriteRule ^login/([a-zA-Z0-9-]+)/([a-zA-Z0-9-]+)/?$ login.php?return=$1/$2
RewriteRule ^register/?$ register.php
RewriteRule ^topusers/?$ topusers.php
RewriteRule ^about/([a-zA-Z0-9-]+)/?$ faq-$1.php
RewriteRule ^upcoming/?$ upcoming.php
RewriteRule ^submit/?$ submit.php
RewriteRule ^rss/?$ rss.php
RewriteRule ^rss/([a-zA-Z0-9-]+)/?$ rss.php?status=$1
RewriteRule ^rss/category/([a-zA-Z0-9-]+)/?$ rss.php?category=$1
RewriteRule ^rss/search/([a-zA-Z0-9-]+)/?$ rss.php?search=$1
RewriteRule ^rss/user/([a-zA-Z0-9-]+)/?$ rss.php?user=$1
RewriteRule ^rss/user/([a-zA-Z0-9-]+)/([a-zA-Z0-9-]+)/?$ userrss.php?user=$1&status=$2
RewriteRule ^trackback/([0-9]+)/?$ trackback.php?id=$1 
RewriteRule ^profile/?$ profile.php
RewriteRule ^admin/?$ admin_index.php
RewriteRule ^tagcloud/?$ cloud.php
RewriteRule ^tagcloud/range/([0-9]+)/?$ cloud.php?range=$1 [L]
RewriteRule ^tag/(.+)/([0-9]+)/?$ search.php?search=$1&from=$2&tag=true [QSA,NC,L]
RewriteRule ^tag/(.+)/?$ search.php?search=$1&tag=true [QSA,NC,L]
RewriteRule ^live/?$ live.php
RewriteRule ^out/([^/]+)/?$ out.php?title=$1 [L]
RewriteRule ^settemplate/?$ settemplate.php
RewriteRule ^comments/?$ live_comments.php
RewriteRule ^live_published/?$ live_published.php
RewriteRule ^unpublished/?$ live_unpublished.php
RewriteRule ^logout/([a-zA-Z0-9-]+)/([a-zA-Z0-9-]+)/?$ login.php?op=logout&return=$1/$2
RewriteRule ^published/page/([^/]+)/?$ index.php?page=$1 [L]
RewriteRule ^published/page/([^/]+)/category/([^/]+)/?$ index.php?page=$1&category=$2 [L]
RewriteRule ^published/page/([^/]+)/([^/]+)category/([^/]+)/?$ index.php?page=$1&part=$2&category=$3 [L]
RewriteRule ^upcoming/page/([0-9]+)/?$ upcoming.php?page=$1 [L]
RewriteRule ^upcoming/page/([^/]+)/category/([^/]+)/?$ upcoming.php?page=$1&category=$2 [L]
RewriteRule ^upcoming/page/([^/]+)/upcoming/([^/]+)/?$ upcoming.php?page=$1&part=upcoming&order=$2 [L]
RewriteRule ^upcoming/page/([^/]+)/upcoming=([^/]+)category/([^/]+)/?$ upcoming.php?page=$1&part=upcoming&order=$2&category=$3 [L]
RewriteRule ^topusers/page/([^/]+)/?$ topusers.php?page=$1 [L]
RewriteRule ^topusers/page/([^/]+)/sortby/([^/]+)?$ topusers.php?page=$1&sortby=$2 [L]
RewriteRule ^admin_links/page/([^/]+)/?$ admin_links.php?page=$1
RewriteRule ^admin_comments/page/([^/]+)/?$ admin_comments.php?page=$1
RewriteRule ^admin_users/page/([^/]+)/?$ admin_users.php?page=$1
RewriteRule ^comments/page/([^/]+)/?$ live_comments.php?page=$1 [L]
RewriteRule ^published/page/([^/]+)/?$ live_published.php?page=$1 [L]
RewriteRule ^unpublished/page/([^/]+)/?$ live_unpublished.php?page=$1 [L]
RewriteRule ^published/page/([^/]+)/([^/]+)/?$ index.php?page=$1&part=$2 [L]
RewriteRule ^published/page/([^/]+)/range/([^/]+)/?$ ?page=$1&range=$2 [L]
RewriteRule ^search/page/([^/]+)/([^/]+)/tag search.php?page=$1&search=$2&tag=true [QSA,NC,L]
RewriteRule ^user/page/([^/]+)/([^/]+)/([^/]+)/?$ user.php?page=$1&view=$2&login=$3 [L]
RewriteRule ^statistics/page/([^/]+)/?$ module.php?module=pagestatistics&page=$1
RewriteRule ^view/([^/]+)/?$ admin_users.php?mode=view&user=$1
##### URL Method 2 ("Clean" URLs) End #####
Old 12-15-2008, 07:45 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
Well I did find where the hidden elements were coming from.

config.php

Not sure how this file was edited, but it was. The server is secure and has not had any attacks to my knowledge, but it happened.

For the Pligg masters -

Is it possible that ver 9.8.2 security exploits as mentioned above could allow someone to edit the file without having access to the server?

I would think not...but asking all the same.

Thanks
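On the question in the post above: any file that the user PHP runs as can write to can be rewritten by a compromised web request, with no FTP or SSH login at all, so "nobody logged in" does not rule out a web-level exploit. The practical follow-up is to know exactly which files changed. The script below is an added example written for this thread (it is not Pligg code or the poster's code): it hashes every file under a web root into a manifest, which you would normally store off the server right after a clean install or upgrade, and later diffs the live tree against it. The demo constructs a small Pligg-like tree, simulates what the post describes (hidden links prepended to config.php, which is included before any output and so prints before <!DOCTYPE>) plus a dropped file, and reports what changed, how sizes moved, and which files are writable by group or world. The paths, contents, permissions and the example.invalid link are all constructed.

```python
"""Integrity baseline for a web root: hash every file once, diff later.

Added example for this thread; it is not Pligg code or the poster's code.
The tree, the injected markup and the link target are constructed here.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relpath -> (size, sha256, writable_by_group_or_world) for every file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            manifest[rel] = (st.st_size, sha256_file(full), loose)
    return manifest


def diff_manifest(baseline, current):
    """Files whose hash changed, plus files that appeared or disappeared."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p][1] != current[p][1])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Snapshot a small Pligg-like tree, simulate the injection, report."""
    with tempfile.TemporaryDirectory(prefix="pligg-") as root:
        os.makedirs(os.path.join(root, "templates", "yget"))
        clean = {
            "config.php": "<?php\n$db_host = 'localhost';\n",
            "index.php": "<?php\ninclude('config.php');\n",
            "templates/yget/header.tpl": "<!DOCTYPE html>\n<html>\n",
        }
        for rel, body in clean.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(root)   # in practice: store this off-box

        # Constructed compromise: hidden links prepended to config.php, which
        # is included before any output, so they print before <!DOCTYPE>.
        # config.php is also left writable by the web server's user, which
        # is how a web request can rewrite it without any SSH/FTP login.
        cfg = os.path.join(root, "config.php")
        with open(cfg) as f:
            original = f.read()
        hidden = ('<u style="display:none">'
                  '<a href="http://example.invalid/">x</a></u>\n')
        with open(cfg, "w") as f:
            f.write(hidden * 50 + original)
        os.chmod(cfg, 0o666)
        with open(os.path.join(root, "templates", ".cache.php"), "w") as f:
            f.write("<?php // dropped file, not part of the install\n")

        current = build_manifest(root)
        report = diff_manifest(baseline, current)
        report["size_change"] = {p: (baseline[p][0], current[p][0])
                                 for p in report["modified"]}
        report["loose_permissions"] = sorted(p for p, (_s, _h, w)
                                             in current.items() if w)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `build_manifest` once against a known-clean tree and keep the JSON off the host; on a shared host the manifest must not live in the web root, or whatever rewrote config.php can rewrite the manifest too. A file that shows up in `loose_permissions` is one the PHP process (and therefore any exploited script) can modify, so tighten those before worrying about who "logged in".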
Old 07-02-2009, 06:38 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
Hidden elements are still getting in.

We have upgraded to version 9.9.5 but this exploit is still happening and it's not the htaccess.

I thought the upgrade from ver 9.8.2 to 9.9.5 would solve this for us.


What the hell is going on?

Does the exploit still exist in ver 1.?
Old 07-02-2009, 07:12 PM
MissDanni
Casual Pligger
Pligg Version: 1.0.2
Pligg Template: mystique
 
Join Date: Jun 2009
Posts: 70
Have you tried searching your db for <u style="display:none">
Old 07-02-2009, 07:21 PM
Casual Pligger
Pligg Version: 9.9.5
Pligg Template: custom yget
 
Join Date: Jun 2007
Location: Colorado
Posts: 65
Yep, searched the db. There is no instance of <u style="display:none">

The config file is being re-written from its original 5k to 56k.
The only IP that the hosts sees logging in is mine. This has me very confused.

I wonder if others have this problem?

Is the admin_editor.php file still unsecured I wonder?

Hopefully one of the pligg masters can help us here.
Old 07-02-2009, 07:33 PM
Casual Pligger
 
Join Date: Jan 2008
Posts: 46
Maybe another account on your server is doing this.

I suggest you check all files on your account and see if something extra is there. Maybe a malicious script is residing on your server, or most probably in your account, which does it periodically.
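The suggestion above (check every file on the account for something extra) and the .htaccess posted earlier in the thread point at the same set of checks. In the posted .htaccess the `php_value auto_prepend_file` / `auto_append_file` lines are commented out with `##`; that directive is the one thing in an Apache or PHP config that would make PHP run an extra file before every script, and its output would land exactly where the poster saw the links, before <!DOCTYPE>. An active copy of it can also hide in a `.user.ini` or `php.ini`, not only in .htaccess. The scanner below is an added example written for this thread (it is not Pligg code): it walks a web root and flags the reported `<u style="display:none">` markup, generic PHP backdoor tells (`eval(base64_decode(...))`, `preg_replace` with the `/e` modifier), any active prepend/append directive, and files whose mtime is newer than a known-clean point. Commented-out directive lines are deliberately ignored, so the poster's own .htaccess would come up clean. The marker list is an assumption (a clean install is assumed to contain none of them), and the fixture tree, file names and contents are constructed for the demo.

```python
"""Scan a web root for the signs discussed in this thread.

Added example; not Pligg code.  It looks for the injected
<u style="display:none"> markup, for generic PHP backdoor tells, for an
active auto_prepend_file / auto_append_file directive (PHP runs that file
before/after every script, so its output lands before <!DOCTYPE>), and for
files changed after a known-clean point in time.  Patterns, fixture files
and paths are constructed for the demo.
"""
import os
import re
import tempfile
import time

# Assumption: a clean install contains none of these.
MARKERS = {
    "hidden-link markup": re.compile(r'style\s*=\s*"display\s*:\s*none"', re.I),
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_replace /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "php auto_prepend/append": re.compile(r"auto_(prepend|append)_file", re.I),
}
CONFIG_FILES = {".htaccess", ".user.ini", "php.ini"}
CODE_EXT = {".php", ".inc", ".tpl", ".html", ".htm", ".js"}


def should_scan(name):
    return name in CONFIG_FILES or os.path.splitext(name)[1].lower() in CODE_EXT


def scan_file(path, name):
    """Return the set of marker labels that match lines of one file."""
    hits = set()
    is_config = name in CONFIG_FILES
    with open(path, "r", errors="replace") as f:
        for line in f:
            # A commented-out directive (like the ## lines in the poster's
            # .htaccess) is harmless; only active lines count.
            if is_config and line.lstrip()[:1] in ("#", ";"):
                continue
            for label, rx in MARKERS.items():
                if rx.search(line):
                    hits.add(label)
    return hits


def scan_tree(root, changed_since):
    """{relpath: sorted reasons} for every file that trips at least one check."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = scan_file(full, name) if should_scan(name) else set()
            if os.stat(full).st_mtime >= changed_since:
                reasons.add("modified since baseline")
            if reasons:
                report[rel] = sorted(reasons)
    return report


def demo():
    """Constructed fixture: a clean tree backdated 30 days, then a compromise."""
    with tempfile.TemporaryDirectory(prefix="pligg-scan-") as root:
        os.makedirs(os.path.join(root, "libs"))
        clean = {
            ".htaccess": "## php_value auto_prepend_file /home/path/to/begin_gzip.php\n"
                         "RewriteEngine on\n",
            "index.php": "<?php include('config.php'); ?>\n",
            "config.php": '<?php $db_user = "pligg";\n',
            "libs/db.php": "<?php class Db {}\n",
        }
        for rel, body in clean.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = time.time() - 30 * 86400
        for rel in clean:
            os.utime(os.path.join(root, rel), (baseline, baseline))

        # Constructed compromise, written after the baseline time: hidden links
        # prepended to config.php, an active prepend directive in a dropped
        # .user.ini, and an eval backdoor dropped under libs/.
        with open(os.path.join(root, "config.php"), "r+") as f:
            body = f.read()
            f.seek(0)
            f.write('<u style="display:none"><a href="http://example.invalid/">x</a></u>\n' + body)
        with open(os.path.join(root, ".user.ini"), "w") as f:
            f.write("auto_prepend_file = /tmp/.x.php\n")
        with open(os.path.join(root, "libs", "cache.php"), "w") as f:
            f.write("<?php eval(base64_decode($_REQUEST['q']));\n")
        return scan_tree(root, changed_since=baseline + 1)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, reasons)
```

The mtime check is only as good as the attacker's laziness (touch restores timestamps), which is why the content markers are checked independently of it; conversely a file that trips "modified since baseline" with no marker still deserves a look, since the marker list is a heuristic. For a site that keeps getting re-infected after cleanup, run this on the whole account rather than just the Pligg directory: a reinfector left in another directory, or in a cron job, will not show up inside the web root at all.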