Linkman gets hacked as fast as I upload it

Everything related to LinkMan - reciprocal links manager
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

Linkman gets hacked as fast as I upload it

Post by Rufanuf »

/*************************************
Title:Linkman gets hacked as fast as I upload it
Version: 1:7
Author: J Fernandez
Demo:
Download:
Website: www.siamfishingtours.com

Short description: Need help to stop linkman getting hacked


*************************************/

(Here below you can write additional info, longer description and comments)

Hi all,

I have been a linkman user for a year or so. But just recently linkman got hacked and as a result malware scripts (redirects) are injected in all my pages across my whole website.

Every time I report this to my hosting service they clean the site, remove linkman (which they describe as a shell script) and basically seem to be implying this software shouldn't be used as it is a security risk.

Can anyone tell me how I can stop linkman from simply being a means by which spammers can access my site and destroy my site's credibility?

A clear set of instructions on how to prevent this happening would be great.
thanks


Ruf
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

Hello Ruf,

Sorry to hear you have problems with hackers, but there are no known security issues with LinkMan (if there were, rest assured the forum would have been flooded with such reports as hundreds of sites would have been hacked).

If LinkMan was indeed the problem your host shouldn't have problems proving it from the access logs showing how a hole was exploited. If they can I would gladly fix any such issues and release a patch. But, from my experience, hosts usually rather blame a script than try to find the real problem (is your host running the latest version of PHP, Apache, has the server got a firewall, mod_security or similar tools, ...?).

WARNING: you say all your pages get injected with a link? I've seen this before at least twice and both times the attacker actually used FTP to access the system (both times there was a virus that collected FTP passwords from FTP clients on local PC machine). I suggest that you:
- scan your PC (yes, PC, not server) with an updated antivirus (I recommend booting in safe mode if you use Windows)
- change your FTP password
- change or update your FTP client (program you use to upload files to the server)
Klemen, creator of HESK and PHPJunkyard
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

Linkman

Post by Rufanuf »

Hi Klemen,

Thank you for replying to my post. I did consider the possibility that the virus got in via FTP, but found no evidence, but it seems the virus is something called c100 and this apparently hijacks shell scripts; there's not a lot of info on the web about the c100 script except to say that those that have looked at it say it's a rather clever and nasty bit of work. Seems that once it is on one PHP page (it normally gets in by looking for pages with common titles like "settings", "admin", etc.) it jumps to others and then mutates into a programme that can end up controlling the content of whole folders and more besides.

I think Linkman is great, but in truth I have had quite a lot of problems with it being hacked over 3 years, but mostly it's been easily fixable or just one-offs, but this hack seems far more aggressive and difficult to eradicate.

I'm only a novice web designer and don't really understand PHP so I can't say for sure who is right or wrong, but my host seems fairly confident that it's the PHP files in linkman causing the issue.


Thanks again


Ruf
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

C100 is a so-called "shell script" (and numerous variants of it). I know the script and no matter how nasty it is, it still needs a way to be uploaded to the server (either through FTP or an exploit). Once it's on the server it can do a lot of damage, but you/your host need to figure out how it got there in the first place.

Even if the attacker didn't access your FTP you should still change all your passwords. You should also ask your host to update server software to the latest (most secure) versions; for example they still run a PHP version from the year 2008!

Do you have access to Apache access logs (usually can be downloaded from the hosting control panel)? If you could send them to me I would be happy to check for any suspicious requests as I am also interested in keeping my scripts secure.
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

Linkman

Post by Rufanuf »

Hi Klemen,

As ever you are a helpful and generous contributor to the web community, and I am very grateful for your attitude, open-minded and probably more knowledgeable than those offering me advice that is not free!

I will see if I can get the Apache logs for you to look at, as like you I would like to be sure I understand what is going on here so I can hopefully prevent it in the future.

I did interestingly remove a trojan from my PC this morning, running a system-wide scan. I didn't take much notice of its name before deleting, but could a Trojan have uploaded the malicious script to my host's server?


Kind Regards


Ruf
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

If you do get the logs please let me know.

As for the Trojan - too bad you didn't record the name to be sure, but it's definitely possible. It's what one of my colleagues had a few months ago. A trojan on his PC that searched the computer for credentials and then used those to log in via FTP (we verified that by changing the passwords and then noticed a lot of failed FTP login attempts in the logs) to modify pages (insert JavaScript and/or hidden links to all HTML pages). The trojan also created files called "image.php" inside any image folders found on the server. This is what it was:
http://blog.unmaskparasites.com/2009/05 ... ed-script/
How it works is explained here:
http://blog.unmaskparasites.com/2009/05 ... mment-1005
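One way to look for the "image.php" pattern described in the post above in an Apache access log, as an added example that is not part of the original thread. It assumes the combined log format and a guessed set of image folder names; the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: no PHP script belongs under a folder with one of these names.
IMG_SCRIPT_RE = re.compile(r"/(?:images?|img|gallery|photos)/[^?]*\.php(?:\?|$)", re.I)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2009:10:01:02 +0000] "GET /links/links.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2009:10:05:40 +0000] "POST /images/image.php HTTP/1.1" 200 312 "-" "-"
192.0.2.10 - - [12/May/2009:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2009:11:20:00 +0000] "POST /images/image.php?c=1 HTTP/1.1" 200 298 "-" "-"
198.51.100.7 - - [12/May/2009:11:21:00 +0000] "GET /gallery/thumbs/image.php HTTP/1.1" 404 210 "-" "-"
"""


def suspicious_hits(log_text):
    """Map each script path under an image folder to first-seen time, hits, clients, statuses."""
    found = defaultdict(
        lambda: {"first_seen": None, "hits": 0, "clients": set(), "statuses": set()}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not IMG_SCRIPT_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = found[m["path"].split("?", 1)[0]]  # group hits regardless of query string
        entry["hits"] += 1
        entry["clients"].add(m["ip"])
        entry["statuses"].add(m["status"])  # 404 = probe only, 200 = script answered
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(found)


if __name__ == "__main__":
    for path, info in sorted(suspicious_hits(SAMPLE_LOG).items()):
        print(path, info["first_seen"].isoformat(), info["hits"],
              sorted(info["clients"]), sorted(info["statuses"]))
```

The first-seen time of each flagged path is the point from which to read the surrounding web requests and the FTP log for the same period.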
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

LINKMAN WAS NOT THE REASON I GOT HACKED

Post by Rufanuf »

Dear Klemen,

After lots of communication with my host, it has become clear that my sites were the victim of Gumblar, or variants thereof.

I have removed quite a few malicious files both from the server(host) AND my PC. My server had been accessed via Korea, Turkey, Argentina and others, all in a few days.... :roll:

It's been very educational for me. I now have FTP allow/deny files on my server, I now know that things are not what they seem. The virus planted a file called imgifi.php in all my image folders, as well as placing a trojan on my computer that stole my FTP passwords. I found these eventually by changing from NOD32 to AVG and running the Malwarebytes Anti-Malware programme.

I'm still paranoid that these criminals still have some nasty lurking somewhere in a folder in my PC; seriously considering wiping it and starting afresh, as it has been a week of nothing but hassle.

Thanks for pointing me in the right direction, and I hope to have Linkman up and running again on all my sites soon.

Best wishes

Ruf
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

Hello Ruf,

I am both sorry and relieved; sorry to hear about all your problems but on the other side relieved that you found the real problem and that the real problem wasn't LinkMan.

I hope you sort this out as soon as you can. If I were you I most likely would wipe out my PC and just reinstall everything. It's better than worrying if and where some pieces were left.

Don't forget to change passwords for all your websites, e-mail accounts, bank/paypal accounts (if you have any) etc.

Good luck with the sites.

Regards,
Klemen
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

linkman reinstated

Post by Rufanuf »

I have now reinstated linkman on my site www.siamfishingtours.com/links/links.php, my computer being clean and my server (I'm told). I have FTP allow/deny files on my root so only IP addresses I choose can gain access.

My host is still very uncomfortable about files and folders having chmod 666/777; they seem to think it's a big security risk... I realise that interactive websites of any kind can't really function without certain files being writable etc., just wondered if there is anything more I can do to make the use of linkman even more secure?

Ruf
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

Files/folders need to be 666/777 because the script needs writing access to those files or folders.

As long as the server is secure and there aren't any scripts with exploits uploaded this isn't a problem. File permissions only become an issue once an attacker has gained access to the server, because he can sometimes use an exploit to create new files himself in the folders chmoded to 777. But this really depends on a number of factors, most importantly what kind of exploit it is.

A good analogy I found some time ago: 666/777 is just like having your keys in a car and the car in a locked garage. As long as the garage is locked your car is safe. However, if the garage is broken into, your car is an easy steal.
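An audit of a web root for the two things discussed in this thread, script files sitting in image folders (the image.php / imgifi.php pattern) and files or folders left world-writable (666/777), as an added example that is not part of the original thread or of LinkMan. The folder names, script extensions and sample layout are assumptions constructed for the example, not LinkMan's real file layout.

```python
import os
import stat
import tempfile

# Assumed names for directories that should contain only static images.
IMAGE_DIRS = {"images", "image", "img", "gallery", "photos"}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".cgi", ".pl"}


def audit_webroot(root):
    """Return (scripts_in_image_dirs, world_writable) with paths relative to root."""
    scripts, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_image_dir = any(p.lower() in IMAGE_DIRS for p in rel_dir.split(os.sep))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink are not meaningful
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:  # "other" write bit: the 666/777 case
                writable.append((rel, format(stat.S_IMODE(mode), "o")))
            ext = os.path.splitext(name)[1].lower()
            if stat.S_ISREG(mode) and in_image_dir and ext in SCRIPT_EXTS:
                scripts.append(rel)
    return sorted(scripts), sorted(writable)


def build_sample_tree(root):
    """Constructed sample layout: a links/ folder with an images/ subfolder."""
    layout = {
        "links/links.php": 0o644,
        "links/data.txt": 0o666,           # data file the script must write to
        "links/images/logo.gif": 0o644,
        "links/images/imgifi.php": 0o644,  # script where only images belong
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "links"), 0o755)
    os.chmod(os.path.join(root, "links", "images"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found_scripts, found_writable = audit_webroot(tmp)
        print("scripts in image folders:", found_scripts)
        print("world-writable:", found_writable)
```

Keeping the world-writable list from a known-clean state gives a baseline: any later addition to either list is worth investigating.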
Rufanuf
Posts: 15
Joined: Thu Mar 20, 2008 8:58 am

Linkman not hacked!

Post by Rufanuf »

Thank you Klemen, I think that analogy is very much in line with my understanding of the situation.

From here on in my server will only allow access from the IPs I allow (if the ftp:allow ftp:deny system works as it is supposed to).

I fully intend to use linkman soon on all my sites, it helped me attain hundreds of links over the last few years.

Thanks Again for your patience and willingness to help a novice webmaster.

Ruf