Plished? Hijacked? Bad Bad Bad
I first noticed something wrong a few weeks ago when I would see URLs that were not mine in Statcounter ENTRY and POPULAR. Click on them and there was my blog but filled with keywords all over the place. From four different places. I contacted Statcounter and they said change my security code and upload the new code, which I did, I now no longer SEE them. But... I got email from GOOGLE ADSENSE this morning saying I have 72 hours to remove malicious porn material from my site.
The offending URL is
http://angelicreikiamerica.com/question ... o-hombres/
You can see my blog filled with their content. This is all new to me, I don't understand what it is or what to do.
the note from Google is
Google AdSense: You have 3 working days to make changes to your site
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message.

Hello,

While reviewing your account, we noticed that you are currently displaying Google ads in a manner that is not compliant with our policies. For instance, we found violations of AdSense policies on pages such as http://angelicreikiamerica.com/question ... o-hombres/. Please note that this URL is an example and that the same violations may exist on other pages of your website.

As stated in our program policies, AdSense publishers may not display Google ads on pages with adult or mature content. While we understand that it may be challenging to monitor user-generated content, such as comments, on your site, we require publishers to check that the webpages containing their ad code complies with our program policies.

Please make any necessary changes to your webpages in the next 72 hours. We also suggest that you take the time to review our program policies (https://www.google.com/support/adsense/ ... spe-1pp-en) to ensure that all of your other pages are in compliance.

Once you update your site, we will automatically detect the changes and ad serving will not be affected. If you choose not to make the changes to your account within the next three days, your account will remain active but you will no longer be able to display ads on the site. Please note, however, that we may disable your account if further violations are found in the future.

Thank you for your cooperation.

Sincerely,

The Google AdSense Team

Issue ID# 1694854

For more information regarding this warning email, please visit our Help Center: https://www.google.com/adsense/support/ ... spe-ai4-en.
I don't know where to begin...
Thanx RJ
Don Chambers
- Regular
- Posts: 3657
- Joined: Mon Feb 13, 2006 2:40 am
- Location: Chicago, IL, USA
Re: Plished? Hijacked? Bad Bad Bad
ok, first, keep the really good porn material..
Just kidding.. I have seen this happen when FTP credentials get compromised, so I would start by changing those. I have also seen index.php get compromised, so try uploading a fresh copy of that file, or the entire serendipity package.
Garvin, or others, may have better suggestions, but perhaps you could try these while waiting for additional suggestions.
=Don=
Re: Plished? Hijacked? Bad Bad Bad
Thanx Don... I will check
Re: Plished? Hijacked? Bad Bad Bad
As we have said in another thread regarding your problems:
PLEASE update to Serendipity 1.5.5! and find out how they did it!
First, shut down your blog and have a very deep look concerning changed files, uploaded files like *.php.png, etc. There are different places which could have been compromised, even the database with having a new entry. (I know of /uploads, maybe /templates_c, /templates/yourtemplate, /htmlarea and so on.) But this is Serendipity only. Is there any kind of other software running in the same web / same server, like malicious JavaScripts etc.???
The compromised link shows all these entries inside the html nugget plugin. I can't say how they did it from here.
Invite Don to take away the porn material first, maybe he'll help you cleaning up.
If you can say you are clean now, do the upgrade to Serendipity 1.5.5.
Then check your template's index file for example, which has a lot of table stuff inside the html head section, which is no good!
There will be more, I presume.
If this is all too much, you should get help of a real person!
Ian
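One way to do the file-side check Ian describes (changed files, uploaded files like *.php.png, the /uploads and /templates_c directories), as an added example that is not from the thread and not Serendipity's own code: it compares the server copy against a freshly unpacked release of the same version and lists modified, extra and suspiciously named files. The directory layout and the two demo trees are constructed for the example; point triage_tree at your real release and server trees instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Serendipity project.
# Compare a deployed Serendipity tree against a freshly unpacked release
# of the same version and report what a hand-written "integrity check"
# should catch: files whose content changed, files that only exist on
# the server, and names that hide PHP behind another extension.
# All paths below are assumptions; the demo trees are constructed here.
export LC_ALL=C   # byte-order sorting, so sort and join agree

# Print "relative/path checksum" for every regular file under $1.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "${f#./}" "$(cksum < "$f" | cut -d' ' -f1)"
    done )
}

# triage_tree FRESH DEPLOYED
#   MODIFIED path   same path in both trees, different content
#   EXTRA    path   present only on the server (uploads, templates_c, ...)
#   SUSPECT  path   name matches *.php.* or a similar double extension
# Paths containing spaces are not handled (join and awk split on blanks).
triage_tree() {
    work=$(mktemp -d)
    hash_tree "$1" > "$work/fresh"
    hash_tree "$2" > "$work/deployed"
    join "$work/fresh" "$work/deployed" | awk '$2 != $3 { print "MODIFIED " $1 }'
    join -v 2 "$work/fresh" "$work/deployed" | awk '{ print "EXTRA " $1 }'
    awk '{ print $1 }' "$work/deployed" \
        | grep -E '\.(php|phtml|php[0-9])\.[^/]*$' | sed 's/^/SUSPECT /' || true
    rm -rf "$work"
}

# Files under $1 changed within the last $2 days: release checksums know
# nothing about uploads/ or templates_c/, so the date is the only hint there.
recently_changed() {
    find "$1" -type f -mtime "-$2"
}

# Constructed demo: a minimal "release" and a "server" copy with the kind
# of changes discussed in the thread (an altered ExtendedFileManager
# manager.php and a PHP file dressed up as a PNG in uploads/).
make_demo() {
    root=$(mktemp -d)
    for t in fresh deployed; do
        mkdir -p "$root/$t/htmlarea/plugins/ExtendedFileManager" "$root/$t/templates/default"
        printf '<?php include "serendipity_config.inc.php";\n' > "$root/$t/index.php"
        printf '<?php /* file manager */\n' > "$root/$t/htmlarea/plugins/ExtendedFileManager/manager.php"
        printf '{$ENTRIES}\n' > "$root/$t/templates/default/index.tpl"
    done
    printf '/* injected: constructed for the demo */\n' >> "$root/deployed/htmlarea/plugins/ExtendedFileManager/manager.php"
    mkdir -p "$root/deployed/uploads"
    printf '<?php /* disguised script, constructed for the demo */\n' > "$root/deployed/uploads/cat.php.png"
    printf 'not really a jpeg\n' > "$root/deployed/uploads/holiday.jpg"
    printf '%s\n' "$root"
}

demo=$(make_demo)
triage_tree "$demo/fresh" "$demo/deployed"
rm -rf "$demo"
```

EXTRA lines are not automatically bad (your own uploads land there too), but every one of them is a file the release does not account for, so each needs a human decision; a SUSPECT hit or a MODIFIED core file is something to restore from the release zip, not to patch by hand.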
Re: Plished? Hijacked? Bad Bad Bad
I think I know the HOW of it.
I use a 3rd party FTP program, so when I moved to the far more complicated DEDICATED server in November I did not bother with the FTP app there as I assumed it was turned off by default. A week or so ago when I began noticing this problem I checked it out to realize default was open to just about everything. I shut it off and then re-adjusted MY FTP CHMODs. Most of which in public is WRITE OFF EXECUTE ON. So I THINK I found how they entered? It is getting rid of what is already there that is my primary issue. I have looked in the areas you mention and cannot find anything, but then I don't know what to look for.
Is there a specific name for what this is. Is this called MAN IN THE MIDDLE HIJACKING?
If I do the install of the new version, and then try that horrible link, if the new version fixed it will it be gone. Or is there sort of residual effect...
Both of us ADMINISTRATORS changed our passwords. Everyone else registered is standard editor, there are about 250. Do I need to worry about that?
One thing I noticed about that the other day, even if I MANAGE USERS and uncheck all the boxes in the overall STANDARD EDITOR page, when I look at their PERSONAL page a lot of them are checked anyway. Like Publish, which doesn't work for them though. All I want registered to do is comment and nothing else.
With new security code uploaded with my counter (StatCounter) I see no NEW instances of this problem, there were 3 different URLs involved. SO what do they do, they VIEW SOURCE, copy it a
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: I have looked in the areas you mention and cannot find anything, but then I don't know what to look for.
Well, everything you did not put there, everything which isn't in a Serendipity release zip file and/or has different or unusual dates.
rj wrote: If I do the install of the new version, and then try that horrible link, if the new version fixed it will it be gone. Or is there sort of residual effect...
Is that a question? Please read next.
rj wrote: Both of us ADMINISTRATORS changed our passwords. Everyone else registered is standard editor, there are about 250. Do I need to worry about that?
I would say: YES! You can't say what they have changed! Caution is the mother of wisdom! In your case I even would check every single entry in the database.
rj wrote: One thing I noticed about that the other day, even if I MANAGE USERS and uncheck all the boxes in the overall STANDARD EDITOR page, when I look at their PERSONAL page a lot of them are checked anyway. Like Publish, which doesn't work for them though. All I want registered to do is comment and nothing else.
AFAIK, you don't need registered users to post comments. Or did you mean POSTS?
rj wrote: With new security code uploaded with my counter (StatCounter) I see no NEW instances of this problem, there were 3 different URLs involved. SO what do they do, they VIEW SOURCE, copy it a
Hmm, my magic ball can't tell me what you wanted to say here....
Anyhow you still need to upgrade to S9y 1.5.5. Read the Announcement for this release, else you still remain vulnerable.
Ian
Re: Plished? Hijacked? Bad Bad Bad
I am running 1.5.1.
Preparing to upgrade I did INTEGRITY CHECK and got this:
Verify Installation Integrity
* htmlarea/plugins/ExtendedFileManager/manager.php corrupt or modified: failed verification
* htmlarea/plugins/ExtendedFileManager/demo_images/linux/linux.gif corrupt or modified: failed verification
* htmlarea/plugins/ExtendedFileManager/demo_images/bikerpeep.jpg corrupt or modified: failed verification
* htmlarea/plugins/ExtendedFileManager/demo_images/wesnoth078.jpg corrupt or modified: failed verification
Oh and I don't see the UPGRADE link in ADMIN like it says I should.
Is this the issue you think? Where the shit sits?
Problem is the date is yesterday and this problem looks from their VIEW PAGE to have begun Jan 1, not Jan 31.
Can the upgrade proceed with this problem?
Should I delete something there and upload the copy from my HD first?
The entire HTMLAREA folder or just the plugin folder?
What should I do first?
Thanx! RJ
Really thanx, I really need some help and direction here. I am no A student on this but I have learned over time from Don and Garvin and I think of myself as C+, maybe even a B-!
We are progressing, only 46 hours to go before Adsense shuts me down
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: Is this the issue you think? Where the shit sits?
Yeah, at least some of them (remember your FTP wide wide open thing)!!!
Did you ever read http://blog.s9y.org/archives/224-Import ... eased.html with all comments and all the other threads concerning upgrades while being compromised?
The best in my opinion is to clean everything before doing a fresh copy install.
Keep your controlled! theme, the serendipity_config_local.inc.php and all the /upload/files if they belong to you... keep controlled! additional plugins also. Don't blame me if I forgot something, it's your head which decides.
Afterwards you still have to go through all the entries in your database carefully. I still think there might be something in there.
What do you mean with upload the copy from my HD first? Hopefully an unchanged nice and fresh copy of S9y1.5.5.zip
rj wrote: We are progressing, only 46 hours to go before Adsense shuts me down
I don't know anything about these AdSense things, but I think if you do as advised, this could be solved.
Ian
Re: Plished? Hijacked? Bad Bad Bad
OH NO! 6,546 entries!
When I look at one of the entries that has been corrupted I can find nothing in there at all suspicious. Though it is an EMBED video from The Onion which is a safe and respected website.
Or wouldn't I see anything there no matter? Or do you mean going over each of the 6546 articles INSIDE the DB... Ouuu, this is the stuff of nightmares!
I also have edited index.tpl, entries.tpl, serendipity findmore, and of course style css. I put them all in safe keeping just in case, but I assume all but findmore are in my specific template and are not overwritten anyway...
When you say clean up, not sure what you mean. But the root where serendipity resides is full of my crap and I should move it somewhere else I suppose...
thanx again
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: OH NO! 6,546 entries!
When I look at one of the entries that has been corrupted I can find nothing in there at all suspicious. Though it is an EMBED video from The Onion which is a safe and respected website.
Or wouldn't I see anything there no matter? Or do you mean going over each of the 6546 articles INSIDE the DB... Ouuu, this is the stuff of nightmares!
Taking a look at the suspicious one first was a very good idea; now you could eventually decide to stop looking at all the others.
If you are using serendipity_event_entryproperties there might be a cache copy in the XXX_entryproperties table. Control this one also.
(If all the stuff we are doing here doesn't help with google, you could decide to delete this specific entry!)
rj wrote: I also have edited index.tpl, entries.tpl, serendipity findmore, and of course style css. I put them all in safe keeping just in case, but I assume all but findmore are in my specific template and are not overwritten anyway...
If your own template isn't harmed by any hacker it's ok to keep it, you will need it again!
rj wrote: When you say clean up, not sure what you mean. But the root where serendipity resides is full of my crap and I should move it somewhere else I suppose...
Clean means ERASE everything unneeded and being overridden by a fresh install normally, yes!
This crap you're talking about is what makes me feel very unwell... are you sure it's all yours?
Are you sure you haven't got some more vulnerables underneath? What is it doing there...? a.s.o.
Ian
Re: Plished? Hijacked? Bad Bad Bad
Oh it's my stuff alright, just graphics and downloads and stuff that should be in my graphics, logo and video folders that built up over time... I moved 100 of such things on my HD to a safe place and then deleted them on the server and didn't lose anything on the blog, so it was just lazy crap I never moved.
I noticed in FTP that my templates_c folder was public read, write, execute checked. Should I turn off WRITE when I'm done?
So now I am all ready to go. Have the 1.5.5 sitting in the root on my HD, with the old config local inc file. But there is no UPGRADER thing that the directions say should be there in my admin screen.
So should I wait around and get some help finding that? Or just upload the files to the server as is?
Thanx
RJ
I deleted one of the articles that was corrupted by this and it made no difference, crap still in the article when I refresh. Title "In case you missed the Toshiba Ball Drop"
I assume when I deleted it, it was deleted from the DB. So does this mean the problem is not in the DB? Fingers crossed hopefully
http://angelicreikiamerica.com/question ... o-hombres/
When I look at the page view of that mess of my blog, it seems the third line there is the troublemaker
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<base href="http://rackjite.com/" />
<title>'Revistas mexicanas para hombres | videos de hombres sin ropa' | 'hombres follados por su mujer'</title>
<meta name="description" content="Revistas mexicanas para hombres. videos de hombres masturbandose, significado de los aretes en los hombres, hombres calientes, fotomujeres maltratada por hombres, videos hombres velludos, hombres con pollas grandes videos, fotos de artistas hombres desnudos, mujeres y hombres masturbandose gratis, imagenes de hombres desnudos, fotos de artistas hombres desnudos." />
<meta name="keywords" content="fotos hombres viejos desnudos, fotos hombres en lenceria de mujer, fotos de hombres desnudo, hombres cojiendo animales, hombres famosos sin ropa interior" />
<meta name="verify-v1" content="MSQR+3wA2Gf4zkIksxDuDX73D1cVzmXo/mPJLYHcrk4=" />
<meta name="verify-v1" content="AS6hoegh623pXRv1zfaVzd/gGYGeKJ25D+kp7tSiJUY=" />
<meta name="y_key" content="3f96edc183ccb42e" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="robots" content="all" />
<meta name="Powered-By" content="Serendipity v.1.5.1" />
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: I noticed in FTP that my templates_c folder was public read, write, execute checked. Should I turn off WRITE when I'm done?
No, you (Smarty) need(s) it with perms 775 or even 777!
Last edited by Timbalu on Tue Feb 01, 2011 8:03 pm, edited 1 time in total.
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: So now I am all ready to go. Have the 1.5.5 sitting in the root on my HD, with the old config local inc file. But there is no UPGRADER thing that the directions say should be there in my admin screen.
So should I wait around and get some help finding that? Or just upload the files to the server as is?
Just upload as is!
You didn't forget to have your template folder in templates?
775 or 777 on serendipity_config_local.inc.php and .htaccess also? OK, then you go!
If its done and you open your blog you get the upgrade screen.
Ian
Re: Plished? Hijacked? Bad Bad Bad
rj wrote: <title>'Revistas mexicanas para hombres | videos de hombres sin ropa' | 'hombres follados por su mujer'</title>
<meta name="description" content="Revistas mexicanas para hombres. videos de hombres masturbandose, significado de los aretes en los hombres, hombres calientes, fotomujeres maltratada por hombres, videos hombres velludos, hombres con pollas grandes videos, fotos de artistas hombres desnudos, mujeres y hombres masturbandose gratis, imagenes de hombres desnudos, fotos de artistas hombres desnudos." />
<meta name="keywords" content="fotos hombres viejos desnudos, fotos hombres en lenceria de mujer, fotos de hombres desnudo, hombres cojiendo animales, hombres famosos sin ropa interior" />
<meta name="verify-v1" content="MSQR+3wA2Gf4zkIksxDuDX73D1cVzmXo/mPJLYHcrk4=" />
<meta name="verify-v1" content="AS6hoegh623pXRv1zfaVzd/gGYGeKJ25D+kp7tSiJUY=" />
<meta name="y_key" content="3f96edc183ccb42e" />
Yes, this is one of the reasons I still think they manipulated the database entries. These specific entries look like they could have accessed the metakey/description plugin for this and possibly other entries. You should check this.
There is still another funny sort of code further below, right before the </head> tag. These table stuff things should not be there.
Ian
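Ian's point here, and in his earlier reply about the entryproperties cache table, is that the junk can live in the database rather than in any file, which is why deleting the visible article changed nothing. The following is an added example, not from the thread and not Serendipity's own code, of going through a database dump written one row per INSERT (mysqldump --skip-extended-insert) and flagging rows in the entries, entryproperties, config and comments tables that carry injected markup or the spam vocabulary from the hijacked page. The table names are Serendipity's; the column layout of the constructed demo rows and the pattern list are assumptions to adapt to your own dump.

```shell
#!/bin/sh
# Added example, not code from the thread or from Serendipity itself.
# The DB side of the cleanup: take a dump written one row per INSERT
# (mysqldump --skip-extended-insert) and flag rows of the entry table,
# the entryproperties cache, the config table and the comments table
# whose text carries typical injected markup or the spam vocabulary
# seen on the hijacked page. Table names are Serendipity's; the column
# layout of the constructed demo rows is an assumption, and the pattern
# list is a starting point to extend with words from your own pages.

SUSPECT_RE='<base[[:space:]]|<iframe|<script|display:[[:space:]]*none|eval\(|base64_decode|verify-v1|y_key|hombres'

# scan_dump DUMPFILE -> "table first_column matched_pattern" per suspicious row
scan_dump() {
    grep -E '^INSERT INTO `?serendipity_(entries|entryproperties|config|comments)`? ' "$1" \
    | while IFS= read -r row; do
        # first pattern that matches anywhere in the row, case-insensitive
        hit=$(printf '%s\n' "$row" | grep -o -i -E "$SUSPECT_RE" | head -n 1)
        [ -n "$hit" ] || continue
        # table name and first column (entry id, comment id, or config name)
        key=$(printf '%s\n' "$row" | sed -E 's/^INSERT INTO `?([a-z_]+)`? VALUES \(([^,]*),.*/\1 \2/')
        printf '%s %s\n' "$key" "$hit"
    done
}

# Constructed demo dump. Row 101 is an entry that looks clean when you
# open it in the editor (a plain video embed); its cached copy in
# entryproperties and a metakey row are where the junk sits, plus an
# html nugget in config and a comment with a script tag.
write_demo_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
INSERT INTO `serendipity_entries` VALUES (101,'In case you missed the Toshiba Ball Drop','<object><embed src="http://www.theonion.com/video/x"></embed></object>',1);
INSERT INTO `serendipity_entries` VALUES (102,'Reiki weekend','Plain text about the retreat.',1);
INSERT INTO `serendipity_entryproperties` VALUES (101,'ep_cache_body','<div style="display:none"><a href="http://example.invalid/">revistas</a></div>');
INSERT INTO `serendipity_entryproperties` VALUES (102,'ep_metakey','revistas mexicanas para hombres');
INSERT INTO `serendipity_config` VALUES ('html_nugget_content','<meta name="verify-v1" content="AAAA" />',0);
INSERT INTO `serendipity_comments` VALUES (7,101,'nice <script>alert(1)</script>');
EOF
    printf '%s\n' "$f"
}

dump=$(write_demo_dump)
scan_dump "$dump"
rm -f "$dump"
```

The entries row for 101 is not reported, only its entryproperties cache row is, which matches what RJ saw: the article itself looks fine, the rendered page does not. Run it against a fresh dump after every cleanup pass until it prints nothing, and treat any verify-v1 or y_key string you did not add yourself as someone else's site-ownership claim that has to go along with the spam.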