Paul - Aditerum Ltd and AllSortsOfStuff Ltd
NOF11 (in Admin mode!); Vista Premium 64bit; AMD Phenom IIx4 945 Processor 3.00Ghz; 8.0Gb RAM
Wouldn't it be great if there was only a single browser to worry about!!!
Why dontcha list 'em here so that at least this group can (hopefully) have peace of mind
Only the Blue Roads
In news:RayC.49mx3z@no-mx.forums.netobjects.com,
RayC <RayC.49mx3z@no-mx.forums.netobjects.com> typed:
> OK. I just had another look at the hacked INDEX file, and
> the links are all -external - links to other sites,
> pointing to a similar /subfolder/file1234.PHP. So it would
> appear several other sites have been similarly hacked, and
> cross-linked.
>
> Do I have an obligation to the other site owners to let
> them know they may have been hacked?
>
> Or do I do a New York: Get out of the line of fire, keep my
> head down, and mind my own business?
>
> What's the Netizen Code of Conduct for something like this?
>
> P.S. Thanks for the tip on keepass, Mike. I'll check it out.
>
> -RayC
It's never happened to me so I'm not sure what I'd do. I know I
wouldn't visit the sites because there's no way to tell what
other malware might be roaming around, waiting for you in
addition to the infection you have.
Every website is supposed to have a webmaster@... or abuse@...
address, so I guess I might send a notice, from a THROW-AWAY
account, to their "webmaster@..." addresses.
Another thing: some of those sites might be the
spammers/criminals too; you never know for sure. Just because
names are the same doesn't mean the code is.
I think I'd appreciate a heads-up if I were one of them, so
I guess I'd notify thru their webmaster@... addresses since
you have all the domain names there, but don't use anything
that gives away your "good" e-mail address.
Final thoughts: It's unusual that a spammer is dumb enough to
leave addresses in the clear like that, even if it is in PHP
language. The addresses could easily be hidden server-side
using PHP, so I have to wonder whether that's on purpose or
just stupidity. But I might just be too paranoid now.
Also be careful you don't identify your real address by munging
it from the whole list of addresses; it'd be easy to tell who
you were if someone had the original spam and noticed it was
one address short. I'd guess it's either some sort of joe-job
or maybe a zombie build going on; hard to say.
Keep an eye on your own machine for a while. Wouldn't hurt
to run updated AV and malware scans just in case.
HTH,
Twayne
Ray, I use CoffeeCup Form Builder. It's easy to use and I have no problems with being hacked. One of my sites was being badly hit last year thru the NOF guest book, so I made a mock guest book using the CoffeeCup Form Builder. It worked a treat, no more spam (you can use SQL etc.).
Mike C
The more I look at this, the creepier it gets. I did a Google search using one of the .PHP file names that are in the hacker folder, and I find all kinds of links back to the client site. For example, this one:
http://www.askkids.com/resource/Bueno-Beef.html
The link second from the bottom links back to the client site, amonavi.com. (Although the links should all now be broken because I've renamed the folder.)
I guess on the plus side, with all of the links to the site, the Google rank may go up in the short term. But it could also ultimately be penalized, which is my concern. Also, I doubt they want to come up in searches for chopped beef or toe amputations.
I'm looking into Google's process for de-indexing pages, hoping that will stave off repercussions.
I bravely (or foolishly) went to a couple of root URLs from the embedded links. For example, if the link was:
www.myhackedsite.com/folder/1234.php,
I went to:
www.myhackedsite.com.
A couple were parked domains, or webhosts holding expired domains, and a couple seemed like actual sites. Most are from the Netherlands, so it's difficult to understand the sites.
I'm planning on implementing Tectite's Form Mailer, which looks fairly comprehensive and easy to set up.
And I just stripped out the URLs from the code to make a list: there are 196 links! I'll post the list online for d/l if anyone is interested.
Thanks, all, for the tips and advice.
-RayC
Edit: Here is the complete list: http://soundsinsync.ca/HackerNews/HackerURLs.txt
Last edited by RayC; 04-20-2010 at 01:09 AM. Reason: URL List posted
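RayC's "strip out the URLs from the code to make a list" step and Twayne's suggestion of notifying each site's webmaster@/abuse@ address can be done without visiting any of the linked sites. The script below is an added example in Python (not code from the thread or from NetObjects Fusion); the HTML is a constructed stand-in for the injected index page, the `.invalid` hostnames are placeholders, and the contact-address rule (drop a leading `www.`) is an assumption that is good enough for a first list but not a substitute for a WHOIS lookup.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for the injected index file (not the real hacked page):
# a hidden block of spam links pointing at /subfolder/file1234.php-style pages
# on other hosts, mixed with the site's own legitimate links.
SAMPLE_INDEX = """<html><body>
<p>Welcome to the client site.</p>
<a href="/about.html">About us</a>
<a href="http://www.amonavi.com/contact.html">Contact</a>
<div style="display:none">
<a href="http://www.example-a.invalid/subfolder/file1234.php">chopped beef</a>
<a href="http://www.example-b.invalid/folder/5678.php">toe amputation</a>
<a href='http://www.example-a.invalid/subfolder/file9999.php'>cheap pills</a>
<a href="https://example-c.invalid/x/1.php">more spam</a>
</div>
</body></html>
"""

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def bare_host(host):
    """Lower-case a hostname and drop a leading 'www.' so that
    www.example.invalid and example.invalid count as the same site."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def extract_external_links(html, own_host):
    """Return (host, url) for every absolute http(s) link whose host is not
    the site's own. Relative links and self-links are skipped."""
    own = bare_host(own_host)
    links = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url.strip())
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            continue
        if bare_host(parsed.netloc) == own:
            continue
        links.append((parsed.netloc.lower(), url.strip()))
    return links


def unique_urls(links):
    """Sorted, de-duplicated list of the injected URLs (the list to post/share)."""
    return sorted({url for _, url in links})


def hosts_by_link_count(links):
    """How many injected links point at each host; the hubs stand out."""
    return Counter(host for host, _ in links)


def notification_addresses(links):
    """Generic webmaster@/abuse@ contacts for each distinct host. Assumption:
    stripping 'www.' is enough here; for real notifications check WHOIS."""
    domains = sorted({bare_host(host) for host, _ in links})
    return [f"{box}@{domain}" for domain in domains for box in ("webmaster", "abuse")]


if __name__ == "__main__":
    links = extract_external_links(SAMPLE_INDEX, "amonavi.com")
    print(f"{len(unique_urls(links))} injected links to {len(hosts_by_link_count(links))} hosts")
    for host, n in hosts_by_link_count(links).most_common():
        print(f"{n:4d}  {host}")
    print("\n".join(notification_addresses(links)))
```

Run it against a copy of the hacked file (read the file into the `html` argument instead of the constructed sample) and it yields the de-duplicated link list, a per-host count, and the contact addresses, all without fetching a single one of the linked pages. Sending from a throw-away mailbox, as Twayne advises, is still the owner's choice.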
Since you found links to other sites on the server that you don't control I'd say the server itself was hacked and the person you've leased space from needs to secure their server. Sounds like they have not patched their PHP files and have left themselves wide open for hacks. The current stable version that I'm using is PHP 5.2. Look at your phpinfo and see what version your server is running. Then I'd let the Host Provider know that their server is compromised.
I manage my own web servers and this is an area that some hosting providers tend to forget, that is updating their servers to ensure security. They don't upgrade because they don't want to go back and fix sites or let others know that their sites may get broken because of an upgrade that deprecates older tags that may be compromised or are just out of date, as there are newer codes that do the same job but more efficiently.
Thanks, Franklyn.
I just moments ago had an online chat with tech support. They seem to have no real interest in seeing the files or considering anything other than my own missteps as being the cause of the hack. When I asked if the most likely cause was either guessing the FTP login, or some sort of key logging exposure, they said, "Yes, most likely done via FTP or cPanel file manager". Since there was a folder created and files uploaded, I'm not sure if a code injection could accomplish this.
I just ran PHP-Info, and it says they are at PHP Version 5.2.13.
I was at my "other" job, which has a network prone to virii due to a bunch of knuckle-heads who use the computer for all manner of surfing. I erased all browser stored passwords in FireFox and deleted all of the accounts I'd set up in FireFTP.
I've spent some time surfing the "dark side" looking at all sorts of (mis) information about code-injection, trojans, drive-bys, and I-Frame Injection (!), etc. I doubt I'll ever truly figure it out, and am just spinning my wheels trying to do so. So it's just, clean up, be more careful, and move on.
Although I did come across this for Paul:
http://www.whatsonxiamen.com/news_images/99341.jpg
-RayC
The most typical point of entry is via FTP. Your host could have one of their root FTP accounts compromised. If they use "off shore" email or phone support, this means that they have root-level FTP credentials floating around all over the place. The more FTP accounts, the more likely one of them can become compromised. This is why I suggested that you check the FTP logs as soon as you notice the breach. It will show you which FTP account did the uploading. If it is your host, you had better do some loud shouting. FTP compromise is just as true for you. You "should" have only one FTP account and you should rotate the password regularly. If you find that you have more than one account, delete all except one to reduce your chance of compromise. I have seen users who have had their personal computers infected by keystroke trojans that capture and transmit usernames/passwords. You should use up-to-date virus/trojan software and scan on a regular basis. If you find you have an infection you need to change every username/password on every login you have, ESPECIALLY financial ones.
The second most common is unsecured anonymous uploads from forms. If a form uploads content above root (http accessible folder) anyone can upload a hack package then using their web browser go to the folder, unpack the package and have full access to the domain. I always try to discourage people from allowing uploads from forms unless the upload is below root (not http accessible).
SQL injection is a direct defacing where a site has unsecured inline coding and a bot can append more commands to the url to upload database content directly from a URL injection. There are fixes to all of these but it requires the owner of the domain to know what to do to fix the coding.
NetObjects Fusion Cloud Linux enabled Web Hosting, support + training starts at $14.95
NetObjects Fusion web Hosting and support + ASP + PHP + ColdFusion + MySQL + MS SQL
FREE NetObjects Fusion Support & training comes with all web hosting accounts
NetObjects Fusion Web Hosting: http://www.gotHosting.biz
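Franklyn's advice to check the FTP logs for which account did the uploading is concrete enough to script. The following is an added example in Python, not code from the thread or from any host's control panel; it parses the standard `xferlog` format that ProFTPD, vsftpd and wu-ftpd write (field order as documented for that format), and the log excerpt is constructed: `198.51.100.20` plays the owner's usual address, `203.0.113.7` an unfamiliar one, and the paths are placeholders.

```python
from collections import Counter
from datetime import datetime

# Constructed xferlog excerpt (not a real log). Standard xferlog fields:
#   date(5 tokens) transfer-time remote-host file-size filename transfer-type
#   special-action direction access-mode username service auth-method
#   auth-uid completion-status
# direction: 'i' = upload (incoming to the server), 'o' = download.
SAMPLE_XFERLOG = """\
Mon Apr 19 22:41:02 2010 0 198.51.100.20 812 /home/client/public_html/index.html b _ o r clientftp ftp 0 * c
Tue Apr 20 01:02:11 2010 1 203.0.113.7 4521 /home/client/public_html/subfolder/file1234.php b _ i r clientftp ftp 0 * c
Tue Apr 20 01:02:12 2010 1 203.0.113.7 4533 /home/client/public_html/subfolder/file5678.php b _ i r clientftp ftp 0 * c
Tue Apr 20 01:02:13 2010 2 203.0.113.7 2101 /home/client/public_html/index.html b _ i r clientftp ftp 0 * c
Tue Apr 20 09:15:40 2010 1 198.51.100.20 3300 /home/client/public_html/about.html b _ i r clientftp ftp 0 * c
"""

FIELDS = ("transfer_time", "remote_host", "file_size", "filename", "transfer_type",
          "special_action", "direction", "access_mode", "username", "service",
          "auth_method", "auth_uid", "completion")


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict, or return None for a malformed line.
    xferlog writers replace spaces inside filenames with '_', so splitting on
    whitespace is safe."""
    tokens = line.split()
    if len(tokens) != 5 + len(FIELDS):
        return None
    try:
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    record = dict(zip(FIELDS, tokens[5:]))
    record["when"] = when
    record["file_size"] = int(record["file_size"])
    return record


def parse_xferlog(text):
    """All well-formed records in the log text, in file order."""
    return [r for r in (parse_xferlog_line(l) for l in text.splitlines()) if r]


def uploads(records, under=None):
    """Completed uploads ('i'), optionally restricted to a path prefix
    such as the hacker folder."""
    return [r for r in records
            if r["direction"] == "i" and r["completion"] == "c"
            and (under is None or r["filename"].startswith(under))]


def sources(records):
    """Which (account, remote address) pairs made these transfers, and how often.
    The account is usually the owner's own; the address is what gives it away."""
    return Counter((r["username"], r["remote_host"]) for r in records)


def files_uploaded_from(records, remote_host):
    """Everything the suspect address uploaded, in time order, so files outside
    the hacker folder that were overwritten in the same session are not missed."""
    return [r["filename"] for r in sorted(uploads(records), key=lambda r: r["when"])
            if r["remote_host"] == remote_host]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    suspect = uploads(recs, "/home/client/public_html/subfolder/")
    for (user, host), n in sources(suspect).items():
        print(f"{n} upload(s) into the hacker folder by account {user!r} from {host}")
        for path in files_uploaded_from(recs, host):
            print("   ", path)
```

On the constructed log the hacker folder was filled by the owner's own `clientftp` account from the unfamiliar address, which is the stolen-credential picture Franklyn describes, and the same session also overwrote `index.html`, which is why the listing widens from the folder to everything that address uploaded. Point `parse_xferlog` at the real log your host provides (or request it if they will not show it) and change the prefix to the folder you renamed.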
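The SQL injection case in the same post, "unsecured inline coding" where a value appended to the URL becomes part of the query, and the fix the owner needs to apply, side by side. This is an added example in Python with an in-memory SQLite table (not code from the thread; the forum's sites would be PHP, but the inline-versus-bound distinction is the same in every language), and the table contents are constructed.

```python
import sqlite3


def make_demo_db():
    """In-memory table standing in for a site's content database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO posts (title, published) VALUES (?, ?)",
                     [("Welcome", 1), ("Draft: next year's pricing", 0), ("Contact us", 1)])
    return conn


def vulnerable_lookup(conn, post_id):
    """The 'unsecured inline coding' pattern: the query-string value (?id=...)
    is pasted straight into the SQL text, so whatever is appended to the URL
    becomes part of the query and can change what it returns."""
    sql = "SELECT title FROM posts WHERE published = 1 AND id = " + post_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, post_id):
    """The fix: validate the value's shape, then bind it as a parameter. The
    driver sends it as data, never as SQL, so appended text cannot alter the
    query's meaning; it simply fails the integer check and returns nothing."""
    if not post_id.isdigit():
        return []  # reject anything that is not a plain integer id
    sql = "SELECT title FROM posts WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(post_id),))]


if __name__ == "__main__":
    conn = make_demo_db()
    for value in ("1", "1 OR 1=1"):
        print(f"id={value!r}: inline={vulnerable_lookup(conn, value)} "
              f"bound={safe_lookup(conn, value)}")
```

With a normal `id=1` both functions return the same row. With a tampered value the inline version's `WHERE published = 1 AND id = 1 OR 1=1` matches every row, unpublished draft included, while the bound version returns nothing. The validation step is a belt-and-braces addition; the parameter binding alone is what removes the injection.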