
Thread: Have I Been Hacked?

  1. #21
    Adendum (Senior Member; joined Apr 2010; London (UK) & Granada (Spain); 926 posts)

    Quote Originally Posted by RayC:
    > Do I have an obligation to the other site owners to let them know they may have been hacked?

    Probably not....but if any of my sites were in that lot I think I'd appreciate an email. It would scare the sh1t out of me but I'd rather know than not.
    Paul - Aditerum Ltd and AllSortsOfStuff Ltd
    NOF11 (in Admin mode!); Vista Premium 64bit; AMD Phenom IIx4 945 Processor 3.00Ghz; 8.0Gb RAM
    Wouldn't it be great if there was only a single browser to worry about!!!

  2. #22
    Andy Hoyt (Senior Member; joined Apr 2010; Maine; 134 posts)

    Why dontcha list 'em here so that at least this group can (hopefully) have peace of mind.
    Only the Blue Roads

  3. #23
    Twayne (Guest)

    Re: Have I Been Hacked?

    In news:RayC.49mx3z@no-mx.forums.netobjects.com,
    RayC <RayC.49mx3z@no-mx.forums.netobjects.com> typed:
    > OK. I just had another look at the hacked INDEX file, and
    > the links are all -external - links to other sites,
    > pointing to a similar /subfolder/file1234.PHP. So it would
    > appear several other sites have been similarly hacked, and
    > cross-linked.
    >
    > Do I have an obligation to the other site owners to let
    > them know they may have been hacked?
    >
    > Or do I do a New York: Get out of the line of fire, keep my
    > head down, and mind my own business?
    >
    > What's the Netizen Code of Conduct for something like this?
    >
    > P.S. Thanks for the tip on keepass, Mike. I'll check it out.
    >
    > -RayC


    It's never happened to me so I'm not sure what I'd do. I know I
    wouldn't visit the sites because there's no way to tell what
    other malware might be roaming around, waiting for you in
    addition to the infection you have.

    Every website is supposed to have a webmaster@... or abuse@...
    address, so I guess I might send a notice, from a THROW-AWAY
    account, to their "webmaster@..." addresses.
    Another thing; some of those sites might be the
    spammers/criminals too, you never know for sure. Just because
    names are the same doesn't mean the code is.
    I think I'd appreciate a heads-up if I were one of them, so
    I guess I'd notify thru their webmaster@... addresses since
    you have all the domain names there, but don't use anything
    that gives away your "good" e-mail address.

    Final thoughts: It's unusual that a spammer is dumb enough to
    leave addresses in the clear like that, even if it is in PHP
    language. The addresses could easily be hidden server-side
    using PHP, so I have to wonder whether that's on purpose or
    just stupidity. But I might just be too paranoid now.

    Also be careful you don't identify your real address by munging
    it from the whole list of addresses; it'd be easy to tell who
    you were if someone had the original spam and noticed it was
    one address short. I'd guess it's either some sort of joe-job
    or maybe a zombie build going on; hard to say.
    Keep an eye on your own machine for a while. Wouldn't hurt
    to run updated AV and malware scans just in case.

    HTH,

    Twayne

  4. #24

    Ray, I use CoffeeCup Form Builder; it's easy to use and I have no problems with being hacked. One of my sites was being badly hit last year thru the NOF guest book, so I made a mock guest book using the CoffeeCup Form Builder. It worked a treat: no more spam (you can use SQL etc.).

    Mike C

  5. #25
    RayC (Senior Member; joined Apr 2010; Toronto-ish, Canada; 1,732 posts)

    The more I look at this, the creepier it gets. I did a Google search using one of the .PHP file names that are in the hacker folder, and I find all kinds of links back to the client site. For example, this one:

    http://www.askkids.com/resource/Bueno-Beef.html

    The link second from the bottom links back to the client site, amonavi.com. (Although the links should all now be broken because I've renamed the folder.)

    I guess on the plus side, with all of the links to the site, the Google rank may go up in the short term. But it could also ultimately be penalized, which is my concern. Also, I doubt they want to come up in searches for chopped beef or toe amputations.

    I'm looking into Google's process for de-indexing pages, hoping that will stave off repercussions.

    I bravely (or foolishly) went to a couple of root URLs from the embedded links. For example, if the link was:
    www.myhackedsite.com/folder/1234.php,
    I went to:
    www.myhackedsite.com.

    A couple were parked domains, or webhosts holding expired domains, and a couple seemed like actual sites. Most are from the Netherlands, so it's difficult to understand the sites.

    I'm planning on implementing Tectite's Form Mailer, which looks fairly comprehensive and easy to set up.

    And I just stripped out the URLs from the code to make a list: there are 196 links! I'll post the list online for d/l if anyone is interested.

    Thanks, all, for the tips and advice.

    -RayC

    Edit: Here is the complete list: http://soundsinsync.ca/HackerNews/HackerURLs.txt
    Last edited by RayC; 04-20-2010 at 01:09 AM. Reason: URL List posted
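An added example, not code from RayC's post or anyone else in the thread: a small Python script that does what RayC describes by hand, pulling every link out of a tampered index file, separating external links from the site's own, noting which ones sit inside a hidden container (the usual home of injected SEO spam), and grouping the external ones by host and by path shape so a cluster like /subfolder/NNNN.php stands out. The HTML, the spam hostnames and the "own site" name are constructed placeholders, not the thread's real list.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a tampered index page (not the thread's real file):
# an ordinary page with a block of hidden spam links appended to it.
SAMPLE_INDEX = """<html><body>
<h1>Welcome</h1>
<a href="/about.html">About us</a>
<a href="http://www.example.com/contact.html">Contact</a>
<div style="display:none">
<a href="http://spam-a.example.net/zx9/1234.php">cheap beef</a>
<a href="http://spam-b.example.org/zx9/5678.php">beef recipes</a>
<a href="http://spam-a.example.net/zx9/9012.php">chopped beef</a>
</div>
</body></html>"""

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base",
             "col", "embed", "source", "wbr"}


class LinkCollector(HTMLParser):
    """Collects (href, hidden) pairs; 'hidden' is true when the <a> or any
    ancestor is styled display:none / visibility:hidden or carries hidden=."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._stack = []  # one bool per open element: is it hidden?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        parent_hidden = bool(self._stack and self._stack[-1])
        hidden = (parent_hidden or "display:none" in style
                  or "visibility:hidden" in style or "hidden" in a)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()


def extract_links(html):
    """All <a href> values in document order, each tagged hidden/visible."""
    p = LinkCollector()
    p.feed(html)
    return p.links


def external_links(html, own_host):
    """Absolute http(s) links whose host is not the site's own host."""
    own = own_host.lower()
    ext = []
    for href, hidden in extract_links(html):
        u = urlparse(href)
        if u.scheme in ("http", "https") and u.netloc and u.netloc.lower() != own:
            ext.append((href, hidden))
    return ext


def path_shape(href):
    """Collapse digit runs so /zx9/1234.php and /zx9/5678.php share one shape."""
    return re.sub(r"\d+", "N", urlparse(href).path.lower())


def triage(html, own_host):
    """Summary a site owner can act on: how many external links, how many
    are hidden, which hosts they point at, and which path patterns recur."""
    ext = external_links(html, own_host)
    return {
        "count": len(ext),
        "hidden": sum(1 for _, hidden in ext if hidden),
        "hosts": Counter(urlparse(h).netloc.lower() for h, _ in ext),
        "shapes": Counter(path_shape(h) for h, _ in ext),
        "urls": sorted(h for h, _ in ext),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_INDEX, "www.example.com")
    print(f"{summary['count']} external links, {summary['hidden']} hidden")
    for host, n in summary["hosts"].most_common():
        print(f"  {n:3d}  {host}")
    for shape, n in summary["shapes"].most_common():
        print(f"  {n:3d}  path shape {shape}")
```

Running it against the real saved copy of the index file (read from disk rather than the constructed string) gives the same per-host list RayC built, and the "hidden" count and the repeated path shape are what distinguish injected link spam from links the site owner placed on purpose.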

  6. #26
    Adendum (Senior Member; joined Apr 2010; London (UK) & Granada (Spain); 926 posts)

    Quote Originally Posted by RayC:
    > .....Most are from the Netherlands, so it's difficult to understand the sites.....Here is the complete list: http://soundsinsync.ca/HackerNews/HackerURLs.txt

    I spent the whole night on this Ray but after site 173 I had to give up. Didn't find a single naked woman.

  7. #27
    Franklyn Halamka (Member; joined Feb 2010; Texas; 97 posts)

    Since you found links to other sites on the server that you don't control I'd say the server itself was hacked and the person you've leased space from needs to secure their server. Sounds like they have not patched their PHP files and have left themselves wide open for hacks. The current stable version that I'm using is PHP 5.2. Look at your phpinfo and see what version your server is running. Then I'd let the Host Provider know that their server is compromised.

    I manage my own web servers and this is an area that some hosting providers tend to forget, that is, updating their servers to ensure security. They don't upgrade because they don't want to go back and fix sites, or let others know that their sites may get broken because of an upgrade that deprecates older tags that may be compromised or are just out of date, as there are newer codes that do the same job but more efficiently.

  8. #28
    RayC (Senior Member; joined Apr 2010; Toronto-ish, Canada; 1,732 posts)

    Thanks, Franklyn.

    I just moments ago had an online chat with tech support. They seem to have no real interest in seeing the files or considering anything other than my own missteps as being the cause of the hack. When I asked if the most likely cause was either guessing the FTP login, or some sort of key logging exposure, they said, "Yes, most likely done via FTP or C-Panel file manager". Since there was a folder created and files uploaded, I'm not sure if a code injection could accomplish this.

    I just ran PHP-Info, and it says they are at PHP Version 5.2.13.

    I was at my "other" job, which has a network prone to virii due to a bunch of knuckle-heads who use the computer for all manner of surfing. I erased all browser stored passwords in FireFox and deleted all of the accounts I'd set up in FireFTP.

    I've spent some time surfing the "dark side" looking at all sorts of (mis) information about code-injection, trojans, drive-bys, and I-Frame Injection (!), etc. I doubt I'll ever truly figure it out, and am just spinning my wheels trying to do so. So it's just, clean up, be more careful, and move on.

    Although I did come across this for Paul:
    http://www.whatsonxiamen.com/news_images/99341.jpg

    -RayC

  9. #29
    gotFusion (Senior Member; joined Jan 2010; www.gotHosting.biz; 4,529 posts)

    Quote Originally Posted by RayC:
    > Thanks, Franklyn.
    >
    > I just moments ago had an online chat with tech support. They seem to have no real interest in seeing the files or considering anything other than my own missteps as being the cause of the hack. When I asked if the most likely cause was either guessing the FTP login, or some sort of key logging exposure, they said, "Yes, most likely done via FTP or C-Panel file manager". Since there was a folder created and files uploaded, I'm not sure if a code injection could accomplish this.
    >
    > -RayC

    The most typical point of entry is via FTP. Your host could have one of their root FTP accounts compromised. If they use "off shore" email or phone support this means that they have root level FTP credentials floating around all over the place. The more FTP accounts, the more likely one of them can become compromised. This is why I suggested that you check the FTP logs as soon as you notice the breach. It will show you which FTP account did the uploading. If it is your host, you had better do some loud shouting. FTP compromise is just as true for you. You "should" have only one FTP account and you should rotate the password regularly. If you find that you have more than one account, delete all except one to reduce your chance of compromise. I have seen users who have had their personal computers infected by key stroke trojans that capture and transmit usernames/passwords. You should use up to date virus/trojan software and scan on a regular basis. If you find you have an infection you need to change every username/password on every log in you have, ESPECIALLY financial ones.

    The second most common is unsecured anonymous uploads from forms. If a form uploads content above root (http accessible folder) anyone can upload a hack package then using their web browser go to the folder, unpack the package and have full access to the domain. I always try to discourage people from allowing uploads from forms unless the upload is below root (not http accessible).

    SQL injection is a direct defacing where a site has unsecured inline coding and a bot can append more commands to the url to upload database content directly from a URL injection. There are fixes to all of these but it requires the owner of the domain to know what to do to fix the coding.
    NetObjects Fusion Cloud Linux enabled Web Hosting, support + training starts at $14.95
    NetObjects Fusion web Hosting and support + ASP + PHP + ColdFusion + MySQL + MS SQL
    FREE NetObjects Fusion Support & training comes with all web hosting accounts
    NetObjects Fusion Web Hosting: http://www.gotHosting.biz
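An added example of the FTP log check gotFusion recommends above; it is not gotFusion's code or the host's tooling. It parses transfer-log lines in the wu-ftpd/ProFTPD "xferlog" format (one line per transfer, commonly found at /var/log/xferlog on a host that runs one of those daemons, which is an assumption about the hosting setup), keeps only completed uploads under the web root, and reports which account put the files there, from which address, and when. A second check lists source addresses that appear only inside the incident window, which is the quickest way to tell the owner's usual connection apart from a stranger using the same credentials. The log lines, account name, paths and IP addresses are all constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines in xferlog format (not real log data). Field order:
# timestamp (5 tokens), transfer-seconds, remote-host, bytes, filename,
# transfer-type, special-flag, direction (i = upload, o = download),
# access-mode, username, service, auth-method, auth-user-id, completion-status.
SAMPLE_XFERLOG = """\
Sun Apr 18 10:41:02 2010 1 198.51.100.7 4096 /home/siteuser/public_html/index.html b _ i r siteuser ftp 0 * c
Mon Apr 19 22:13:05 2010 1 192.0.2.10 8423 /home/siteuser/public_html/index.html b _ i r siteuser ftp 0 * c
Mon Apr 19 22:13:07 2010 1 192.0.2.10 15132 /home/siteuser/public_html/subfolder/file1234.php b _ i r siteuser ftp 0 * c
Mon Apr 19 22:13:08 2010 1 192.0.2.10 15080 /home/siteuser/public_html/subfolder/file5678.php b _ i r siteuser ftp 0 * c
Tue Apr 20 09:02:41 2010 2 198.51.100.7 2048 /home/siteuser/public_html/about.html b _ o r siteuser ftp 0 * c
"""

XFERLOG_FIELDS = ["seconds", "host", "size", "filename", "type", "special",
                  "direction", "mode", "user", "service", "auth", "auth_uid",
                  "status"]


def parse_xferlog(text):
    """Turn xferlog lines into dicts; lines with too few fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue
        rec = dict(zip(XFERLOG_FIELDS, parts[5:18]))
        rec["time"] = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def uploads_under(records, root):
    """Completed uploads (direction 'i', status 'c') whose path lies under root."""
    prefix = root.rstrip("/") + "/"
    return [r for r in records
            if r["direction"] == "i" and r["status"] == "c"
            and r["filename"].startswith(prefix)]


def attribute_uploads(records, root):
    """Who uploaded into root, from where, and when: the first question to
    answer after finding a folder you did not create."""
    ups = uploads_under(records, root)
    return {
        "files": sorted(r["filename"] for r in ups),
        "accounts": Counter(r["user"] for r in ups),
        "hosts": Counter(r["host"] for r in ups),
        "first": min((r["time"] for r in ups), default=None),
        "last": max((r["time"] for r in ups), default=None),
    }


def new_source_hosts(records, root, incident_start):
    """Addresses that uploaded under root during the incident but never before
    it. incident_start may be a datetime or an ISO-8601 string."""
    if isinstance(incident_start, str):
        incident_start = datetime.fromisoformat(incident_start)
    ups = uploads_under(records, root)
    before = {r["host"] for r in ups if r["time"] < incident_start}
    during = {r["host"] for r in ups if r["time"] >= incident_start}
    return sorted(during - before)


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    report = attribute_uploads(recs, "/home/siteuser/public_html/subfolder")
    print("uploaded files:", report["files"])
    print("by account:", dict(report["accounts"]), "from:", dict(report["hosts"]))
    print("window:", report["first"], "to", report["last"])
    print("hosts seen only during the incident:",
          new_source_hosts(recs, "/home/siteuser/public_html", "2010-04-19T00:00:00"))
```

If the account in the report is the owner's own but the source address is one they have never used, the credential was stolen rather than guessed on the server, which matches the key-logger scenario described in the thread and argues for rotating the password from a clean machine. If the account is one the owner never created, the problem is on the host's side.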
