My Site Got Hacked...how is that possible?

Status
Not open for further replies.

swbiz (New member), Dec 14, 2008
Hey,

I went to one my sites this morning that I have hosted on a VPS server and found out that somebody has hacked it. It is one of my landing pages that is targeting the weight loss niche. How is this possible? I get a black screen saying that the site has been hacked.
 


> Hey,
>
> I went to one my sites this morning that I have hosted on a VPS server and found out that somebody has hacked it. It is one of my landing pages that is targeting the weight loss niche. How is this possible? I get a black screen saying that the site has been hacked.

Chances are if it was a defacement it was automated and it happened to everyone on the server. PM me the URL I'll take a peek.
 
I just sent you the PM. I emailed my VPS provider and they said I'm the only one affected. If you look at the source code, you will find a pretty nasty code which I'm scared could affect my other sites. This has never happened to me before.
 
ftp into your site and see what new files are there. usually with things like this they are just able to upload an index.html file.

They could be exploiting a script on your space though. Are you using any old content management systems (forums, blogs, etc...)

I had a problem once where somebody found an exploit in my own coding and they were able to upload files to my server. They uploaded a php program that basically gave them root (or close to root) access. The crazy thing though is that they didn't touch any files or anything so I didn't even know it happened. They ended up uploading phishing sites for paypal and some online UK bank. I got a bunch of abuse tickets for phishing from my server company and it was crazy. I would delete the phishing sites but he kept reuploading them. I eventually figured out how he was doing it by looking through the logs and then I fixed the code so he couldn't do it anymore.
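The advice above (look for new files, then read the logs to find the upload vector) is the part of this thread most worth turning into a repeatable check. The following is an added example, not code from anyone in the thread: it keeps a SHA-256 manifest of a web root so that added, removed and changed files show up in a diff, lists files modified after a chosen timestamp, and flags PHP files that contain a few indicators typical of uploaded backdoors. The directory layout, file contents and indicator patterns are all constructed for the demo; on a real site you would snapshot the manifest while the site is known-good and store it off the server.

```python
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed indicator list: a hit means "read this file", not proof of compromise.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode"),
    re.compile(rb"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    re.compile(rb"move_uploaded_file\s*\(\s*\$_FILES"),
]


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 hex digest for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a known-good manifest against the current tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def recently_modified(root: Path, since: float) -> list:
    """Files whose mtime is after `since` (a Unix timestamp). Cheap first pass
    when no baseline manifest exists; attackers can reset mtimes, so it is
    a hint, not a guarantee."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > since
    )


def suspicious_php(root: Path) -> dict:
    """Map relative path -> list of matched indicator patterns for PHP files."""
    hits = {}
    for path in root.rglob("*.php"):
        data = path.read_bytes()
        matched = [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(data)]
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


def demo() -> dict:
    """Constructed scenario: a clean two-file site is baselined, then a
    defacement page and a PHP backdoor are dropped in and config.php is
    edited to include the backdoor."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "includes").mkdir()
        (root / "includes" / "config.php").write_text("<?php $db = 'x'; ?>\n")
        baseline = build_manifest(root)
        # Push the baseline files' mtimes an hour into the past so the
        # "recently modified" check has something to compare against.
        old = time.time() - 3600
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (old, old))
        since = time.time() - 60

        # Constructed post-compromise changes.
        (root / "index.html").write_text("<html><body style='background:black'>hacked</body></html>\n")
        (root / "includes" / "cache.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")
        (root / "includes" / "config.php").write_text("<?php $db = 'x'; include 'cache.php'; ?>\n")

        return {
            "diff": diff_manifest(baseline, build_manifest(root)),
            "recent": recently_modified(root, since),
            "suspicious": suspicious_php(root),
        }


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

The manifest diff is the check that actually catches the edited config.php; the mtime listing and the pattern scan would each miss a careful attacker (reset mtimes, obfuscated code), which is why the three are combined. Note that the modified config.php carries no indicator pattern itself; only the hash comparison surfaces it.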
 
yeah my host was too fast and cleared all the files that were on there. They also state that the main log file seemed to be also cleared up and so it is difficult for them to elaborate on why the attack happened.

And then they gave me a list to see if any unauthorized root accesses were made from certain IP(s).
 
> ftp into your site and see what new files are there. usually with things like this they are just able to upload an index.html file.
>
> They could be exploiting a script on your space though. Are you using any old content management systems (forums, blogs, etc...)
>
> I had a problem once where somebody found an exploit in my own coding and they were able to upload files to my server. They uploaded a php program that basically gave them root (or close to root) access. The crazy thing though is that they didn't touch any files or anything so I didn't even know it happened. They ended up uploading phishing sites for paypal and some online UK bank. I got a bunch of abuse tickets for phishing from my server company and it was crazy. I would delete the phishing sites but he kept reuploading them. I eventually figured out how he was doing it by looking through the logs and then I fixed the code so he couldn't do it anymore.
Root access on your host provider or your personal host space?
 
Do you have any other CMS on your box?

Side note: If you do AM, go with the managed service, like wiredtree or so. Even though I like playing with my server, money's still the first priority. I'm having two boxes atm, one for AM and another one for testing stuff.
 
how is possible your computer got hacked? uhh... welcome to the internet. time to learn how to secure your shit if you're using a dedicated box.
 
wiredtree user here also. support is superb :) then again I really never have to use support in the first place.
 
definitely need to watch out for scripts you have laying around on your domains, especially old ones.

i had a dedicated box of mine rooted a couple years back because i had an old copy of phpAdsNew (freeware ad management) sitting in an unlinked subdirectory of a really old domain. the bastard got lucky by scanning common urls and found my orphaned install. luckily they only used my box as a proxy for a stupid eggdrop IRC shell.

moral of the story - keep all your scripts up to date or delete them if not in use.
 
A few more bucks ($4) and you can go with HostV. I'm getting more than double your disk space (25GB), and quadruple your bandwidth (1000GB) for $39.99 per month; the latter being key. If you're going to be throwing thousands into an affiliate campaign, I would highly suggest you go with a reputable host. I haven't had any problems with them yet. Click here if you want to sign-up under my referral; or here if you don't. :)
 
if you want to keep your vps secure you need to do more than worry about what scripts or web apps you're running. you also need to be aware of possible exploits in system-level applications. that's probably how the OP got rooted.
 
> wiredtree user here also. support is superb :) then again I really never have to use support in the first place.

i concur. i've used wiredtree since they were first launched up until when they started becoming more popular. good people and they've always taken care of me and their clients.

on the other hand, if you want affordable but stable vps hosting, go with slicehost. very good developer vps solutions-- a lot more credibility than slhost.com.
 
> i concur. i've used wiredtree since they were first launched up until when they started becoming more popular. good people and they've always taken care of me and their clients.
>
> on the other hand, if you want affordable but stable vps hosting, go with slicehost. very good developer vps solutions-- a lot more credibility than slhost.com.

Yeah, agree with that. I'm using wiredtree and slicehost as well.

AM stuff, tracking -> wiredtree.
Scrapers, stuff that needs to be re-formatted often -> slicehost

On top of that, slicehost runs Xen which is much more stable.
 
2 of my blogs just got pwned by some guy/crew who calls himself/themselves "Scorpion". Wordpress 2.6 - No idea how they got in. Checked logs, there's really nothing unusual. It's possible they just guessed my admin password. Make backups people!
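A guessed admin password is one of the few causes that does leave a trace in an ordinary access log, so "nothing unusual" is worth a second look with a counter rather than an eyeball. This is an added example, not from the poster: it parses Apache combined-format lines, counts POSTs to /wp-login.php per client address, and reports any address whose failed attempts reach a threshold, together with whether a successful login followed. It relies on WordPress answering a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect. The log lines, addresses and timestamps are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def make_sample_log() -> str:
    """Constructed traffic: normal browsing, two typos from one visitor,
    and a seven-attempt guessing run from another address that ends in a
    successful login (302) and a visit to the theme editor."""
    lines = [
        '203.0.113.5 - - [14/Dec/2008:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 1532',
        '192.0.2.7 - - [14/Dec/2008:03:13:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
        '192.0.2.7 - - [14/Dec/2008:03:13:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    ]
    for sec in range(10, 17):  # seven failed attempts, one per second
        lines.append(
            f'198.51.100.9 - - [14/Dec/2008:03:14:{sec:02d} +0000] '
            '"POST /wp-login.php HTTP/1.1" 200 3120'
        )
    lines.append('198.51.100.9 - - [14/Dec/2008:03:14:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append('198.51.100.9 - - [14/Dec/2008:03:15:02 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 9000')
    return "\n".join(lines) + "\n"


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_login_bruteforce(log_text: str, threshold: int = 5) -> dict:
    """Return {ip: summary} for addresses with >= threshold failed POSTs to
    /wp-login.php. `succeeded_after` is True when a 302 came after the
    threshold was reached, i.e. the guessing run probably worked."""
    per_ip = defaultdict(lambda: {"failed": 0, "succeeded_after": False, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != "/wp-login.php":
            continue
        entry = per_ip[rec["ip"]]
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
        if rec["status"] == "302":
            if entry["failed"] >= threshold:
                entry["succeeded_after"] = True
        else:
            entry["failed"] += 1
    findings = {}
    for ip, entry in per_ip.items():
        if entry["failed"] >= threshold:
            entry["span_seconds"] = int((entry["last"] - entry["first"]).total_seconds())
            findings[ip] = entry
    return findings


def post_login_activity(log_text: str, ip: str) -> list:
    """Paths an address requested after its last POST to /wp-login.php;
    useful for seeing what a hijacked admin session touched."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ip]
    logins = [i for i, r in enumerate(recs) if r["method"] == "POST" and r["path"] == "/wp-login.php"]
    if not logins:
        return []
    return [r["path"] for r in recs[logins[-1] + 1:]]


if __name__ == "__main__":
    log = make_sample_log()
    for ip, info in detect_login_bruteforce(log).items():
        print(ip, info["failed"], "failures in", info["span_seconds"], "s; login followed:", info["succeeded_after"])
        print("  after login:", post_login_activity(log, ip))
```

The threshold is deliberately low for the demo; on a busy site you would tune it and add a time window, but the shape of the evidence (a burst of 200s then a 302 from the same address, followed by requests to editor or plugin pages) is what to look for. The same counter run over the logs before the defacement would also tell you whether the admin account or something else was the way in.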
 