Today I found someone has hacked my site. I got this as my homepage:
Now I have recovered my site from backup.
But I can't figure out how it was hacked. I took all necessary security precautions while installing WordPress & phpforum, & I was also updating them to the latest version.
Another interesting thing was that I found a few files which indicate that whatever exploit was used was run by a script-kiddie, because he didn't even bother to clear the comments of the file.
If anybody wants I can provide those files.
Also is it possible there is some vulnerability in the main server?
Hi Hitesh,
Well, I am not surprised. If you remember, my forum was hacked too by a script kiddie, for like say 15 minutes, before I found out and did the needful. It was due to a vulnerability in SMF Gallery MOD, I suppose, because it did not function after I had removed the stupid hack of that kid.
But I suggest some ways. Did you install something fairly new? I mean, tried it out and then forgot to uninstall it? If you did that, do remove the thing. Otherwise it would have been difficult for a person to hack your site.
And yes! Frihost support can check the main server just to make sure. I hope this does not happen again.
Regards,
~KMKM
I recently updated the WordPress blog when its update was released, but that is meant to plug the loopholes & not introduce them!
| hunnyhiteshseth wrote: |
Today I found someone has hacked my site. I got this as my homepage:
Now I have recovered my site from backup.
But I can't figure out how it was hacked. I took all necessary security precautions while installing WordPress & phpforum, & I was also updating them to the latest version.
Another interesting thing was that I found a few files which indicate that whatever exploit was used was run by a script-kiddie, because he didn't even bother to clear the comments of the file.
If anybody wants I can provide those files.
Also is it possible there is some vulnerability in the main server? |
Please post the script here
What is a script kiddie?
Does it attack all kinds of forums?
| alkutob wrote: |
What is a script kiddie?
Does it attack all kinds of forums? |
Someone who uses published tools that were written by actual hackers. ...Frequently hackers will use these morons' computers as a jumping point in their own attacks. ...As you can tell by the fact they use published tools... ...They'll execute whatever a hacker tells them to. ...On their computer...
...Scary though, huh?
Hackers are the devils on the web ... They are sick people who measure their presence by the amount of damage they do
ehh they have spare-time problems... they don't have a job and they live a life alone in a basement!!! damn tards!!!!
Did the skiddie really exploit the server, or exploit the script, or did he somehow social engineer your password!!!!
damn major security concern!!
My theory is social engineering or the feedback form on your page.
Could I view the source code for your feedback form? It's probably allowing malicious code to be executed on your server.
Sorry if I'm seeming intrusive - Just trying to help a fellow Frihoster!
For now, just change all passwords (FTP, Forums, Blog, Email, DirectAdmin, MySQL, etc), otherwise they can get back in. I also suggest taking your feedback form off temporarily.
| Hogwarts wrote: |
My theory is social engineering or the feedback form on your page.
Could I view the source code for your feedback form? It's probably allowing malicious code to be executed on your server.
Sorry if I'm seeming intrusive - Just trying to help a fellow Frihoster!
For now, just change all passwords (FTP, Forums, Blog, Email, DirectAdmin, MySQL, etc), otherwise they can get back in. I also suggest taking your feedback form off temporarily.
|
Well I can rule out social engineering.
I never disclosed my password or any website details to anyone.
Yes, feedback form may be a problem because it was coded by me.
And I am not confident about my coding skills.
And yes, you are not being intrusive. I am not any Bill Gates that I can't disclose my source code!
Please PM me the email address at which I should send the code.
Could you please tell what exactly this script does? And how did it get into your forum? And what measures could you take to fix it? Thanks
Maybe the admins should upgrade the PHP and MySQL versions to the latest, as some hackers manage to hack through these vulnerable systems.
I'll cast my own 2 cents on this one:
First off, I do not see hackers (the real ones) as malicious most of the time. They are in fact helpful in most cases (not even harming the victim, just warning for security measures).
The real problem lies in script kiddies (which I usually call hacker wannabes) who run already-made scripts, and those DO harm the victim most of the time.
Following this, I'd say it's a security issue in one of the files you hosted and it had a known security leak that was detected (and abused) by the script.
As for server security.. IF it were a server security issue, I don't think this would've been the sole target of this attack. Apparently only your account was targeted, which means he got in to YOUR account, not the server.
This will of course be checked upon to verify what has happened.
Please follow the official sites for WordPress and your phpforum to check if there are any other reports about similar situations (if it was a leak in their scripts, it WILL be talked about by other victims).
Be Well 
For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts.
| Bockman wrote: |
Following this, I'd say it's a security issue in one of the files you hosted and it had a known security leak that was detected (and abused) by the script.
|
I am looking into it & checking each forum/website of the concerned script.
I will surely post here when I find it.
| Bondings wrote: |
For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts.
|
Thanks for implementing harsh mod_security rules. But can you tell me what other functionalities will be affected by it?
| hunnyhiteshseth wrote: |
Well I can rule out social engineering.
I never disclosed my password or any website details to anyone.
Yes, feedback form may be a problem because it was coded by me.
And I am not confident about my coding skills. |
Do you use the same password on different sites? If you sign up to a site.. And your password is stored in their database.. It can be incredibly easy to find your password. If it's possible to log in with only one password, then I'm sure that a password can be found out through a brute-force attack.
By the way - As far as I can see, your form is fine.
Could you tell me what version of phpBB and WP you have installed and the mods installed on those? (Via PM, of course)
Hope to have helped - Tobias
| Bondings wrote: |
| For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts. |
http://www.frihost.com/forums/vt-73337.html
If I understand right, you've disabled parse_ini_file()... and now the script of my catalog doesn't work (admin part). So what should I do now?
hi,
I also want to know if the site getting hacked was related to installing WordPress? I'm thinking of installing one... do inform me!!!
| filet wrote: |
hi,
I also want to know if the site getting hacked was related to installing WordPress? I'm thinking of installing one... do inform me!!! |
All software has vulnerabilities in it, which is why new versions are being released. As long as you keep WordPress up to date then everything should be ok .... so no, it probably hasn't got anything to do with WordPress (unless the version installed is extremely old).
wumingsden... I looked at your website and it's been hacked as well. What are you using that allowed it to be modified?
| friuser wrote: |
| wumingsden... I looked at your website and it's been hacked as well. What are you using that allowed it to be modified? |
All of my sites have been hacked, which indicates that it may not be a security problem with my account, but the whole server, or at least parts of it.
Send me as much info as you can about what you are using so I can help:
operating system, design software, server, paths, applications..