

My site was hacked





hunnyhiteshseth
Today I found someone has hacked my site. I got this as my homepage:



Now I have recovered my site from backup.
But I can't figure out how it was hacked. I took all necessary security precautions while installing wordpress & phpforum & I was also updating them to the latest version.

Another interesting thing was that I found a few files which indicate that whatever exploit was used was run by a script-kiddie, because he didn't even bother to clear the comments of the file.
If anybody wants I can provide those files.

Also is it possible there is some vulnerability in the main server?
KMKM
Hi Hitesh,

Well, I am not surprised. If you remember my forum was hacked too by a script kiddie, for like say 15 minutes, before I found out and did the needful. It was due to a vulnerability in SMF Gallery MOD I suppose, because it did not function after I had removed the stupid hack of that kid.

But I suggest some ways. Did you install something fairly new? I mean try out and then forgotten to uninstall? If you have done that, do remove the thing. Otherwise it would have been difficult for a person to hack your site.

And yes! Frihost support can check the main server just to make sure. I hope this does not happen again.


Regards,
~KMKM
hunnyhiteshseth
I recently updated wordpress blog when its update was released but that is meant to plug the loop-holes & not introduce them!
wumingsden
hunnyhiteshseth wrote:
Today I found someone has hacked my site. I got this as my homepage:


Now I have recovered my site from backup.
But I can't figure out how it was hacked. I took all necessary security precautions while installing wordpress & phpforum & I was also updating them to the latest version.

Another interesting thing was that I found a few files which indicate that whatever exploit was used was run by a script-kiddie, because he didn't even bother to clear the comments of the file.
If anybody wants I can provide those files.

Also is it possible there is some vulnerability in the main server?


Please post the script here
hunnyhiteshseth
I have posted the reply.
alkutob
What is a script kiddie?

Does it attack all kinds of forums ?
Mannix
alkutob wrote:
What is a script kiddie?

Does it attack all kinds of forums ?


Someone who uses published tools that were written by actual hackers. ...Frequently hackers will use these morons' computers as a jumping point in their own attacks. ...As you can tell by the fact they use published tools... ...They'll execute whatever a hacker tells them to. ...On their computer...

...Scary though, huh?
alkutob
Hackers are the devils on the web ... They are sick people who measure their presence by the number of damages they do
WallBase
ehh they have spare time problems... they don't have a job and they live a life alone in a basement!!! damn tards!!!!
swizzy
Did the skiddie really exploit the server, or exploit the script, or did he somehow social engineer your password!!!!

damn major security concern!!
Hogwarts
My theory is social engineering or the feedback form on your page.

Could I view the source code for your feedback form? It's probably allowing malicious code to execute on your server.

Sorry if I'm seeming intrusive - Just trying to help a fellow Frihoster!

For now, just change all passwords (FTP, Forums, Blog, Email, DirectAdmin, MySQL, etc), otherwise they can get back in. I also suggest taking your feedback form off temporarily.
hunnyhiteshseth
Hogwarts wrote:

My theory is social engineering or the feedback form on your page.

Could I view the source code for your feedback form? It's probably allowing malicious code to execute on your server.

Sorry if I'm seeming intrusive - Just trying to help a fellow Frihoster!

For now, just change all passwords (FTP, Forums, Blog, Email, DirectAdmin, MySQL, etc), otherwise they can get back in. I also suggest taking your feedback form off temporarily.


Well I can rule out social engineering.
I never disclosed my password or any website details to anyone.

Yes, feedback form may be a problem because it was coded by me.
And I am not confident about my coding skills.

And yes you are not being intrusive, I am not any Bill Gates that I can't disclose my source code!

Please PM me the email address at which I should send the code.
hilander
Could you please tell what exactly this script does? And how did it get into your forum? And what measures could you take to fix it? Thanks
orcaz
Maybe the admins should upgrade the php and mysql versions to the latest, as some hackers manage to hack through these vulnerable systems.
Bockman
I'll cast my own 2 cents on this one:

First off, I do not see hackers (the real ones) as malicious most of the time. They are in fact helpful in most cases (not even harming the victim, just warning for security measures).
The real problem lies in script kiddies (which I usually call hacker wannabes) who perform already made scripts and those DO harm the victim most of the time.

Following this, I'd say it's a security issue in one of the files you hosted and it had a known security leak that was detected (and abused) by the script.

As for server security.. IF it were a server security issue, I don't think this would've been the sole target of this attack. Apparently only your account was targeted, which means he got in to YOUR account not the server.

This will of course be checked upon to verify what has happened.


Please follow the official sites for wordpress and your phpforum to check if there are any other reports about similar situations (if it was a leak in their scripts, it WILL be talked about by other victims)

Be Well
Bondings
For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts.
hunnyhiteshseth
Bockman wrote:

Following this, I'd say it's a security issue in one of the files you hosted and it had a known security leak that was detected (and abused) by the script.


I am looking into it & checking each forum/website of concerned script.
I will surely post here when I find it.

Bondings wrote:

For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts.


Thanks for implementing harsh mod_security rules. But can you tell me what other functionalities will be affected by it?
Hogwarts
hunnyhiteshseth wrote:
Well I can rule out social engineering.
I never disclosed my password or any website details to anyone.

Yes, feedback form may be a problem because it was coded by me.
And I am not confident about my coding skills.


Do you use the same password on different sites? If you sign up to a site.. And your password is stored in their database.. It can be incredibly easy to find your password. If it's possible to log in with only one password, then I'm sure that a password can be found out through a brute-force attack.

By the way - As far as I can see, your form is fine.

Could you tell me what version of PhpBB and WP you have installed and the mods installed on those? (Via PM, of course)

Hope to have helped- Tobias
oleszka
Bondings wrote:
For some reason, a lot of hackers/scripts are/were targeting server 2 the last few days. And as there are a lot of vulnerable scripts, a lot of them succeeded. I have implemented some harsh mod_security rules which should prevent most common bot attacks, so most of those should be prevented. However, this doesn't fix the actual vulnerable scripts.


http://www.frihost.com/forums/vt-73337.html

If I understand right, you've disabled parse_ini_file()... and now the script of my catalog doesn't work (admin part). So what should I do now?
filet
Hi,

I also want to know if the site getting hacked was related to installing wordpress? I'm thinking of installing one...do inform me!!!
wumingsden
filet wrote:
Hi,

I also want to know if the site getting hacked was related to installing wordpress? I'm thinking of installing one...do inform me!!!


All software has vulnerabilities in it, which is why new versions are being released. As long as you keep wordpress up to date then everything should be ok .... so no, it probably hasn't got anything to do with wordpress (unless the version installed is extremely old).
friuser
wumingsden... I looked at your website and it's been hacked as well. What are you using that allowed it to be modified?
wumingsden
friuser wrote:
wumingsden... I looked at your website and it's been hacked as well. What are you using that allowed it to be modified?


All of my sites have been hacked, which indicates that it may not be a security problem with my account, but the whole server, or at least parts of it.
icedrakon
Send me as much info about what you are using so I can help:
operating system, design software, server, paths, applications..