View Full Version : Fixing Turkish hacks


celadore
Jun 17th 2007, 4:08 pm
A lot of my sites are getting hacked by some lame ass Turkish hackers. No idea why they target me and my website as I live in Kenya, Africa! Don't know what we ever did to the Turks.

I have noticed a number of times where they insert a index.htm into a folder, except for when it has no effect - then they actually change my index.php file :(

So I have restored the original files, changed my hosting account passwords and 644'd the files/folder they are changing.

But every now and then I will find a new file in the images subfolder etc etc - which I have to leave as 777.

Any idea where else they are putting these files?
Can they install harmful files into these areas?
How do I prevent them from accessing my site altogether? Can I ban the whole of Turkey from our server - or will they just use some other way to access the websites?



NOTE to the Hackers!
Why are you attacking all my websites? I am an African - not an American. We have nothing to do with your problems. Our problems are much worse than yours so grow the f* up and deal!

krt
Jun 18th 2007, 1:20 am
Chances are they are already using a proxy or something else in an attempt to cover their tracks so banning all of Turkey won't help.

As a Turk, I don't see why they would be targeting you from the info given, maybe it is your host or a script you are using with known exploits.

chris20492002
Jun 18th 2007, 1:25 am
yea these attacks are nasty and the turks know how to bypass and hole in the system.

celadore
Jun 18th 2007, 4:23 am
Well, my sites are hosted on an American server - on one of thelayered servers. But my sites all have information only about Kenya on them, so I think they are attacking the whole server regardless of who is on it.
My hosting provider doesn't have a clue what is going on as they only say that it is my fault for leaking passwords - but I know other accounts on this server have been hacked too and changing my passwords didn't help me.

I am already moving to a new host - but the server is in the US as well (this time in the softlayer datacenter). But this host is much more fluent in server protection.

So I should be doing this for my websites:

Folder Permissions - 755
File Permissions - 644
?? This seems to work to keep the sites going - hope it will stop the hackers being able to change our websites as it is getting very annoying now.

InFloW
Jun 18th 2007, 7:36 am
I imagine this is a server wide deface and has absolutely nothing to do with your site itself. If you mentioned your domain I could probably back that up with a quick search through defacing websites. So I imagine your current host is running an old kernel which the hackers are taking advantage of.

freeprotect
Jun 18th 2007, 9:37 am
Turkish men are stupid only. They only use bugs which are reported to exploit.
Your ISP server maybe rooted and setup rootkit by them.
Contact your hosting provider now, I think

clancey
Jun 18th 2007, 2:58 pm
These attackers are not targeting anyone in particular. They are looking for sites running specific versions of specific software which they are able to easily break into, using known and sometimes publicly documented holes.

There are hundreds of publicly available scripts, most of which contain significant security holes, and some of which are no longer maintained. You should be looking into the security record for any scripts you may consider using -- not the marketing hype.

You are not going to stop the attacks unless and until you improve your site security and use fully patched, actively maintained software. In addition, you need to learn about security and take steps to harden your PHP installation so that such attacks are harder to launch against you.

I should add that you should count yourself lucky that they are interested in defacing sites -- which is a bold warning about the woeful state of security on your site and server. There are a lot of other people who install shell scripts, some of which are trojaned, so that they can silently use your server for their own purposes.

krt
Jun 18th 2007, 6:49 pm
Must you generalise for all Turks!? And if you read, he has contacted the host already.

BTW, good points clancey.

celadore
Jun 18th 2007, 8:36 pm
Thanks for the advice Clancey. Most of my sites use Joomla 1.0.12 which is very actively supported (in fact I think it is the most popular CMS at the moment). I have gone through their forums and made a few changes which seem to help. 2 of the sites also had SMF which was 'hacked' after I fixed the Joomla problems.

I am also changing hosts to a new host who have a better idea of how to run a server. I am fairly IT savvy, but it is not possible for me to learn everything about everything. It is just not efficient that way. That is why I am moving hosts. It is their responsibility to keep the server secure - not mine.

Current site has Register Globals on by default - I know that this is very bad, but my current host refuses to change this. Not a prob with the new host.

I would like to know the basics about server security - where is a good place to learn about this - (something simple and easy to absorb as my brain is already overflowing with other info lol).

clancey
Jun 19th 2007, 8:12 am
There are some interesting comments about emulating register_globals off at the PHP site at the link: faq.misc.registerglobals (http://ca.php.net/manual/en/faq.misc.php#faq.misc.registerglobals)

I would not be complacent about Joomla and its level of support. A group of hackers say a security advisory will be coming about soon about the current version of Joomla. In a discussion among people who have gained admin access, one participant made this May 31, 2007 comment:

"So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level? Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface . . . Seems like new advisory is coming out soon"

Unfortunately, they never explain what is broken. Consequently, you cannot fix it until they issue the advisory.

celadore
Jun 22nd 2007, 10:21 pm
New Host - New problems lol!

Well I moved a couple of sites to a new host - only now I have a whole different set of problems :(. Not even sure whether this is related to the Turkish Hacks - or if it is just a problem with the new host.

Every 24 hours, my MySQL databases revert back 12 hours, and then a few hours later any files that I added to my site disappear (images and such).

Don't know if this is the hackers as it is not their M.O., a different type of hacker or if it is just an issue with my new host. The host can't find anything wrong at all - which is very worrying. Who knew it was so difficult to run a simple website :o

MasTorY
Jun 24th 2007, 8:30 am
Turkish men are stupid only. They only use bugs which are reported to exploit.
Your ISP server maybe rooted and setup rootkit by them.
Contact your hosting provider now, I think


My from turkey and I Turk

Not stupid turkish men :@

freeprotect
Jun 24th 2007, 9:03 am
Sorry Mastory, My mean is not Turkey men, Turkey attackers only, Sorry again :)

eSpenders.com
Jun 25th 2007, 6:08 am
yea i am still fighting turkish hackers!
every hacker that hacked my image hosting site was from turkey and uploaded shell's and defaced my site with political messages and promoting turkey and its leader!
if any one can help me with my script that would be greatly appreciated! the script is just checking the header to see if its a image and i need it to check the file or something!
Thanks

eSpenders.com
Jun 25th 2007, 6:32 am
as soon as i posted this i went to one of my other sites that i was editing b4 i read this thread and it got hacked by another turk jerk within 10 mins!
they redirected my site to this url with music and ads alemking.al.funpic.de/kral.html i cant find the problem!
no files have changed in my ftp and im searching my e107 admin panel
i found the site where the fucts tell em how to hack and admit to hacking my site
dumb %$$&^ put a clickable link to my site on the page!
What can and should i do help please

eSpenders.com
Jun 25th 2007, 7:04 am
well i found the problem it was in my shout/chat box some how they put a redirect script in there
and i fixed the cms/ e107 issue
they were uploading php files as .php.jpg and executing them
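
The thread reports two things that one content-based check covers: unexpected files appearing in a world-writable images folder, and PHP uploaded as `.php.jpg` past a script that only looked at the header. The sketch below is an added example, not part of the original posts and not any poster's script, written in Python rather than the sites' PHP; the function names and the extension list are assumptions.

```python
import os
import re
import stat

# Assumed list of extensions an Apache/PHP host may execute; adjust per server.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py", "sh"}
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}
PHP_TAG = re.compile(rb"<\?php", re.I)  # short "<?" tags are not covered


def inspect_upload(filename, data):
    """Return reasons to reject `data` stored as `filename` (empty list = OK)."""
    reasons = []
    parts = os.path.basename(filename).lower().split(".")[1:]
    # Check every dot-separated segment: shell.php.jpg still carries "php".
    if any(p in SCRIPT_EXT for p in parts):
        reasons.append("script extension in name")
    kind = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)
    if kind is None:
        reasons.append("content is not JPEG/PNG/GIF")
    elif not parts or parts[-1].replace("jpeg", "jpg") != kind:
        reasons.append("extension does not match content")
    # A valid image header can still be followed by embedded PHP.
    if PHP_TAG.search(data):
        reasons.append("embedded PHP tag")
    return reasons


def audit_upload_dir(root):
    """Walk a directory meant to hold only images; return {path: [reasons]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings[dirpath] = ["world-writable directory"]
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = inspect_upload(name, fh.read())
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample: a JPEG header followed by PHP, named as in the thread.
    fake = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* placeholder */ ?>"
    print(inspect_upload("avatar.php.jpg", fake))
    print(inspect_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```

The same `inspect_upload` check applies at upload time before a file is stored; storing accepted files under a server-generated name with a single extension removes the double-extension case entirely.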

p2y
Jun 25th 2007, 7:13 am
It's an old Apache bug. You should update your software.

MasTorY
Jun 26th 2007, 3:00 am
I'm Sorry for Turk hackers :(

p2y
Jun 27th 2007, 3:55 am
I'm Sorry for Turk hackers :(
They are not hackers , they are all lamers ;)

MasTorY
Jun 27th 2007, 12:06 pm
No No No, some persons lamer but they are real hackers. ;)

freeprotect
Jun 27th 2007, 10:30 pm
Most of Turk attackers are Script Kiddies (Kiddies = Kid Dies :D) 99% I am sure

p2y
Jun 28th 2007, 6:41 am
No No No, some persons lamer but they are real hackers. ;)
just give me 2-3 name ?

SNaRe
Jun 28th 2007, 6:50 am
I think you must care of your word while talking about turkish people. I'm also turkish. If you are very clever close your bugs . If you continue to talk like that you will be banned i think . Now i reported you
Turkish men are stupid only. They only use bugs which are reported to exploit.
Your ISP server maybe rooted and setup rootkit by them.
Contact your hosting provider now, I think

phantomddl
Jun 28th 2007, 6:52 am
I think you must care of your word while talking about turkish people. I'm also turkish. If you are very clever close your bugs . If you continue to talk like that you will be banned i think . Now i reported you

i second that

p2y
Jun 28th 2007, 7:22 am
I think you must care of your word while talking about turkish people. I'm also turkish. If you are very clever close your bugs . If you continue to talk like that you will be banned i think . Now i reported you
Oh i ve missed that post . You shouldn't speak generally .You can't say all Turkish people stupid because of some lamers.I m also from Turkey.

freeprotect
Jun 28th 2007, 10:12 am
Sorry Mastory, My mean is not Turkey men, Turkey attackers only, Sorry again :)
Have some mistaken, my meaning is not my typing

eSpenders.com
Jun 29th 2007, 4:24 am
i dont agree at all that all Turkish people are or could be what evea who ever said!tho everybody can be trained/brainwashed etc including me & you
i dont know many people from Turkey
but i cant say that i get mad at Turkey cuz my sites mostly 9/10 times get hacked or attempted to get hacked its by people from Turkey!
and every tyme i get hacked they search for a script key word in google etc!
I always track that!
and i usually dont show up high is serp for that key word! and i search the hackers tags etc and every site they hacked had the same script!
i tracked alot of them down!
got alot of info about them and them admitting to hacking my site!
just dont know how i can do anything to them!
any one got any suggestions???
please let me know!

craigedmonds
Jul 5th 2007, 3:08 am
If you are having problems with script kiddies and it's a problem you can't immediately identify, configuring your firewall so that FTP port access is only accessible from certain IP ranges might be a good idea.

If you dont have a firewall, then you will probably need to get one.

Usually most web hosts will charge you a bit extra to have a managed firewall but in terms of embarrassment and headache it's usually worth it!

Then, get a decent server admin to fill the security holes for you.

Any host that says "oh its your fault for leaking passwords" is lying or they are just stupid or just plain dont care about your account.

Script kiddies have been around a long time and still exist because of lazy server admins.

Stroh
Jul 6th 2007, 10:45 pm
Well, I just got hacked on three of my sites by a Turkish hacker... I saved a copy of the page just so I can do something about it....

http://emulysianfields.wabuf.com/files/bitchface.html

EDIT: I found some extremely valuable info!!!
http://turk-h.org

skibladner
Jul 6th 2007, 11:14 pm
That seems like a to-do list

wendallb
Jul 16th 2007, 6:34 pm
I got hacked by the turks and having trouble finding what they did, I guess I will reload the site if I can't find the hack.

http://blueridgetexas.us

If anyone knows where I should look for the hack please post here,


Thanks,

Will.Spencer
Jul 16th 2007, 9:25 pm
The Turkish script kiddies got me recently by exploiting a bug in MSCMS (A MySpace Resource Script). I've since replaced the script.

During the attack, they deleted all of the web sites on my server.

Thankfully I had a good backup. :)

Blogmaster
Jul 26th 2007, 12:21 pm
same with me http://www.propertyhogs.com/ what does that asshole want?

Will.Spencer
Jul 26th 2007, 5:06 pm
In general, people like that just want to not feel powerless.