please help...my site got hacked

Discussion in 'Security' started by unlisted80, Nov 2, 2006.

  1. #1
    hi

    some evil person hacked into my site tonight and i managed to get his/her ip
    what should i do now?

    thanks
     
    unlisted80, Nov 2, 2006 IP
  2. LadyHoldem

    #2
    I've been hacked before.. and it sux! before worrying about their IP, did you find the entrance and get that closed up? Were you able to back the site up... sorry to hear about it .. :( As for the IP, it's likely a proxy...

    Cathy
     
    LadyHoldem, Nov 2, 2006 IP
  3. unlisted80

    #3
    so it's a proxy ip? so there is nothing i can do about it?

    i have no idea how the hacker managed to get in
     
    unlisted80, Nov 2, 2006 IP
  4. LadyHoldem

    #4
    I don't know for sure if it is or not, more than likely it is, try searching for it in Google, sometimes you can find them that way, It's been so long since I've looked up an IP I really don't know how.. I'm sure someone here does though..
    You do need to find out how they got in ASAP though, or they'll just do it over again tomorrow.. the next day.. etc.
     
    LadyHoldem, Nov 2, 2006 IP
  5. unlisted80

    #5
    the hacker attacked again
    ip
     
    unlisted80, Nov 2, 2006 IP
  6. hans

    #6
    read the other threads HERE on this topic
    there are enough details published for your next steps to do


    if he is always using the same IP ( proxy or other )

    then add to your .htaccess

    deny from 203.220.100.155

    add any OTHER IP he was/is using as soon as you know of them
    then STUDY your SW and secure it all
     
    hans, Nov 8, 2006 IP
  7. mehbooba

    #7
    if you know his ip starts with "203.220" then just put :

    deny from 203.220

    and this will stop any ips that start with 203.220


    by the way, that 'hacker' is surfing from Australia.
     
    mehbooba, Nov 8, 2006 IP
  8. hans

    #8
    since i had the "pleasure" of being unsuccessfully hacked for a full 8 hrs last night - it was time to study the iptables solutions to below htaccess solution as well.

    actually quite simple - hence here a ready to copy / apply precise example from my today's hacker's IP - just replace the IP for your individual usage

    in bash/shell enter

    iptables -A INPUT -s 194.249.56.4 -j DROP

    but since my hacker used a dial-up IP I did the entire IP-block with below syntax

    iptables -A INPUT -s 194.249.56.0/24 -j DROP

    then to save all that in the config file

    iptables-save >/etc/iptables.conf

    to list all active iptable rules

    iptables -L

    to flush ( i.e. delete ) all active rules again

    iptables -F


    ONE more important point using my earlier mentioned

    deny from 194.249.56.4

    method in .htaccess

    this did NOT work for me today because it was an ongoing 8 hrs lasting attempt - 115'000+ logfile lines - and the normal default procedure to either enter that line in domain root/ .htaccess

    or

    in apache2 global conf file does NOT work for following reason i experienced today

    FAILED - see / read below

    IF your hacker is in a subfolder and stays there repeated time
    ONLY the .htaccess OF THAT subfolder is read by apache2 each time hacker requests a new file - hence the .htaccess in the top level domain/.htaccess is UNREAD all the time of hack attempts IN a subfolder until the hacker would change through the top level again - he did NOT for some 7 hrs on my site ...

    hence apache2 never goes to top level or global level config while the ONE visitor stays permanently in a SUB-folder !!!

    even a rcapache2 reload ( graceful restart of apache2 ) did NOT solve that issue

    then when i entered the deny from ... line into the .htaccess file INSIDE the hacker visited subfolder - the deny rule instantly denied any further access.

    a NEW revisit will be verified on top level htaccess - but ongoing hacks need to be answered in the hacked subfolder to act instantly and efficiently
    thus
    an ongoing hacker visit inside a subfolder needs to be denied IN that subfolder OR by using iptables as ABOVE

    caution:
    --------
    iptables as above acts until next reboot as far as I know
    there is a method unknown to me to automatically reread the /etc/iptables.conf file
     
    hans, Nov 18, 2006 IP
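
Added example (not part of the post above or any poster's code): a shell script that counts requests per client in an access log and prints, for review, the same `iptables -A INPUT -s <addr> -j DROP` commands used in post #8, either per host or per /24. The log lines, the threshold of 3 and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in Apache common log format (not taken from the thread).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation-only address ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [18/Nov/2006:02:10:01 +0100] "GET /gallery/ HTTP/1.1" 200 512
192.0.2.10 - - [18/Nov/2006:02:10:02 +0100] "GET /gallery/a.php HTTP/1.1" 404 210
192.0.2.10 - - [18/Nov/2006:02:10:03 +0100] "GET /gallery/b.php HTTP/1.1" 404 210
198.51.100.5 - - [18/Nov/2006:02:11:40 +0100] "GET /index.html HTTP/1.1" 200 4096
192.0.2.77 - - [18/Nov/2006:03:02:11 +0100] "GET /gallery/c.php HTTP/1.1" 404 210
192.0.2.77 - - [18/Nov/2006:03:02:12 +0100] "GET /gallery/d.php HTTP/1.1" 404 210
192.0.2.77 - - [18/Nov/2006:03:02:13 +0100] "GET /gallery/e.php HTTP/1.1" 404 210
EOF
}

# noisy_sources MIN: read an access log on stdin and print "count ip" for
# every client with at least MIN requests, busiest first. Only fields made
# of digits and dots are counted, so nothing else from the log can end up
# inside a generated command.
noisy_sources() {
  awk -v min="$1" '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# drop_rules MODE: read "count ip" lines and print (never execute) one rule
# per address (MODE=host) or per enclosing /24 (MODE=net24), de-duplicated.
drop_rules() {
  awk -v mode="$1" '
    { target = $2
      if (mode == "net24") sub(/\.[0-9]+$/, ".0/24", target)
      if (!(target in seen)) {
        seen[target] = 1
        print "iptables -A INPUT -s " target " -j DROP"
      } }
  '
}

# A /24 rule also blocks every other customer in that range, so read the
# output before running it as root. To persist and reload the rule set:
#   iptables-save > /etc/iptables.conf
#   iptables-restore < /etc/iptables.conf   # e.g. from a boot script
sample_log | noisy_sources 3 | drop_rules net24
```

`-A` appends to the end of the chain, so a DROP added this way only takes effect if no earlier ACCEPT rule in INPUT already matches the same traffic; `iptables -I INPUT` inserts at the top instead.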
  9. thuonghieu

    #9
    thuonghieu, Nov 22, 2006 IP
  10. only regesterin 2 help u

    #10
    email me with all info and ur site addi k? ill help u:D:)
     
  11. whatyaknow

    #11
    ha, that looks promising :eek:
     
    whatyaknow, Nov 28, 2007 IP
  12. LadyHoldem

    #12
    And only a year late :p
     
    LadyHoldem, Dec 2, 2007 IP
  13. hostingonweb

    #13
    Block the IP in your firewall and find where he is coming from. Is there any directory having 777 permissions? There is a possibility the hacker came in from there.
     
    hostingonweb, Dec 2, 2007 IP