I still cannot believe what happened. It's like an episode out of the Twilight Zone. I was petrified for a full 3 days thinking I had been framed and left "holding the bag" while some hackers walked off with thousands. I was wondering if my server had been hacked; I couldn't figure out what had happened. My host LT forwarded me one of the ebay emails and told me to shut down all my proxies or they would shut me down for good. The ebay letter stated under oath(???) that my server cooltunnel.com was running a fake ebay password harvesting site and people were being scammed by the minute through me. Their abuse department emailed LT asking them to shut me down immediately and to confiscate my hard drive and hand it over to the FBI. Then the letter called me a criminal in plain English. LT shut my server down while I wasn't aware of what was going on and then told me someone was using my proxy to run some scam. But what's weird is they sent me a screenshot of just the index page of my proxy as "proof" and demanded I remove all my proxies immediately. But what infuriated me is the abuse department at ebay calling me a criminal based on a hallucination by a technically incompetent employee! And filing a false report with the FBI based on a lie!
The letter is just an email. It was forwarded to me from abuse @ LT and I am dead serious. I can put the letter up here lemme grab it.
On Wed, 12 Jul 2006 03:51:13 -0500, wrote: Dear Layered Technologies, Inc., We have just learned that your service is being used to display false or "spoofed" eBay.com pages, apparently in an effort to steal personal and financial information from consumers, and defraud eBay users. Specifically, it appears that a Layered Technologies, Inc. user is sending unsolicited messages which misrepresent the sender as eBay, and making false statements that encourage the recipient to go to a page hosted by you at 72.232.212.130 - http://cooltunnel.com/perl/nph-cool...grtbelM33631DDvuM012DDvgrzM220003438223DDeqM1 is asked to enter personal information. The purloined information is then sent to an email account and, based on our investigation of similar schemes, used to steal accounts and commit other fraudulent acts including international credit card and wire fraud. This matter is urgent - we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal if the page is not immediately disabled. We ask that you immediately disable the site at http://cooltunnel.com/perl/nph-cool...grtbelM33631DDvuM012DDvgrzM220003438223DDeqM1 as well as any associated email addresses, so that this fraudulent scheme can be stopped. We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities. While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of eBay's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from eBay, the owner of the copyrighted materials.
Accordingly, the information below serves as eBay's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A): I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named eBay Inc. I have a good faith belief that the website located at URL http://cooltunnel.com/perl/nph-cool...grtbelM33631DDvuM012DDvgrzM220003438223DDeqM1 as its copyright in each page of its website and associated source code. Please act expeditiously to remove or disable access to the material or items claimed to be infringing. We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist eBay and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes. Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. Section 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well. eBay Inc. Audit and Investigations Get automated, real-time notifications of new phishing attacks! 
Join the Phish Report Network as a RECEIVER today! http://www.phishreport.net/
it's very simple: your site has been used by hackers to set up one of the many phishing sites that are created daily. such only is possible if YOU neglect the duty to secure your web space and to permanently monitor your site's activities and eventually test screen your access log files. if you park your own car on a slope without pulling the brakes - then have tea nearby or sleep overnight while your car starts rolling and overrunning a child nearby - then it still will be you held responsible since you omitted to fully secure YOUR car. same for web sites! the owner carries all legal responsibility - at least in modern countries. myself i have been victim of hackers earlier this year - fortunately my host - 1and1.com - noticed the hackers' activity in a very early stage. however the final responsibility still is mine. i simply was spending a few hundred hours too little on learning about internet security and the various tools I used to run my site to keep all site and forums secure and clean. it's a site owner's legal responsibility to have a clean webspace. for eBay, paypal and all other financial operations that are abused by hackers setting up such proxy services have no other contact but the owner of a site. easy money in www still requires thorough knowledge about what you do. in modern times people buy a domain - set up a template, forum, etc and run a site without ever having spent months or years learning their trade. imagine a medical doctor practicing his job with so little knowledge as most webmasters have nowadays .... or a car mechanic repairing an ambulance without ever having learned to repair cars ... or a flight engineer repairing electronics in a jumbo while the only real job qualification he has might be cook or gardener ...
learn from your present situation - the past hours I have received 3 emails from such sites being set up on insecure websites by hackers. this time you may get around without spending years in jail but you surely may need to do some very thorough research about how and where the hackers entered your site and how to prevent it. and you may have to do some serious learning - all on your own - about all the server, sw and other security related aspects of running a site. all site-owners first of all always believe that their site is secure and safe until such happens. the extreme professional negligence among webmasters/site owners has been seen in my earlier case of hacker intrusion: even the originating sw company gave zero response to the security breach despite the fact that they sold that very software on a global level to a large number of site owners in addition to the many free downloads of the limited edition with the very same security holes. ... after I have solved the problem and found the hole, i searched the web for other site owners using - meanwhile I knew how hacker found me hence I used same method to trace the other potential victims on the hackers possible "address-list" - the exact same faulty commercial software. i found lots of them, contacted some 30+ instantly via their webmaster email address just to find out that most site owners have no webmaster address ( with 1 exception ), hence I spend many additional days in research to find their contact email address. days of research in whois, on their sites, to find valid contact info. then again I emailed all of the contacts I found. some 4 of all answered. those who answered 100% had hackers on their site after they made the few simple tests i emailed them - some apparently had many times possibly different hackers on their site ...
the other remaining site owners all have a hole in their site - with a single link it was easy for me to see whether or not they secured that particular software. they all have done nothing - no reply at all - either all mail lost in spam filters or just ignored. hackers' best friend in my case was Google: the hackers knowing what SW package offered the security hole they could use to enter a site - a simple search in google for sites with that path in the url ... be happy that you have been warned by your host and ebay rather than having FBI knocking at your door. stop blaming others or even ebay. such phishing sites are set up to get credit card info and thus to steal money - like bank robbery - but in a more modern way - hence it IS a crime what happened and some families may have lost all their money by such hacker attacks originating from your website ! the phishing mail always points to the hosting website - all ebay did is contacting the owner of the originating website - you. a site owner's legal responsibility is far beyond having validated html code! shut down the software that offered the backdoor for hackers. study all access logs. learn about all software you currently use. secure your site. watch your site 24/7 for the next many weeks and months - hackers come back to sites they used successfully - may be there even is a blacklist of possible sites to be used that circulates among hackers. the phishing site tools they use are quite professional - leading to an assumption that at least some of them are working well organized - professional cyber crime - just like mafia
This is what I thought at first too...based on what the ebay abuse person CERTIFIED in his letter. But now it seems ebay was lying! How do I know this? After a lot of cross examination of the LT techs it turns out the scam never existed because the link never worked! So the ebay guy was careless, AND HE LIED when he said my site was hosting another site because I proved to LT that this was impossible. And there was no hacking done on my server. I initially THOUGHT I had been hacked because I assumed ebay knew what they were talking about. But those people at ebay abuse seemed totally careless and totally ignorant and outright liars and slanderers! I had this paranoid attitude towards security before this incident I assure you which was why I was so shocked! I looked and there was no evidence of me being hacked, no tripwire reporting MD5 checksum changes, no config files changing, script files were not changing their checksums either. Everything was normal. Also I have a reserved laptop which boots from a knoppix CD image through which I ssh to the server. I do not ssh or communicate to the web server any other way from anywhere else. It's locked down tighter than most web servers, maybe tighter than 99% of web servers? Perhaps some of the scripts running on it have non published back doors or unpublicised buffer overflows? I don't know but I feel safe in saying the system has most certainly not been mishandled security wise. Everything is patched O/S wise too of course. Also my server is dedicated and I do not have ANY other users on it except for myself. So how could I be hacked? Now as far as the holes in the proxy scripts go with respect to hotlinking of urls and images, that's another matter and I need to work on that. But proxy scripts by nature are supposed to bounce traffic. Doesn't mean I got hacked does it? But I wasn't warned by ebay!
Ebay never warned me...ebay told the FBI I was a criminal (a lie and slander) and ebay told LT my host that I was a criminal and DEMANDED my name and contact information from LT so they could have the FBI arrest me. Ebay is still acting like I am a criminal because of their own stupidity, ignorance and arrogance. I did all that, and I cross examined the technicians and LT and my conclusion was ebay lied. That's why I made this post because ebay lied and ebay made a false report to the FBI against me. This is why I am outraged.
Here is a timeline:
1) July 12th 03:51:13 ebay abuse sent an email to LT calling me a criminal and hosting a spoofed site. The url they gave for the spoofed ebay site was this: http://cooltunnel.com/perl/nph-cool...grtbelM33631DDvuM012DDvgrzM220003438223DDeqM1 Now according to ebay this was in some emails and according to ebay the above link was running a spoofed ebay website which LT was asked to immediately shut down. This later turned out to be a complete lie! Ebay lied because this link was not working and could not have worked.
2) July 12th 04:30:10 a technician at LT forwarded me the email with a screenshot of the index page of my site www.cooltunnel.com asking me to shut the proxy site down. Now you might question why did he not screenshot the actual spoof? Wouldn't that make 10 times more sense? Yes...the reason he could not screenshot the spoof was because THE SPOOFING NEVER EXISTED, EVER! Ebay lied! Originally I thought ebay was telling the truth and perhaps so did LT think that. But later on it turned out ebay was lying all along. And ebay also lied to the FBI if indeed they reported me which they must have.
3) July 12th 10:30 my server was shut down by LT without me knowing because of this nonsense created by a lazy stupid idiot at ebay.
4) LT and I communicate and they threaten to eat up all my hosting fees and shut me down for good if I dare to host that proxy again. At this point I still think I was abused due to my negligence or some other trickery by the hackers. I am stunned and agree to shut down httpd if they let me in to ssh and take my data out.
5) I start getting angry for wasting money on LT hosting fees because I had carefully checked with them before signing up and they did say proxies were perfectly fine. So I make a post on the LT forum complaining about being bullied by their abuse about running proxy servers after I paid for it with their full knowledge I was going to run proxies. And now LT was saying they don't ever allow proxies.
6) LT is still fighting with me about proxies and claiming they cannot find a record of me being allowed on their forums or in a ticket. Nonsense because I clearly asked them in pre sales questions on their forums if proxies were allowed and they said yes. Also many other people from here have hosted proxies at LT.
7) I decide to analyse my box to figure out how this alleged spoofing and hacking occurred. I started by looking at the url that this moron at ebay had forwarded to LT: http://cooltunnel.com/perl/nph-cooltunnel.cgi/000110A/uggc://ptv.ronlpbz/ronlzbgbef/4-2-1-2cp-Urnqre-Nphen-Vagrten-1992-1993-92-93-EF-YF-TF_J0DDpzqMIvrjVgrzDDpngrtbelM33631DDvuM012DDvgrzM220003438223DDeqM1 Now look carefully at this part: uggc://ptv.ronlpbz/ That is a rot13 encoded part of the whole url. Decoded, it reads http://cgi.ebaycom ! Now when I saw this I was like, how could this be? The host ebaycom does not have a tld! So I thought maybe they hacked my server and put an ip address in my /etc/hosts file that resolves cgi.ebaycom to some server of theirs? This would be a very clever trick to leave me "holding the bag" if their crew had indeed hacked my server or done some kinda DNS poisoning of LT's own DNS servers which I use. Now this scared me because I thought I was dealing with someone who had very advanced skills...and everything pointed to me. I was terrified that now the FBI would not believe me, they might accuse me of having had a mod_rewrite rule or modifying my own /etc/hosts just as I have described. Well later I concluded the cgi.ebaycom was maybe just possibly only a typo by the wannabe hackers getting careless? Still doesn't fit together though. I still don't understand it, can anyone shed some light on this?
8) I talk to LT again and they say someone had seen the spoofed site in their abuse department. I began to suspect this could possibly be rubbish LT was spewing. So I created tickets with them demanding them to give me the name of any technician who had seen the spoof at all! I also demanded that if this spoof was operational at 4:30 am then why did their tech take a screenshot of my Cooltunnel.com index page instead of the spoofed page??? I asked these hard questions and waited...
9) LT replied back saying actually nobody had ever seen a spoof through my site but they just didn't like my proxy anyway because of this hassle. And one phonecall I made to LT also confirmed that a couple of their techs had definitely been fooled by the rubbish and lies ebay abuse had fabricated against me. So now do you see the whole chain reaction...I was innocent and competent all along and I was accused of being a guilty criminal fraudster, and fooled into even myself thinking I was inadequate and lax with my server security. I had to fight to clear my name of a crime I never committed because ebay made up this total lie and also apparently lied to the FBI about me. I am not very happy about this. I think I was treated unfairly.
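The rot13 decoding from the timeline above, turned into a log check, as an added example that is not part of the original thread or any poster's code: it pulls requests to the proxy script out of an Apache access log, decodes the target, and flags hosts such as cgi.ebaycom that are a watched brand with the dot before the TLD missing. The combined log format, the WATCHED list and every sample log line are assumptions constructed for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit

# Script path as it appears in the URL quoted in the thread.
PROXY_PREFIX = "/perl/nph-cooltunnel.cgi/"
# Assumption: brands worth flagging; both are named in the thread.
WATCHED = ("ebay.com", "paypal.com")

# Apache "combined" log format (assumed; adjust to the server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def decode_target(path):
    """Return the rot13-decoded target URL of a proxy request, else None."""
    if not path.startswith(PROXY_PREFIX):
        return None
    # The first segment (000110A in the thread's URL) is treated as opaque.
    _flags, sep, encoded = path[len(PROXY_PREFIX):].partition("/")
    if not sep or not encoded:
        return None
    return codecs.decode(encoded, "rot13")  # letters rotate, digits stay


def classify_host(host):
    """Label a decoded host: 'brand', 'brand-missing-dot' or 'other'."""
    host = (host or "").lower().rstrip(".")
    last_label = host.rsplit(".", 1)[-1]
    for brand in WATCHED:
        if host == brand or host.endswith("." + brand):
            return "brand"
        # cgi.ebaycom: the dot before the TLD is gone, so the last label
        # ("ebaycom") is not a real TLD.
        if last_label == brand.replace(".", ""):
            return "brand-missing-dot"
    return "other"


def scan(lines):
    """Return one record per request that went through the proxy script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_target(m["path"])
        if target is None:
            continue
        try:
            host = urlsplit(target).hostname
        except ValueError:  # malformed target, e.g. unbalanced IPv6 brackets
            host = None
        hits.append({
            "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "referer": m["referer"], "target": target, "host": host,
            "verdict": classify_host(host),
        })
    return hits


# Path of the URL quoted in the thread.
THREAD_PATH = (
    "/perl/nph-cooltunnel.cgi/000110A/uggc://ptv.ronlpbz/ronlzbgbef/"
    "4-2-1-2cp-Urnqre-Nphen-Vagrten-1992-1993-92-93-EF-YF-TF_J0DDpzqMIvrjVgrz"
    "DDpngrtbelM33631DDvuM012DDvgrzM220003438223DDeqM1"
)

# Constructed log lines: IPs, times, status codes and agents are invented.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2006:03:40:02 -0500] "GET ' + THREAD_PATH +
    ' HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Jul/2006:03:41:15 -0500] "GET /perl/nph-cooltunnel.cgi/'
    '000110A/uggc://jjj.rknzcyr.bet/vaqrk.ugzy HTTP/1.1" 200 5120 '
    '"http://cooltunnel.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Jul/2006:03:41:20 -0500] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [12/Jul/2006:04:02:44 -0500] "GET /perl/nph-cooltunnel.cgi/'
    '000110A/uggc://ptv.ronl.pbz/ HTTP/1.1" 200 9001 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["verdict"], hit["target"])
```

Run over real logs, the status, referer and source address recorded for any brand-missing-dot hit show who requested the link and what the server actually returned for it.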
as long as you take this incident serious, just relax and start using all brain power to find the hole. the key in my own research were my own access_log files. one help i got from my host was the files that hackers uploaded. when i looked at those files i saw - without verifying the actual code - that the main page of the hacker's proxy install is a file that included a link "deleteme" which lets me assume that hackers NORMALLY may have planned to delete the once uploaded files to erase all traces on actual server space, except of course they leave traces in the access_log files. i recommended the known victims to search thru logs way back to last year and one found first hacker abuse as early as mid last year. me too i had earlier hacker abuse by other programs used for mass mailing. let's first of all assume that ebay says the truth. let's assume that hackers have been there. find an email, find an uploaded file - anything your host may have and have removed already. my host did the right thing - they instantly chmod 0 all files and folders relating to the hacker. they left all files, hence i had a clue how to search. ask your host for help. ask ebay for help in that research. tell ebay that you have no trace and no evidence of any hacker abuse of your site but that you would appreciate their cooperation in securing your site by providing an original view / page of one such proxy page on your site. by default ebay and paypal get such pages emailed from recipients of such phishing mails. myself too i forward most of these mails to their respective email address: spoof at paypal dot com, spoof at ebay dot com. hence MOST likely they acted after receiving a forwarded mail pointing to your webspace. research ALL your log files - many months back. hackers normally use - forums to enter - hence hacker may have a regular user account - php scripts on your site - perl scripts on your site - most likely many other means as well. look into all those folders to see any file that does NOT belong
there. files often are renamed to look similar to normal files USED by you. i remember roughly having had a file phpinfo.pho or so ... a file many use on their server to get php server info, except that file contained OTHER code disguised in a neutral filename - hackers SW. another file was just called index.php but i had NO php in that folder .... SEARCH above all, assuming that they all said the truth in a rough way but efficient enough to wake you up. the mail from ebay WAS a WARNING. normal high tech research methods that are available on the HIGH end market would allow knocking at your door without email .... within minutes after a phishing site is set up it also is detected by the thousands of recipients. if you have a large site and wish to search all your logs for file names used by hackers - then EMAIL me ( NO PM pls ) and give me your URL. I then may send you a set of file names to search your logfiles for that are commonly used ( but may be renamed at any time ). also check for installed root kits - i have no idea what that is but one of the victim-sites found a root kit installed in addition to all other stuff. IF YOU are the one running that proxy as your site then pls keep in mind that proxy are the key tool to all cyber crime. as a honest person i see absolutely NO reason to have or use a proxy. without proxy servers on the net the cyber crime rate most likely would drop some 80 or more % instantly. proxy servers may be the most questionable invention of the entire www besides free email accounts. ALL the hackers i had used proxys. all the other victims' hackers also used proxys ... if you delete your proxy site and create a content site you earn money and have peace of mind
Hans you are giving ebay too much credit. Look at the facts. At 03:51:13 ebay swore there was a spoof and gave the url. At or before 4:30:10 which is just 38 minutes after ebay swore there was a spoof...a technician at LT was unable to view the spoofed site. Can a spoofed site just make itself disappear in less than 38 minutes because the hackers that designed the whole system are so clever? Or ebay was a stupid inconsiderate liar? Which is more plausible. I would say 1% ebay was right and I was dealing with superhuman genius hackers and 99% the guy at ebay did not have a properly functioning brain and carelessly was sending out mass emails with lies because he was too lazy to actually click the link himself. So he lied and said he had verified it was a spoofed site because he was sloppy, lazy and a liar.
Actually, yes. Why not? If the referrer is monitored for a range of known 'agents' or sites, for example, ebay or the fbi, by whatever scamware is on the server a self-delete routine would take care of the tracks.
YES a spoofed site can disappear as outlined below. the script set i found on my server seems to be a hackers professional toolset that has a deleteme button to make all files disappear after job done or after a time they consider safe before discovery. after all the repeated hacker experiences i had in the past i clearly would say the chance ebay is right may be 100% and the risk that hackers have been on your site also 100%. be cool. allow yourself the chance that you HAVE a security hole. as long as you deny that possibility your mind may be more blurred than a hackers mind and unfit to trace the hackers entry into your system. I had to as well and i was working some 2+ weeks about 20hrs a day, day and night, to study, to research my SW, to analyze my log MANUALLY using a few tools such as grep, to surf for security alerts, to contact SW developer of the commercial package that had the hole and then to secure all. for a few months half - to honeycomb then full
I thought so too initially. And in fact that is what I was strongly suspecting but one more time let's look at the hostname my proxy script was connecting to: cgi.ebaycom Now the tld is missing or non standard. This can only be resolved through either a compromised /etc/hosts or a poisoned upstream DNS server don't you agree? Let me repeat for emphasis...my proxy script was forwarding to a site that began with the hostname of cgi.ebaycom NOT cgi.ebaycom.com or anything else. And I did not detect any rootkits or even any changes in the checksums of the binaries and scripts from the / mountpoint and upwards. Config files were unaltered too. So how would you explain the hackers did this? Backdoored tripwire? Ran a routine that they embedded in the BIOS of my server? Or the firmware of my NIC? This would have to be a pretty sophisticated system compromise leaving no traces and being so well triggered. You are saying ebay's own IP address did not trigger the self-destruct of this alleged system yet it self destructed when LT tried to view it? Now compare this to the possibility that ebay was full of it and screwed up and lied when they sent out that canned email to LT abuse.
You found signs of intrusion. I did not even see any changes in checksums before, during and after July 12th. None of my binaries were touched, not my config files. Were you monitoring your system binaries for changes prior? Nope...but I was. Were you watching your config files for changes? I was. If that same hacker HAD managed to guess my ssh passwd or rooted the box from some weak script or unpublished exploit in php or mysql then I would have noticed the footprints most likely because he would have had to change at least ONE binary and/or essential script file to establish presence right? The risk is always there. But evidence and proof are not in this case. Also, it is looking more and more that ebay was full of it because they said the site was up and spoofing...and then 38 minutes later LT could not find the spoof. I was thinking EXACTLY like you are right now in the beginning because LT had told me I was being used for spoofing. But when I cross examined LT they retracted their claim and admitted not a single tech had actually seen the spoof. Are you saying the spoof was designed to self destruct as soon as it detected an IP range from the LT technician pool coming in at port 80? I mean compared to the ebay abuse being moronic this is a bit far fetched. It looks now like the ebay guy thought this WOULD PROBABLY be a spoof...but was too lazy and incompetent to actually verify it. I think the hackers made some silly typo possibly? I am not taking this lightly. I know this all COULD have happened just as I feared initially. For that reason I am becoming even more paranoid and careful and thinking twice about running proxies. I am playing around with perl and apache logs to analyze and look for patterns. But despite all this I am seriously doubting ebay because all the evidence indicates this spoof wasn't working and it's just some link in an email that was typo'd.
Yes it could be true there were genius level hackers but I am thinking it's more likely a complete idiot was doing sloppy work at ebay.
Also look at their email again. They are accusing cooltunnel.com of being involved in spam emailing AS WELL as hosting a spoof. I did not even have my cooltunnel.com MX server linked to LT, it was on another hosting package where my emails were handled. Now think of something else. The link they sent LT started with cooltunnel.com right? Right... now if my system had indeed been hacked and for example my /etc/hosts file had an IP address added to it to resolve to cgi.ebaycom then when ebay clicked on the url...they would have seen THIS in the url window of cgiproxy: http://cgi.ebaycom/ebaymotors/4-2-1-2pc-Header-Acura-Integra-1992-1993-92-93-RS-LS-GS_W0QQcmdZViewItemQQcategoryZ33631QQihZ012QQitemZ220003438223QQrdZ1 Why do I say that? Because that is the rot13 decoded version of that url. That's the actual url that my proxy was trying to reach. Now if ebay had actually seen that url they would have mentioned in their abuse email to LT that this is the actual "url" that is running the spoof. If the person at ebay is so clever that you say it's 100% he is right then why did he not mention this in his email to LT? Also if this ebay person is so smart why did he not say something like "even though this person is running a proxy we believe the content is being hosted at an IP address that is being resolved by the web server in your company blah blah blah". After all...if this person at ebay is not a moron but is actually a genius who is 100% right like you suggest then why would he not mention this in his letter to the LT staff? The proxy always tells you which url it is going to. Is this person at ebay not familiar with what a proxy is? Does he think the LT techs do not know what a proxy is...cuz most people who look at this situation will think....that the proxy is just being used to bounce to the real spoofed site automatically right? Everyone knows proxy servers are used to bounce websites.
So when the genius at ebay looked at the index page of cooltunnel.com why did he not realize that this was a proxy? I mean...do you think he even bothered to think about all this? Or just skipped over it due to ignorance, arrogance and laziness?
Actually, I'm saying quite the opposite - that any referral from a known ebay address (or other 'white' addresses) results in the instantaneous removal of the scamware and a clean-up to disguise any tracks. I don't believe eBay lied - why would they? What I do believe is that their abuse / spoof department were forwarded phishing emails purporting to be from eBay containing that url and they acted accordingly using an established and set out mandatory procedure, including informing the FBI (most likely they are required to by law) and asking the host to seize the HD for examination. I don't think they are saying you are a criminal, only that the site was being used in an unlawful way by persons unknown.
Sorry but if the IP address that this ebay abuse person connected to this site from was actually a trigger IP then the spoof mechanism would not have shown him the spoof. It would have shown an error and self destructed if indeed it was so well written. But ebay insisted that this spoof was still up and running when they wrote that letter to LT abuse. It's clear in the letter that the link is up and running and they want it DISABLED. Uhmmm...they lied when they said they had actually seen a spoof. Some guy got a report of a fishy looking email and he copied and pasted that link and then picked a generic letter relating to phishing sites that are supposed to be working. I mean look at that letter, it doesn't even look like a human wrote it. So the person that clicked SEND was a liar because he sent a letter that had incorrect facts in it. Do you see any signs of actual original THINKING in that letter? Just a standard template with an URL. An URL that they claim works but never did work. "we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal if the page is not immediately disabled." "We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities."
a script can be made to self-delete by time ( cron job or similar ) or by a click. hackers may have been waiting a few minutes or so to run all then delete all. imagine scenario where hackers have 100k addresses to mail. a few are instantly online - may be 5% = 5k. 10% AT LEAST are stupid enough to enter data = 500. may be 1% are instantly online = 50. that's all they want or need for a successful hackers run: a few dozen or hundreds of accounts, then self delete, then cash the accounts, then wait a while and start all over on another or same host again. i would say that's simple hackers math. i remember in much earlier years i had NO idea about www and phishing, etc. i usually checked into my paypal - but fortunately using my bookmarks. all it needs is a few & to be profitable. even worst hackers succeed even with zero $: they DE-stabilize society and create suspicion among all www users and ruin reputation - or at least try to do so. if your site is just a few months or years old - they may succeed. like terrorists: no precise goal - just destruction of whatever to cause damage for a reason or without a reason. did you verify ALL your access log files from the past many months ?? there can be NO peace of mind until YOU found the hole they found. did you research in G and Y ALL security alerts of the past months related to ANY and every piece of SW you have on your server ?? what file names did you search your logfiles for ? if you run a proxy - then it's just a matter of days or weeks until next time, and after one more time your host may risk to lose HIS entire hosting business! instead of defending the security of your system SEARCH for the hole. search for traces and proof UNTIL you found it. you are too much focusing in having a fail safe system. proxy server ALWAYS attract criminals and cyber crime may have a few million $ more for development of their tools than you have to secure your site.
while you argue about how impossible hackers can abuse your site instead of searching day and night until you found the hole - in the mean time hackers may enjoy a second free run on your site