Fixing Turkish hacks

Discussion in 'Security' started by celadore, Jun 17, 2007.

  1. #1
    A lot of my sites are getting hacked by some lame ass Turkish hackers. No idea why they target me and my website as I live in Kenya, Africa! Don't know what we ever did to the Turks.

    I have noticed a number of times where they insert an index.htm into a folder, except for when it has no effect - then they actually change my index.php file :(

    So I have restored the original files, changed my hosting account passwords and 644'd the files/folder they are changing.

    But every now and then I will find a new file in the images subfolder etc etc - which I have to leave as 777.

    Any idea where else they are putting these files?
    Can they install harmful files into these areas?
    How do I prevent them from accessing my site altogether? Can I ban the whole of Turkey from our server - or will they just use some other way to access the websites?



    NOTE to the Hackers!
    Why are you attacking all my websites? I am an African - not an American. We have nothing to do with your problems. Our problems are much worse than yours so grow the f* up and deal!
     
    celadore, Jun 17, 2007 IP
  2. krt

    #2
    Chances are they are already using a proxy or something else in an attempt to cover their tracks so banning all of Turkey won't help.

    As a Turk, I don't see why they would be targeting you from the info given, maybe it is your host or a script you are using with known exploits.
     
    krt, Jun 18, 2007 IP
  3. chris20492002

    #3
    Yea, these attacks are nasty and the Turks know how to bypass any hole in the system.
     
    chris20492002, Jun 18, 2007 IP
  4. celadore

    #4
    Well, my sites are hosted on an American server - on one of thelayered servers. But my sites all have information only about Kenya on them, so I think they are attacking the whole server regardless of who is on it.
    My hosting provider doesn't have a clue what is going on as they only say that it is my fault for leaking passwords - but I know other accounts on this server have been hacked too and changing my passwords didn't help me.

    I am already moving to a new host - but the server is in the US as well (this time in the SoftLayer datacenter). But this host is much more fluent in server protection.

    So I should be doing this for my websites:

    Folder Permissions - 755
    File Permissions - 644
    ?? This seems to work to keep the sites going - hope it will stop the hackers being able to change our websites as it is getting very annoying now.
     
    celadore, Jun 18, 2007 IP
  5. InFloW

    #5
    I imagine this is a server-wide deface and has absolutely nothing to do with your site itself. If you mentioned your domain, I could probably back that up with a quick search through defacing websites. So I imagine your current host is running an old kernel which the hackers are taking advantage of.
     
    InFloW, Jun 18, 2007 IP
  6. freeprotect

    #6
    Turkish men are stupid only. They only use bugs which are reported to exploit.
    Your ISP server may be rooted and have a rootkit set up by them.
    Contact your hosting provider now, I think.
     
    freeprotect, Jun 18, 2007 IP
  7. clancey

    #7
    These attackers are not targeting anyone in particular. They are looking for sites running specific versions of specific software which they are able to easily break into, using known and sometimes publicly documented holes.

    There are hundreds of publicly available scripts, most of which contain significant security holes, and some of which are no longer maintained. You should be looking into the security record for any scripts you may consider using -- not the marketing hype.

    You are not going to stop the attacks unless and until you improve your site security and use fully patched, actively maintained software. In addition, you need to learn about security and take steps to harden your PHP installation so that such attacks are harder to launch against you.

    I should add that you should count yourself lucky that they are interested in defacing sites -- which is a bold warning about the woeful state of security on your site and server. There are a lot of other people who install shell scripts, some of which are trojaned, so that they can silently use your server for their own purposes.
     
    clancey, Jun 18, 2007 IP
  8. krt

    #8
    Must you generalise for all Turks!? And if you read, he has contacted the host already.

    BTW, good points clancey.
     
    krt, Jun 18, 2007 IP
  9. celadore

    #9
    Thanks for the advice Clancey. Most of my sites use Joomla 1.0.12 which is very actively supported (in fact I think it is the most popular CMS at the moment). I have gone through their forums and made a few changes which seem to help. 2 of the sites also had SMF which was 'hacked' after I fixed the Joomla problems.

    I am also changing hosts to a new host who have a better idea of how to run a server. I am fairly IT savvy, but it is not possible for me to learn everything about everything. It is just not efficient that way. That is why I am moving hosts. It is their responsibility to keep the server secure - not mine.

    Current site has Register Globals on by default - I know that this is very bad, but my current host refuses to change this. Not a prob with the new host.

    I would like to know the basics about server security - where is a good place to learn about this - (something simple and easy to absorb as my brain is already overflowing with other info lol).
     
    celadore, Jun 18, 2007 IP
  10. clancey

    #10
    There are some interesting comments about emulating register_globals off at the PHP site at the link: faq.misc.registerglobals

    I would not be complacent about Joomla and its level of support. A group of hackers say a security advisory will be coming about soon about the current version of Joomla. In a discussion among people who have gained admin access, one participant made this May 31, 2007 comment:

    Unfortunately, they never explain what is broken. Consequently, you cannot fix it until they issue the advisory.
     
    clancey, Jun 19, 2007 IP
  11. celadore

    #11
    New Host - New problems lol!

    Well I moved a couple of sites to a new host - only now I have a whole different set of problems :(. Not even sure whether this is related to the Turkish Hacks - or if it is just a problem with the new host.

    Every 24 hours, my MySQL databases revert back 12 hours, and then a few hours later any files that I added to my site disappear (images and such).

    Don't know if this is the hackers as it is not their M.O., a different type of hacker or if it is just an issue with my new host. The host can't find anything wrong at all - which is very worrying. Who knew it was so difficult to run a simple website :eek:
     
    celadore, Jun 22, 2007 IP
  12. MasTorY

    #12

    I'm from Turkey and I'm a Turk.

    Turkish men are not stupid :mad:
     
    MasTorY, Jun 24, 2007 IP
  13. freeprotect

    #13
    Sorry MasTorY, I did not mean Turkish men, only Turkish attackers. Sorry again :)
     
    freeprotect, Jun 24, 2007 IP
  14. eSpenders.com

    #14
    Yea, I am still fighting Turkish hackers!
    Every hacker that hacked my image hosting site was from Turkey and uploaded shells and defaced my site with political messages and promoting Turkey and its leader!
    If anyone can help me with my script that would be greatly appreciated! The script is just checking the header to see if it's an image and I need it to check the file or something!
    Thanks
     
    eSpenders.com, Jun 25, 2007 IP
  15. eSpenders.com

    #15
    As soon as I posted this I went to one of my other sites that I was editing before I read this thread and it got hacked by another Turk jerk within 10 mins!
    They redirected my site to this url with music and ads alemking.al.funpic.de/kral.html I can't find the problem!
    No files have changed in my FTP and I'm searching my e107 admin panel.
    I found the site where the fucts tell em how to hack and admit to hacking my site.
    Dumb %$$&^ put a clickable link to my site on the page!
    What can and should I do? Help please.
     
    eSpenders.com, Jun 25, 2007 IP
  16. eSpenders.com

    #16
    Well, I found the problem. It was in my shout/chat box; somehow they put a redirect script in there.
    And I fixed the CMS / e107 issue.
    They were uploading PHP files as .php.jpg and executing them.
     
    eSpenders.com, Jun 25, 2007 IP
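
Two symptoms reported in this thread, files appearing in a 777 images folder and PHP uploaded as .php.jpg, can be checked for from a shell on the hosting account. The script below is an added example, not code from any poster or from e107/Joomla; the function names, the image-extension allowlist and the sample files are assumptions made for illustration.

```shell
# Added example (not from the thread). Usage: sh audit.sh /path/to/webroot
# classify FILE: print "ok" or the reason the file does not belong there.
classify() {
    name=$(basename "$1" | tr '[:upper:]' '[:lower:]')
    # A script extension anywhere in the name counts, not only the last one:
    # Apache's mod_mime can act on inner extensions such as banner.php.jpg.
    case "$name" in
        *.php|*.php.*|*.php[0-9]|*.php[0-9].*|*.phtml|*.phtml.*)
            echo "script-extension"; return ;;
    esac
    # Allowlist of final extensions; catches dropped index.htm or .htaccess.
    case "$name" in
        *.jpg|*.jpeg|*.png|*.gif) ;;
        *) echo "not-an-image-name"; return ;;
    esac
    # Image magic bytes prove nothing about the rest (short tags not matched).
    if LC_ALL=C grep -i -q -F '<?php' "$1"; then
        echo "php-in-content"; return
    fi
    echo "ok"
}

# audit_uploads DIR: one "reason<TAB>path" line per file needing review.
audit_uploads() {
    find "$1" -type f -print | while IFS= read -r f; do
        verdict=$(classify "$f")
        [ "$verdict" = "ok" ] || printf '%s\t%s\n' "$verdict" "$f"
    done
}

# list_world_writable ROOT: directories any local account can write (777).
list_world_writable() {
    find "$1" -type d -perm -0002 -print
}

# make_sample DIR: constructed files for a dry run, not real samples.
make_sample() {
    mkdir -p "$1/images"
    printf '\377\330\377\340JFIF-pixels' > "$1/images/logo.jpg"
    printf 'GIF89a<?php /* constructed */ ?>' > "$1/images/banner.php.jpg"
    printf '\377\330\377\340JFIF<?php /* constructed */ ?>' > "$1/images/avatar.jpg"
    printf '<html>constructed</html>' > "$1/images/index.htm"
    chmod 777 "$1/images"
}

if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
    audit_uploads "$1"
fi
```

A flagged file only runs if the web server hands it to PHP, so turning off script handling in upload directories removes the risk regardless of filename. The audit finds what is already there; it does not replace validating and renaming files at upload time.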
  17. p2y

    #17
    It's an old Apache bug. You should update your software.
     
    p2y, Jun 25, 2007 IP
  18. MasTorY

    #18
    I'm Sorry for Turk hackers :(
     
    MasTorY, Jun 26, 2007 IP
  19. p2y

    #19
    They are not hackers, they are all lamers ;)
     
    p2y, Jun 27, 2007 IP
  20. MasTorY

    #20
    No, no, no, some people are lamers, but they are real hackers. ;)
     
    MasTorY, Jun 27, 2007 IP