
Hacked!

Discussion in 'Site & Server Administration' started by Daz, Mar 19, 2007.

  1. #1
    Look at this,
    My whole site got taken down.
    150000 members DELETED.
    2 years of work.

    Owned SysTem By Akrep__KraL
    Owned SysTem By Akrep__KraL
    Owned SysTem By Akrep__KraL
    Owned SysTem By Akrep__KraL
    Owned SysTem By Akrep__KraL

    Is all I can see, and on one of my pages, I got this:
    [​IMG]


    I found out that it's some big hacker group from Turkey, obviously.


    I need help.
    If you can help in any way, shape or form please let me know.
    I'm quite helpless.
     
    Daz, Mar 19, 2007 IP
  2. Kerosene

    #2
    Email your host immediately and see if they have backups.
     
    Kerosene, Mar 19, 2007 IP
  3. Judd

    #3
    Yeah, sorry to hear, man. I generally try to do backups at least once a week, just as preventative maintenance.
     
    Judd, Mar 19, 2007 IP
  4. Daz

    #4
    Daz, Mar 19, 2007 IP
  5. Kerosene

    #5
    Same here. It's a lesson you only need to learn once :(
     
    Kerosene, Mar 19, 2007 IP
  6. Daz

    #6
    I have backups, and I make backups daily. That's not the point.
    The point is someone managed to get into my site, take it down, and delete the players.
    There's no point in restoring the players until this issue is sorted, is there?
     
    Daz, Mar 19, 2007 IP
  7. GlobalGamingNews

    #7
    What do you mean when you say they deleted the site? Are you saying that it was a forum hack, or are you saying they took down a normal web site?
     
    GlobalGamingNews, Mar 19, 2007 IP
  8. adsblog

    #8
    What is your CMS?
     
    adsblog, Mar 19, 2007 IP
  9. Daz

    #9
    The game is an online RPG.
    It's quite big, and has, as I said, over 150,000 members.
    We do not have any CMS or any backend to it - we use only SSH / phpmyadmin / ftp.


    They took down my site by deleting the players table, and all 150,000 members.
    They then overwrote the cache page to be what I showed you in the first picture.
    Akrep__KraL is the person or alibi of the guy who hacked the site.
    Just google his name :/

    I found a lot of info about my site here:
    http://www.spygrup.org/showthread.php?p=122097#post122097

    If someone could help translate it from Turkish to English it'd be great. Any other help?


    Also I figure it's an SQL injection. The thing is, I recently hired someone to overhaul the site and secure it..
    We're looking into it now.
     
    Daz, Mar 19, 2007 IP
  10. shortd81

    #10
    The same people hacked my site about 6 months ago. I got a public apology and also got his IP address from my host. They can get in A LOT of trouble if you find out who did it.

    I'll have my friend translate it when he gets off work.
     
    shortd81, Mar 19, 2007 IP
  11. GlobalGamingNews

    #11
    Yeah, being able to read what they say would probably give a more definitive view.

    My best guess is that:

    1. Maybe they performed some kind of Apache hack

    or

    2. Your PHP was opened up to some form of cross site scripting or SQL injection.

    Have you been able to get in contact with your web host?
     
    GlobalGamingNews, Mar 19, 2007 IP
  12. Daz

    #12
    Thanks,
    We know who did it. The site I posted, the guy who posted "MIssion Passed" is a "super moderator" on the forums.

    None of the access logs were deleted. We're getting all the info we can.
     
    Daz, Mar 19, 2007 IP
  13. Daz

    #13
    XSS is probably what it'll be.. But I'm hosting it directly at Layeredtech, no middle man.
    I'm putting a database restore on it now.
     
    Daz, Mar 19, 2007 IP
  14. T0PS3O

    #14
    Block SSH/FTP and PHPMyAdmin by IP so only you and you only can access it. Restore the back-up so your audience isn't affected too much. Then start digging in log files and start talking to the host. Search for any files that are publicly writable and CHMOD them back to a secure setting. Then start sanitizing all SQL GET/POST input.
     
    T0PS3O, Mar 19, 2007 IP
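
The permission step from post #14 ("Search for any files that are publicly writable and CHMOD them back to a secure setting"), as an added example that is not part of the original thread. The function names and the `DRY_RUN` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and repair world-writable paths under a web root.
# list_world_writable, fix_world_writable and DRY_RUN are hypothetical names.

# Print every regular file and directory below $1 that "other" may write to.
# -xdev keeps the scan on one filesystem; symlinks are neither followed
# nor reported, so a link pointing outside the web root is left alone.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print
}

# Clear the world-write bit on everything list_world_writable reports.
# With DRY_RUN=1 nothing is changed and the affected paths go to stderr.
# Prints the number of paths found on stdout.
fix_world_writable() {
    root="$1"
    count=$(list_world_writable "$root" | wc -l | tr -d ' ')
    if [ "${DRY_RUN:-0}" = "1" ]; then
        list_world_writable "$root" >&2
    else
        # Only the o+w bit is removed; owner and group bits are untouched.
        find "$root" -xdev \( -type f -o -type d \) -perm -0002 \
            -exec chmod o-w {} +
    fi
    echo "$count"
}

# Run as: sh audit.sh /path/to/webroot   (report only, nothing is changed)
if [ "$#" -ge 1 ]; then
    list_world_writable "$1"
fi
```

Review the dry-run listing before applying the fix, since a cache or upload directory that the application writes to will need its ownership adjusted once the world-write bit is gone. File names containing newlines would throw off the count.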
  15. Daz

    #15

    We started multiple times. There are hundreds and hundreds of pages that need securing.
    I wish I had more experience in such things.

    The thing that shames me about this, is seeing the Islamic Star next to their name.
    How can they even go by that?
    People like this are who drag the name of Islam down as a whole.
    I am a believer in Islam, and don't believe that ANYTHING radical or illegal done 'in the name of Islam' is right.
     
    Daz, Mar 19, 2007 IP
  16. Daz

    #16
    Well, just as a little update I spoke to him thanks to another DP member, and he will leave my sites alone from now on, apparently.

    Until it got to this, a number of my other sites got taken down, along with several phpBB forums (which were just installed 2 days ago..).
    My vBulletin forum is still standing though :p
     
    Daz, Mar 19, 2007 IP
  17. nddb

    #17
    I hope he told you how he got in, and how to fix it. It's only courteous. He didn't have to kill all your 150,000 users to deface the page... that's just malicious.
     
    nddb, Mar 19, 2007 IP
  18. tokyoice

    #18
    Sorry to hear that, hope you get it sorted
     
    tokyoice, Mar 19, 2007 IP
  19. Daz

    #19
    I just found out he also deleted EVERY single backup we had on the server.
    2 years of work.
    Gone.
     
    Daz, Mar 19, 2007 IP
  20. Judd

    #20
    Oh man, no off site storage or hard copies on a disk?
     
    Judd, Mar 19, 2007 IP