I've been hacked....

Discussion in 'Site & Server Administration' started by Notting, Jul 25, 2006.

  1. otssolutions_administrator

    otssolutions_administrator Peon

    #61
    hi dear friends of civilized countries
    no need to fear by this type of dirty mind people and carry on the war against the terrorist, and make more protectable our website, or try to hack the site of some big muslim person, like laden, daud, etc and give a solid answers...:)
     
  2. Steve Myers

    Steve Myers Active Member

    #62
    Hmm... are you trying to preach to us? Because it sounds like you are.

    P.S lay off the good stuff, you might have O.D on it :p
     
    Steve Myers, Aug 1, 2006 IP
  3. Tolstoy

    Tolstoy Peon

    #63
    Please forgive the long post. It is, however, useful information.

    I have been battling with this hacker and several others for the past 9 months. I have successfully thwarted over 10,000 attacks on my server since October of last year (2005). This started after my site was hacked twice in about 2 weeks.

    I figured out that a lot, if not most, of these attacks are being automated. I have had as many as 350 attacks originating from a single IP address. This was before I added measures to block IP addresses from which attacks originate.

    Regarding hosts and who is responsible for the vulnerability: These attacks exploit vulnerabilities in PHP web applications (CMS) like Mambo and phpBB. The owner of the website is responsible for these, not the host. In fact, the host could disable your account if it is determined that your site is too much of a risk to the server.

    That being said, the hosting company really should disable any software packages or other sub-systems that are not being used such as Perl, TCL, Samba and others. Also, unless there is a good reason to not do so, Telnet should be disabled. Hosting companies that are running Apache can install mod_security (http://www.modsecurity.org) to check for known attacks on the web server process level, thus protecting all sites running under that instance of Apache.

    Some of the more insidious kits these hackers are using can gain access to the entire machine by uploading a script of about 400 lines of code. The latest one I saw today uses PHP to create an Admin level user without a password in Samba. Samba is a Linux tool that allows the Linux box to be networked to and controlled by a Windows box.

    Typically when these attacks are being executed, at least 2-3 machines are being used. Several scripts may be included from other compromised servers. The attacks can also be automated.

    There was one earlier suggestion to keep software such as Mambo updated. Unfortunately, the Mambo development team has not completely closed the hole. The problem is in the way global variables are handled in Mambo. The mosConfig_absolute_path variable is exposed and allows the malicious file to be included in the normal operation of Mambo. Also, Mambo does not filter GET requests for characters that have significance in JavaScript, PHP, Perl or MySQL. This is the first rule of web security - consider all user-supplied data to be suspect until proven otherwise.

    PhpShop for Mambo has a vulnerability in it as well that allows a hacker to upload a remote file.

    Detection:

    1. I have a filter class that is included and executed at the very top of index.php, administrator/index.php and administrator/index2.php. The filter uses a combination of regular expressions and substring searches to look for _REQUEST, GLOBAL, mosconfig_absolute_path and http: after the ? in the URL. It is important to note that these strings do not necessarily appear as keys in the URL key->value pairs. It is possible to hide them somewhat by passing a multi-dimensional array via the URL.

       ?option=_REQUEST=&GLOBALS[mosconfig_absolute_path]=path/to/malicious/code.txt

    2. I have a .htaccess file set up to detect access to any file ending in .php other than index.php, administrator/index.php and administrator/index2.php. There is no reason for any file other than these three to ever be accessed by the web browser. If any file other than these is requested, the request is dropped.

    Protection:

    1. The request is dropped using PHP's die() function.

    Reaction:

    1. The attack is logged.
    2. An automated email is sent to me to alert me of the attack.
    3. All future requests from the requesting IP are dropped.

    I also, whenever I have enough information, inform all the host companies who are knowingly or unknowingly involved in the attack. Many times the attackers are using proxy servers to cloak their own IP and including files that they have distributed on other compromised servers. I even went so far as to report one hacker who I tracked down to California to the FBI.

    I hope this information helps.

    For the record, I am neither Muslim, Christian nor Jew. I think any proclamations of hate or acts of extremism are beneath the dignity of honorable people.
     
    Tolstoy, Sep 30, 2006 IP
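
The filter and the three reaction steps described in post #63 above, as an added example that is not code from the post or from Mambo. Function names, the blocklist path and the alert address are assumptions; the file is meant to be required first in index.php, and running it from the command line prints verdicts for three constructed queries.

```php
<?php
// Added example, not the poster's code; names, paths, address are hypothetical.
const SUSPECT_TOKENS = ['_request', 'global', 'mosconfig_absolute_path'];
const BLOCKLIST = '/var/lib/reqfilter/blocked_ips.txt'; // assumed, outside web root
const ALERT_TO  = 'admin@example.com';                  // placeholder address

// Decode a few rounds so double-encoded (%255F...) tokens are still seen.
function normalize_query(string $raw): string {
    for ($i = 0; $i < 3 && ($dec = rawurldecode($raw)) !== $raw; $i++) {
        $raw = $dec;
    }
    return strtolower($raw);
}

// Scan the whole raw query string, not just parameter names: the tokens can
// sit in a value or inside array brackets. Returns a reason, or null if clean.
function inspect_query(string $rawQuery): ?string {
    $q = normalize_query($rawQuery);
    foreach (SUSPECT_TOKENS as $token) {
        if (strpos($q, $token) !== false) {
            return "token:$token";
        }
    }
    // "http:" is the string named in the post; https and ftp are added here.
    return preg_match('#(?:https?|ftp)\s*:#', $q) ? 'remote-url' : null;
}
function ip_is_blocked(string $ip): bool {
    $ips = is_file(BLOCKLIST) ? file(BLOCKLIST, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    return in_array($ip, $ips, true);
}
if (PHP_SAPI === 'cli') { // constructed sample queries for a quick self-check
    foreach (['option=com_content&task=view&id=5',
              'option=_REQUEST=&GLOBALS[mosconfig_absolute_path]=path/to/malicious/code.txt',
              'option=com_x&dir=http%253A%252F%252Fhost.example%252Fa.txt'] as $sample) {
        printf("%-14s %s\n", inspect_query($sample) ?? 'clean', $sample);
    }
    return;
}
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
$reason = ip_is_blocked($ip) ? 'blocked-ip' : inspect_query($_SERVER['QUERY_STRING'] ?? '');
if ($reason !== null) {
    error_log("reqfilter: $reason ip=$ip");                           // reaction 1: log
    if ($reason !== 'blocked-ip') {
        mail(ALERT_TO, 'Request filter hit', "$reason from $ip");     // reaction 2: alert
        file_put_contents(BLOCKLIST, "$ip\n", FILE_APPEND | LOCK_EX); // reaction 3: block IP
    }
    http_response_code(403);
    die(); // protection: drop the request
}
```

Substring matching this broad also rejects legitimate queries that merely contain one of the words (a site search for "global", for instance) and then blocks the sender's address, so review the log before trusting the blocklist.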
  4. J.Davidson

    J.Davidson Peon

    #64
    Dear Friends,

    No offense to you American People, but sometimes I feel sad for you. Just because a MUSLIM guy hacked your website doesn't give you the right to say FUCK MUSLIMS or anything like that. That's like saying, a Jew hacked my website, fuck Jews. Just because a JEW or MUSLIM hacked your website doesn't mean ALL JEWS or ALL MUSLIMS did it or should take the blame. You should be more mature and STOP being racist.

    Best Regards,
    John
     
    J.Davidson, Sep 29, 2008 IP
  5. UnknownOne

    UnknownOne Banned

    #65
    Burn bro, no backup?
     
    UnknownOne, Jul 13, 2009 IP
  6. Grit.

    Grit. Well-Known Member

    #66
    I must admit I was hit by an Iranian "hacker" recently, who just used an exploit, and all this in the effort to preach his message about the Iran elections to my audience, who quite frankly couldn't give two hoots about what he had to say. It's my personal belief that if they have an issue with our government's decisions, then they shouldn't attack us and our websites, but instead make futile efforts on the government. Why should we suffer for their deluded beliefs?

    Now I am in no way a racist, but it boils down to the fact that these foreign hackers prefer to refer to us in detrimental terms, and yet, anybody who then uses some form of detrimental language in return, then it's you who becomes racist. Personally, if your whole host got attacked, then I'd advise moving hosts unless they're willing to boost security.

    It's things like this that provide an eye opener to the world. Make regular backups etc, and remember, our government aren't going to change their decisions just because a few websites get hacked, so in the end we can't change it. Eventually these individuals are going to realise that their attacks are merely agitating us, and make us agree with our governments more to the point that we really won't care anymore. It just goes to show how futile these attacks are, when they attack those who really don't care, and use a feeble excuse to attempt to justify their actions.
     
    Grit., Jul 13, 2009 IP
  7. ddmd

    ddmd Peon

    #67
    The truth is that whenever you put your site on a shared host you are susceptible to such a thing. There is no 100% secure shared host anywhere because 1 bug in one of the hundreds of sites hosted on that box can be used as a vector to hack everything else.

    If you are serious about it, host on a private server (some can be as low as 20 per month) and you can do some good security in there.
     
    ddmd, Jul 13, 2009 IP
  8. Payton Designs

    Payton Designs Peon

    #68
    Your host should have the whole backup on file. Contact them.
     
    Payton Designs, Jul 14, 2009 IP