My all sites hacked. Turkish boys replace only Index.html File. Please Help

I have seen many sites hacked by those Turkish guys and I believe the problem is a database vulnerability via cpanel

 

it's not a cpanel or database vulnerability, but it's php cross-script vulnerability and the only solution is mod security, as you can't control scripts of all the users or keep monitoring scripts of 100ds of users on your server who is doing what, use mod security and secure yourself

Greets

 

Gah, Its a worm that goes through and does it.

Anything thats 777 and doesn't need to be change it!

 

i just contacted my host, godaddy and i was put through to a stupid girl who did not know what she was doing. when i told her that this attack was worse than the last her reply was "oh really? thats crazy" im not used to this kind of tech support with godaddy since they are usually quite smart and know what they are doing. she created a ticket for advanced tech support and i am waiting for a response from them. i told them about the cross scripting that might have vulnerabilities on other accounts on the shared server so if that is the case they might change my server. last time i was able to just change the index files on the two sites and it got fixed. but this time i have no clue what they did so there goes my site...im deleting my whole joomla installation and hopefully i can salvage a few things from my database. btw who wants to go after those turkish "warriors"???

 

I think you need to see this.

http://forums.digitalpoint.com/showthread.php?t=278457

 

i think it is remote file include which scripts you use ? if u need help about security pm me.

and im from turkey whats they sites or nicknames ?

 

Safe mode can be turned off using following string by using it in any script.
This vulnerability effects upto PHP v4.
ini_restore("safe_mode");

So if you have old PHP version that aint gonna help.
Sometime you cant afford to CHMOD every folder to 777. So the best way to stop infiltration is get every thing updated.

 

We didnt know that you are Muslim… You are the victim of our protest, cause the server was foreign and we think that you are not Muslim. İf you contact with us we can help you about the security. Because we never hurt a Muslim…

1923Turk-Grup/TuraN​

 

set index permission to 777 chmod....n it wil wok again.

 

thanks for the solution guys this type of thing happening to one of my sites is like my worst nightmare i am glad to see that you guys have spread the knowledge this will help alot of people vauble post guys thanks for this

 

most sites are hacked without the need to ever use a password..

 

i think this guy is trying to trick us into setting index permission to 777 chmod so it will be easier to hack

 

I got hit by these guys today !!!

every 777 chmod folder got it !

 

turn on safemode in php.ini . And dont switch if off untill you find the vulnerable script

 

No wonder you're red out. This guy was asking for help.

What scripts are you using on your sites, host_planer?

 

I also had problems with this kind of guys, muslim who are so fanatically as to attack anything that's foreign. You know what you should do? on the first page put a picture with a naked woman, they will run like hell and never came back.

 

I have been hit by these cockroaches in the last few days and they have corrupted most of my websites, I guess because I have a .us domain. Perhaps the U.S. authorities should be tracking them down as I would imagine .us domains are going to be ever increasing targets.

Their front page gives the address of a portal which is in Turkish and seems to be some sort of hacking site. Anyone interested I can give you the forum address.

 

Sorry to bump an old thread but they are back up & bigger from what it seems.

My site got hit this morning. It's just my main index.html file
Claiming to be Turkish & w/e

http://www.ruinyou.com

 

Figured it out. I feel stupid that it took so long. I have an imageshack clone (picture uploader) on my site. Supposed to be for image files only but they uploaded a php file into it. Dont know if it was hidden in a picture or by itself. That allowed them into my site to change the index.html file.
If it happens to you, just look at your ftp dates to see what files were edited last. I'm sure it will help.

 

These guys are doing this because of the battles between Israel and Arabs/Muslims
www.arabic-m.com - that's their site, if you wanna see the damage they've caused.

Btw, they don't have your password, they're doing it from outside of the site...

Sources: http://israelity.com/tag/hackers/