Site hacked ~ Check your Google cache NOW!

Discussion in 'Site & Server Administration' started by SEbasic, Feb 8, 2006.

  1. frankm

    frankm Active Member

    Messages:
    915
    Likes Received:
    63
    Best Answers:
    0
    Trophy Points:
    83
    #81

    Anyone who has or can get his sysadmin to do this for him, should just deny all traffic from/to that IP address. Probably even block it in your router.
    nothing good can come from that site
     
    frankm, Feb 8, 2006 IP
  2. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #82
    That's the thing though, I wonder how many of these sites are out there?

    That's just one URL... They could have loads.
     
    SEbasic, Feb 8, 2006 IP
  3. Skinny

    Skinny Peon

    Messages:
    1,865
    Likes Received:
    93
    Best Answers:
    0
    Trophy Points:
    0
    #83
    Hey guys,

    Okay I just checked this thread again.

    1 question. If I throw this:

    php_flag display_errors off
    php_flag register_globals off

    into my .htaccess file is that going to do anything to my blog?

    I apologize for my ignorance of databases and how they work.

    Skinny
     
    Skinny, Feb 8, 2006 IP
  4. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #84
    lol shutup :p i saw all the php.ini stuff and my eyes glazed over :p
     
    Dekker, Feb 8, 2006 IP
  5. GADOOD

    GADOOD Peon

    Messages:
    1,745
    Likes Received:
    241
    Best Answers:
    0
    Trophy Points:
    0
    #85
    Marvelous. Another item to add to the 'Why making money on the Internet can be a pain in the arse and fuck your hard work and revenue up over night' list.

    I aren't technically minded. I don't want to have to learn how to deal with this shit, and I certainly can't afford to pay anyone to do it for me.

    Pete
     
    GADOOD, Feb 8, 2006 IP
  6. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #86
    LOL, databases have almost nothing to do with this :)

    Save off your current .htaccess as old.htaccess and save the new one when you know traffic is slow. It either completely disintegrates or it's fine. You'll soon find out. If they coded it badly, it may require register_globals = on. Then your app will fail miserably.
     
    T0PS3O, Feb 9, 2006 IP
  7. Dio

    Dio Well-Known Member

    Messages:
    725
    Likes Received:
    55
    Best Answers:
    0
    Trophy Points:
    120
    #87
    I tried it briefly with VB and it killed it. :D
     
    Dio, Feb 9, 2006 IP
  8. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #88
    So really, who should I be contacting about this...

    I'm pretty confident the attack didn't come through the site as I can't see anything in the logs, so I guess it could have been a vulnerability with any of these...

    The FTP Server, Cpanel, Apache, or an infected box...

    I've told the host and pointed them to this thread ~ But it's not just restricted to that server, so I guess I should tell the Cpanel guys and the rest too, right?
     
    SEbasic, Feb 9, 2006 IP
  9. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #89
    Get FTP logs. Get logs of Cpanel access. If they got you via keystroke logging, it didn't even require hacking in, just logging in.
     
    T0PS3O, Feb 9, 2006 IP
  10. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #90
    I've got it all ~ I can't see anything... :/

    I know the IPs that log in on a regular basis and there doesn't seem to be anything out of the ordinary...
     
    SEbasic, Feb 9, 2006 IP
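
The log review discussed in the two posts above can be made systematic. This is an added example, not code from the thread: it assumes the FTP daemon writes the common xferlog format, and the sample records, the allowlist and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records in xferlog format (documentation-range IPs, made-up paths).
SAMPLE_XFERLOG = """\
Tue Feb  7 09:14:02 2006 1 198.51.100.10 5120 /home/site/public_html/about.html a _ i r site ftp 0 * c
Wed Feb  8 03:41:17 2006 1 203.0.113.77 18231 /home/site/public_html/index.php a _ i r site ftp 0 * c
Wed Feb  8 03:41:19 2006 1 203.0.113.77 902 /home/site/public_html/.htaccess a _ i r site ftp 0 * c
Wed Feb  8 10:02:55 2006 2 198.51.100.11 40960 /home/site/backup.tar.gz b _ o r site ftp 0 * c
"""
KNOWN_IPS = {"198.51.100.10", "198.51.100.11"}  # constructed: addresses you normally log in from
RISKY_SUFFIXES = (".php", ".htaccess")          # files that run or configure code on the site


def parse_xferlog(line):
    """Return one xferlog record as a dict, or None if the line is not a full record."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    # The nine fields after the filename are fixed, so count them from the end.
    _type, _flag, direction, _mode, user, _svc, _auth, _authid, status = tok[-9:]
    return {"when": when, "host": tok[6], "size": size, "path": " ".join(tok[8:-9]),
            "direction": direction, "user": user, "status": status}


def unfamiliar_uploads(lines, known_ips):
    """Uploads (direction 'i') from hosts outside known_ips; 'risky' marks code/config files."""
    hits = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["host"] in known_ips:
            continue
        rec["risky"] = rec["path"].endswith(RISKY_SUFFIXES)
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unfamiliar_uploads(SAMPLE_XFERLOG.splitlines(), KNOWN_IPS):
        print(rec["when"], rec["host"], rec["user"], rec["path"], "RISKY" if rec["risky"] else "")
```

If the daemon logs resolved hostnames instead of addresses, the allowlist has to hold those names. An empty result only rules out FTP uploads from unfamiliar hosts, not stolen credentials used from a familiar one.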
  11. Dio

    Dio Well-Known Member

    Messages:
    725
    Likes Received:
    55
    Best Answers:
    0
    Trophy Points:
    120
    #91
    The one exploit I've seen mentioned is via CubeCart - but Ethan's Blog picked it up through PHP Nuke. It sounds more like an exploit than an FTP issue from what I'm reading.
     
    Dio, Feb 9, 2006 IP
  12. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #92
    Then it's an exploit in a number of different systems, because I've seen it on phpBB, WordPress, Gallery, CubeCart and a number of other publishing systems...

    My guess is it's a slightly more deep rooted issue than that.

    But I don't *know*...
     
    SEbasic, Feb 9, 2006 IP
  13. Dio

    Dio Well-Known Member

    Messages:
    725
    Likes Received:
    55
    Best Answers:
    0
    Trophy Points:
    120
    #93
    Dio, Feb 9, 2006 IP
  14. GeorgeB.

    GeorgeB. Notable Member

    Messages:
    5,696
    Likes Received:
    288
    Best Answers:
    0
    Trophy Points:
    280
    #94
    Sucks man... we're out here trying to make a living and these punks come along and do this.

    I guess it's the equivalent to being a brick and mortar shop owner and getting vandalized or robbed... :(
     
    GeorgeB., Feb 9, 2006 IP
  15. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #95
    that's exactly what it's like...

    It's pretty horrible to see the drop in rankings the sites have taken and worse than that, the drop in revenue I've seen (It's huge)...
     
    SEbasic, Feb 9, 2006 IP
  16. mcfox

    mcfox Wind Maker

    Messages:
    7,527
    Likes Received:
    716
    Best Answers:
    0
    Trophy Points:
    360
    #96
    I spoke to a guy who 'knows' these sorts of things and he said the exploit to gain access to the server is via Cubecart. Apparently, there are a number of exploits that target that particular software because, and I quote, 'it's so badly written'.

    On a shared server, or even a server which has Cubecart installed, it's possible the entire server gets compromised via the one route, or like Dio says, it's possibly connected to:
    http://www.eweek.com/article2/0,1895,1885811,00.asp
     
    mcfox, Feb 9, 2006 IP
  17. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #97
    I'm not running it anywhere.

    If another site hosted on the server is infected could they have access to mine?

    Thank god if that's what it is, but I'm not sure it's the only possibility...
     
    SEbasic, Feb 9, 2006 IP
  18. forkqueue

    forkqueue Guest

    Messages:
    401
    Likes Received:
    21
    Best Answers:
    0
    Trophy Points:
    0
    #98
    It really rather depends how good your shared hosting provider is, but the answer is generally yes.

    Your files are probably writeable by the Apache user. As the exploited script is being run as the Apache user they can easily trawl the box adding their code to every single .php file.

    This is one of the reasons I've been setting up Lighttpd for customers who offer shared hosting - you can easily chroot each site, meaning the worst they can do is screw up the site they break into.

    I'd second the recommendation to get your own server. I only host my sites on boxes I have set up myself. Added to that, over the longer term co-location is usually cheaper than purchasing a dedicated server anyway.
     
    forkqueue, Feb 9, 2006 IP
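
The exposure described in the post above can be measured from the permission bits. This is an added example, not code from the thread: it walks a document root and lists the directories and .php/.htaccess files that a given account could write, where the account is assumed to be whichever user Apache runs as on your host and the function names are illustrative.

```python
import os
import stat

WATCHED_SUFFIXES = (".php", ".htaccess")  # code and per-directory config files


def writable_by(st, uid, gids):
    """Apply POSIX class order (owner, then group, then other) to the mode bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gids):
    """Return sorted (relative path, kind, mode) for everything the web account can write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the link target where it actually lives
            is_dir = stat.S_ISDIR(st.st_mode)
            if not is_dir and not name.endswith(WATCHED_SUFFIXES):
                continue
            # A writable directory matters as much as a writable file:
            # files inside it can be replaced or new ones dropped in.
            if writable_by(st, web_uid, web_gids):
                findings.append((os.path.relpath(path, docroot),
                                 "dir" if is_dir else "file",
                                 oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    docroot, account = sys.argv[1], sys.argv[2]  # account: the user your Apache runs as
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if account in g.gr_mem}
    for rel, kind, mode in audit_docroot(docroot, pw.pw_uid, gids):
        print(mode, kind, rel)
```

On a shared host where scripts run as one common Apache user, every path this prints is reachable from any other customer's exploited script.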
  19. RectangleMan

    RectangleMan Notable Member

    Messages:
    2,825
    Likes Received:
    131
    Best Answers:
    0
    Trophy Points:
    210
    #99
    I hate shared hosting and would not keep a site that I deem important on it. And YES because you are on shared hosting your site potentially can be exploited with a bad script. This is why some hosts have refused to allow phpbb hosting since it's their opinion that phpbb will only open the server up for attack. A good host will jail each user but even that isn't 100% secure.
     
    RectangleMan, Feb 9, 2006 IP
  20. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #100
    That's interesting. Maybe if indeed they entered via another site's CubeCart you can sue them for negligence.
     
    T0PS3O, Feb 10, 2006 IP