Thread: Hacked by Cyber-Crystal
-
12-06-2011, 04:18 PM #1WHT Addict
- Join Date
- Mar 2011
- Location
- florida
- Posts
- 158
Hacked by Cyber-Crystal
A number of websites on my shared hosting have been hacked and replaced with one page, with files added: index.htm, index.php, index.html.
The page will say Hacked by CYBER-CRYSTALL.
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?
-
12-07-2011, 05:34 AM #2Web Hosting Master
- Join Date
- Mar 2011
- Location
- Edinburgh, UK
- Posts
- 567
Someone has managed to upload files to your webserver directory. What OS and webserver are you using? Check your webserver logs to see how the files were added.
-
12-07-2011, 05:48 AM #3Web Hosting Master
- Join Date
- Jun 2007
- Posts
- 1,048
Indeed, you should check the server logs. Also update the script you are using (wordpress etc) to the latest version.
█ PlotHost - Secure Web Hosting Plans - Since 2008
█ Shared and Reseller Plans | 24x7 Technical Support
-
12-09-2011, 09:09 AM #4Junior Guru
- Join Date
- Jul 2011
- Location
- Sittingbourne, Kent, UK
- Posts
- 197
Check server access logs for successful logins:
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* |grep ftp |grep Accept
less /var/log/messages | grep ftp
Once done check for hidden dirs:
updatedb
locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."
Assuming you find nothing suspicious here, start checking access logs and such for suspicious items; ensure you check for rootkits also.
I'm afraid it's more likely that your personal computer has been exploited and an FTP client that saves passwords in clear text has allowed these details to be compromised.
Failing this, check the server for possible exploits / out-of-date software.
Good luck with your search; I hope you keep us up to date.
RackSRV Communications Limited
UK specialists in Dedicated Servers & Server Colocation
Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444
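The two checks in the post above (successful logins in /var/log/secure, directory names made only of dots and spaces), wrapped in functions and run against constructed sample data so they can be tried offline. This is an added example, not code from the thread or from RackSRV. It assumes the sshd "Accepted <method> for <user> from <ip> ..." line format as written to /var/log/secure on CentOS-style hosts; the log lines, host names, IPs and planted directory names are all constructed, and FTP logins are left out because their format depends on the FTP daemon. The hidden-directory check uses find on a directory tree rather than locate, so it does not need an updatedb run.

```shell
#!/bin/sh
# Added example (not part of the thread): the two checks from the post above, wrapped in
# functions and run against constructed sample data so they can be tried offline.
# Assumes sshd's "Accepted <method> for <user> from <ip> ..." line format as written to
# /var/log/secure on CentOS-style hosts; FTP daemons differ in format, so they are left out.

# Print "auth-method user source-ip" for every successful sshd login in the log given as $1.
# Same intent as `grep ssh | grep Accept`, but field-extracted so repeat sources stand out.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $7, $9, $11 }' "$1"
}

# List directories under $1 whose names are made only of dots and spaces ("...", ".. ", " .").
# They are invisible or look like the normal . and .. entries in a casual `ls`, which is why
# the post's locate patterns hunt for them. The real . and .. entries are skipped.
odd_dirs() {
    find "$1" -mindepth 1 -type d -print | awk -F/ '$NF ~ /^[ .]+$/ && $NF != "." && $NF != ".."'
}

# Constructed sample data: a temp dir standing in for /, with a fake /var/log/secure and a
# couple of planted directory names under /home. Prints the temp dir path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log" "$root/home/site1/public_html/..." "$root/home/site2/.. " "$root/home/site3/.git"
    cat > "$root/var/log/secure" <<'EOF'
Dec  9 03:12:44 host sshd[2201]: Accepted password for root from 203.0.113.45 port 51022 ssh2
Dec  9 03:12:50 host sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  9 03:15:01 host sshd[2233]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Dec  9 04:02:11 host sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 44122 ssh2
Dec  9 04:40:37 host sshd[2388]: Accepted password for root from 203.0.113.45 port 51030 ssh2
EOF
    printf '%s\n' "$root"
}

# Counts used by the walk-through below (and handy for a quick "anything at all?" check).
count_accepted() { accepted_logins "$1" | wc -l | tr -d ' '; }
count_odd_dirs() { odd_dirs "$1" | wc -l | tr -d ' '; }

main() {
    sample=$(make_sample)
    echo "== successful sshd logins, most frequent first (count method user ip) =="
    accepted_logins "$sample/var/log/secure" | sort | uniq -c | sort -rn
    echo "== directories with dot/space-only names under /home =="
    odd_dirs "$sample/home"
    rm -rf "$sample"
}

main
```

On a real host, point accepted_logins at /var/log/secure* (after `last`, as the post says) and odd_dirs at /home and /tmp; a root login from an address you do not recognise, or any hit from odd_dirs, is the point to stop cleaning and start planning the rebuild.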
-
12-09-2011, 10:56 AM #5Disabled
- Join Date
- Nov 2011
- Location
- Egypt
- Posts
- 20
Check scripts on your sites that allow uploading malicious files.
I think this hacker can't do anything except add his index files only, not SQL injection or others,
so I recommend securing your server with the CSF firewall and ModSecurity.
-
12-09-2011, 11:07 AM #6Lord of live chats
- Join Date
- Jul 2009
- Location
- UK
- Posts
- 1,312
My first port of call would be to look at the FTP logs if a lot of people have been done the same way.
My second look would be at any kind of 3rd party scripts that a lot of other people may use (WordPress, mailer scripts, monitoring scripts, etc.).
It's evidently a generic hack that a lot of people are vulnerable to.
Live Chat Support Software for your Business website - IMsupporting.com
-
12-09-2011, 09:45 PM #7Newbie
- Join Date
- Jul 2010
- Location
- Salt Lake City, Utah
- Posts
- 5
A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).
Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.
Please let me know if you find anything I've missed!
Last edited by ioTerrence; 12-09-2011 at 09:48 PM. Reason: Corrected host's url.
-
12-09-2011, 09:51 PM #8Junior Guru Wannabe
- Join Date
- Jan 2004
- Posts
- 79
-
12-09-2011, 10:03 PM #9Newbie
- Join Date
- Jul 2010
- Location
- Salt Lake City, Utah
- Posts
- 5
Also came across this code floating around online, thanks to the email address they left behind. I don't know anything about Python, but if I'm interpreting it right, part of it is some kind of URL fetcher?
#!/usr/bin/python
# mekad By Cyber-Crystal
#
# Cyb3r.Crystal@Gmail.com
# tryag.cc
#
# Python 2 script (urllib2, raw_input, print statement). It reads the page at
# the URL typed in, pulls out every href="..." on it (e.g. a directory listing
# of config files) and saves each linked resource to a local file of the same
# name, appending if that file already exists.
import urllib2,re
raw = raw_input('URL CONF : ')
url = urllib2.urlopen(raw)
data = url.read()
finddata = re.findall('href="(.*?)">',data)
for cyb3r in range(len(finddata)):
    try:
        filecon = open(finddata[cyb3r],'a')          # local copy, opened for append
        done = urllib2.urlopen(raw+finddata[cyb3r])  # assumes the typed URL ends in "/"
        wewe = done.read()
        print "Witteng ....\n"
        filecon.write(wewe)
        print "Done "
    except IOError:                                  # urllib2.URLError is an IOError subclass
        print "error"
-
12-11-2011, 12:31 PM #10WHT Addict
- Join Date
- Mar 2011
- Location
- florida
- Posts
- 158
UPDATE
Yes, and in /etc/httpd/conf they also added 5 files named 1.pl, 2.pl, 3.pl, etc.
So I figured they had to have accessed root somehow, done this, and added the files.
In root's bash history:
ls -l /etc/valiases
cd /etc/valiases
ls -la /etc/valiases
ls -la /etc/valiases/
cd /usr/loca/apache
cd /etc/httpd/conf
cat httpd.conf | grep DocumentRoot
nano 1.pl
pico 1.pl
nano 1.pl
yum install nano
nano 1.pl
perl 1.pl
nano 2.pl
perl 2.pl
nano 3.pl
perl 3.pl
ifconfig
nano 4.pl
perl 4.pl
exit
pdw
pwd
ls
locate index.html
cd /var/www
ls
cd html
ls
cd ..
cd /usr/local/apache
cd /usr/local
ls
cd /etc/httpds
cd /etc/httpd
ls
cd conf
cat httpd.conf | grep DocumentRoot
cat /var/cpanel
cat * /var/cpanel/sessions
dec6find /home*/*/public_html -type l
........
So instead of looking for any more compromised files, I reinstalled the OS and added server security hardening like:
rkhunter, DenyHosts, fail2ban, mod_security, AIDE (Advanced Intrusion Detection Environment), and locked down the httpd config (file indexing) and / access. Also made root nologin except by su through a special user with a password of 16 characters, numbers and punctuation, and tightened PHP and MySQL security as well.
I reloaded all customers' websites from backup and all is well for now.
My iptables have grown quite a bit.
A few country bans were also added, and DenyHosts has added to the deny hosts file also.
I am a little more confident now!
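Three of the hardening points in the update above (directory indexing off, no direct root SSH login, su limited to a group) as a small audit script, run against constructed sample config files so the weak and corrected settings can be compared side by side offline. This is an added example, not the poster's own configuration or scripts; it assumes CentOS-style paths (/etc/httpd/conf/httpd.conf, /etc/ssh/sshd_config, /etc/pam.d/su), and the user name sysop stands in for the "special user" the poster mentions.

```shell
#!/bin/sh
# Added example (not the poster's configuration): audit three of the hardening points from
# the update above against constructed sample config files. A finding is one printed line;
# zero findings means the sample passes all three checks.

# Directory listings: an Options line that names Indexes without a leading "-" still serves
# file indexes, which is exactly what the DocumentRoot grepping in the history above goes after.
indexing_findings() {
    grep -n -i '^[[:space:]]*Options' "$1" | grep -i 'Indexes' | grep -v -i -- '-Indexes' || true
}

# Direct root SSH login: "root nologin except by su" means PermitRootLogin no in sshd_config.
root_login_findings() {
    grep -n -i '^[[:space:]]*PermitRootLogin[[:space:]]*yes' "$1" || true
}

# su restricted to a group: stock /etc/pam.d/su ships with the pam_wheel line commented out,
# so anyone with a shell account can attempt su to root.
su_wheel_findings() {
    grep -q -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1" \
        || echo "$1: su is not restricted to the wheel group"
}

# Total findings under a sample root ($1).
audit_count() {
    {
        indexing_findings "$1/etc/httpd/conf/httpd.conf"
        root_login_findings "$1/etc/ssh/sshd_config"
        su_wheel_findings "$1/etc/pam.d/su"
    } | wc -l | tr -d ' '
}

# Constructed sample: $1 = "weak" (typical defaults) or "hardened" (the settings after the
# rebuild). Creates the three files under a temp dir and prints its path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/httpd/conf" "$root/etc/ssh" "$root/etc/pam.d"
    if [ "$1" = weak ]; then
        printf '%s\n' '<Directory "/var/www/html">' '    Options Indexes FollowSymLinks' '</Directory>' \
            > "$root/etc/httpd/conf/httpd.conf"
        printf '%s\n' 'PermitRootLogin yes' > "$root/etc/ssh/sshd_config"
        printf '%s\n' '#auth required pam_wheel.so use_uid' > "$root/etc/pam.d/su"
    else
        printf '%s\n' '<Directory "/var/www/html">' '    Options -Indexes +FollowSymLinks' '</Directory>' \
            > "$root/etc/httpd/conf/httpd.conf"
        # sysop is a placeholder for the poster's "special user" allowed to su to root.
        printf '%s\n' 'PermitRootLogin no' 'AllowUsers sysop' > "$root/etc/ssh/sshd_config"
        printf '%s\n' 'auth required pam_wheel.so use_uid' > "$root/etc/pam.d/su"
    fi
    printf '%s\n' "$root"
}

for profile in weak hardened; do
    r=$(make_sample "$profile")
    echo "$profile: $(audit_count "$r") finding(s)"
    indexing_findings "$r/etc/httpd/conf/httpd.conf"
    root_login_findings "$r/etc/ssh/sshd_config"
    su_wheel_findings "$r/etc/pam.d/su"
    rm -rf "$r"
done
```

The point of keeping the checks as functions is the one made later in the thread: installing the tools is not the same as configuring them, so a check like this belongs in the post-reinstall routine (and in AIDE's watch list) rather than being run once.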
-
12-11-2011, 12:36 PM #11Lord of live chats
- Join Date
- Jul 2009
- Location
- UK
- Posts
- 1,312
Probably the best thing.
- You have identified what's going on and what level of compromise you have had.
- You have taken the best action possible and re-installed, now knowing what to look out for.
If only everyone followed the same method. I see too many posts about people "fixing" a hacked server and leaving it running..
-
12-11-2011, 02:15 PM #12WHT Addict
- Join Date
- Mar 2011
- Location
- florida
- Posts
- 158
ty yup yup
-
12-12-2011, 06:25 AM #13Web Hosting Master
- Join Date
- May 2010
- Posts
- 658
█ Ashton Allen | FuseWeb Limited
█ Premium UK Webhosting
█ | Shared Hosting | VPS | Reseller Hosting | VOIP |
█ FuseWeb.co.uk Or follow us on Twitter
-
12-12-2011, 07:26 PM #14Junior Guru
- Join Date
- Apr 2008
- Location
- UK
- Posts
- 239
If he can switch directories and read files your server is not setup properly - and just installing the server software you mentioned may not even be enough, it all has to be configured correctly to be effective.
And btw - this certainly looks like a real SKID.
SafeSrv.net - Secure Hosting, VPN and Management Services.
WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.
-
12-12-2011, 07:36 PM #15Disabled
- Join Date
- Feb 2006
- Location
- Global
- Posts
- 1,642
-
12-16-2011, 12:15 PM #16New Member
- Join Date
- Dec 2011
- Posts
- 1
Affordable Multimedia
Hi -- I tried to contact you directly, but it won't let me! Anyway, I had FOUR sites hacked by this butthead, and all were hosted with afmu.com. I have been trying to get in touch with someone, anyone at this company every day over the past week and no one seems to care. I'm just curious if you contacted the company and anyone got back to you on this issue.
Thanks!
-
12-16-2011, 12:19 PM #17Newbie
- Join Date
- Jul 2010
- Location
- Salt Lake City, Utah
- Posts
- 5
Hey FireHippie, unfortunately I still have an open ticket with them. I'm trying not to be a demon customer and give AFMU.com the benefit of the doubt- it's the holiday season, and it looks like they may have been hit disproportionately hard by the script-kiddie. That being said, I do find myself browsing other service providers' offerings...
-
12-18-2011, 06:48 PM #18Junior Guru
- Join Date
- Apr 2008
- Location
- UK
- Posts
- 239
If the host was compromised I wouldn't be sticking around either - there's so many things that can be done to keep access to a host if the hacker was that savvy; this guy mentioned in this thread was just a little skid, it sounds like..
-
12-20-2011, 06:08 AM #19New Member
- Join Date
- Dec 2011
- Posts
- 1
I too have multiple sites hosted with AFMU.com. This hacker has taken down 3 Wordpress sites and I'm going to take my business elsewhere asap! I'll move my sites and deal with cutting off my automatic payment somehow.
It's a shame because I've been with AFMU for 7 years now and they've always been very responsive. However an email I just sent them bounced back and there's no way to open a support ticket.
I feel bad for AFMU too, but I must say their uptime has been shaky at best lately. They crashed back in September for several days also. I don't know what's going on with them, but it irks me that there is NO phone number to get a hold of anyone.
My question is, how can I get to my MySQL databases that house the Wordpress posts? I must confess I don't know where they are stored in the hierarchy. Can anyone shed some light here? I am able to log in via FTP.
-
12-21-2011, 04:47 PM #20Junior Guru Wannabe
- Join Date
- Feb 2002
- Location
- Dallas, Texas
- Posts
- 43
If you can access FTP, you may be able to access your control panel via yourdomain.com/cpanel or cpanel.yourdomain.
I would take a full site backup if possible and then give that file to your new host to restore, provided they use cPanel too. That will preserve all of your data, including email accounts and emails stored on the server, databases, etc. Once restored to another cPanel host you should be back up and running without any loss of data.
We've had a customer come from AFMU a couple days ago, and we managed to transfer his site this way. I'd be happy to do likewise for you or anyone else affected.
WHMCS released a security patch on December 1 to protect against this exploit. From the sounds of it, AFMU did not apply the patch in time. It was an easy, single file patch that we applied within minutes of receiving the security alert from WHMCS.
Once WHMCS is exploited, root access to all servers is available to the hacker, which would explain why so many AFMU sites had subsequent problems.
-
12-22-2011, 01:58 PM #21Temporarily Suspended
- Join Date
- Feb 2006
- Location
- India
- Posts
- 858
If you have a fixed IP, your websites seem more likely to be hacked.