
Thread: site hacked

  1. #1

    site hacked

    Hi,

    I'm helping clean my friend's site, which was hacked by Hmei7.
    He has cleaned the files he knows were added by the attacker.

    Any other specific files known to be created by this hacker and other possible malware? And also, what other security measures can we take to prevent this?

    Thanks!

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Do you have shell access? It might be easier to run the find command and look for any files modified within the last seven days, or on the day the attack occurred. Something like this:

    find . -mtime -7 -type f

    What software was the website running? WordPress?
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  3. #3
    Thanks for the response Parick,

    Unfortunately we don't have shell access.
    But thanks for the suggestion we'll try if we can do that via cpanel file manager.

    There's just a basic html page and the latest WHMCS.

  4. #4
    Join Date
    Jan 2012
    Posts
    15
    Quote Originally Posted by neo- View Post
    Thanks for the response Parick,

    Unfortunately we don't have shell access.
    But thanks for the suggestion we'll try if we can do that via cpanel file manager.

    There's just a basic html page and the latest WHMCS.
    You need to upgrade your WHMCS to the latest version and make sure you have a licensed copy.

  5. #5
    @John Oates
    Yes the latest licensed WHMCS is the one installed.

    Anyone familiar with how Hmei7 hacked sites and how to clean it? In the news he has attacked IBM, Siemens, Microsoft and auto companies.

  6. #6
    Join Date
    Apr 2008
    Location
    UK
    Posts
    239
    By any chance is the server cPanel based? I would find another host to be honest, it may be the server - he's just a zone-h script kiddie who likes to attack vulnerable exim systems.

    Within your web root you need to find modified files or any php shells lying around, particularly within whmcs. Make sure those downloads, template_c and attachment folders are placed outside the webroot.
    SafeSrv.net - Secure Hosting, VPN and Management Services.
    WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.
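
Added example, not part of any poster's reply: one way to run the checks suggested in posts #2 and #6 where a shell is available, listing recently modified files, PHP files sitting in data-only folders, and PHP files with constructs typical of web shells. The function names, the regular expression and the sample tree are assumptions made for illustration; the folder names follow the thread.

```shell
#!/usr/bin/env bash
# Added triage sketch; folder names follow the thread, patterns are illustrative.

# Files changed in the last N days (default 7).
recent_files() {      # usage: recent_files WEBROOT [DAYS]
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# PHP files inside folders that should hold only data (uploads, caches).
php_in_data_dirs() {  # usage: php_in_data_dirs WEBROOT
    find "$1" -type f -iname '*.php*' \
        \( -path '*/downloads/*' -o -path '*/attachment*/*' \
           -o -path '*/template*_c/*' \) | sort
}

# PHP files containing constructs that web shells commonly rely on:
# eval() of decoded data, or a command function fed straight from the request.
SUSPECT_RE='eval[[:space:]]*\((base64_decode|gzinflate|str_rot13)'
SUSPECT_RE="$SUSPECT_RE"'|(system|passthru|shell_exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
suspect_php() {       # usage: suspect_php WEBROOT
    find "$1" -type f -iname '*.php*' -exec grep -lE "$SUSPECT_RE" {} + | sort
}

# Constructed sample tree (not data from the thread): two old, clean files
# and one freshly written PHP file in an attachments folder.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/whmcs/attachments"
    echo '<html>home</html>' > "$d/index.html"
    echo '<?php echo "ok";' > "$d/whmcs/index.php"
    # Inert stand-in: the encoded string is just "echo 1;".
    echo '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$d/whmcs/attachments/img.php"
    touch -t 201201010000 "$d/index.html" "$d/whmcs/index.php"
    echo "$d"
}

root=$(make_sample_webroot)
echo "== modified in the last 7 days =="; recent_files "$root" 7
echo "== PHP in data folders ==";         php_in_data_dirs "$root"
echo "== suspicious constructs ==";       suspect_php "$root"
rm -rf "$root"
```

Hits are leads for manual review rather than proof of compromise, and an attacker can reset modification times, so comparing against a known-good backup remains the stronger check.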

  7. #7
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Quote Originally Posted by neo- View Post
    @John Oates
    Yes the latest licensed WHMCS is the one installed.
    Did you install the patch released in early December? If not, odds are that you were hacked via that.

  8. #8
    Seems to be a big issue not related to whmcs.
    zone-h.com/archive/notifier=Hmei7

    @op: what version of cPanel do you have?
    PlotHost - Secure Web Hosting Plans - Since 2008
    Shared and Reseller Plans | 24x7 Technical Support

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Looks like most of the hosts that user has compromised were running Exim 4.69 which is vulnerable to attack... not good.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  10. #10
    Thanks for the responses guys,

    Here's the version info...

    WHM/cPanel Version 11.30.5 (build 3)
    exim-4.69-30_cpanel_maildir

    Now tell me, are we really vulnerable? If so I should raise this up with InnoHosting, their abuse department takes days to get response and 24/7 Tech support will just categorize the issue as abuse.

    @SafeSr
    We did remove/restore a backup of the modified files, how do I identify these php shells? That's our failure with the downloads, template_c and attachment folders not being removed from the root. Moved it now and upgraded to the latest WHMCS version.

  11. #11
    Join Date
    Sep 2003
    Posts
    3,857
    Quote Originally Posted by neo- View Post
    Thanks for the responses guys,

    Here's the version info...

    WHM/cPanel Version 11.30.5 (build 3)
    exim-4.69-30_cpanel_maildir

    Now tell me, are we really vulnerable? If so I should raise this up with InnoHosting, their abuse department takes days to get response and 24/7 Tech support will just categorize the issue as abuse.

    @SafeSr
    We did remove/restore a backup of the modified files, how do I identify these php shells? That's our failure with the downloads, template_c and attachment folders not being removed from the root. Moved it now and upgraded to the latest WHMCS version.
    Open a ticket and mark the issue as FAO: Chris/Rameen and one of us will have a close look at your site for you. Open it with General.

  12. #12
    Done Rameen!

    Ticket ID: FRO-547700
    As mentioned on the previous abuse ticket, we're willing to pay for the service to secure my account. But didn't get a response after days.
