Thread: site hacked
-
01-02-2012, 11:49 AM #1Newbie
- Join Date
- Aug 2011
- Posts
- 25
site hacked
Hi,
I'm helping clean my friend's site which was hacked by Hmei7.
He has cleaned the files he knows were added by the attacker.
Any other specific files known to be created by this hacker, and other possible malware? And also, what other security measures can we take to prevent this?
Thanks!
-
01-02-2012, 11:53 AM #2Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
Do you have shell access? It might be easier to run the find command and look for any files modified within the last seven days, or on the day the attack occurred. Something like this:
find . -mtime -7 -type f
What software was the website running? WordPress?
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
01-02-2012, 12:07 PM #3Newbie
- Join Date
- Aug 2011
- Posts
- 25
Thanks for the response Parick,
Unfortunately we don't have shell access.
But thanks for the suggestion, we'll try if we can do that via the cPanel file manager.
There's just a basic html page and the latest WHMCS.
-
01-02-2012, 12:15 PM #4Temporarily Suspended
- Join Date
- Jan 2012
- Posts
- 15
-
01-02-2012, 12:25 PM #5Newbie
- Join Date
- Aug 2011
- Posts
- 25
@John Oates
Yes the latest licensed WHMCS is the one installed.
Anyone familiar with how Hmei7 hacked sites and how to clean it? In the news he has attacked IBM, Siemens, Microsoft and auto companies.
-
01-02-2012, 03:58 PM #6Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
-
01-02-2012, 03:21 PM #7Junior Guru
- Join Date
- Apr 2008
- Location
- UK
- Posts
- 239
By any chance is the server cPanel based? I would find another host to be honest, it may be the server - he's just a zone-h script kiddie who likes to attack vulnerable exim systems.
Within your web root you need to find modified files or any PHP shells lying around, particularly within WHMCS. Make sure those downloads, template_c and attachment folders are placed outside the webroot.
SafeSrv.net - Secure Hosting, VPN and Management Services.
WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.
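The two checks suggested in the replies above (recently modified files, and PHP files sitting in folders that should only hold data), written out as an added example that is not part of any poster's message. It needs shell access; the folder names passed in the usage line are assumptions based on the wording of the post above.

```shell
#!/bin/sh
# Added example: triage helpers for a web root after a defacement.

# List regular files under ROOT modified within the last DAYS days,
# one path per line, sorted.
recent_files() {
    root=$1
    days=$2
    find "$root" -type f -mtime "-$days" -print | sort
}

# List script-like files inside the named data directories of ROOT.
# Upload and download folders are meant to hold data, so any PHP
# file found there should be reviewed by hand.
scripts_in_data_dirs() {
    root=$1
    shift
    for d in "$@"; do
        # Skip directory names that do not exist in this install.
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.pht' \) -print
    done | sort
}

# Usage: sh triage.sh /path/to/webroot [days]
if [ "$#" -ge 1 ]; then
    echo "== modified in the last ${2:-7} days =="
    recent_files "$1" "${2:-7}"
    echo "== scripts in data directories =="
    # Directory names are assumptions; pass the ones your install uses.
    scripts_in_data_dirs "$1" downloads attachments
fi
```

Modification times can be reset by whoever wrote the files, so an empty first list does not prove the web root is clean.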
-
01-02-2012, 05:25 PM #8Web Hosting Master
- Join Date
- Jun 2007
- Posts
- 1,048
Seems to be a big issue not related to whmcs.
zone-h.com/archive/notifier=Hmei7
@op: what version of cPanel do you have?
█ PlotHost - Secure Web Hosting Plans - Since 2008
█ Shared and Reseller Plans | 24x7 Technical Support
-
01-03-2012, 08:41 AM #9Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
Looks like most of the hosts that user has compromised were running Exim 4.69 which is vulnerable to attack... not good.
-
01-03-2012, 11:10 PM #10Newbie
- Join Date
- Aug 2011
- Posts
- 25
Thanks for the responses guys,
Here's the version info...
WHM/cPanel Version 11.30.5 (build 3)
exim-4.69-30_cpanel_maildir
Now tell me, are we really vulnerable? If so I should raise this with InnoHosting; their abuse department takes days to respond and 24/7 Tech support will just categorize the issue as abuse.
@SafeSr
We did remove/restore a backup of the modified files, how do I identify these PHP shells? That's our failure with the downloads, template_c and attachment folders not being removed from the root. Moved them now and upgraded to the latest WHMCS version.
-
01-04-2012, 01:25 AM #11Web Hosting Master
- Join Date
- Sep 2003
- Posts
- 3,857
-
01-04-2012, 02:05 AM #12Newbie
- Join Date
- Aug 2011
- Posts
- 25
Done Rameen!
Ticket ID: FRO-547700
As mentioned on the previous abuse ticket, we're willing to pay for the service to secure my account. But didn't get a response after days.