  1. #1
    Join Date
    Mar 2011
    Location
    florida
    Posts
    155

    Hacked by Cyber-Crystal

    A number of websites on my shared hosting have been hacked and replaced with 1 page, and files added: index.htm, index.php, index.html.
    The page will say Hacked by CYBER-CRYSTALL.
    I googled and have noticed thousands of sites are currently being attacked this way.
    My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?

  2. #2
    Join Date
    Mar 2011
    Location
    Edinburgh, UK
    Posts
    565
    Someone has managed to upload files to your webserver directory. What OS and webserver are you using? Check your webserver logs to see how the files were added.

  3. #3
    Indeed, you should check the server logs. Also update the script you are using (WordPress, etc.) to the latest version.
    PlotHost - Cheap Web Hosting Plans since 2008
    24/7 Support | 99.9% Uptime | 15 Days Money Back
    Shared & Reseller Plans - Check our hosting OFFER !

  4. #4
    Join Date
    Jul 2011
    Location
    Sittingbourne, Kent, UK
    Posts
    194
    Check server access logs for successful logins:

    last
    cat /var/log/secure* | grep ssh | grep Accept
    cat /var/log/secure* |grep ftp |grep Accept
    less /var/log/messages | grep ftp

    Once done check for hidden dirs:

    updatedb
    locate "..."
    locate ".. "
    locate " .."
    locate ". "
    locate " ."

    Assuming you find nothing suspicious here, start checking access logs and such for suspicious items, ensure you check for rootkits also.

    I'm afraid it's more likely that your personal computer has been exploited and an FTP client that saves passwords in clear text has allowed these details to be compromised.

    Failing this check the server for possible exploits / out of date software.

    Good luck with your search I hope you keep us up to date.
    RackSRV Communications Limited
    UK specialists in Dedicated Servers & Server Colocation
    Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444

  5. #5
    Join Date
    Nov 2011
    Location
    Egypt
    Posts
    16
    Check scripts on your sites that allow uploading malicious files.

    I think this hacker can't do anything except add his index files, not SQL injection or others,

    so I recommend securing your server with the CSF firewall and ModSecurity.

  6. #6
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,305
    My first port of call would be to look at the FTP logs if a lot of people have been done the same way.

    My second look would be at any kind of 3rd party scripts that a lot of other people may use (WordPress, mailer scripts, monitoring scripts, etc.).

    It's evidently a generic hack that a lot of people are vuln for.
    Live Chat Support Software for your Business website - IMsupporting.com

  7. #7
    Join Date
    Jul 2010
    Location
    Salt Lake City, Utah
    Posts
    5
    A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

    Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

    Please lemme know if you find anything I've missed!
    Last edited by ioTerrence; 12-09-2011 at 09:48 PM. Reason: Corrected host's url.

  8. #8
    Join Date
    Jan 2004
    Location
    Texas
    Posts
    79
    Quote Originally Posted by Dig1 View Post
    A number of websites on my shared hosting have been hacked and replaced with 1 page and files added index.htm, index.php,index.html
    the page will say Hacked by CYBER-CRYSTALL
    I googled and have noticed thousands of sites are being currently attacked this way
    My ? is what Security can i do to prevent this hack and where did i miss securing my host/websites from these kind of attacks
    Holy cow. A google search renders hundreds of hacked sites. Looks like someone needs to get a life.

  9. #9
    Join Date
    Jul 2010
    Location
    Salt Lake City, Utah
    Posts
    5
    Also came across this code floating around online, thanks to the email address they left behind. I don't know anything about Python, but if I'm interpreting it right, part of it is some kind of URL fetcher?

    #!/usr/bin/python
    # mekad By Cyber-Crystal
    #
    # Cyb3r.Crystal@Gmail.com

    # tryag.cc

    import urllib2,re
    raw = raw_input('URL CONF : ')
    url = urllib2.urlopen(raw)
    data = url.read()
    finddata = re.findall('href="(.*?)">',data)
    for cyb3r in range(len(finddata)):
        try:
            filecon = open(finddata[cyb3r],'a')
            done = urllib2.urlopen(raw+finddata[cyb3r])
            wewe = done.read()
            print "Witteng ....\n"
            filecon.write(wewe)
            print "Done "
        except IOError:
            print "error"

  10. #10
    Join Date
    Mar 2011
    Location
    florida
    Posts
    155

    UPDATE

    Yes, and in /etc/httpd/conf they also added 5 files named 1.pl, 2.pl, 3.pl, etc.
    So I figured they had to have accessed root some way and did this and added the files.
    In root's bash history:
    ls -l /etc/valiases
    cd /etc/valiases
    ls -la /etc/valiases
    ls -la /etc/valiases/
    cd /usr/loca/apache
    cd /etc/httpd/conf
    cat httpd.conf | grep DocumentRoot
    nano 1.pl
    pico 1.pl
    nano 1.pl
    yum install nano
    nano 1.pl
    perl 1.pl
    nano 2.pl
    perl 2.pl
    nano 3.pl
    perl 3.pl
    ifconfig
    nano 4.pl
    perl 4.pl
    exit
    pdw
    pwd
    ls
    locate index.html
    cd /var/www
    ls
    cd html
    ls
    cd ..
    cd /usr/local/apache
    cd /usr/local
    ls
    cd /etc/httpds
    cd /etc/httpd
    ls
    cd conf
    cat httpd.conf | grep DocumentRoot
    cat /var/cpanel
    cat * /var/cpanel/sessions
    dec6find /home*/*/public_html -type l
    ........
    So instead of looking for any more compromised files I reinstalled the OS and added server security hardening like:
    rkhunter, denyhost, fail2ban, Mod_security, AIDE (Advanced Intrusion Detection Environment), and locked down the httpd config (file indexing) and / access. Also made root nologin except by su through a special user with a passwd of 16 char, numbers and punctuation. Also tightened PHP and MySQL security.
    I reloaded from backup all customers websites and all is well for now
    my iptables have grown quite a bit
    a few country bans were atoadded and denyhost has added to deny host file also
    I am a little more confident now!
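
An added example, not code from any poster in this thread: a read-only sweep for the artefacts reported above (index files carrying the defacement text, the dot-and-space directory names post #4 searches for, symlinks under public_html that leave the account, and script files in the httpd conf directory). The function names, the marker's casing and the extension list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: read-only sweep for the artefacts reported in this thread.
# Paths are arguments; the marker casing and extension list are assumptions.
MARKER='Hacked by CYBER-CRYSTAL'   # substring, so "CRYSTALL" matches too

# index.htm / index.html / index.php files that contain the marker text
find_defaced_indexes() {                       # $1 = tree to sweep
    find "$1" -type f \( -name index.htm -o -name index.html -o -name index.php \) \
        -exec grep -qiaF -- "$MARKER" {} \; -print
}

# directories whose names consist only of dots and spaces ("...", ".. ", " .")
find_odd_dirs() {                              # $1 = tree to sweep
    find "$1" -mindepth 1 -type d ! -name '*[!. ]*'
}

# symlinks under */public_html/ that resolve outside the owning account
find_escaping_symlinks() {                     # $1 = home base, e.g. /home
    _base=$(readlink -f -- "$1") || return 1
    find "$_base" -path '*/public_html/*' -type l -exec sh -c '
        base=$1; shift
        for link do
            acct=${link#"$base"/}; acct=${acct%%/*}   # first dir under base
            target=$(readlink -f -- "$link") || target="(unresolvable)"
            case $target in
                "$base/$acct"/*) ;;                   # stays inside the account
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$_base" {} +
}

# script files sitting directly in the web server config directory
find_conf_scripts() {                          # $1 = e.g. /etc/httpd/conf
    find "$1" -maxdepth 1 -type f \( -name '*.pl' -o -name '*.php' -o -name '*.sh' \)
}

sweep() {                                      # $1 = home base, $2 = conf dir
    echo '== index files carrying the marker'; find_defaced_indexes "$1"
    echo '== dot/space-only directory names';  find_odd_dirs "$1"
    echo '== symlinks leaving the account';    find_escaping_symlinks "$1"
    echo '== scripts in the httpd conf dir';   find_conf_scripts "$2"
}

if [ "$#" -ge 2 ]; then sweep "$1" "$2"; fi
```

Run it once per home base (for example `/home` and `/home2` on hosts that have both), passing the httpd conf directory as the second argument.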

  11. #11
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,305
    Quote Originally Posted by Dig1 View Post
    So instead of looking for any more compromised files I reinstalled the OS and added server security hardening
    Probably the best thing.

    - You have identified what's going on and what level of compromise you have had.
    - You have taken the best action possible and re-installed, now knowing what to look out for.

    Only if everyone followed the same method. I see too many posts about people "fixing" a hacked server and leaving it running..
    Live Chat Support Software for your Business website - IMsupporting.com

  12. #12
    Join Date
    Mar 2011
    Location
    florida
    Posts
    155
    ty yup yup

  13. #13
    Quote Originally Posted by Dig1 View Post
    A number of websites on my shared hosting have been hacked and replaced with 1 page and files added index.htm, index.php,index.html
    the page will say Hacked by CYBER-CRYSTALL
    I googled and have noticed thousands of sites are being currently attacked this way
    My ? is what Security can i do to prevent this hack and where did i miss securing my host/websites from these kind of attacks
    If it is only a number of sites that have been hacked, it could be due to insecure versions of software. If it was all of the sites, I'm sorry to say but you have been rooted.

    - Ashton
    Ashton Allen | FuseWeb Limited
    Premium UK Webhosting
    | Shared Hosting | VPS | Reseller Hosting | VOIP |
    FuseWeb.co.uk Or follow us on Twitter

  14. #14
    Join Date
    Apr 2008
    Location
    UK
    Posts
    235
    If he can switch directories and read files, your server is not set up properly. Just installing the server software you mentioned may not even be enough; it all has to be configured correctly to be effective.

    And btw - this certainly looks like a real SKID
    SafeSrv.net - Secure Hosting, VPN and Management Services.
    WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.

  15. #15
    Join Date
    Feb 2006
    Location
    Global
    Posts
    1,629
    Quote Originally Posted by ioTerrence View Post
    A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the otherone- was in the rootdir).

    Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

    Please lemme know if you find anything I've missed!
    I liked that song.
