site hacked
  #1  
Old 01-02-2012, 11:49 AM
neo- neo- is offline
Newbie
 
Join Date: Aug 2011
Posts: 25

site hacked


Hi,

I'm helping clean my friend's site which was hacked by Hmei7.
He has cleaned the files he knows were added by the attacker.

Any other specific files known to be created by this hacker, and other possible malware? And also, what other security measures can we take to prevent this?

Thanks!



  #2  
Old 01-02-2012, 11:53 AM
Patrick Patrick is offline
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,741
Do you have shell access? It might be easier to run the find command and look for any files modified within the last seven days, or on the day the attack occurred. Something like this:

find . -mtime -7 -type f

What software was the website running? WordPress?

__________________
Patrick William | RACK911 Labs | Software Security Auditing
300+ Vulnerabilities Found - Get a Quote @ http://www.RACK911Labs.com

www.HostingSecList.com - Security notices for the hosting community.

  #3  
Old 01-02-2012, 12:07 PM
neo- neo- is offline
Newbie
 
Join Date: Aug 2011
Posts: 25
Thanks for the response Patrick,

Unfortunately we don't have shell access.
But thanks for the suggestion; we'll see if we can do that via the cPanel file manager.

There's just a basic HTML page and the latest WHMCS.

  #4  
Old 01-02-2012, 12:15 PM
John Oates John Oates is offline
Temporarily Suspended
 
Join Date: Jan 2012
Posts: 13
Quote:
Originally Posted by neo- View Post
Thanks for the response Patrick,

Unfortunately we don't have shell access.
But thanks for the suggestion; we'll see if we can do that via the cPanel file manager.

There's just a basic HTML page and the latest WHMCS.
You need to upgrade your WHMCS to the latest version and make sure you have a licensed copy.

  #5  
Old 01-02-2012, 12:25 PM
neo- neo- is offline
Newbie
 
Join Date: Aug 2011
Posts: 25
@John Oates
Yes, the latest licensed WHMCS is the one installed.

Is anyone familiar with how Hmei7 hacked sites and how to clean up afterwards? In the news he has attacked IBM, Siemens, Microsoft and auto companies.

  #6  
Old 01-02-2012, 03:21 PM
SafeSrv SafeSrv is offline
Junior Guru
 
Join Date: Apr 2008
Location: UK
Posts: 235
By any chance is the server cPanel based? I would find another host to be honest, it may be the server - he's just a zone-h script kiddie who likes to attack vulnerable Exim systems.

Within your web root you need to find modified files or any PHP shells lying around, particularly within WHMCS. Make sure the downloads, template_c and attachment folders are placed outside the webroot.

__________________
SafeSrv.net - Secure Hosting, VPN and Management Services.
WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.
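
An added example, not part of any post in this thread: a shell script that combines the checks suggested so far (recently modified files, script files in the upload-style folders, PHP shells) for someone who does have shell access, such as the host's support staff. The function names, folder patterns and grep patterns are assumptions chosen for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage a web root after a defacement.

# 1. Files changed in the last N days (default 7), like the find command above.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" -print
}

# 2. Script files inside upload-style folders that should hold only data.
#    Folder patterns follow the names used in the thread; adjust to your layout.
#    The template cache is left out because it holds generated PHP by design.
scripts_in_data_dirs() {
    find "$1" -type f \
        \( -path '*/downloads/*' -o -path '*/attachment*/*' \) \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.pl' -o -iname '*.cgi' \) -print
}

# 3. PHP files containing idioms common in web shells: eval() of decoded data,
#    or request parameters passed straight to a command function. Heuristic:
#    hits need manual review, and a clean result does not prove the site is clean.
suspect_php() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \) -exec grep -lE \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        -e '(system|passthru|shell_exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        {} + || :   # grep exits 1 when nothing matches; that is not an error here
}

# Constructed sample tree (harmless files) for trying the checks.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/whmcs/downloads" "$d/whmcs/includes"
    printf '%s\n' '<html>ok</html>' > "$d/index.html"
    printf '%s\n' '<?php echo "hi";' > "$d/whmcs/includes/clean.php"
    touch -t 201001010000 "$d/whmcs/includes/clean.php"   # old, untouched file
    # Inert stand-in for an injected file: the payload decodes to "echo 1;".
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$d/whmcs/downloads/img.php"
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /path/to/public_html
if [ -n "${1:-}" ]; then
    echo "== modified in the last 7 days =="; recent_files "$1" 7
    echo "== scripts in data folders ==";     scripts_in_data_dirs "$1"
    echo "== suspicious PHP content ==";      suspect_php "$1"
fi
```

Modification times can be reset by whoever wrote the file, so the first check narrows the search but does not replace comparing the tree against a known-good copy of the application.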

  #7  
Old 01-02-2012, 03:58 PM
brianoz brianoz is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Australia
Posts: 1,527
Quote:
Originally Posted by neo- View Post
@John Oates
Yes, the latest licensed WHMCS is the one installed.
Did you install the patch released in early December? If not, odds are that you were hacked via that.

  #8  
Old 01-02-2012, 05:25 PM
PlotHost-Max PlotHost-Max is offline
Web Hosting Master
 
Join Date: Jun 2007
Posts: 997
Seems to be a big issue not related to WHMCS.
zone-h.com/archive/notifier=Hmei7

@op: what version of cPanel do you have?

__________________
PlotHost - Cheap Web Hosting Plans since 2008
24/7 Support | 99.9% Uptime | 15 Days Money Back
Shared & Reseller Plans - Check our hosting OFFER !


  #9  
Old 01-03-2012, 08:41 AM
Patrick Patrick is offline
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,741
Looks like most of the hosts that user has compromised were running Exim 4.69 which is vulnerable to attack... not good.

__________________
Patrick William | RACK911 Labs | Software Security Auditing
300+ Vulnerabilities Found - Get a Quote @ http://www.RACK911Labs.com

www.HostingSecList.com - Security notices for the hosting community.

  #10  
Old 01-03-2012, 11:10 PM
neo- neo- is offline
Newbie
 
Join Date: Aug 2011
Posts: 25
Thanks for the responses guys,

Here's the version info...

WHM/cPanel Version 11.30.5 (build 3)
exim-4.69-30_cpanel_maildir

Now tell me, are we really vulnerable? If so I should raise this with InnoHosting; their abuse department takes days to respond and 24/7 tech support will just categorize the issue as abuse.

@SafeSrv
We did remove/restore a backup of the modified files; how do I identify these PHP shells? That's our failure with the downloads, template_c and attachment folders not being removed from the root. Moved them now and upgraded to the latest WHMCS version.

  #11  
Old 01-04-2012, 01:25 AM
IH-Rameen IH-Rameen is offline
.
 
Join Date: Sep 2003
Posts: 3,637
Quote:
Originally Posted by neo- View Post
Thanks for the responses guys,

Here's the version info...

WHM/cPanel Version 11.30.5 (build 3)
exim-4.69-30_cpanel_maildir

Now tell me, are we really vulnerable? If so I should raise this with InnoHosting; their abuse department takes days to respond and 24/7 tech support will just categorize the issue as abuse.

@SafeSrv
We did remove/restore a backup of the modified files; how do I identify these PHP shells? That's our failure with the downloads, template_c and attachment folders not being removed from the root. Moved them now and upgraded to the latest WHMCS version.
Open a ticket and mark the issue as FAO: Chris/Rameen and one of us will have a close look at your site for you. Open it with General.

__________________
InnoHosting Ltd || US: 1-888-522-INNO UK: 0800 612 8075
UK and USA Reseller Hosting & Managed VPS | High Spec Dedicated Servers
WHMCS | Preloaded KB Articles | Domain+SSL Reseller| RapidSSL | Legal Document Templates
Reliable Sales/Billing/Tech End-user Support - We can provide support to your customers!

  #12  
Old 01-04-2012, 02:05 AM
neo- neo- is offline
Newbie
 
Join Date: Aug 2011
Posts: 25
Done Rameen!

Ticket ID: FRO-547700
As mentioned on the previous abuse ticket, we're willing to pay for the service to secure my account. But we didn't get a response after days.
