  1. #1
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467

    My site has been hacked!!!

    Dude, this is some weird ****. My site started acting weird and I started getting all of these script errors. I contacted my host's so-called 24 hour chat support and they told me to email support. After I emailed support I noticed my site was completely down and all this spyware started to come off of my site. It seems someone hacked into my site somehow and installed spyware. Can someone help me sort this out? The site I'm talking about is the one in my sig. My host won't help me so I need to come here.

    If you load my site, notice the taskbar: it tries to load hotdeals.info and all of these crazy sites that come from my site somehow. Any feedback would be greatly appreciated.
    Last edited by a1nerd; 04-05-2005 at 07:03 AM.

  2. #2
    Join Date
    Sep 2002
    Location
    Georgia
    Posts
    1,822
    Please do not visit the web site, since it contains Trojans (Troj/Haxdor-Fam, Troj/Codebase-C). It is for your own safety.

    a1nerd,

    You should contact your customer support. If you still have access to the website have a look at it. Otherwise I would recommend changing Name Servers for the domain name, so your Users do not get infected with the Trojan. I think it is better for the web site to be down at this time and meanwhile contact the Support and ask to change the password. Later on cooperate with your hosting provider to find out how all that has happened.

  3. #3
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    I called them and they said all the sites on the server have problems. How in the hell did a trojan get on my site?


    Does this mean i lose everything on my site?

  4. #4
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    I called my host and they said all sites on their servers are being affected. I deleted everything in my home directory and restored a backup and it seemed to fix everything on my site.

  5. #5
    Join Date
    Sep 2002
    Location
    Georgia
    Posts
    1,822
    Does that mean that their server was hacked? What did they say they are doing to get everything back to normal?

    Seems like someone got root access to the server and placed the infected web site in the clients' directories.

    Contact them to get as much info as possible to make sure it will not happen again; otherwise I would suggest searching for another host.

  6. #6
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    They told me they found and deleted the problem, which is b.s. since my site is still messed up.

  7. #7
    I would be looking around for another hosting company. If all of the sites on their server were hacked, then it is a problem with them, and not you.

  8. #8
    Join Date
    Mar 2003
    Location
    Duluth MN
    Posts
    3,863
    Sounds like an insecure server with a hacker messing with all the sites on the server. Who are you currently hosted with?

  9. #9
    Join Date
    Jul 2004
    Location
    Doylsetown, Pa
    Posts
    64
    This doesn't sound good for that hosting company.

  10. #10
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    I won't say because I don't want to drag their name through the dirt. The only thing I will say is that they have been having a lot of problems lately and it doesn't look good for their company when stuff like this happens. What makes me mad is that my advertisers could drop me if they saw what my site was doing last night. Plus I just spent a boatload of cash on advertising.

    Last night, just to save my *** and protect my customers, I had to change my DNS and suspend my site until this issue is solved. The only thing wrong now is that when I load my site all my images have red x's where the images are supposed to be. I'm trying to restore everything, which will take some time.


    I was thinking about switching to www.site5.com anyone have anything to say about them?


    Originally posted by amish_geek
    Sounds like an insecure server with a hacker messing with all the sites on the server. Who are you currently hosted with?

  11. #11
    Join Date
    Sep 2002
    Location
    Georgia
    Posts
    1,822
    Search around WHT to find feedback regarding site5.

  12. #12

    get ready for some downtime

    This sounds like the server has been rooted to me.

    Your host will probably be taking this box down to do a restore if this is the case. Also, was this on all pages or just on files named index? This would distinguish a defacement from a rooting, or both.

    Unless your site goes down for a bit (host restore), I would expect more problems in the near future.

  13. #13
    Join Date
    Sep 2003
    Location
    Washington, USA
    Posts
    3,262
    It would be best to keep a hold of your backups, and find a new host ASAP. Not only are your files at risk with a rooted server, but your account passwords, user info, etc.

  14. #14
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    What do you mean by rooted server? Can't my host fix the problem so they won't be able to access my info?



    Originally posted by IncognitoNetworks
    It would be best to keep a hold of your backups, and find a new host ASAP. Not only are your files at risk with a rooted server, but your account passwords, user info, etc.

  15. #15
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    My site is under attack again and my host, HostGator, won't do anything because the senior admins are in bed. I'm sorry I listed their name, but this is not acceptable, having trojan horses and spyware come off my site from their server. They told me they had it fixed but apparently not! I have never seen anything like this before and I am very disappointed in the way they're handling this. Now they won't even return my messages or anything! I'm sorry I'm mad, but I just paid a boatload of money on adv and all my visitors are getting attacked when they're visiting my site. I mean they won't even move me to a safe server that's not under attack. I would think that would be the least they can do for me to protect my business.

  16. #16
    Join Date
    Mar 2004
    Location
    Singapore
    Posts
    6,990
    I can't comment on the host as I have never used it before, just that I respect the way a1nerd does things. Changing DNS and suspending the site so that others won't get infected. Hope your hosting problems can be solved soon.

  17. #17
    Join Date
    Aug 2003
    Location
    san diego
    Posts
    467
    I just talked to HostGator again and they are of no help. They are telling me this virus that's coming from their servers is a new virus and there is no fix for it and I need to reinstall my OS. Now isn't HostGator responsible financially for the loss of data and destruction to all my clients' computers? If I wasn't up to catch this, 100s or maybe thousands of visitors to my site would be infected from this virus, creating a huge liability.

    Is there a virus detecting program I can use to remove this virus? I don't have a copy of XP and getting another one would cost me a lot of money.

    I need someone to host my site for a few days till this gets under control. I have a full backup in my home directory. I am willing to pay $5 for a few days until the issue is resolved. I will need help transferring my site to the temp host servers.

  18. #18
    Originally posted by a1nerd
    I just talked to HostGator again and they are of no help. They are telling me this virus that's coming from their servers is a new virus and there is no fix for it and I need to reinstall my OS. Now isn't HostGator responsible financially for the loss of data and destruction to all my clients' computers? If I wasn't up to catch this, 100s or maybe thousands of visitors to my site would be infected from this virus, creating a huge liability.

    Is there a virus detecting program I can use to remove this virus? I don't have a copy of XP and getting another one would cost me a lot of money.

    I need someone to host my site for a few days till this gets under control. I have a full backup in my home directory. I am willing to pay $5 for a few days until the issue is resolved. I will need help transferring my site to the temp host servers.
    I am also currently having problems with Hostgator and they have been little to no help.

    Someone is rooting my account (somehow, they have no idea and very, very vague logs) although I've changed my password 4 times in the past week, and the passwords are not easily guessable. They keep telling me I have spyware or a virus on my PC, and I have no such thing. I work in network security and my PC is locked down pretty good.

    Just to amuse them, I ran virus scans using ASAP, Stinger and Symantec EE with nothing found. I also ran spyware scans with Pest Patrol, Microsoft Anti-Spyware, Ad-Aware and Spybot and all that was returned were cookies. Finally, I ran HiJackThis! and a couple other programs I use and had clean logs, and even scanned for any known rootkits. Again, nothing found.

    I'm very frustrated with them because my account has been suspended for probably 5 or so days in the past week and a half, which has really killed my forums, not to mention cost me money since I have subscriber-based forums. And their only response: "It's your fault."

    Customer Service 101.

  19. #19
    Join Date
    Dec 2002
    Location
    texas
    Posts
    1,333
    a1nerd it's the flame.so exploit as reported here: http://www.codecomments.com/PHP_Mirr...age434196.html as we posted on our very own forum.

    When flame.php is executed it invokes the flame.so module during its runtime; all requests then serve the code/page specified in the script. We are unable to find anything on Bugtraq about it, but it definitely affects PHP 4.3.10 and this has been confirmed on several posts around the web. It looks like it was reported to the guys at PHP, but was brushed off. We doubt PHP 4.3.11 has addressed the issue either. Everyone was woken and we were working on it; however, it was not easy to trace since we had no idea what to look for and had to investigate everything.
    So....

    The server is not rooted.
    This can be run on any Linux server running PHP (everyone is at risk).
    We have encountered this on a single server out of hundreds that we manage.
    There does not seem to be any available fix out there to prevent this from happening. We suspended the site being exploited, which will solve the problem; however, this can happen again anywhere at any time. If anyone knows a fix please do post it for the world to see.


    Svoboda we are not going to attempt to help you any further now since you have decided to make this a public matter. (following through with your threats)

    There is nothing more we can do for you. We have already given you five chances and have already told you what the problem is. When someone connects to your FTP with your password daily and does phishing scams that would have nothing to do with us. I'm going to post our root password on wht everyday then get mad at the datacenter when our server is hacked..... they're getting your password somehow and it is not from us. If it was you would not be the only person affected, and if it is from one of your scripts we cannot figure out which. If you are in network security you should understand your scripts would be your responsibility. If there was any evidence of your scripts giving out your password we would've told you. We have been more than helpful with you, and I understand your frustration however blaming the people who are trying to help you is not the answer.

  20. #20
    Join Date
    Dec 2002
    Location
    texas
    Posts
    1,333
    btw I also respect how a1nerd handled this. I wish everyone could think before they posted as he did. It was handled very professionally, thank you.

  21. #21
    Originally posted by hostgator.com
    Svoboda we are not going to attempt to help you any further now since you have decided to make this a public matter. (following through with your threats)

    There is nothing more we can do for you. We have already given you five chances and have already told you what the problem is. When someone connects to your FTP with your password daily and does phishing scams that would have nothing to do with us. I'm going to post our root password on wht everyday then get mad at the datacenter when our server is hacked..... they're getting your password somehow and it is not from us. If it was you would not be the only person affected, and if it is from one of your scripts we cannot figure out which. If you are in network security you should understand your scripts would be your responsibility. If there was any evidence of your scripts giving out your password we would've told you. We have been more than helpful with you, and I understand your frustration however blaming the people who are trying to help you is not the answer.
    Glad to see you value a customer that has been hosting with you for almost two years. But honestly, what other recourse do I have? I've sent three emails since 7am this morning, and haven't received a response on any of them... however, you have the time to log onto this forum and post? You'd think you'd be looking into my issue or at least providing me with my backups like I asked... I don't think that is too much to ask for.

    Just answer a couple things for me here:

    1) I've made requests for full server logs to share with the vBulletin staff since you claim my scripts were insecure. Why haven't these been provided?

    2) What have YOU done to look into this issue besides blame my password, my vBulletin, my PC. It has always been me, me, me, yet I've received little help and insight from you, you, you.

    Sample email from you:

    "Obviously you have a virus on your computer or your scripts are insecure

    Thank you for allowing me to work with you!

    Sincerely,
    Brent"

    Wow, thanks for looking into the problem. I'm convinced it is my PC now!

    3) I've requested a backup of my domain three times now and haven't received it, yet you had no problems charging me for April hosting fees already. Why haven't you done this? I mean, you have time to come on here and post.

    4) Lastly, since you are now threatening me to not assist me any further when my hosting fees are paid through the end of April, when I asked for your postal address to file a complaint with the BBB because of your poor support, why did you call me "the lowest of scum"?

    I believe it went like this:

    "If you post anything bad about us regarding this you would be lower than scum. This has nothing to do with us we cannot control your computer having viruses on it."

    Again, I'm not your typical noob. I know computers inside and out, unlike your support staff. My computer is as clean as a whistle, and when I sent you this information, you balked and returned to blaming my password and/or scripts.

    Point blank, your company has provided the worst customer service and technical support of ANY company I've ever dealt with on the Internet.

    Now, as I requested at 7:58AM, please provide me with my backups so I can get my domains over to a new host. I don't feel as if I am asking too much.

  22. #22
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    798
    Originally posted by hostgator.com
    We are unable to find anything on the bug traq about it.
    Then why don't you report it, since you've had some experience with it? If it's not posted to their own bugtracker how could they have addressed it?

  23. #23
    Join Date
    Dec 2002
    Location
    texas
    Posts
    1,333
    Svoboda, how about you tell WHT why you gave us a fake number on signup, and ignored us when we requested a real number before ever posting on WHT?

    Also, why did you ignore us when we gave you the IP that uploaded the files........


    "Apr 5 13:20:00 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/foot.php uploaded (217 bytes, 1.17KB/sec)
    Apr 5 13:20:01 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/head.php uploaded (337 bytes, 1.86KB/sec)
    Apr 5 13:20:03 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/index.php uploaded (5349 bytes, 13.05KB/sec)
    Apr 5 13:20:12 gator4 pure-ftpd: (kaoboda@81.198.231.78) [INFO] Logout."


    Amazing, that is the same IP your account signed up from!!! As we've told you 100x times, you have a virus or trojan on your PC! Or perhaps you don't, as you keep saying, and playing the denial game is how you get someone like us to give you 5 unsuspensions to send out more phishing emails. We have no control over your infected computer, so posting everywhere that it is our problem and we are a bad host etc. is completely uncalled for. Since you find the need to run us down and bash us over something we have no control over, perhaps we should contact your boss / customers and show them this thread, since you said "I work in network security".
    I believe you have a duty to let him/them know your computer is infected and networks under your supervision might be at risk as well.

    USWEB-Darren we are searching for more information on this and we'll be doing so shortly. If anyone has a fix please do share =)
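    The pure-ftpd lines quoted above are exactly what a host should be watching: who uploaded a server-side script under a customer's web root, and from where. Below is an added example (not part of the thread and not HostGator's tooling) that parses that log format and flags uploads from outside the customer's known networks or that write executable scripts under public_html. The sample log is constructed from the quoted lines plus one made-up benign upload; the trusted network 192.0.2.0/24 is a placeholder for the customer's own range.

    ```python
    import re
    from ipaddress import ip_address, ip_network

    # Constructed sample, modelled on the pure-ftpd lines quoted in the post.
    # The last line is a made-up benign upload from a TEST-NET address standing
    # in for the customer's own (elided) network.
    SAMPLE_LOG = """\
    Apr 5 13:20:00 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/foot.php uploaded (217 bytes, 1.17KB/sec)
    Apr 5 13:20:01 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/head.php uploaded (337 bytes, 1.86KB/sec)
    Apr 5 13:20:03 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/index.php uploaded (5349 bytes, 13.05KB/sec)
    Apr 5 13:20:12 gator4 pure-ftpd: (kaoboda@81.198.231.78) [INFO] Logout.
    Apr 5 14:02:10 gator4 pure-ftpd: (kaoboda@192.0.2.10) [NOTICE] /home/kaoboda//public_html/images/logo.gif uploaded (8120 bytes, 40.10KB/sec)
    """

    # Matches only successful-upload NOTICE lines; login/logout INFO lines are ignored.
    UPLOAD_RE = re.compile(
        r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: "
        r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) uploaded "
        r"\((?P<size>\d+) bytes"
    )

    # Extensions the web server (or PHP's dl(), in the case of .so) would execute.
    SCRIPT_EXTS = (".php", ".php3", ".php4", ".phtml", ".pl", ".cgi", ".so")


    def parse_uploads(log_text):
        """Return one dict (ts, host, user, ip, path, size) per successful upload."""
        uploads = []
        for line in log_text.splitlines():
            m = UPLOAD_RE.match(line)
            if m:
                rec = m.groupdict()
                rec["size"] = int(rec["size"])
                uploads.append(rec)
        return uploads


    def flag_uploads(log_text, trusted_networks):
        """Flag uploads from outside the account owner's known networks, and uploads
        that drop executable scripts under public_html. trusted_networks is an
        assumed per-customer allowlist of CIDR strings (hypothetical policy)."""
        nets = [ip_network(n) for n in trusted_networks]
        findings = []
        for rec in parse_uploads(log_text):
            reasons = []
            if not any(ip_address(rec["ip"]) in n for n in nets):
                reasons.append("source %s outside trusted networks" % rec["ip"])
            path = rec["path"].lower()
            if "/public_html/" in path and path.endswith(SCRIPT_EXTS):
                reasons.append("executable script written under web root")
            if reasons:
                findings.append({"user": rec["user"], "ip": rec["ip"],
                                 "path": rec["path"], "reasons": reasons})
        return findings


    if __name__ == "__main__":
        for f in flag_uploads(SAMPLE_LOG, ["192.0.2.0/24"]):
            print("%s %s %s: %s" % (f["user"], f["ip"], f["path"], "; ".join(f["reasons"])))
    ```

    Run against the constructed log it reports the three PHP uploads from 81.198.231.78 and stays silent on the image upload from the trusted range.
    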

  24. #24
    Originally posted by hostgator.com
    Svoboda how about you tell wht why you gave us a fake number on signup, and ignored us when we requested a real number before ever posting on wht?
    When I signed up, I used the number 812-298-XXXX, which was my current place of employment at the time. However, that was over two years ago.

    You requested a new number yesterday, and when I called in to speak with you, you were already gone for the day. If you would like, I can give my old boss a call and she would be more than happy to verify that I indeed worked at that number. However, that is neither here, nor there.

    Originally posted by hostgator.com

    also why did you ignore us when we gave you the ip that uploaded the files........

    "Apr 5 13:20:00 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/foot.php uploaded (217 bytes, 1.17KB/sec)
    Apr 5 13:20:01 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/head.php uploaded (337 bytes, 1.86KB/sec)
    Apr 5 13:20:03 gator4 pure-ftpd: (kaoboda@81.198.231.78) [NOTICE] /home/kaoboda//public_html/chat/m/index.php uploaded (5349 bytes, 13.05KB/sec)
    Apr 5 13:20:12 gator4 pure-ftpd: (kaoboda@81.198.231.78) [INFO] Logout."

    Amazing that is the same ip your account signed up from!!! As we've told you 100x times you have a virus or trojan on your pc! Or perhaps you don't as you keep saying, and playing the denial game is how you get someone like us to give you 5 unsuspensions to send out more phishing emails. We have no control over your infected computer, so posting about it everywhere that it is our problem and we are a bad host etc is completely uncalled for. Since you find the need to run us down and bash us over something we have no control over, perhaps we should contact your boss / customers and show him this thread since you said "I work in network security"
    I believe you have a duty to let him/them know your computer is infected and networks under you supervision might be at risk as well.

    Now, to put the final dagger in you because it is very obvious that you are not only a fraud, but incompetent and a liar as well. The day I registered my account, I registered it at my old place of employment. The network there, since I managed it, was 12.166.XX.XXX, and that would have been the IP address associated with my registration. To say anything else would be a flat out lie.

    If you want more to go on, trace it, along with the "fake" phone number listed in my registration, and both will trace back to Terre Haute, Indiana, where I had lived and worked.

    Further, let's take a look at the IP address you "claim" I registered with, 81.198.231.78.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\XXXXXXXXX>tracert 81.198.231.78

    Tracing route to 81.198.231.78 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.35.1
    2 <1 ms <1 ms <1 ms nokiafw2.*********** [192.168.1.13]
    3 1 ms <1 ms 1 ms 205.144.127.7
    4 1 ms 1 ms <1 ms OCI-Colo-7200-Fe-3-145.OneCall.Net [216.37.2.145]
    5 1 ms <1 ms 1 ms Enoch-2-MrRogers.OneCall.Net [216.37.0.81]
    6 2 ms 2 ms 2 ms IndyX-AADS-OC48.OneCall.Net [216.37.1.1]
    7 68 ms 69 ms 68 ms 166-49-173-101.eu.bt.net [166.49.173.101]
    8 140 ms 139 ms 139 ms t2c1-p4-0.uk-ilf.eu.bt.net [166.49.208.162]
    9 139 ms 140 ms 140 ms t2c2-ge7-0.uk-ilf.eu.bt.net [166.49.208.78]
    10 156 ms 156 ms 156 ms t2c1-p8-0.uk-lon1.eu.bt.net [166.49.208.2]
    11 140 ms 141 ms 140 ms t2a2-ge8-0-0.uk-lon1.eu.bt.net [166.49.135.50]
    12 172 ms 172 ms 171 ms 166-49-212-14.eu.bt.net [166.49.212.14]
    13 * 175 ms 172 ms apollo-gw.customer.lattelekom.lv [195.13.173.22]

    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 * * * Request timed out.
    27 * * * Request timed out.
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.

    Trace complete.

    Hmm, looks like it traces to a box somewhere in Latvia. Pssst, that's over in Europe. Let's just double check this on Geobytes IP Locator, shall we? Yep, points to Latvia, Riga in particular. Hmm, that's in Europe... I'm in Indiana. Bottom line, you're lying.

    As for contacting my employer, be my guest. I'm fully aware of my personal rights, and if you would like to harass me at my place of employment, I'll exercise my rights to the fullest extent with due diligence.

    Bottom line is you are a business, that was paid "provided" me a service. You took my money for well over two years and never said a word until this past week. You always find out the true worth of a business when a problem arises, and I think it is clear how you conduct business.

    All I asked for, from the very beginning, was help in pinpointing how my site was being hacked. At NO time, did I ever receive any help besides sarcastic comments saying simply "It's your script, your password, your PC."

    I'm done with you. As soon as I get my data, I'll rid myself of HostGator. However, it's my right as a consumer to make sure others do not have to deal with companies such as yours.

    Good day.
    Last edited by Svoboda; 04-06-2005 at 01:19 PM.

  25. #25
    Join Date
    Jul 2002
    Posts
    3,734
    Brent,

    Disabling the dl() function in php.ini will render flame.so useless. This way the redirection will stop while you guys investigate the ftp logins.
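    To make that check repeatable, here is an added example (not from the thread) that reads a php.ini excerpt and reports whether dl() is actually neutralised: either `enable_dl` is Off or `dl` appears in `disable_functions`. Both directives exist in PHP 4; the ini fragments are constructed, and the checker assumes PHP's defaults (enable_dl On, disable_functions empty) for anything not set.

    ```python
    # Constructed php.ini excerpts (not the host's real config): the first still
    # lets a script call dl() and load a module such as flame.so, the second
    # applies the mitigation suggested in the post above.
    WEAK_INI = """\
    ; php.ini excerpt
    enable_dl = On
    disable_functions =
    """

    HARDENED_INI = """\
    ; php.ini excerpt
    enable_dl = Off
    disable_functions = dl
    """

    # Values php.ini treats as false; anything else (On, 1, True, Yes, ...) is true.
    PHP_FALSE = {"", "0", "off", "false", "no", "none"}


    def parse_ini(text):
        """Minimal php.ini reader: 'key = value' lines, ';' comments, quotes stripped.
        Section headers are irrelevant for these two directives and are skipped."""
        settings = {}
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].strip()
            if "=" in line and not line.startswith("["):
                key, _, value = line.partition("=")
                settings[key.strip().lower()] = value.strip().strip('"')
        return settings


    def php_bool(value):
        return value.strip().lower() not in PHP_FALSE


    def _disabled_functions(settings):
        raw = settings.get("disable_functions", "")
        return {f.strip().lower() for f in raw.split(",") if f.strip()}


    def dl_disabled(ini_text):
        """True when PHP scripts cannot call dl() at runtime."""
        s = parse_ini(ini_text)
        if not php_bool(s.get("enable_dl", "On")):   # assumed default: On
            return True
        return "dl" in _disabled_functions(s)


    def audit(ini_text):
        """List the php.ini lines that still need changing; empty means hardened.
        Both directives are applied (belt and braces) rather than just one."""
        s = parse_ini(ini_text)
        fixes = []
        if php_bool(s.get("enable_dl", "On")):
            fixes.append("enable_dl = Off")
        disabled = _disabled_functions(s)
        if "dl" not in disabled:
            fixes.append("disable_functions = " + ",".join(sorted(disabled | {"dl"})))
        return fixes


    if __name__ == "__main__":
        for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
            print(name, "dl disabled:", dl_disabled(ini), "fixes:", audit(ini))
    ```

    Both directives are system-level (PHP_INI_SYSTEM), so a script cannot re-enable dl() with ini_set(); a restart of the web server is needed for the change to take effect.
    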
