  1. #1

    I've been defaced on famous webhosting


  2. #2
    Join Date
    Oct 2002
    Posts
    5,177
    You mean a site you have with a well known host was hacked?
    If you have to operate your company behind the scenes or under a fake name, maybe it's time to leave the industry and start something fresh.

  3. #3
    Yes, it is the one that offers huge space and traffic, but this board doesn't let me post the code that the attacker has appended to my simple page. On that site there is no web application. I think their servers are not so secure.

  4. #4
    Join Date
    Oct 2002
    Posts
    5,177
    Are you sure that it wasn't a script you are running on your site? Are you aware of other customers of this host being defaced as well? Just check this particular forum and see if you're in bad company

  5. #5
    No, there were no scripts to serve data to the attacker. I need 1 more post to post the code (this board will let me insert the code and URL after 5 posts) that was appended to an HTML page and a simple PHP page without PHP code on it.

  6. #6
    Ah well, I think if you want to stay with the web host, you probably just have to wait for them to resolve the issue. Alternatively, you can move your site to another host.

    Which web host is it anyway?
    http://www.batchimage.com - Offering Batch Image Processing and TIFF/PDF Software Solutions

  7. #7
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Hi

    I would recommend contacting them ASAP and keep trying to get a response on this issue and on whether your site will be restored anytime soon, etc.

    In most cases your host probably has a full backup of your site, so you should be fine if they let you know the restore is in process.

    Cheers
    CirtexHosting Providing Affordable and Quality Web Hosting & Reseller Hosting since 2003
    LINUX based cPANEL/WHM Shared and Reseller Web Hosting with Fantastico
    HostV VPS Premium Virtual Private Servers & Dedicated Servers powered by cPanel/WHM
    We transfer your sites over quickly! I eat penguins for breakfast ...

  8. #8
    I've changed the panel and FTP passwords, but I'm sure they got in not with a brute-force attack, but through a leak in the service.

    I don't want to give the name, but it is a web hosting service that offers huge space and bandwidth. In the next post I can put the code here.

  9. #9
    This was the code:
    << exploit code removed >>

    Attached at the end of my page.

    They sniff the IP, referer and other parameters, but the problem is that they got into my account.

    I discovered this code while browsing my pages with Mozilla, which doesn't make that iframe invisible. I saw a big dot, so I read the HTML and saw the code above.
    Last edited by the_pm; 09-07-2006 at 11:09 AM.

  10. #10
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,868
    Do you use Vbulletin with "Top 'X' Stats" plugin installed?
    If yes, just disable it, and you'll fix the problem.
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  11. #11
    No, I don't use vBulletin at all; on that domain there are only 2 pages (1 HTML and 1 PHP). Those pages contain only HTML, not one line of PHP code.

    I think that they got in another way. After examining the attached file, I think that they did a normal append to the files without entering via FTP.

  12. #12
    Join Date
    Apr 2006
    Posts
    492
    What did your hosting provider tell you exactly happened?

  13. #13
    Servage.

    That my site is a non-important site. I'm sure that on my account there aren't PHP scripts or other programs like CGI. There are only 2 files, completely in HTML.

    Where did they get in?
    Is a brute force the only solution?

  14. #14
    How strong was your ftp password? How many characters did it have?

  15. #15
    Quote Originally Posted by Arina
    How strong was your ftp password? How many characters did it have?
    Probably not so strong, 9 characters. Now I've changed it.
    Do you think that with 9 characters a brute force is possible for a non-important site?
    Last edited by Nanetto; 09-09-2006 at 10:24 AM.

  16. #16
    Quote Originally Posted by marisc
    What did your hosting provider tell you exactly happened?
    Only to change the FTP and panel passwords; they don't like to take care of it.

    This is the answer:
    "Sorry for the problem caused to you.

    Please delete the contents and upload the original contents of your website and then change the password of your control panel as well as the FTP account. And please restrict the use of the FTP account for your other users, to avoid the hacking of your account. "


    Then I ask:
    "Please answer to me only a these 2 questions:

    1) did they enter via FTP, or did they add the piece of code by opening the file remotely with something like a fileopen command?

    2) if you can tell me the way they did this attack I'll be more sure. I'm 100% sure that my computer is safe (firewall, antivirus, antispyware and antikeylogger, HijackThis, regular checks of the registry and more)."


    They answer:
    "Regarding your queries:

    1) It cannot be predicted how your account was hacked. Through FTP is another way to hack any account.

    2) Regarding this query, it won't be possible to trace how your account was hacked. We are sorry we are not able to help you regarding this.

    Although, if you have any other query then please get back to us."

  17. #17
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    From the sounds of it, I would say the hacker got in through another account and hacked the Index page of many accounts on the Server. Even if they did get through your site, only the 'php' page would be vulnerable and even then, only if the 'php' file was in a dir. with permissions of 777 and/or the 'php' file itself had permissions other than 644.

    You should post in the Hoster's Forum if anyone else has the same problem or find out another way, if other accounts on the Server were also defaced.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available
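
Added example (not part of the original thread and not any poster's code): a Python audit of a web root for the two conditions discussed above, the permissions named in post #17 (directories at 777, page files not at 644) and an iframe appended after the closing `</html>` tag as reported in post #9. The function names, the hidden-iframe heuristic and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumed heuristic for "invisible" frames: 0/1-pixel size or CSS hiding.
HIDDEN = re.compile(r"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none"""
                    r"""|visibility\s*:\s*hidden""", re.IGNORECASE)
PAGE_EXT = (".html", ".htm", ".php")

def audit_docroot(root):
    """Return sorted (relative_path, finding) tuples for a web root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:  # e.g. 777: any account on the server can write here
            findings.append((os.path.relpath(dirpath, root), "world-writable dir %o" % mode))
        for name in filenames:
            if not name.lower().endswith(PAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != 0o644:
                findings.append((rel, "mode %o, expected 644" % mode))
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # Only content after the last </html> counts as appended.
            closes = list(CLOSE_HTML.finditer(text))
            tail = text[closes[-1].end():] if closes else ""
            for tag in IFRAME.findall(tail):
                kind = "hidden iframe" if HIDDEN.search(tag) else "iframe"
                findings.append((rel, kind + " after </html>"))
    return sorted(findings)

def build_sample():
    """Constructed test web root: clean page, tampered page, 777 directory."""
    root = tempfile.mkdtemp()
    page = "<html><body>hello</body></html>\n"
    inject = '<iframe src="http://example.invalid/x" width="1" height="1"></iframe>\n'
    for name, body, mode in (("index.html", page, 0o644), ("page.php", page + inject, 0o666)):
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root
```

Running `audit_docroot` on a fresh copy of the site from backup gives a baseline; pages without a closing `</html>` tag are not checked for appended content.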

  18. #18
    Thank you Website for your explanation.

    Can a site be defaced because an attacker gets FTP access, or can they do the defacement without access to the server?

  19. #19
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    A hacker can upload their by attaching certain code at the end of a file.

    http://somedomain.com/index.php?hackerfile_upload

    That's a basic example. If your Control Panel provides it, look in your Error logs to see other attempts -- which failed and thus, show as an error -- then look in your Access logs or Latest Visitors as Cpanel calls it -- which should show a successful hacker file upload.

    And that is where Server security comes in. Regardless of whether someone can "piggyback" on a file, to upload their hacker file into someone's account, good Server security will prevent the hacker file from running and most times, prevent the upload as well.

    All these posts about sites being defaced have little to do with any one Hosting account and everything to do with the Server security. We had two attempts today on one Server alone and from two separate sources. Both were stopped cold. If you search the Forum using "Website Rob" you'll find another post where I gave a more detailed post -- and it's a situation same as yours but different Hoster.
    Last edited by Website Rob; 09-10-2006 at 12:27 AM.

  20. #20
    Quote Originally Posted by Nanetto
    Probably not so strong, 9 characters. Now I've changed it.
    Do you think that with 9 characters a brute force is possible for a non-important site?
    All an attacker has got to do is get a wordlist generator. I got one to see how it works. It does every possible combo. They get it if they want it bad enough, that is if whoever they brute force doesn't shut them down first.

    does your host have DOS protection?

  21. #21
    Thank you Website,
    There isn't a log file on Servage. I've searched for "Website Rob" and I've seen the other post.

    Thank you very much for your help

    Quote Originally Posted by Website Rob
    A hacker can upload their by attaching certain code at the end of a file.

    http://somedomain.com/index.php?hackerfile_upload

    That's a basic example. If your Control Panel provides it, look in your Error logs to see other attempts -- which failed and thus, show as an error -- then look in your Access logs or Latest Visitors as Cpanel calls it -- which should show a successful hacker file upload.

    And that is where Server security comes in. Regardless of whether someone can "piggyback" on a file, to upload their hacker file into someone's account, good Server security will prevent the hacker file from running and most times, prevent the upload as well.

    All these posts about sites being defaced have little to do with any one Hosting account and everything to do with the Server security. We had two attempts today on one Server alone and from two separate sources. Both were stopped cold. If you search the Forum using "Website Rob" you'll find another post where I gave a more detailed post -- and it's a situation same as yours but different Hoster.

  22. #22
    Quote Originally Posted by JeremyES
    All an attacker has got to do is get a wordlist generator. I got one to see how it works. It does every possible combo. They get it if they want it bad enough, that is if whoever they brute force doesn't shut them down first.

    does your host have DOS protection?
    By DOS do you mean Denial of Service?
    I don't know if Servage has DoS protection

  23. #23
    How long will it take to crack a 9-character password? 100 years? And if the site isn't important, IMHO your problem might be 'cause of the script you're running.

  24. #24
    Quote Originally Posted by Arina
    How long will it take to crack a 9-character password? 100 years? And if the site isn't important, IMHO your problem might be 'cause of the script you're running.
    There is no script on that domain. I've already said so in a previous post. I don't know how long it takes to crack that password; it was an alphanumeric password.

  25. #25
    Join Date
    Aug 2002
    Location
    London, UK
    Posts
    9,037
    They may have got access to the server from another client's script, and defaced all the indexes on the server or many of them.

    It may not be your fault or the fault of your login or pages at all - just unfortunate.

  26. #26
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Nanetto, here is another example of an exploit attempt which failed due to good Server security. As you will see, even though good Server security does not stop every upload attempt, it will stop almost every attempt at making the hacker file(s) run.

  27. #27
    Join Date
    May 2005
    Location
    Chicago, IL USA
    Posts
    1,428
    I have to agree with WebSite Rob's earlier post. They likely hacked into someone else's account, and defaced many domains. However, you keep asking here how it was done. None of us can tell you for sure, only your host can tell you.
    ||| Mike Bowers - Marketing Director
    ||| atOmicVPS LTD
    ||| OnApp Powered Linux & Windows Cloud Hosting ► [Shared] ► [Reseller] ► [VPS]
    ||| Follow the atOmicVPS Blog

  28. #28
    Thank you for your support. Servage does not care what happens to my index page. They don't know.
