Hacked! Need help ASAP.

Status: Not open for further replies.
Download "catchme" and scan your server for rootkits! Check if you have FTP open on the server; I'm sure they got in by FTP.

Sorry for my English! I'm Russian.
 


More and more this does not sound like a server hack. It sounds like your shared hosting account has been hacked. If that is the case you can get a new shared hosting account someplace in 15 minutes and move everything.
 
Jesus, this is alarming. Keep us posted on how it goes.

EDIT: what are some good ways to prevent this in the future? Is there anything?
 
*If you can get a dedi/ip for each major site and the site is loading slow*
Nothing worse than getting all your moneymakers yanked because you were using a dedicated IP. On shared hosting, the signal-to-noise ratio is a good kind of protection.

Your english no to good? Pliz esplain this comment.

Yanked by who?
 
One thing I'd do is actually use myipneighbors.com or whatever to pull the other sites on your server. Run through the list and see if they're having similar problems. That could tell you if someone rooted the server, or if someone just got into your account specifically.
 
MyOwn: shoot me an IM on AIM (my SN is public) and I'll do an audit on some of your sites if you want. I'm not a pro, but it's free for ya.

If you want also, I'm a part of a security group (hacking..) they can probably help me audit your server if you want. They do it for the fun. :)
 
It's common to have sites exploited without the attacker gaining root access. The most common exploit is through existing vulnerable web-facing software (like forum, blog or CMS systems).

Always update your software - always!
 
I'd get the hell off 1 and 1 right now. I've dealt with their support while trying to assist clients and they MUST be the most retarded support people I've ever dealt with.

Sounds like THEIR server is compromised and they can't figure it out. It could be another account on the same server, a rootkit (that you can't see or do anything about), or a dozen other things out of your control.

How many sites you dealing with here? Get a VPS or a shared account somewhere else and just move.

If, once you move, you get hacked again, you will at least have someone qualified in the support department to help you.

1and1 isn't meant for guys and gals like us. They cater to complete beginners usually and can get away with "it's your insecurities" not our servers.....

My guess is they aren't even checking.

You might also ask to speak to a support supervisor and let them know what's going on. Might get somewhere that way. Pick up the phone if you have to and don't want to move.
 
Looks like they're based in Russia. We may need to book some tickets and kick some ass personally - Skull kid style. Unfortunately the only Russian phrases I can speak are "How are you", "My name is..." and "Thank You".

I think that's all you really need.

"How are you" ... *punch* *kick* ... "My name is ..." *punch* *kick* ... "Thank You" ... *punch* *kick*

But seriously ... is your /tmp partition set to executable? That's the easiest way.
 
I was going to post about how stupid a host would be to leave /tmp or /dev/shm executable but then again, we're talking about 1 and 1 here. I probably secured boxes better @ 14.
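A quick way to check the point raised above, as an added example that is not from this thread: a POSIX shell function that reads /proc/mounts-style lines and reports whether /tmp and /dev/shm are separate mounts carrying noexec and nosuid. The mounts listing below is constructed, and the function name check_mount_opts is my own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether /tmp and /dev/shm are
# mounted with noexec and nosuid. Input is /proc/mounts-style text, one
# mount per line: "<device> <mountpoint> <fstype> <options> 0 0".

# check_mount_opts MOUNTS_TEXT MOUNTPOINT
# Prints "ok" if MOUNTPOINT is its own mount with both noexec and nosuid,
# "missing:<opts>" if it is mounted without one or both, or "not-a-mount"
# if it is just a directory on the root filesystem (and so inherits root's
# exec permissions). Returns 0 only for "ok".
check_mount_opts() {
    mounts="$1"
    mp="$2"
    # Field 4 of the last matching line holds the mount options.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                    # option present
            *) missing="$missing$want," ;;    # option absent
        esac
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:${missing%,}"
    return 1
}

# Constructed sample: /tmp hardened, /dev/shm mounted but still executable,
# and no separate mount for /var/tmp at all.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# To audit a live box, pass the real table: check_mount_opts "$(cat /proc/mounts)" /tmp
for mp in /tmp /dev/shm /var/tmp; do
    printf '%s: %s\n' "$mp" "$(check_mount_opts "$SAMPLE_MOUNTS" "$mp")"
done
```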
 
There could be a hole in your arcade script. There are tons, and I mean tons, of poorly written arcade scripts floating around for free or for a small fee (less than $30).

If you are using any of these there could easily be a hole in the DB queries or code, and the hackers could have a copy of the code and that is what allowed them to locate the hole.

This is what happens when a bunch of 15-year-olds read one book on HTML and PHP and decide they are good enough to make scripts to sell on eBay....

Also, get off 1and1. You should've known that by now. Switch over to BlueHost or Site5 <-- I highly recommend both of them. Been using BlueHost for 2 years without problems and Site5 for a month (but the support has been tremendous for my reseller package even in this short amount of time).
 
They only wanted to sell them through Sharper Image.

I'm not quite sure what that means Drew, but to clarify something way the hell off topic.....

Pencils were deemed a hazard, because the tips could be broken off with little effort. Thus, small pieces of lead would be floating around the capsule.
 
Here's an UPDATE on what happened:

Last night we backed up and then removed a forum running on one of the sites, as that seems to be how they exploited me. For anyone interested, it was a myBB forum - and obviously I won't be using that forum software anymore. After we removed it, there has been no activity on their part, so I'm almost positive that's how they were able to gain access.

So, if you're using MyBB - you might want to double check and make sure it's secured. The shitty thing is that now I have to transfer all this forum data to a new platform. It was a fairly active forum, so I've got my work cut out for me.

All in all, I ended up changing all the passwords again for everything - FTP, Hosting, Admin accounts on all my websites, etc. 12 hours of work to restore everything and now my network is back up and running.

Wickedfire fucking rocks. Within minutes of me asking for help, I was flooded with IMs and PMs from people offering to help. It's good to know everyone around here has got each other's backs. I owe all of you guys a round of beer. :) :bowdown:
 