I got hacked.. they inserted google ads into my pages!

All it was, was a few hold pages.. haven’t even launched the site yet.. it’s just a portfolio/homepage for my small business..

Load it up today, and there’s google adwords under my logo and "coming soon" message!

Hosts couldn’t help, they don’t keep logs. Last modified date, for the html file, was 3am this morning.. so it was recent.

Any way I can figure out HOW they did it? Whether my entire hosting account is compromised, or if they got in through a script/etc?

Should I just wipe the hosting account in case they hid files? or am I being overly-paranoid?

I feel violated.. *calls the rape counselling helpline*..

xss vuln = sanitize inputs

permissions = 755 directories 644 files

ftp login = change it

Check your computer for malware/trojans/spyware

If your host supports it, use SFTP/SCP to upload files rather than plain FTP.

contact Google, and their account will get banned

sup

Permissions are all good. It’s a near-empty shared hosting account where I was just playing with a WordPress install with custom theme. No plugins.

No inputs to sanitize unless there’s an unknown WordPress issue in the latest version.

And yeah, changed my FTP password straight away, just in case.

Confusing as all fuck.. as far as I can tell, they didn’t touch anything else. I’ve gone through checking file modification dates, and looking for any new files.. nada.

Weird.

You’re never on aim

im back im back im back im back been doin the travel thaaaaang. my bad.

Bleh, seems it was them testing my site. Now they’re back, this time they ruined shit up nice and good. Wiped the front page, replaced it with one of their bullshit defacement messages exclaiming how awesome they are (some Arab kids apparently), and inserted all sorts of shit right through the hosting account. PHP files with uploaders, etc etc.

Fun.

Nice way to start off the week.

Little shits..

They set up subdomains, email accounts, hidden folders, hidden PHP files with uploaders, the whole works. 2 hours on and I *think* I’ve finished cleaning up.

They got into the cPanel, changed the contact email to [email address removed], had set up "rox.mydomain.com", and an email "[email address removed]", and also put "cgitelnet.pl" into the cgi-bin folder, as well as a PHP uploader in root.

Among other things.

Still got no idea how they got in.. they wiped the access logs, and even put fake ones in with stupid shit just to be idiots.
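The cleanup described in the posts above (checking modification dates, hunting for hidden folders, stray PHP/Perl scripts and loose permissions) can be scripted. This is an added example, not part of the original thread; the function name `audit_webroot`, the extension list, the `.htaccess` allowance and the `baseline` set of known-good paths are assumptions made for illustration.

```python
import os
import stat

# Server-executable types named in the thread (.php, .pl) plus common siblings (assumption).
SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi"}
# Assumption: the only dotfile this site legitimately needs.
EXPECTED_DOTFILES = {".htaccess"}


def audit_webroot(root, cutoff_epoch, baseline=frozenset()):
    """Walk `root` and return {relative_path: [reasons]} for entries worth a manual look.

    cutoff_epoch: Unix time before which the account was believed clean.
    baseline:     relative paths known to be legitimate (e.g. listed from your own backup).
    """
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)  # lstat: never follow a symlink out of the web root
            if name.startswith(".") and name not in EXPECTED_DOTFILES:
                flag(rel, "hidden")
            # Group/world write bits are exactly what 755 (dirs) and 644 (files) rule out.
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & 0o022:
                flag(rel, "group/world-writable")
            if stat.S_ISDIR(st.st_mode):
                continue
            if st.st_mtime >= cutoff_epoch:
                flag(rel, "modified since cutoff")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS and rel not in baseline:
                flag(rel, "script not in baseline")
    return findings


if __name__ == "__main__":
    import sys
    import time
    # Usage: python audit.py /path/to/public_html [hours_back]
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 48
    report = audit_webroot(sys.argv[1], time.time() - hours * 3600)
    for path, reasons in sorted(report.items()):
        print(f"{path}: {', '.join(reasons)}")
```

Modification times can be reset by whoever wrote the file, so the baseline comparison matters more than the date check, and an empty report does not clear the cPanel side (subdomains, mail accounts, contact address).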

have you googled the info you have on them? Might be able to find out how they got in by doing this

Yeah been googling for the last 2 hours while cleaning up my account.. can’t find shit except a whole crapload of other sites they’ve defaced.. always under different "group" names but with the same handles/emails..

Seems to be run by these 3:

  • Flex ([email address removed])
  • EmBrAtOuR ([email address removed])
  • SeCur!Ty.Ev!L: ([email address removed])

They’re Arab, defacing sites with stuff about how evil the US is etc.

I can’t find any pattern in the sites they’re defacing either.. I run WordPress (and NOTHING else on that account), the other sites don’t seem to have WordPress installed.

I found a few that seemed to be WordPress. 2.8.3 iirc had a security issue. What are you running?

2.8.4, the only exploit I’ve found on .4 is that "reset admin password" one, but it doesn’t give them access.