WEB I got hacked.. they inserted google ads into my pages!

Discussion in 'OT Technology' started by Insert Tokens, Oct 1, 2009.

  1. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    All it was, was a few hold pages.. haven't even launched the site yet.. it's just a portfolio/homepage for my small business..

    Load it up today, and there's google adwords under my logo and "coming soon" message!

    Hosts couldn't help, they don't keep logs. Last modified date, for the html file, was 3am this morning.. so it was recent.

    Any way I can figure out HOW they did it? Whether my entire hosting account is compromised, or if they got in through a script/etc?

    Should I just wipe the hosting account in case they hid files? or am I being overly-paranoid?

    I feel violated.. *calls the rape counselling helpline*.. :mamoru:
     
  2. pharmokan

    pharmokan OT Supporter

    Joined:
    Oct 18, 2002
    Messages:
    102,246
    Likes Received:
    472
    Location:
    L.A.
    xss vuln = sanitize inputs

    permissions = 755 directories 644 files

    ftp login = change it
     
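The three items above (input handling aside) are things you can check rather than guess at. The script below is an added example, not code from the thread or from any host's tooling: it audits a web root against the 755/755-for-directories, 644-for-files baseline pharmokan gives, flags anything world-writable (the usual `chmod 777 uploads/` that lets another account on the same box drop a file in), and can enforce the baseline. The directory layout it builds is a constructed sample so the script runs offline; `WEBROOT` and the file names are assumptions, point it at your own `public_html`.

```shell
#!/bin/sh
# Added example: permission audit for a shared-hosting web root.
# Baseline (from the post above): directories 0755, files 0644.
# On hosts that run PHP as your own account user this is all the
# web server needs; world-writable entries are never required.

# Every directory whose mode is not exactly 0755.
audit_dirs() {
    find "$1" -type d ! -perm 755 -exec ls -ld {} \;
}

# Every regular file whose mode is not exactly 0644.
audit_files() {
    find "$1" -type f ! -perm 644 -exec ls -l {} \;
}

# Anything with the other-write bit set (-perm -002 = "at least o+w").
# These are the entries a neighbour on the same shared host can write to.
audit_world_writable() {
    find "$1" -perm -002
}

# Enforce the baseline. Run the audits first so you know what will change;
# a deliberately executable script (e.g. in cgi-bin) needs re-marking after.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} \;
    find "$1" -type f ! -perm 644 -exec chmod 644 {} \;
}

# Constructed sample tree (not real site data) so the audit can be exercised
# offline: one correctly-set file, one 666 file, one 777 uploads directory.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/cgi-bin"
    printf '<?php echo "coming soon";\n' > "$root/index.php"
    printf '<?php echo "placeholder";\n' > "$root/wp-content/uploads/x.php"
    chmod 755 "$root" "$root/wp-content" "$root/cgi-bin"
    chmod 777 "$root/wp-content/uploads"      # the classic mistake
    chmod 644 "$root/index.php"
    chmod 666 "$root/wp-content/uploads/x.php"
    echo "$root"
}

# Usage: sh perms-audit.sh /home/you/public_html   (audit only)
#        sh perms-audit.sh /home/you/public_html fix
if [ $# -ge 1 ]; then
    WEBROOT=$1
    echo "== directories not 755 ==";  audit_dirs "$WEBROOT"
    echo "== files not 644 ==";        audit_files "$WEBROOT"
    echo "== world-writable ==";       audit_world_writable "$WEBROOT"
    [ "${2:-}" = "fix" ] && fix_perms "$WEBROOT"
fi
```

The audit lists modes, it does not decide for you: a 0775 directory on a host where the web server shares your group is a different risk from a 0777 one, so read the output before running `fix`. Permissions also say nothing about whether the FTP password or the host itself was the way in, which is why the other two points in the post (changing the FTP login, and the later advice to use SFTP) still apply whatever the audit shows.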
  3. pharmokan

    pharmokan OT Supporter

    Joined:
    Oct 18, 2002
    Messages:
    102,246
    Likes Received:
    472
    Location:
    L.A.
    anon ftp access disabled hopefully :mamoru2:
     
  4. pharmokan

    pharmokan OT Supporter

    Joined:
    Oct 18, 2002
    Messages:
    102,246
    Likes Received:
    472
    Location:
    L.A.
  5. pharmokan

    pharmokan OT Supporter

    Joined:
    Oct 18, 2002
    Messages:
    102,246
    Likes Received:
    472
    Location:
    L.A.
    [move]:mamoru2:[/move]
     
  6. Phasm

    Phasm OT Supporter

    Joined:
    Sep 20, 2005
    Messages:
    9,680
    Likes Received:
    0
    Location:
    Michigan
    they took our adddddddddds
     
  7. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    Check your computer for malware/trojans/spyware

    If your host supports it, use SFTP/SCP to upload files rather than plain FTP.
     
  8. Tony Stark

    Tony Stark John McCain has an illegitimate mexican baby

    Joined:
    Jun 27, 2003
    Messages:
    40,060
    Likes Received:
    0
    contact Google, and their account will get banned
     
  9. shaitaan

    shaitaan New Member

    Joined:
    Jul 12, 2002
    Messages:
    49,620
    Likes Received:
    0
    Location:
    Bay Area, CA / NYC

    sup
     
  10. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    ::mamoru:
     
  11. pharmokan

    pharmokan OT Supporter

    Joined:
    Oct 18, 2002
    Messages:
    102,246
    Likes Received:
    472
    Location:
    L.A.
  12. shaitaan

    shaitaan New Member

    Joined:
    Jul 12, 2002
    Messages:
    49,620
    Likes Received:
    0
    Location:
    Bay Area, CA / NYC
  13. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Permissions are all good. It's a near-empty shared hosting account where I was just playing with a Wordpress install with custom theme. No plugins.

    No inputs to sanitize unless there's an unknown Wordpress issue in the latest version.

    And yeah, changed my FTP password straight away, just in case.

    Confusing as all fuck.. as far as I can tell, they didn't touch anything else. I've gone through checking file modification dates, and looking for any new files.. nada.

    Weird.
     
  14. Phasm

    Phasm OT Supporter

    Joined:
    Sep 20, 2005
    Messages:
    9,680
    Likes Received:
    0
    Location:
    Michigan
    You're never on aim :mad:
     
  15. shaitaan

    shaitaan New Member

    Joined:
    Jul 12, 2002
    Messages:
    49,620
    Likes Received:
    0
    Location:
    Bay Area, CA / NYC
    im back im back im back im back :o been doin the travel thaaaaang. my bad.
     
  16. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Bleh, seems it was them testing my site. Now they're back, this time they ruined shit up nice and good. Wiped the front page, replaced it with one of their bullshit defacement messages exclaiming how awesome they are (some arab kids apparently), and inserted all sorts of shit right through the hosting account. PHP files with uploaders, etc etc.

    Fun.

    Nice way to start off the week.
     
  17. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Little shits..

    They set up subdomains, email accounts, hidden folders, hidden PHP files with uploaders, the whole works. 2 hours on and I *think* I've finished cleaning up.

    They got into the cPanel, changed the contact email to [email protected], had set up "rox.mydomain.com", and an email "[email protected]", and also put "cgitelnet.pl" into the cgi-bin folder, as well as a PHP uploader in root.

    Among other things.

    Still got no idea how they got in.. they wiped the access logs, and even put fake ones in with stupid shit just to be idiots.
     
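Post #13 searched by file modification date and found nothing; post #17 then turned up hidden folders, a PHP uploader and a Perl script in cgi-bin. The gap is that mtime (what `ls -l` shows) is whatever the last writer chose: `touch -t` sets it to any date. The inode change time (ctime) is set by the kernel on every content, mode or owner change and cannot be backdated from userland without root or a clock change, so it survives the same kind of tampering the intruders applied to the access logs. The triage script below is an added example, not from the thread: it searches by ctime and by mtime side by side, greps PHP files for the calls an uploader or backdoor nearly always needs, lists dot-entries, and lists anything under cgi-bin or ending in `.pl`/`.cgi`. The tree it builds is a constructed fixture (including a stand-in `cgitelnet.pl` that is just a comment, not the real script); paths and the 7-day window are assumptions.

```shell
#!/bin/sh
# Added example: file-system triage for a compromised shared-hosting account.
# Everything here narrows the list of files to read by hand; nothing here
# decides for you, and none of it covers cPanel-side changes (contact
# address, subdomains, mail accounts), which must be checked in the panel.

# Files whose inode changed in the last N days. ctime is kernel-maintained
# and not settable with touch(1), so a backdated mtime does not hide a file.
changed_within_days() {
    find "$1" -type f -ctime "-$2"
}

# The same window keyed on mtime, for comparison: this is what ls -l shows
# and what an intruder can rewrite.
modified_within_days() {
    find "$1" -type f -mtime "-$2"
}

# PHP files containing calls an uploader or shell needs. A legitimate upload
# handler also calls move_uploaded_file, so expect some false positives.
# -exec ... \; is used so a non-matching grep does not fail the whole find.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'move_uploaded_file|eval *\(|base64_decode|gzinflate|passthru|shell_exec|system *\(|exec *\(' {} \;
}

# Dot-files and dot-directories: where "hidden folders" usually live.
# .htaccess will show up too; read it, redirects are a common payload.
hidden_entries() {
    find "$1" -name '.*'
}

# Anything under cgi-bin plus Perl/CGI scripts anywhere (cf. cgitelnet.pl).
cgi_scripts() {
    find "$1" -type f \( -path '*/cgi-bin/*' -o -name '*.pl' -o -name '*.cgi' \)
}

# Constructed fixture, not a real site: a clean front page and theme file,
# an uploader hidden in a dot-directory with its mtime forged back to 2009,
# and a placeholder Perl script in cgi-bin.
make_compromised_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/custom" \
             "$root/wp-content/uploads/.cache" "$root/cgi-bin"
    printf '<?php // front page\necho "coming soon";\n' > "$root/index.php"
    printf '<?php // theme file\nget_header();\n' \
        > "$root/wp-content/themes/custom/index.php"
    printf '<?php move_uploaded_file($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]);\n' \
        > "$root/wp-content/uploads/.cache/up.php"
    touch -t 200901010000 "$root/wp-content/uploads/.cache/up.php"  # forged mtime
    printf '#!/usr/bin/perl\n# constructed stand-in for cgitelnet.pl\n' \
        > "$root/cgi-bin/cgitelnet.pl"
    echo "$root"
}

# Usage: sh triage.sh /home/you/public_html [days]
if [ $# -ge 1 ]; then
    WEBROOT=$1; DAYS=${2:-7}
    echo "== inode change within $DAYS days (ctime) =="; changed_within_days "$WEBROOT" "$DAYS"
    echo "== mtime within $DAYS days (forgeable) ==";     modified_within_days "$WEBROOT" "$DAYS"
    echo "== PHP with uploader/shell calls ==";           suspicious_php "$WEBROOT"
    echo "== dot entries ==";                              hidden_entries "$WEBROOT"
    echo "== cgi-bin and Perl/CGI scripts ==";             cgi_scripts "$WEBROOT"
fi
```

Two caveats that follow from what the post describes. The intruders had cPanel access and replaced the access logs, so every credential the account holds (cPanel, FTP, database, WordPress admin, mail accounts) should be treated as known to them and rotated, not just the FTP password. And because a cleanup can only ever be shown incomplete, never complete, the dependable end state is a fresh account with the theme and content redeployed from a copy that predates the first ad injection; the triage above is for learning what they touched, not for proving they are gone.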
  18. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,465
    Likes Received:
    10
    have you googled the info you have on them? Might be able to find out how they got in by doing this:o
     
  19. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Yeah been googling for the last 2 hours while cleaning up my account.. can't find shit except a whole crapload of other sites they've defaced.. always under different "group" names but with the same handles/emails..

    Seems to be run by these 3:
    • Flex ([email protected])
    • EmBrAtOuR ([email protected])
    • SeCur!Ty.Ev!L: ([email protected])
    They're arab, defacing sites with stuff about how evil the US is etc.

    I can't find any pattern in the sites they're defacing either.. I run Wordpress (and NOTHING else on that account), the other sites don't seem to have Wordpress installed.
     
  20. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,465
    Likes Received:
    10
    I found a few that seemed to be wordpress. 2.8.3 iirc had a security issue. what are you running?
     
  21. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    2.8.4, the only exploit I've found on .4 is that "reset admin password" one, but it doesn't give them access.
     