I have been hacked!

[Hippie459MN]

Well, After being gone for about 2 weeks for work and not looking at my web site personally I noticed it got hacked. I have been logging in to my server via my FTP client and making backups so I do have a back up but seems that it looks like only my index.html files was changed. I know I have a very very sucure password that consists of like 12 random letters and numbers some caps some not with zero signifigance with anything so I dont see how anyone could guess it or get a PW gen to guess it. And as for my index.html file, There was nothing other than basic html and some small javascript code in it for like disabling right click on the page so I know thats not it.

I have sent in a ticket to security but have not heard back yet. I have also left the hackers page up untill I hear from HG on this before I restore my back up file. It seems to goto a turkish web foum for internet security (Hackers) page but I cant read turkish so I cant see anything that might pertain to hacking sites to see if maybe my site is on there. lol Ya never know.

Well, if anyone wants to check it out the url is http://www.hippie459mn.com

This stinks. lol

[Hippie459MN]

Well after browsing the site that is linked on my main page for now (The hacked page) it looks like this person that OwneZ me now likes to hack a few sites. I just wonder what his motive was for picking my site to decide to hack. Its just a personal web page. No business or anything. lol

http://www.digitalattack.org/search.php?searchid=49 That is the users posts at that forum. In the bottom left of the forum you can select english but it is still very hard for follow.

Oh well... He will get whats coming to him one of these days. Must be a 13 year old with his newbie skills. lol

[gwyneth]

Good that you notified security. Have you taken down the bad index.html page yet? It doesn't do anybody any good to keep it up, and there's always a chance of dangerous stuff you or your visitors can't see.

Are you running any blog/forum/gallery/wiki app packages? Sounds like you were exploited, not hacked, given your strong password.

[riostyles]

Did you connect to cPanel from an internet center as you was away?
Did you checked e-mails in an internet center or an unknown computer, and plug some USB device having the PWD onboard?
Do your PWD is in some external webmail (Gmail ...) in this case the webmail PWD can be the problem.

With your FTP see the update of the index.html files dates, check all files update same datetime.
This also can give a clue: the key was discovered/stolen before.
The hack is pretty easy to repare.

[Teddy Rogers]

I think it was your guestbook that let you down. There are a lot of guestbooks out there that have security holes.

It is easy for "hackers" to find sites with holes, including yours, because all they have to do is Google, "UltraGuest.com" and eventually your site will come up...

Ted.

[Xtr3meVideos]

Yes, I totally agree with Teddy. The Guestbook was the issue for sure.

[RainbowViper]

That's the reason I removed the Guestbook from one of my sites. I was hacked, too, and it appears the Guestbook was the way they got a password for the Domain admin's FTP account. Fortunately, it was easy to clean up after the little turd.

[TheExoticFish]

Was this "The Spyders Team" ?

[RainbowViper]

If you were asking me, then no.

It was a hidden link at the bottom of several pages, that pointed to a Russian Porn site ending in .tv or somesuch.

[TheExoticFish]

Oh okay. I was just curious because I was hacked the other day by that "Team". My password was also pretty complex, 6 random letters and 2 numbers.

Edit: I just looked to reference my thread and apparently HostGator staff didn't like it so it was removed. Guess this thread will be soon also.

[slapshotw]

Do you mean this thread about your hacking, which is still up? http://forums.hostgator.com/help-now...6.html?t=37276

Or a different one?

[TheExoticFish]

Uh huh... It wasn't showing up a minute ago... Even in my statistics.

[ufopsi.com]

Today, I've been hacked as well by a Turkish idiot. I think he changed cpanel and main ftp account password, then placed his index.html file. Nothing else, since forums and galleries and e-mails work fine.

I've an add-on domain on the same account that was hacked as well, yet the ftp password was not changed.

If anyone is interested, the hacker's site is: www.lanetim.com

[softwarecandy]

Quote:

Originally Posted by Hippie459MN

I have been logging in to my server via my FTP client...

I hope that you are not using standard telnet and ftp because everything you send over those links (including your password!) is in clear text... I recommend using PuTTY instead:

http://www.putty.org/

[TheExoticFish]

HostGator needs to do something about this. It seems like they're gaining our passwords from HostGator's side somehow.

[striddy]

Quote:

Originally Posted by TheExoticFish

HostGator needs to do something about this. It seems like they're gaining our passwords from HostGator's side somehow.

Are you serious ?

[TheExoticFish]

No, of course not.

[quietFinn]

Quote:

Originally Posted by TheExoticFish

HostGator needs to do something about this. It seems like they're gaining our passwords from HostGator's side somehow.

Just change your cPanel password and not anyone in HostGator will know it.

[TheExoticFish]

I'm sure a lot of people will recall when everyone was told to change their passwords as ex employees of HostGator may have had lists of them. I find this situation a little "fishy" (LoL).

Personally my password couldn't have been guessed. Only myself and HostGator (support staff I told it to) had access to it.

I'm only saying HostGator should really look into finding out why all of a sudden there are several of us that have reported being hacked recently.

From now on my password will be changed prior to speaking with HostGator support. It's sad that we cannot even trust the support team.

[GatorChrisD]

Hello,

We ran a quick scan over your account on the 22nd and requested further information from you at that time, since the initial inspection turned up as clean and no virus was apparent. We requested more detailed information, such as the URL where you are seeing this virus, but at this point we have not received this information. Please update your ticket with the URL that you are seeing this virus so that we may continue our investigation.

[TheExoticFish]

My ticket or the OP ? Security already resolved my problem, I just requested a virus scan as an extra precautionary measure.

[GatorChrisD]

Hello,

Regarding the OP, that ticket appears to have been resolved on the 24th, and was due to outdated scripts on the account. I'm not able to find an further outstanding issues related to this forum thread, and if there is anything we can assist you with please let us know.

[hiphil]

I might have the reason you were hacked.

One of my domains was hacked by Turkish hackers. I removed the infected files, and all was OK for about two weeks.

I then kept getting reports that phishing sites were being hosted on my site.

It seems the original hackers had left backdoor script files on the site, that later generated phishing files.

All but one of the malicious script files names began with "wysiwygPRO...", and were .php scripts.

I wrote a script to find all file names beginning "wysiwygPRO" and deleted them. My site has been trouble free since I deleted these files.

[Steve1943]

I got hacked in September with a fairly innocous, childish, replacement for my home page.

Only in December did I discover that the hackers left a webshell (C99) which they used to set up a phishing site targeting a UK bank. Also they ripped off my email box addresses; and those have also been used in a separate series of phishing emails.

The entry point is NOT passwords - it is an (RFI/LFI) exploit where a GET or similar command in your own script is allowing a hacker to introduce raw code to drop their webshell.

Once the webshell is in place they can access it via http just like their own cPanel - to do just about anything they want - without a password.

You can do a lot to harden up the site with htaccess - and Support have a handy script called vuln.pl which will scan your scripts for vulnerabilities.

The Security people in Support have been super helpful. Pity it took a serious Phishing incident to get my attention about the need for security.

Because my own site aren't worth a lot, I never paid security much attention. Never considered the possible use of my sites as zombies by serious fraudsters from Russia and Korea.

Scary stuff.

[GatorChrisD]

Most hacks could easily be avoided if the scripts used on the account were kept up to date. For example, joomla and wordpress are two very popular scripts that we see exploited fairly often. Due to their popularity they are highly targeted by hackers, and since exploits are published all they have to do is find an outdated version of the script and copy/paste what someone else has already figured out. It's not true hacking in my opinion, but it carries the same results.

In regards to scanning an account for vulnerabilities, this is not something that we really do. There are simply too man scripts out there for us to have a very effective way to determine if a script is exploitable. We leave it in the hands of the scripts developer to find the vulnerabilities in their code and take action to correct it.

It is highly suggested that you enable 'Raw Archive Logging' in your cpanel so that it will store the apache logs permanently on your account. We use these logs to locate the URL that the hacker used to exploit your script, which helps us to determine exactly which script was exploited. Unfortunately due to the amount of traffic/domains on our shared servers the apache logs rotate out rather quickly, and we typically only have about 24 hours worth of these logs. If you suspect you have been hacked, please do not modify the account, but instead contact us first so that we may investigate the matter and determine how your account was exploited. We can be contacted at security@hostgator.com