I've been bloody hacked.
I have an account with Hostmonster with 7 subdomains.
The main site has only one index.html file with the hostmonster affiliates javascript banner.
4 of the subdomains use Drupal and should be fairly secure and up to date.
1 of the subdomains uses Simplemachines, but it is not the latest version and needs to be updated. There is no activity on this site.
1 of the subdomains is HTML but it does have a perl form email script.
It appears that I have been hacked.
There are 2 new directories added to the public_html directory:
direct2=bankofamerica.com.i5
direct2=bankofamerica.com.n1
Does anyone know how I might have been hacked?
Also, is there anything that can be done to catch the subhuman turds that ransack a person's legitimate business with their despicable activities? I have downloaded copies of the scripts; is there some law enforcement agency that might be interested in them?
pr0gr4mm3r posted this at 12:11 — 7th January 2010.
He has: 1,502 posts
Joined: Sep 2006
It looks like they set up your site for a spoofing operation. I would be curious as to what those scripts contained. I'm guessing it was collecting Bank of America passwords and emailing them to the hacker. If you know PHP, you should be able to find the email address for the hackers in those scripts.
One time, I found a similar script that emailed that information to someone. What I did was redirect that email to myself and submit the form to see what that email looked like, and then sent several emails of that format to the hacker's account, flooding him with bogus information. I'm not recommending it, but if you are looking for payback...
As far as your site, I would update everything to the latest version and check your file permissions. If your server setup has suPHP or suExec running, ALL files should only be writable by you (not 0777).
Shaggy posted this at 20:14 — 7th January 2010.
They have: 121 posts
Joined: Dec 2008
In cases I've investigated like you describe, the culprit is often a popular third party script someone has installed that they've not kept updated, or just was not well written.
Usually the attacker first takes advantage of an open upload function that allows them to put their own scripts on the server that they access via http(s).
Some are just gateways that allow them to run commands on the shell via passthru / etc. Others are quite sophisticated and scan for other vulnerable services / libraries on the machine. Check your upload directories / web roots for anything the webserver created /owns. Anything that could be executed is a candidate.
Once you are clean, secure those upload functions... and make sure anything uploaded can:
1) Only be written to a single place
2) Nothing in that place can ever be executed.
Cheers,
Shaggy.
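The checks pr0gr4mm3r and Shaggy describe (files left writable by everyone, files the webserver user created in the webroot, freshly dropped scripts, and where a phishing kit sends what it captures) can be run as a small set of shell helpers. This is an added example, not code from anyone in the thread; it assumes a Hostmonster-style layout with the account webroot at `$HOME/public_html`, a hypothetical webserver user `nobody`, an upload directory `public_html/uploads`, and an Apache 2.4 host that honours `.htaccess` overrides for `Options`, `FileInfo` and `AuthConfig`.

```sh
#!/bin/sh
# Triage and hardening helpers for a compromised shared-hosting account.
# Assumptions (hypothetical, adjust for your host): webroot is $HOME/public_html,
# the webserver runs as user "nobody", uploads land in public_html/uploads, and
# Apache 2.4 honours .htaccess overrides for Options, FileInfo and AuthConfig.

WEBROOT="${WEBROOT:-$HOME/public_html}"
WEBUSER="${WEBUSER:-nobody}"

# Files writable by group or others (0777-style). On suPHP/suExec hosts every file
# should be writable by the account owner only.
find_loose_perms() {
  find "$1" -type f \( -perm -002 -o -perm -020 \) 2>/dev/null
}

# Files owned by the webserver user rather than the account: the usual sign that a
# web-facing upload form or an exploited script wrote them.
find_webserver_owned() {
  find "$1" -user "$2" 2>/dev/null
}

# Script files changed in the last N days, including ones hiding in upload or image dirs.
find_recent_scripts() {
  find "$1" -type f -mtime -"$2" \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.pl' -o -name '*.cgi' -o -name '*.sh' \) \
    2>/dev/null
}

# Lines in a suspected phishing kit that show where captured data goes or how the
# script runs commands: mail() calls, e-mail addresses, shell pass-through functions.
find_exfil_indicators() {
  grep -Ens 'mail\(|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|passthru|shell_exec|system\(|base64_decode' "$@"
}

# Write an .htaccess that stops anything in an upload directory from being executed
# or handled as a script, whatever extension it was uploaded with.
harden_upload_dir() {
  cat > "$1/.htaccess" <<'EOF'
# Uploads are data, never code: deny requests for script extensions and strip the
# handlers so everything else is served as a plain file.
Options -ExecCGI -Indexes
RemoveHandler .php .phtml .php3 .php5 .pl .cgi .py .sh
RemoveType .php .phtml .php3 .php5 .pl .cgi .py .sh
<FilesMatch "\.(php|phtml|php[0-9]|pl|cgi|py|sh)$">
    Require all denied
</FilesMatch>
EOF
}

# Run the three file-system checks over a webroot and print the findings.
audit_webroot() {
  echo "== group/world-writable files under $1"
  find_loose_perms "$1"
  echo "== files owned by webserver user $2"
  find_webserver_owned "$1" "$2"
  echo "== script files modified in the last 7 days"
  find_recent_scripts "$1" 7
}

# Only audit when the assumed webroot actually exists on this machine.
if [ -d "$WEBROOT" ]; then
  audit_webroot "$WEBROOT" "$WEBUSER"
fi
```

Run `find_exfil_indicators` over the copied phishing scripts to pull out the drop address and any command-execution functions before handing them to the host or law enforcement, and `harden_upload_dir "$WEBROOT/uploads"` once the account is clean so that Shaggy's rule (one upload location, nothing in it executable) holds even if a script with a `.php` name gets uploaded again.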
JeevesBond posted this at 23:48 — 8th January 2010.
He has: 3,956 posts
Joined: Jun 2002
As others have pointed out, this is mostly caused by out-of-date third-party scripts. Since scamming has become big business, attacks are almost all automated these days; for example, I can guarantee that since you posted this our server has been probed for Wordpress, Joomla!, phpBB vulnerabilities (among others) by bots.
As for the action to take, I’m not so sure. You could ask your hosting company if they’re interested in seeing your log files and the scripts uploaded by the crackers.
Another avenue of attack is a weak SSH or FTP password, so make sure you change those.
jj1 posted this at 15:26 — 22nd February 2010.
They have: 39 posts
Joined: Jan 2009
When you say third party scripts, could a content management system be the host for scams like this? I ask as we're just looking into getting a CMS and have wondered about security.
Renegade posted this at 03:33 — 24th February 2010.
He has: 3,022 posts
Joined: Oct 2002
Yes, CMSs can be targets/hosts of scams - which is why it is a good idea to thoroughly research the CMS you want to use and keep up with security updates from them.
This of course doesn't mean that you should not use CMSs at all though because generally speaking, any website can be the host or target, it just depends on what security models you have employed.
Best way of not getting targeted which is 100% effective is to not have it up in the first place.