Re: [vox-tech] my site was hacked

2010-01-26 Thread Hai Yi
Gandalf: Thank you for the detailed explanation, I'll read it again.
I checked my pages, only index.html was replaced, what really upset me
is that now it's 48 hours after I sent the request to the ISP, still
no response; I can understand now hacking does happen and I can fix
the problem myself, but their services disappoint me.

On Tue, Jan 26, 2010 at 12:32 AM, Gandalf Parker gand...@any1can.net wrote:

 I've worked as admin for ISPs. And one of those was owned by a law firm.
 I will take a stab at this.

 On Mon, 25 Jan 2010, Hai Yi wrote:
 The website hasn't been restored yet, even though I wrote an urgent email to
 the support of my ISP, lunarpages.com, no response after 24 hours
 except for an automatic email. This host used to be a good one,
 responding to the requests in time and to the point; however it's
 becoming a disappointment in recent years, I think it's time for me to
 move my business elsewhere.

 Hacks happen. The defenses for hacks are developed and distributed after
 hacks occur. One event by itself is not a good reason to move. In fact,
 it's rather like a lightning strike. The fact that they got a wakeup call
 means that moving to one that is still asleep could be a bad move.

 On the other hand, this is a simple attack with a simple fix. From the
 sound of it I would expect that every index.htm, index.html, main.html,
 home.html and a long list of other main pages were simply overwritten with
 the signature webpage for bragging rights. A simple script should be able
 to go to the backups and restore every modified page. Any ISP that is slow
 on this might be worth moving away from.
 I'd recommend Sonic.net

 Anyway, I hope someone here can help me with a few questions: does the
 ISP bear responsibility for such a security breach?

 Yes and no. You copied your pages to their server. Your alternative was
 doing your own. They would only have to show reasonable effort. But they
 can be sued for loss of business if you can show the amount prior and
 after.

 My homepage is replaced by the hacker's page of some crap, is that the
 best he can do? What kind of attack is it? Are they able to access my
 data? I checked that my files are still there, but not sure if the
 hacker has made a copy.

 They got into someone's account. That account could be highly compromised
 but it's unlikely they bothered looking thru everyone's stuff on the server.
 Once they plant their flag (the replaced index pages) they usually delete
 every trace they can behind them and leave. The account they got into
 might have lost everything in their directories in the cleanup/escape.

 Do you have a copy of the webpage on your machine? You really should no
 matter what ISP you go to. Just upload the page back to your account.

 DISCLAIMER: these are of course my own opinions of what I would do if this
 was me. The safe and appropriate instructions would be much harsher.
 Usually something like delete everything, reformat, start over.

 Gandalf Parker
 --
 Saying your system is secure should be considered the same as saying
 your food is too hot. It's a temporary condition which is going away even
 as you speak.

 ___
 vox-tech mailing list
 vox-tech@lists.lugod.org
 http://lists.lugod.org/mailman/listinfo/vox-tech
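
The quoted reply above mentions a simple script that goes to the backups and restores every modified page. One way to write that check, as an added example that is not from the thread: it assumes you hold a known-good local copy of the site, and the directory names and the quarantine step are illustrative choices.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_trees(backup_root, live_root):
    """Return (modified, missing, unexpected) lists of relative paths."""
    b, l = Path(backup_root), Path(live_root)
    in_backup = {p.relative_to(b) for p in b.rglob("*") if p.is_file()}
    in_live = {p.relative_to(l) for p in l.rglob("*") if p.is_file()}
    modified = sorted(r for r in in_backup & in_live
                      if sha256_of(b / r) != sha256_of(l / r))
    missing = sorted(in_backup - in_live)     # deleted from the live site
    unexpected = sorted(in_live - in_backup)  # never restored over: review by hand
    return modified, missing, unexpected

def restore(backup_root, live_root, rel_paths, quarantine_root):
    """Keep each tampered file as evidence, then copy the backup version back."""
    for rel in rel_paths:
        src, dst = Path(backup_root) / rel, Path(live_root) / rel
        if dst.exists():
            kept = Path(quarantine_root) / rel
            kept.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(dst), str(kept))
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)

if __name__ == "__main__":
    # Constructed demo trees in a temporary directory (not the poster's site).
    with tempfile.TemporaryDirectory() as d:
        b, l, q = Path(d, "backup"), Path(d, "live"), Path(d, "quarantine")
        b.mkdir()
        l.mkdir()
        (b / "index.html").write_text("real home page")
        (l / "index.html").write_text("defaced")
        modified, missing, unexpected = compare_trees(b, l)
        restore(b, l, modified + missing, q)
        print("restored:", [str(p) for p in modified + missing])
```

Files reported as unexpected exist only on the live site; they are left in place for manual review because they may be content added after the backup or something the intruder left behind.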



Re: [vox-tech] my site was hacked

2010-01-26 Thread Scott Miller
You can alter a site's home page (or do more) with types of injection.
:( This random article has pictures of an example:

http://www.technicalinfo.net/papers/CSS.html
(See: Putting It All Together)

So depending on the site's places of 'input' - (search boxes, comment
boxes, even the address bar can be used) it is possible to inject code
and potentially do whatever you want.

Depending on the situation it may or may not be a security problem of
the hosting company but could be a vulnerability in a specific site's
code. Especially with PHP. PHP calendars, guestbooks, blogs, etc are
constant targets.

If this was an injection, and if you have access to the apache logs
you can see what exact IP address made the injection, and such. Look
for POST in the logs. A lot of times hackers will try again and again
for several days (weeks) posting random scripts until they get it. So
there can be a long track record recorded in the apache logs.

On Tue, Jan 26, 2010 at 04:31, Hai Yi yihai2...@gmail.com wrote:
 Gandalf: Thank you for the detailed explanation, I'll read it again.
 I checked my pages, only index.html was replaced, what really upset me
 is that now it's 48 hours after I sent the request to the ISP, still
 no response; I can understand now hacking does happen and I can fix
 the problem myself, but their services disappoint me.

-- 
Scott
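
The log review suggested in the message above, as an added example that is not part of the original post: it pulls POST requests out of Apache access-log lines and reports client addresses that kept posting across several days. It assumes the "combined" log format; the sample lines are constructed and the `min_days` threshold is an arbitrary illustrative choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2010:03:11:02 -0800] "POST /guestbook.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jan/2010:09:40:10 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jan/2010:03:12:45 -0800] "POST /calendar.php?month=1 HTTP/1.1" 500 310 "-" "Mozilla/4.0"
198.51.100.23 - - [21/Jan/2010:10:02:31 -0800] "POST /contact.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2010:03:10:19 -0800] "POST /guestbook.php HTTP/1.1" 200 530 "-" "Mozilla/4.0"
this line is truncated or corrupt
"""

# Client IP, timestamp, method and request path; the rest of the line is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)

def summarize_posts(log_text):
    """Group POST requests by client IP: count, distinct days, targeted paths."""
    stats = defaultdict(lambda: {"count": 0, "days": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # skip unparseable lines and non-POST requests
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["days"].add(ts.date())
        entry["paths"].add(m.group("path").split("?", 1)[0])  # drop query string
    return dict(stats)

def repeat_posters(stats, min_days=2):
    """IPs whose POSTs span at least min_days distinct days, most persistent first."""
    hits = [(ip, s) for ip, s in stats.items() if len(s["days"]) >= min_days]
    return sorted(hits, key=lambda h: (-len(h[1]["days"]), -h[1]["count"]))

if __name__ == "__main__":
    for ip, s in repeat_posters(summarize_posts(SAMPLE_LOG)):
        print(ip, s["count"], "POSTs over", len(s["days"]), "days:", sorted(s["paths"]))
```

On a shared host the access log may only be reachable through the control panel, and rotated logs need to be included to cover the days or weeks of attempts the message describes.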


Re: [vox-tech] my site was hacked

2010-01-26 Thread Hai Yi
Tony: I use dreamweaver to edit my files locally and use its internal
ftp to upload them. lunarpages's OS is Linux (they might provide Windows
too but mine is Linux)

On Tue, Jan 26, 2010 at 7:51 AM, Tony Cratz cr...@hematite.com wrote:
 Hai Yi wrote:
 The website hasn't been restored yet, even though I wrote an urgent email to
 the support of my ISP, lunarpages.com, no response after 24 hours
 except for an automatic email. This host used to be a good one,
 responding to the requests in time and to the point; however it's
 becoming a disappointment in recent years, I think it's time for me to
 move my business elsewhere.



        I have a couple of questions which might help us to find
        out how your site was hacked.

        How do you make changes to your site? Do you send the
        file to the ISP and they put the file into position or
        do you somehow transfer the file and put it into place?

        If you transfer the file yourself, what method do you use
        to transfer the file?

        Do you have shell access to your site?

        What OS does the ISP use for your site?

                                                        Tony



Re: [vox-tech] my site was hacked

2010-01-26 Thread Rick Moen
I inadvertently sent this comment offlist, the first time.  My
apologies!



Hai Yi (yihai2...@gmail.com) wrote:

 Tony: I use dreamweaver to edit my files locally and use its 
 internal ftp to upload them.
  

So, are you sending your password unencrypted across the open Internet?

