
Hacked by badsectqr - Anyone else experienced this?

Discussion in 'Forum Suggestions & Feedback' started by cunningstunts, Jan 3, 2011.

  1. cunningstunts

    cunningstunts Registered Member

    Joined:
    May 7, 2009
    Messages:
    69
    Likes Received:
    13
    I wasn't sure where to post this - so posting here.

    All 11 sites were hacked by "badsectqr" - the link left on site is imhatimi(dot)org


    Just curious how they did this - did they hack each individual wp and joomla site backend?

    Or has my PC been compromised?

    Thanks if anyone can advise.
     
  2. oxonbeef

    oxonbeef BANNED

    Joined:
    Jan 4, 2009
    Messages:
    2,242
    Likes Received:
    7,872
    They could've got in numerous ways.
    Your pc, script in a template, they could
    be inside your whole C block.
    Have you brought this to the attention of your hosts?
    There may be other sites on that server hacked as well.
    Now you need to secure yourself and fix any damage.
     
  3. macdonjo3

    macdonjo3 Jr. VIP Premium Member

    Joined:
    Nov 8, 2009
    Messages:
    5,562
    Likes Received:
    4,317
    Location:
    Toronto
    As beef had said already, it could have been a number of ways. I am guessing the most common way: using a keylogger or iStealer or something. What kind of virus software are you using?
     
  4. cunningstunts

    cunningstunts Registered Member

    Joined:
    May 7, 2009
    Messages:
    69
    Likes Received:
    13
    Yes - been onto my hosts - namecheap and they have an internal back up ready to go.

    So this is interesting - my anti-virus has been completely removed. PC was left on over New Year's Eve.

    I've been away for last few days.

    Latest software I installed was AMR.

    Not sure what to do - reinstall antivirus software or reinstall OS.
     
  5. oxonbeef

    oxonbeef BANNED

    Joined:
    Jan 4, 2009
    Messages:
    2,242
    Likes Received:
    7,872
    Looks like your box is compromised.
    If you have nothing on there to lose,
    by all means reinstalling is simpler than
    searching for a virus AVs don't detect.
    What AV are you using anyway?
    Was the last execution from a legitimate source?
     
  6. nexozeon

    nexozeon Junior Member

    Joined:
    Sep 9, 2009
    Messages:
    190
    Likes Received:
    56
    Occupation:
    Owner of an auto site.
    Location:
    Saint Louis
    I personally would blow away the drive and just re-load the OS. Actually, as cheap as HDs are, I would brick the drive and buy a new one and start all over. Not having a good AV and being on all these sites is not a good idea.
     
  7. cunningstunts

    cunningstunts Registered Member

    Joined:
    May 7, 2009
    Messages:
    69
    Likes Received:
    13
    I was using Norton.

    You mean the last exe software install?

    It was AMR - Article Marketing Robot

    Yeah - will buy new HD and start again. Cheers for the FB.

    And Happy New Year!
     
  8. ivictus

    ivictus Regular Member

    Joined:
    Jan 26, 2010
    Messages:
    223
    Likes Received:
    31
    I got hit once by confirming directory submission emails. The directory site was infected with some Java program that started a download in my browser. I immediately shut down Firefox but it was too late. The software was installed and scanned my hard drive for stored passwords in WS-FTP and Dreamweaver. It then infected my hosting accounts so it could infect whoever visited them.

    What a pain. Never save your passwords to your hosting account in ftp programs.
     
  9. baDsectQr

    baDsectQr Newbie

    Joined:
    Jan 24, 2011
    Messages:
    0
    Likes Received:
    0
    The problem: the server is not secure, and your config file is easily reachable. Let me give an example command to pull the config:

    ln -s /home/username/public_html/configpath ex.txt

    Change the path of your config file and encrypt it.
    Good luck.
     
  10. aReJay

    aReJay Power Member

    Joined:
    Apr 29, 2009
    Messages:
    736
    Likes Received:
    237
    Location:
    Down under
    This works as long as you have access inside the server. In order for that you need to get access somehow.

    The most common way is via faulty Joomla/WP plugins. There are literally thousands (probably tens of thousands) of WP/Joomla sites waiting for me to upload my shell and do whatever I like to your site.

    When you have the choice, don't use open source software.
    -aReJay
     
  11. baDsectQr

    baDsectQr Newbie

    Joined:
    Jan 24, 2011
    Messages:
    0
    Likes Received:
    0
    Joomla or WordPress, it makes no difference :) First the index file is pulled, then require_once, or are there other ways to include the command?
     
  12. Gigusx

    Gigusx Newbie

    Joined:
    Jun 26, 2010
    Messages:
    10
    Likes Received:
    5
    I haven't, it could be your mistake probably.

    And change your AV, Norton sucks :)
     
  13. aReJay

    aReJay Power Member

    Joined:
    Apr 29, 2009
    Messages:
    736
    Likes Received:
    237
    Location:
    Down under
    That's a little too obvious and would be the first place that people look for redirects/defacements.

    You need to look deeper into your application, and usually the code will be obfuscated with base64_encode which makes it impossible to do an fgrep search for the code alteration.

    -aReJay
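Two things in this thread give a site owner something concrete to check for after a clean-up: post 9's symlink trick (a link inside public_html that resolves to another account's config file) and post 13's point that a base64-wrapped injection defeats a plain fgrep for the altered code. The script below is an added example written for this page from the defender's side; it is not code from any poster or from WordPress/Joomla. It walks a webroot without following directory symlinks, flags any symlink whose target resolves outside the account's home directory, and flags PHP files that contain a run-time unwrapper (eval(base64_decode(...)), gzinflate, the preg_replace /e modifier, or a very long base64 literal), since the unwrapper is plain text even when the payload is not. The /home/username/public_html layout, the neighbouring "victim" account and the file contents are all constructed for the demo; the pattern list is an assumption about common wrappers, not an exhaustive signature set.

```python
import os
import re
import shutil
import tempfile

# Wrappers that unpack a hidden payload at run time. A fgrep for the injected
# redirect/defacement string finds nothing because that string only exists in
# base64/gz-encoded form; the unwrapper call itself, however, is plain text.
# (Assumed list of common wrappers, not a complete signature set.)
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),  # /e evaluates the replacement
    re.compile(r"(?:base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{200,}", re.I),
]


def walk_entries(root):
    """Yield every path under root; os.walk does not descend into symlinked directories."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def relpath_posix(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_obfuscated_php(webroot):
    """Return (relative path, line number, matched text) for PHP files carrying an unwrapper."""
    hits = []
    for path in walk_entries(webroot):
        if not path.endswith(".php") or os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for pattern in OBFUSCATION_PATTERNS:
            match = pattern.search(text)
            if match:
                line_no = text.count("\n", 0, match.start()) + 1
                hits.append((relpath_posix(path, webroot), line_no, match.group(0)[:40]))
                break  # one finding per file is enough to send it for manual review
    return sorted(hits)


def find_escaping_symlinks(webroot, account_home):
    """Return (relative link path, resolved target) for symlinks that resolve outside account_home."""
    allowed = os.path.realpath(account_home)
    escaping = []
    for path in walk_entries(webroot):
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if os.path.commonpath([allowed, target]) != allowed:
            escaping.append((relpath_posix(path, webroot), target))
    return sorted(escaping)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_webroot():
    """Constructed sample: one account's public_html with a clean index.php, a theme
    file carrying an eval(base64_decode(...)) wrapper, and a symlink named ex.txt
    pointing at a hypothetical neighbouring account's configuration.php."""
    base = tempfile.mkdtemp(prefix="webroot_audit_")
    home = os.path.join(base, "home", "username")
    webroot = os.path.join(home, "public_html")
    _write(os.path.join(webroot, "index.php"),
           "<?php\nrequire_once 'wp-blog-header.php';\n")
    _write(os.path.join(webroot, "wp-content", "themes", "x", "functions.php"),
           "<?php\nfunction theme_setup() {}\n"
           "eval(base64_decode('ZXhhbXBsZQ=='));  // constructed; decodes to 'example'\n")
    other_config = os.path.join(base, "home", "victim", "public_html", "configuration.php")
    _write(other_config, "<?php $password = 'placeholder';\n")
    os.symlink(other_config, os.path.join(webroot, "ex.txt"))
    return base, home, webroot


if __name__ == "__main__":
    base, home, webroot = build_sample_webroot()
    for item in find_obfuscated_php(webroot):
        print("obfuscated PHP:", item)
    for item in find_escaping_symlinks(webroot, home):
        print("symlink leaves account:", item)
    shutil.rmtree(base)
```

Run against a real account, point find_obfuscated_php at the site's document root and find_escaping_symlinks at the document root and the account's home directory; every hit is a file to diff against a known-good copy of the plugin or theme, not proof of compromise on its own, since some legitimate plugins also ship base64-packed assets. The symlink check is the cheap complement to the host-side fix (restricting FollowSymLinks on shared hosts and keeping credentials out of world-readable paths) that post 9 alludes to.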