
[Need Help] My site is hacked by dbuzz... what should I do?

Discussion in 'BlackHat Lounge' started by srb888, Jul 2, 2012.

  1. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    My site is being hacked by dbuzz. There are plenty of such instances on the internet and I am baffled at what to do to save my site and kick the bast*ard out of it, at least for some more time -- like the next 10,000 years.:)

    I've already asked the hosting service to look into it just a few moments ago and am awaiting his email....

    Of course I had a complex password in place -- but that's no help at this stage after the calamity has struck in spite of that. As the site is a very important one, there were no malicious scripts or themes, etc., installed. I design my own theme/template and use clean code.:) My PC (used for FTP up/downloads) is also clean as per my AV. But I know that statement is not a great help now!

    I need all the info on how to get through it (getting rid of the hacker from my site and preferably keeping him and his breed out) from our esteemed members here.

    I appreciate your inputs on this.

    Thanks all!
     
  2. HostStage

    HostStage Jr. VIP Jr. VIP Premium Member UnGagged Attendee

    Joined:
    May 20, 2010
    Messages:
    1,773
    Likes Received:
    1,730
    Occupation:
    BHW - CEO of Webhosting Company
    Location:
    BWH from France
    What CMS are you using? Is it up to date?

    Do you have FileZilla with your websites saved in it on any computer, VPS, server or VA's computer without AVG installed?

    Is SSH enabled within your shared hosting account?

    Also, look within your FTP, in all the folders, to see if there is something like _p.php or h.php outside the public_html folder (PHP trojan).
     
  3. -ReX-

    -ReX- Power Member

    Joined:
    Apr 26, 2012
    Messages:
    707
    Likes Received:
    274
    Location:
    Manly, Australia
    If you are using WordPress, make sure it is the latest version. It has tons of exploits.
     
  4. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    WordPress (almost the latest version is used) with not too many plugins on the 3 sites present on the shared hosting.

    Host is US, new, but reliable. This is a new host that I tried about 6 months ago. No problems whatsoever since then. (My main sites aren't on this host though; they are hosted in the UK.)

    AVG installed on my system. Regular scans done.

    SSH - don't know... no idea. :(

    Will look for those trojans... but my host has already begun or will begin working very shortly on my site as per his last email to me.

    Thanks.


    Using Core FTP Le.
     
  5. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    Checked WP just now. Fantastico on the hosting uses the WP 3.3.1 version at present -- I used that to install my 3 sites.
     
  6. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    OK, just got an important update from the host >>

    Code:
    Hello,
    We also detected 6 websites hacked on the Free Cloud Server and all were
    by the same hacker. After intensive research, our Network Security Department
    has detected the cause for this problem and the cause was because of Customers
    WordPress Themes using vulnerable timthumb script. Please read below....
    ... ... [lots of text here] ... You should have your customers make sure their version 
    of WordPress is kept up to date, and to avoid themes which make use of the default 
    timthumb script.
    
    Here is an article about the vulnerability, which also contains links to
    themes which make use of the script:
    
    http://wpcandy.com/reports/timthumb-security-vulnerability-discovered
    
    http://www.youtube.com/watch?v=i5EzZKCB-H4
    
    IMPORTANT STUFF:
    http://wpmu.org/how-to-protect-your-wordpress-site-as-hackers-exploit-timthumb-security-hole/
    http://wordpress.org/extend/plugins/wordpress-firewall-2/
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
    --------------------
    
    Read this article to fix the problem http://brianwong.com/blog/how-to-clean-up-the-timthumb-wordpress-hack/
    
    Hope this helps our members if needed...



    I am going through all that text now. I thought my host would give me a clean site in minutes though! :D
     
  7. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    So TimThumb may be the possible problem here... hmm... I had been aware of that little fu*ng thumb before, and on this forum it was well dissected by our members.

    For members needing more info in this regards, please Google this >> "site:blackhatworld.com timthumb" with or without quotation marks.
     
  8. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,260
    Likes Received:
    5,067
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    Just checked for "timthumb" on my sites and only the theme Colorway (I've a paid version) is using it. Hmm... will clean and then recheck... but would that help me get the hacker entirely out though?

    But funny! >>>
    That theme (ColorWay) is installed on my 2 sites and not on the hacked root site (both are sub-domains; all three have their own WordPress instances), and still the root is hacked and not the 2 sub-domains! Maybe that has given the hacker access to the root... how? And why not these 2 sub-domains?

    Code:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://codex.wordpress.org/Hardening_WordPress
    

    P.S.:
    Hopefully, my sites are cleaned now!!!
     
    Last edited: Jul 2, 2012
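Added example (not code from the thread, the host, or any plugin linked above): an offline triage script that checks a downloaded copy of the FTP home for the indicators raised in posts 2, 6 and 8 in one pass. It locates timthumb copies (including renamed ones, by a header-comment pattern that is an assumption about the script's header text) and reads their version, treating anything below 2.0 (the August 2011 rewrite) as the code base the host's advisory refers to; flags PHP files inside a `cache` directory, which is where a timthumb abuse leaves its payload; flags PHP files outside `public_html` and the `_p.php` / `h.php` names from HostStage's post; and flags the common `eval(base64_decode(...))` dropper shape. The `SAMPLE_FILES` tree is constructed for the demo and is not a real theme or hacked file; the `cache` check, the 2.0 threshold and the obfuscation regex are heuristics, so every hit still needs to be read by hand, and a copy that reports 2.x should still be compared with the current upstream release.

```python
"""Offline triage of a WordPress FTP home for the indicators discussed in the thread.
Added example; patterns and thresholds below are assumptions noted inline."""
import os
import re
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}   # thumb.php: common rename (assumption)
ODD_NAMES = {"_p.php", "h.php"}                   # names quoted in HostStage's post

# Header comment seen in timthumb copies (1.x "TimThumb script created by",
# 2.x "TimThumb by"); catches renamed copies. Assumption about the header text.
TIMTHUMB_HEADER_RE = re.compile(r"TimThumb (?:script created )?by", re.I)
# 2.x declares define('VERSION', '2.8.10'); the 1.x series used $version = "1.x".
VERSION_DEFINE_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""")
VERSION_VAR_RE = re.compile(r"""\$version\s*=\s*['"]([\d.]+)['"]""")
# Classic obfuscated-dropper shape. A heuristic, not proof of compromise.
OBFUSCATED_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
FIXED_FROM = (2, 0)   # releases below 2.0 are the code the 2011 advisory covered


def version_tuple(text):
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def timthumb_version(source):
    m = VERSION_DEFINE_RE.search(source) or VERSION_VAR_RE.search(source)
    return m.group(1) if m else None


def scan(root, webroot="public_html"):
    """Walk the FTP home `root`; return (category, relative_path, note) triples."""
    root = os.path.abspath(root)
    webroot_prefix = os.path.join(root, webroot) + os.sep
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue
            if not path.startswith(webroot_prefix):
                findings.append(("php-outside-webroot", rel, "PHP above public_html"))
            if name.lower() in ODD_NAMES:
                findings.append(("odd-name", rel, "matches the trojan names from the thread"))
            if "cache" in rel.split(os.sep)[:-1]:
                findings.append(("php-in-cache", rel, "a timthumb cache dir should hold images only"))
            if name.lower() in TIMTHUMB_NAMES or TIMTHUMB_HEADER_RE.search(source[:4096]):
                ver = timthumb_version(source)
                if ver is None:
                    findings.append(("timthumb-old", rel, "no VERSION string; treat as 1.x"))
                elif version_tuple(ver) < FIXED_FROM:
                    findings.append(("timthumb-old", rel, f"version {ver} predates 2.0"))
                else:
                    findings.append(("timthumb", rel, f"version {ver}; compare with upstream"))
            if OBFUSCATED_RE.search(source):
                findings.append(("obfuscated-eval", rel, "eval() over a decoder; read it by hand"))
    return findings


# Constructed sample tree (not real files from the thread) so the scan runs offline.
SAMPLE_FILES = {
    "public_html/index.php": "<?php require 'wp-blog-header.php';\n",
    "public_html/wp-content/themes/colorway/timthumb.php":
        "<?php\n/* TimThumb script created by Tim McDaniel */\n$version = \"1.29\";\n",
    "public_html/wp-content/themes/colorway/cache/c3f9a1.php":
        "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    "public_html/wp-content/themes/colorway/cache/c3f9a1.jpg": "not-a-php-file\n",
    "public_html/blog2/wp-content/themes/other/thumb.php":
        "<?php\n/* TimThumb by Ben Gillbanks and Mark Maunder */\ndefine ('VERSION', '2.8.10');\n",
    "_p.php": "<?php /* placeholder for a dropped file outside the web root */ ?>\n",
}


def run_demo():
    """Write SAMPLE_FILES into a temp dir, scan it, return {category: {relative paths}}."""
    base = tempfile.mkdtemp(prefix="wp-triage-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    grouped = {}
    for category, rel, _note in scan(base):
        grouped.setdefault(category, set()).add(rel.replace(os.sep, "/"))
    return grouped


if __name__ == "__main__":
    for category, paths in sorted(run_demo().items()):
        print(category, sorted(paths))
```

Run it against a full FTP download of the account (not just `public_html`) so the "outside the web root" check has something to look at; on a hacked account, the `php-in-cache` and `timthumb-old` hits are the ones to remove first, then replace the theme's timthumb copy with the current upstream file or a theme that does not ship it, as the host's email recommends.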