
Someone Hacked My Mother F'in Site

Discussion in 'BlackHat Lounge' started by nam6641, Sep 4, 2009.

  1. nam6641

    If anyone here owns mybookface.net I am about to rip your mother f'in head off.

    Anyone who is good with coding, can you solve this for me...

    My site's homepage is redirecting to that mother f'er's site. So I took down the index.php page and put up a regular index.html page saying that the site is currently down. I uploaded this file to my server.

    I access my homepage and somehow this gets added to my homepage web address:

    /%3C?=base64_decode($_REQUEST)?> I delete the index.html, c... getting added into the header. any ideas?
     
  2. trophaeum

    Hire someone half decent to fix your site properly. You only have the right to complain if your code is good; if your code is so shit you got hacked, you deserve it.
     
  3. IamNomad

    There needs to be more info added here. And there are lots of ways to append a URL: scripted redirect, Apache redirect, .htaccess redirects...

    I do agree with troph however, your shit got hacked because

    • you most likely wrote terrible code
    • got a virus and your FTP pw got swiped
    • your server isn't kept up to date and someone exploited it.
     
  4. ty180sx

    http://wordpress.org/support/topic/263014

    http://www.google.com.sg/search?q="...=s&rls=org.mozilla:en-US:official&hs=wfj&sa=2

    Domain Name: mybookface.net
    Registrar: ENOM, INC.
    Whois Server: whois.enom.com
    Referral URL: http://www.enom.com
    Status: clientTransferProhibited

    Expiration Date: 2009-12-17
    Creation Date: 2008-12-17
    Last Update Date: 2008-12-21

    Name Servers:
    ns1.byethost.org
    ns2.byethost.org

    IP: 209.51.195.115
    IP Location: Marina Del Rey, United States

    Whois is protected.
    You may want to contact your host also.
     
  5. bzy39

    I think you use free hosting from byethost, or from someone else that uses byethost as a server. It will happen if some script on your site is not working, or not found.
     
  6. nam6641

    It's not 'my code', it's simplemachines forum code.

    Thanks for the kind words though, just cuz you're an expert in website security doesn't mean everyone is, dude.
     
  7. gundamwing

    you need to read this if you want revenge
    Code:
    http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=phpfox+&type=archives
     
  8. Sweetfunny

    Check through your FTP logs, you will probably see logins. Most likely your FTP details got swiped off your machine.

    * Log in to your cPanel or whatever... "On a clean PC"
    * Change your FTP passwords
    * Firewall this from your server: 209.51.195.115 (and any strange IPs in your FTP logs)
    * Remove the malicious code from your index files, also look in login, admin and similar URLs in all extensions html, php, html, asp etc.

    Actually it's probably best to just check all your files' last modified dates and dump the whole filesystem to your desktop and do a "find in files" for "base64" and other common encoding patterns. Also scan them, most AVs detect shells like c99, r57 etc.

    Clean the logger off your PC.
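
The sweep described in the post above (last-modified dates plus a "find in files" for "base64" and similar patterns, with the .htaccess check suggested later in the thread), as an added example that is not part of the original thread. The pattern list, the seven-day window, the `redirect.example` host and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic patterns (assumptions for this example, not a complete signature set).
PATTERNS = {
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "gzinflate/str_rot13": re.compile(rb"\b(gzinflate|str_rot13)\s*\(", re.I),
    "external redirect": re.compile(rb"^\s*(RewriteRule|Redirect)\b.*https?://", re.I | re.M),
}
EXTENSIONS = {".php", ".html", ".htm", ".asp", ".js"}


def scan(root, modified_since):
    """Return (relative path, matched pattern names, recently modified) per flagged file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in EXTENSIONS and path.name != ".htaccess":
            continue
        data = path.read_bytes()
        hits = [name for name, rx in PATTERNS.items() if rx.search(data)]
        recent = path.stat().st_mtime >= modified_since
        if hits or recent:
            findings.append((path.relative_to(root).as_posix(), hits, recent))
    return findings


def build_sample(root):
    """Constructed sample tree: one old clean file and two recently changed files."""
    root = Path(root)
    (root / "about.html").write_text("<h1>About</h1>\n")
    os.utime(root / "about.html", (1_000_000_000, 1_000_000_000))  # backdate to 2001
    (root / "index.php").write_text("<?=base64_decode($_REQUEST)?>\n")  # string from the thread
    (root / ".htaccess").write_text("RewriteRule ^(.*)$ http://redirect.example/ [R,L]\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, hits, recent in scan(tmp, time.time() - 7 * 86400):
            print(f"{rel}: patterns={hits} recently_modified={recent}")
```

Run it against a downloaded copy of the site rather than the live server, and treat a file that is both recently modified and pattern-matched as the first thing to diff against a known-good copy.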
     
  9. mr4army

    Your site normally gets redirected when your site gets suspended. I'm guessing you're on byte host or a reseller of them; that's where they redirect it to.
     
  10. zorphee

    Why not ask your host/server to restore back to the last good configuration?
     
  11. surajprakash31

    I'm 99.99% sure your site is not hacked, your site has been suspended by your host or the registrar. Mail and ask them why this is happening and they'll tell you that they suspended your site due to some complaints.
     
  12. geezer101

    Hey, I use bytehost free hosting, and if a page is not found etc it redirects to mybookface. Also if it's a banned file extension (not that this applies to your case) such as .zip or .rar that will also be blocked and redirect to that page. In fact, if a page fails to load for whatever reason, it is redirected. On a normal post, you'd just get a page cannot be found etc, but they obviously have this in place to try and make more money.

    Sure it's not an error in the code somewhere? You say this gets added:
    /%3C?=base64_decode($_REQUEST)?> But I can't see why the first ... Check .htaccess file for anything strange..
     
  13. safaristyle

    Yea..this is the case..I once tried blackhatstuff with that free host and later my site also redirected to the same site which OP mentioned in this thread