
WARNING! my web site was hacked

Discussion in 'Blogging' started by 1nam1, Jan 31, 2009.

  1. 1nam1

    1nam1 Junior Member

    Joined:
    Mar 8, 2008
    Messages:
    139
    Likes Received:
    232
    My website was hacked!

    It rewrote .htaccess to the below


    When the website is clicked in the SERPs of Google, AOL, MSN, AltaVista, Ask and Yahoo, it will redirect every link in the website to
    This IP is from Moldova; I do not know where this country is.
    ISP owner is STARNET S.R.L

    Anyone who has had the same problem as me, please share.

    How did they do this to my website?

    How to prevent?
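Added example, not part of the original thread: a scan for the kind of rule the post describes, a RewriteRule that sends visitors to a foreign host only when the Referer matches a search engine. The rewritten .htaccess is not shown on the page, so SAMPLE is constructed, and 203.0.113.10 and example.org are placeholders.

```python
import re

# Search engines named in the post; matching them as substrings is an assumption.
ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
EXTERNAL_RE = re.compile(r"^https?://([^/\s:]+)", re.I)


def find_referrer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target_host, engines) for every RewriteRule that
    redirects to a host outside own_hosts under a search-engine Referer test."""
    findings = []
    pending = set()  # engines named by RewriteCond lines waiting for a rule
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pattern = cond.group(1).lower()
            pending.update(e for e in ENGINES if e in pattern)
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = EXTERNAL_RE.match(rule.group(2))
            if target and pending and target.group(1).lower() not in own_hosts:
                findings.append((no, target.group(1).lower(), sorted(pending)))
            pending = set()  # RewriteCond lines apply only to the next rule
    return findings


# Constructed sample: one referrer-conditional redirect, one ordinary rule.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://203.0.113.10/in.php [R=301,L]
RewriteCond %{HTTP_HOST} ^example.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
"""

if __name__ == "__main__":
    for line_no, host, engines in find_referrer_redirects(SAMPLE):
        print(f"line {line_no}: redirect to {host} for referrers {engines}")
```

Run it over every .htaccess in the account, not just the one in the root, since subfolders can carry their own.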
     
  2. emat

    emat Newbie

    Joined:
    Jan 12, 2009
    Messages:
    10
    Likes Received:
    4
    Occupation:
    web design, seo positioning
    I think you must download your whole site and virus and spyware scan it locally.
    Also change your ftp password.
    And of course change back your .htaccess
    Your hosting can probably restore your site or .htaccess from their back-ups.
    Hope this helped a bit :D
     
    • Thanks Thanks x 1
  3. baokyrox

    baokyrox BANNED BANNED

    Joined:
    Oct 10, 2008
    Messages:
    429
    Likes Received:
    34
    Your .htaccess seems hijacked. Did you leak your site info out in any way?
     
  4. chickuzt

    chickuzt BANNED BANNED

    Joined:
    Apr 19, 2008
    Messages:
    112
    Likes Received:
    97
    They probably injected your recent SQL DBs with backdoors and holes. So even if you changed and re-upped the site they could get back in. I suggest you use an older backup of your DB and change most of your passwords. Update your scripts along with your computer updates. Run antivirus... best of luck.
     
  5. Mage

    Mage Junior Member

    Joined:
    Jan 31, 2008
    Messages:
    150
    Likes Received:
    18
    I had a similar problem for a few of my sites. They changed my address to some French email and it was anti-American.

    Sort of spoilt my Christmas as I had to move my host and set up my blogs again, which had big databases. I suspect it may have been hacked from my host's side.
     
  6. javamax

    javamax Newbie

    Joined:
    Sep 28, 2008
    Messages:
    36
    Likes Received:
    1
    What a pity.
     
  7. booster2ooo

    booster2ooo Junior Member

    Joined:
    Jan 17, 2009
    Messages:
    104
    Likes Received:
    30
    change ALL your passwords
    check all your pages for malicious code (iframe, includes,...)
    check your website for RFIs/LFIs/SQLi etc
     
  8. mikie46

    mikie46 Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2008
    Messages:
    1,454
    Likes Received:
    1,102
    This has probably got to do with .htaccess being chmod 777. If that was the case, anyone can inject anything into that file. I don't get a lot of these stupid applications suggesting that people should chmod their files and directories to 777. Doing so will surely get you hacked eventually. It's not rocket science.

    WordPress suggests it too. Dumb asses. If you're going to make changes to your WordPress installation through the admin panel, then change .htaccess to 777, but after you finish up I suggest you chmod it back to 0644 and only change it when needed, otherwise these trolls will hijack your files.

    I also do not chmod 777 any of my templates or directories. They are all 755. I simply download via Dreamweaver the files I need to modify, then upload them. I don't make template changes through the WP interface, otherwise you are forced to chmod those files to 777 where a hacker can inject them.

    It's got nothing to do with passwords and crap like that as suggested above. It's got to do with site security via permissions. Do not chmod 777 anything. Keep it all at 755, work offline and upload your changes, then it will be instantly impossible to hack your files provided that there isn't a security vuln in one of the files.
     
    • Thanks Thanks x 2
    Last edited: Jan 31, 2009
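Added example, not part of the original thread: an audit of a web root for the modes discussed above, which reports world-writable entries (777, 666) and a group-writable .htaccess, then resets .htaccess to 0644 and strips group/other write bits elsewhere. The function names are hypothetical; mode bits say nothing about what the file's owner can write, so a file owned by the web server account stays writable by it at 755 or 644.

```python
import os
import stat


def audit_web_root(root):
    """Return sorted (relative_path, octal_mode, reason) for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                reason = "world-writable"
            elif name == ".htaccess" and mode & stat.S_IWGRP:
                reason = "group-writable .htaccess"
            else:
                continue
            rel = os.path.relpath(path, root)
            findings.append((rel, oct(mode)[2:], reason))
    return sorted(findings)


def tighten(root, findings):
    """Apply the modes named in the thread: 0644 for .htaccess, and no
    group/other write bit on anything else that was flagged (777 -> 755)."""
    for rel, _mode, _reason in findings:
        path = os.path.join(root, rel)
        if os.path.basename(path) == ".htaccess":
            os.chmod(path, 0o644)
        else:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    import sys
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode, reason in audit_web_root(web_root):
        print(f"{mode}  {rel}  ({reason})")
```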
  9. cooooookies

    cooooookies Senior Member

    Joined:
    Oct 6, 2008
    Messages:
    1,008
    Likes Received:
    216
    This is something I never understood.

    chmod 777 means that other people who have access to the file system can change it. But... this is mostly not the case.

    And if the permissions are set to 755, the web server still has write access.

    So, where exactly is the security hole where write permissions for everybody can have an impact?
     
  10. BlackBeret

    BlackBeret Regular Member

    Joined:
    Jul 12, 2008
    Messages:
    257
    Likes Received:
    61
    Location:
    Transexual, Transylvania
    I used to, and still, get this sometimes in my WP themes and/or plug-ins folder. I've never had it in my root directory, not yet anyway.

    Another one that I find a lot is the same thing, but ionCube encoded. If you are looking through your file structures and see some large, like 12K, file, and you don't recognize it, it's probably another redirect or something worse.

    Another tell-tale that I find a lot is an error.html or .php file in a folder. If you find one that you didn't put in there then there is probably a hack redirect in the same folder sending traffic to the error page.

    One more, now that I think about it. Sometimes when I'm reviewing my server logs I'll see something like:

    mydomain.com/folder/?query.js=viagra+cheap

    or something real close to that. That is another sign you've been hacked. You can click the referrer link and it will take you back to the search engine page that will show the hacked page in your site. You can also track it down in the folder and delete everything.

    It sucks, but it happens. I used to find aeroflighttraining.com redirects in my sites all the time. I bet there are some now just waiting for me. Always backend folders that don't get traffic, not the root... yet.
     
    • Thanks Thanks x 1
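Added example, not part of the original thread: the log sign described in the post above, as a pass over Apache combined-format lines that groups search-engine-referred hits by folder when the query string uses a parameter the site does not define. LOG_LINES is constructed, and KNOWN_PARAMS is an assumption to replace with the parameters your own scripts accept.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" '
    r'(\d{3}) \S+ "([^"]*)"'
)
ENGINES = ("google.", "yahoo.", "msn.", "aol.", "ask.", "altavista.")
KNOWN_PARAMS = {"p", "s", "page_id", "cat"}  # assumption: the site's own parameters


def suspicious_search_landings(lines, known_params=KNOWN_PARAMS):
    """Map folder -> [(unknown_parameter, referrer)] for hits that arrive
    from a search engine with a query parameter the site does not use."""
    by_folder = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, target, _status, referrer = m.groups()
        ref_host = (urlsplit(referrer).hostname or "").lower()
        if not any(engine in ref_host for engine in ENGINES):
            continue
        url = urlsplit(target)
        unknown = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)
                   if k not in known_params]
        if unknown:
            folder = url.path.rsplit("/", 1)[0] + "/"
            by_folder[folder].append((unknown[0], referrer))
    return dict(by_folder)


# Constructed log lines (documentation IP range, made-up timestamps).
LOG_LINES = [
    '198.51.100.7 - - [31/Jan/2009:10:12:01 +0000] "GET /folder/?query.js=viagra+cheap HTTP/1.1" 200 5120 "http://www.google.com/search?q=viagra+cheap" "Mozilla/5.0"',
    '198.51.100.8 - - [31/Jan/2009:10:13:44 +0000] "GET /?p=12 HTTP/1.1" 200 8391 "http://search.yahoo.com/search?p=blog" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2009:10:15:02 +0000] "GET /folder/?query.js=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for folder, hits in suspicious_search_landings(LOG_LINES).items():
        print(folder, hits)
```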
  11. DrzMedia

    DrzMedia Regular Member

    Joined:
    Sep 19, 2008
    Messages:
    445
    Likes Received:
    108
    Thanks for warning us about your website being hacked! I'll be sure to stay away from it.
     
  12. stealthisblog

    stealthisblog Regular Member

    Joined:
    May 26, 2008
    Messages:
    289
    Likes Received:
    238
    Location:
    New York City
    You can't backdoor a SQL database, but they may have changed your password in there or added another admin user. They could have backdoored some of your PHP files or even your host's server. And downloading the directory and scanning for viruses as another member said won't do anything. You need to look at your Apache logs and see how they got in. I'm guessing it was an RFI or a SQL injection.
     
  13. futurer

    futurer Newbie

    Joined:
    Sep 16, 2008
    Messages:
    33
    Likes Received:
    18
    One easy way to gain access to the site is by doing a SQL injection attack against your database and retrieving all logins and passwords. Oftentimes admins use the same passwords on many systems. Once the password is retrieved, the hacker can try to log in to the ISP control panel where the site is hosted and do any damage they want...

    But in your case, unless your site is well known, the attack was fully or partially automated. This likely means that you're using unpatched or buggy software with a known security vulnerability.

    Search Google for the name of your software, plug-in, etc. + "vulnerability" to see what's available and patch immediately! For example: "wordpress vulnerability" "phpBB vulnerability".

    Good luck!!!!
     
  14. 1nam1

    1nam1 Junior Member

    Joined:
    Mar 8, 2008
    Messages:
    139
    Likes Received:
    232
    Thanks, all, for the recommendations.
     
  15. scoots250

    scoots250 Registered Member

    Joined:
    Jul 23, 2007
    Messages:
    96
    Likes Received:
    134
    Some really good information there guys, will have a look into my own stuff to see what's lurking