Hacker/Phisher got into my site?

Reply·Subscribe
cjordan
cjordanAdvanced
7 posts
0
 

Hello,

This was disabled, as this is the 5th phishing complaint related to this particular site within the past week, suggesting that this script has some fairly serious vulnerabilities.  This can not be opened back to the public until the code has been examined to find how these shells and phishing sites are being uploaded.  If you require development access via HTTP, please respond back with the public IP that requires access and we will be glad to arrange this for you, your public IP can be found at: http://www.hostgator.com/ip.shtml listed in red.
Alright I don't know much about programming. I know html and I installed the Dolphin script with the instructions a long time ago, but thats about as far as my programming knowledge goes. So I have no idea what is going on. I saw somebody else post about an Email exploit, but I don't know if my problem is the same so I didn't want to hijack his thread.

I have 2 sites that use Dolphin scripts, one of the sites is down and I received a few emails from Hostgator over the past few days that I just read today. I have no idea what to do about this, so if anybody knows whats going on, or mainly, how to avoid this in the future and how to protect my other site that is still up, I appreciate any help you can give me because I'm clueless at this point. Here's the information in the emails that hostgator gave me (I've replaced the name of my site with "datingsite"):

We have received complaints of a phishing site being hosted on your site as referenced above.  Upon inspection, we found that a phishing site had been installed on your account.  The vast majority of phishing sites are installed by malicious users who have found exploits in scripts previously (and legitimately) installed on the account. We have been forced to disable your site in order to prevent further malicious activities. Please contact us right away in order to resolve this matter.




[root@gator723 /home/cjordan/public_html]# chmod 0 datingsite.com/
[root@gator723 /home/cjordan/public_html]# chattr +ia datingsite.com/




The following malicious scripts were removed from your account:


./datingsite.com/BeLi.php
./datingsite.com/email.php
./datingsite.com/zpa.php
./datingsite2.com/jamess.php








The following malicious script were removed from your account:
./datingsite.com
./datingsite.com/paypal
./datingsite.com/paypal/img
./datingsite.com/paypal/img/Thumbs.db
./datingsite.com/paypal/error_log
./datingsite.com/paypal/css
./datingsite.com/paypal/cez.php
./datingsite.com/paypal/js
./datingsite.com/paypal/header.bmp
./datingsite.com/paypal/details.php
./datingsite.com/error_log
./datingsite.com/99.php
./datingsite.com/r58.php
./datingsite.com/egy_spider.php
./datingsite.com/Activation.zip
./datingsite.com/email.php
./datingsite.com/paypal.zip
./datingsite.com/1.php
./datingsite.com/Activation
./datingsite.com/Activation/PayPal
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/img
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/flows
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/fr_FR
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/fr_FR/FR
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/fr_FR/FR/i
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/fr_FR/FR/i/header
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/css
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/css/flows
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/css/fr_FR
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/css/pages
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/css/core
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/lib
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/lib/yui-0.12
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/lib/pui
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/lib/pui/pui-0.1
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/lib/yui
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/site_catalyst
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/js/hostedpayments
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/icon
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/logo
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/nav
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/pui
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/pui/scr
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/pui/core
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/pui/lightbox
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/header
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/btn
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/en_US/i/scr
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/pages
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/css/core
./datingsite.com/Activation/PayPal/webscrcmd=_login-submit&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350/paypal/js
./datingsite.com/r0b0t.php
./datingsite.com/ams.zip
./datingsite.com/c99.php
./datingsite.com/paypal1.zip

---

Reply from Hostgator

Hello,

This was disabled, as this is the 5th phishing complaint related to this particular site within the past week, suggesting that this script has some fairly serious vulnerabilities.  This can not be opened back to the public until the code has been examined to find how these shells and phishing sites are being uploaded.  If you require development access via HTTP, please respond back with the public IP that requires access and we will be glad to arrange this for you, your public IP can be found at: http://www.hostgator.com/ip.shtml listed in red.

(I have no idea what they're saying. Are they saying they are going to examine the code? Or am I expected to do that? and I don't understand what they mean by "if you require development access".)

Quote · 8 Jan 2010
mydatery
mydateryAdvanced
2234 posts
0
 

1.  Your on a shared server.  Does this host of Wordpress or something similiar on the same server?  If they do then the vulnerability of the server is huge as they can come in on one account and then move laterally across all accounts to drop phishing scripts where they want.

 

2.  What version of Dolphin are you running?  6.1.?  Is it .0, .4, .6?  Can't answer your question unless we know the answer to this question.

 

 

Quote · 8 Jan 2010
lancashiredates
lancashiredatesAdvanced
286 posts
0
 

Even though as MyDatery says your shared server could have serious vulnerabilities from other shared hosting accounts on that server.

Hostgator will expect you to investigate the cause of this and provide them with a reason why this has happened and the solution that you have to resolve this.

Try and get them to check all server logs for the dates that the phishing files where uploaded or altered and give you an explanation..

If not you will need to blag them a bit.

I presume you have no other scripts installed on this account that could be the cause of this.

  1. Give them your IP so that you can at least access your files and databases and save what you need.
  2. Backup everything at least your database and save media files etc for users.
  3. Tell them that you are going to remove everything from your server and start again.
  4. Change all passwords on the account
  5. Remove Everything
  6. Upload & Install the latest D6 or D7 software that you need and replace your database and media files

Everything should now be clean and safe, but if this does happen again then the vulnerability probably lies with Hostgator.

Dave...

Quote · 8 Jan 2010
Reply ›
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Knowledge Base
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd