Hacked again

Robin posted 21st of July 2008 in Community Voice. 14 comments.

hey guys,

Just thought i share this with you.

 

I got hacked again and this time it was after  modifying the php.ini(register_globals = Off). and before installing dolphin 6.1.3 patch.

 

My site must be very importent to be hacked 3 times within the last 2 weeks..have to say,  i'm feeling kind importent...LOL

 

the first 2 times i didn't have the register_globals off.

the last hack had something to do with paypal. who ever hacked my site put in a folder/files under the chat folder(chat/www.paypal.com).

I must have changed cpanel pwd good 3 times but i have a feeling there not using my password to get into my site.

---------------------------------------------------------------------------

emails i received from pay pal

---------------
Hello.

It has come to our attention that a PayPal spoof site has been set up at
removed site info.

We believe that your website has been compromised.

We recommend that you change your password for your web hosting accounts as soon as possible, and then remove the offending material.

If you have any logs or data files that could help us track down the perpetrator of this crime, we would appreciate it if you could forward that on to us.

If you have any questions or need further assistance, please do not hesitate to ask.

Thank you.

PayPal.com
securityalerts@ebay.com

============
from Jeff
with email ftsteam@paypal.com
-------------------------------------------------------------------------
email from: phishcop
Your web server has been hacked and is being used to host this phishing site:  removed site info/folder.

Please remove the phishing files and secure your server.
============
from Patrick Klos
with email admin@phishcop.net
 
Comments
·Oldest
·Top
Please login to post a comment.
mscott
The first time I was ever hacked I took it very personally... then after much research I found out that it is completely automated and they hit thousands of people a day.

Once their "bot" adds you to their list of vulnerable servers they will hit you again and again.. if you are VERY unlucky they will post a link to the vulnerable file in a hacker forum so EVERYONE will start trying to take a crack at you.

I keep saying "you" but the bottom line is if you are using a shared see more hosting account it could be anyone on your server that is vulnerable. If another user is using a outdated script that requires register_globals to be turned on it could be THEM that is leaving the back door open.

What is happening to you is MUCH more serious that just a defacement (some silly logo on your homepage) because if they are doing bank fraud from your account at some point the finger of guilt might be pointed at you.. especially from the general public who have NO idea how hackers work and all they remember is seeing your domain name in the address bar when then entered their pin number, credit card, and socail security number.
mscott
The first time I was ever hacked I took it very personally... then after much research I found out that it is completely automated and they hit thousands of people a day.

Once their "bot" adds you to their list of vulnerable servers they will hit you again and again.. if you are VERY unlucky they will post a link to the vulnerable file in a hacker forum so EVERYONE will start trying to take a crack at you.

I keep saying "you" but the bottom line is if you are using a shared see more hosting account it could be anyone on your server that is vulnerable. If another user is using a outdated script that requires register_globals to be turned on it could be THEM that is leaving the back door open.

What is happening to you is MUCH more serious that just a defacement (some silly logo on your homepage) because if they are doing bank fraud from your account at some point the finger of guilt might be pointed at you.. especially from the general public who have NO idea how hackers work and all they remember is seeing your domain name in the address bar when they entered their pin number, credit card, and socail security number.
sammie
so you still have not applied the 6.1.3 patch?
and wonder why you get hacked?
like mscott said, its shared hosting, once you have access to any site on a shared host with register globals on, you have access to the 1200 websites that share the same host on that server. no matter if you turn globals off, they gain access via the master settings,
Technoman
not just her getting hacked many others also

i keep hearing this everyday now .........

so yes I think 100% its cause of it being on a shared server is giving the back door open to all people on that server thats being shared
sammie
emails i received from pay pal
---------------
Hello.

It has come to our attention that a PayPal spoof site has been set up at
removed site info.

We believe that your website has been compromised.

We recommend that you change your password for your web hosting accounts as soon as possible, and then remove the offending material.

If you have any logs or data files that could help us track down the perpetrator of this crime, we would appreciate it if you could forward that on to us.

If see more you have any questions or need further assistance, please do not hesitate to ask.

Thank you.

PayPal.com
securityalerts@ebay.com <<< since when does ebay write emails for paypal?
^^^^^^^^^^^^^^^^^^^^^^^^
Robin
I didn't send them anything.
gameutopia
Shared hosting don't matter. As long as you secure it and your host is decent they don't want their servers going down either.

All I ever hear is shared hosting is the problem. True it can be a problem but I wouldn't say they are any more hackable than any other.

These posts above me mention vps and dedicated but they are selling space/services which means they are sharing. So if they are not set right then they are saying they are vulnerable.

It comes down to watching your site, protecting see more it, securing it. All of this can be done at different levels with different hosting enviornments. Just because you have shared hosting doesn't mean you are more likely to be hacked.

I actually believe if you have a dedicated or vps and you don't know which files to edit you are more likely to be hacked because you are un-aware of server administration. Where as you shared host usually does know this and addresses them. There are many files that need to be tightened up in vps and dedicated environment, and if you don't know this, than all your accounts(shared) you setup will be affected by your inexperience.

So go with a top level shared host before a nobody dedicated or vps. Unless you can really verify.
vivicam
Good point GAMEUTOPIA... I think as long as you know the implications for each (shared, VPS and dedicated hosting, i.e.) then you stand a good chance. In the case of shared, well, we've heard time and time again about the risk of potential irresponsibilities of others you share servers with. For VPS and Dedicated, there is cost, the added maintenance complications, and greater authority over the server.

So, GAMEUTOPIA is on point (in my opinion) when steering the blame away from shared hosting see more specifically. After all, a person who buys into VPS or dedicated hosting who don't really know what they are doing, can actually cause more harm than good. Uncontrolled power is dangerous. Imagine what that could mean if a hacker gets those server admin priviledges.
UnivProvGroup
Hello,
I read all the above posts... and my site has also been hacked... i received the same email from "paypal" and it seems that there is no real solution..if the hackers want in they will get in...
raeshantael
I have read the posts too. Okay, so we have a shared server. Is there ANY WAY WE CAN STOP IT????

Please, dont avoid the question, just give a straight answer. My site is hacked 4 times a day.
Ricco
help my lang russia
LightWolf
shaneed, there is no reason for you to be rude, if you have nothing nice to say, then don't say anything. Gezzzz....kids.....
pcnetguru
My specialty is microsoft...but I can work my way through linux ok. I've seen and experienced many hacks that involved the hacker gaining access to the actual asp/php file and putting in an iframe or script that references some website with a virus.


I am not an expert at permissions in linux (opensuse to be exact).


What I need to know is what is the linux equivalent to IUSR in windows server? And can i give this user read-only access to my dolphin directory?

An example of the command see more would rock.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.12612700462341