A hiking site I visit appears to have been hacked. What needs to be done to correct it? Is any permanent damage done?
Crimsonman Ex NBR member :cry:
Well, considering they got in, change the access password.
Oh well.
Another thing...
Oddly enough, I do have a web site running off his site with an extension at the end of the main URL, and it appears OK.
Crimsonman Ex NBR member :cry:
Then how much of a friend is he if you don't have his number or ever see him online?
Once a webserver is corrupted/hacked/tainted you are best off to back up the data and verify all of it to ensure none of it was corrupted by the hack, then format the machine and reinstall the OS and files. You can't be sure what was infected at this point, and you need to treat the whole machine as corrupted/tainted and pull the network cable until you're sure it's clean. It really sucks, but it's the best course of action to ensure you don't have other malicious software installed such as zombies, root kits and the like (imagine your clients connecting to the box and getting infected by your server, big time suckage).
I once had one directory on my webserver hacked (my fault for not setting up the directory/script properly, nobody is perfect haha) and I had to go through this to ensure nothing else was corrupted. Man did it suck! The only thing the script kiddie did was gain read/write control over an images directory; he deleted all the images and uploaded a couple of photos of himself to prove he was there. No other directory was affected, but I still nuked the box just to be sure. The script was an online store I was testing on the backend of a production server, so nothing but product images were affected. I'm still not sure how he even found the store, as I was still testing it before linking it.
Ah well, I've rambled on enough. Good luck man =(
-Reby
Thanks Reby, I'll email him the info.
Looks like a vBulletin problem. Hope this site doesn't find out the hard way.
http://forums.digitalpoint.com/showthread.php?t=644589&highlight=hacked
If the site has any kind of user list (username/passwords) for forums or whatever, it's possible that the hackers got hold of that. In that case, since people tend to be unimaginative with their passwords, it'll be possible for them to log into half the users' GMail accounts.
That happened recently to a site I visit. (I wasn't registered there, luckily.) Half the users got locked out of their GMail accounts because the hackers logged in there and changed their passwords.
Most likely, though, they simply got access to change the front page or changed a few pointless bits in the database, without stealing people's personal information. Impossible to say for sure though.
Is this a "hiking site" or "hacking site"?
Maybe I'll go change mine while I have a chance.
For anyone's info, here's the offending IP: 212.116.220.73
Crimsonman Ex NBR member :cry:
Type in the IP to an IP lookup thingy and see who it is.
Who hosted the site? Usually people have a hosting provider (like an ISP). You need to alert them and ask them to investigate. Typically, if you used a large provider, they put multiple websites on a single physical machine. They also maintain log files of who accessed the site. In this case they probably just exploited vBulletin, or, if they exploited the server itself, they could have gotten in through another website hosted on the same machine.
Either way, your first step should be the hosting company. If they ran the site from their house or owned and maintained the physical computer themselves, you need to just unplug it from the network, analyze the disk and correct whatever they changed; if you can't do this, there are plenty of Linux/Windows gurus who can examine the SQL database and files.
A good reason to use a big name provider is that they spend a good bit of money securing their systems, so if this happens they are prepared to launch a criminal investigation.
Usually the people that do these things are just troublemakers; they will ask for a sum of money and they will restore the passwords. What's fun, if you know what you are doing, is to set up a bulletin board and intentionally leave the exploits there, and then add some booby traps for the hackers when they try the exploit. It's really fun to see them compromise the system and then begin running their scripts, only to find their scripts are instead reporting everything about the hackers to you instead of vice versa lol. It's called a 'honey pot'.
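The post above recommends pulling the host's access logs to see what the intruder actually touched. The following is an added example, not code from this thread or from vBulletin, that scopes every request from one source address in combined-format access logs: how many hits, the time window, which paths, and which requests changed state. The log lines are constructed for the example; the IP is the one posted earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample of combined-format (Apache/nginx style) access log lines.
# Not real log data; the source address is the one reported in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2008:22:14:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
212.116.220.73 - - [09/Jan/2008:23:02:17 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 3180 "-" "curl/7.16"
212.116.220.73 - - [09/Jan/2008:23:02:43 +0000] "POST /forum/admincp/template.php HTTP/1.1" 200 911 "-" "curl/7.16"
10.0.0.8 - - [09/Jan/2008:23:05:10 +0000] "GET /trails/ HTTP/1.1" 200 8844 "-" "Mozilla/5.0"
212.116.220.73 - - [09/Jan/2008:23:07:55 +0000] "GET /forum/admincp/template.php?do=edit HTTP/1.1" 200 2201 "-" "curl/7.16"
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict of named fields, or None if it is not a combined-format line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scope_ip(log_text, ip):
    """Summarise every request made by `ip`: count, first/last timestamp, paths hit, state-changing requests."""
    hits = [r for r in (parse_line(l) for l in log_text.splitlines()) if r and r["ip"] == ip]
    return {
        "count": len(hits),
        "first": hits[0]["ts"] if hits else None,
        "last": hits[-1]["ts"] if hits else None,
        # Strip query strings so the same script counts as one path.
        "paths": Counter(r["path"].split("?")[0] for r in hits),
        # POST/PUT/DELETE are the requests that could have modified templates, users or the database.
        "writes": [r["path"] for r in hits if r["method"] in ("POST", "PUT", "DELETE")],
    }

if __name__ == "__main__":
    report = scope_ip(SAMPLE_LOG, "212.116.220.73")
    print(f"{report['count']} requests between {report['first']} and {report['last']}")
    for path, n in report["paths"].most_common():
        print(f"  {n:3d}  {path}")
    print("state-changing requests:", report["writes"])
```

Run it against the real log with `scope_ip(open("access.log").read(), ip)`; the state-changing requests are the ones to reconcile against the database and templates before deciding whether a wipe and reinstall, as Reby describes, is the only safe option.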
Here's an email from vB about the vulnerabilities and how to correct it. I'm not sure if it applies here at NBR, but the Admins may want to take note.
Hacking a site?
Discussion in 'Windows OS and Software' started by Hiker, Jan 10, 2008.