#1 (permalink)
Registered User
Join Date: Aug 2005
Location: Brampton, Cumbria
Posts: 21
Turkish Hacker ??
Last night I checked my website to find several of my main pages had been "hacked". I was left with a black screen with a ghostly figure of a child which looked like it was from the Vietnam war and some sort of reference to the fact that I had been hacked - there was a haunting type music to go along with it.
After a little investigation there were several fresh files installed on the website all called "default" - htm, php and css type pages. I removed all of these and the problem has now gone away. I am now of course very concerned that my website security has been compromised, do they know my password etc, any suggestions on best course of action gratefully received. I am satisfied that no-one has had access to my computer apart from myself and no-one else knows any of the website settings.

#2 (permalink)
Administrator
Join Date: May 2003
Posts: 1,299
Hi,
Your best course of action for the moment is to open a ticket so that we can investigate the problem for you. A likely source of the problem is an unprotected upload script. This works by someone uploading a script via your upload script and then running that code once their file is on the server. All users must ensure that upload scripts are well protected to ensure that all sites are kept secure.
Kind Regards,
Jacob
__________________
Jacob Colton jacob@catalyst2.com
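
One way to protect an upload script against the abuse described in the reply above, as an added example that is not part of the original thread or catalyst2's own code. It assumes a site that only accepts image uploads; the function names, the extension allowlist and the size limit are hypothetical choices for illustration.

```python
import os
import secrets

# Assumed policy for this example: the site only needs image uploads.
MAGIC = {  # allowed extension -> leading bytes a real file of that type has
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails any check."""


def safe_upload_name(client_name, data):
    """Validate an upload; return the server-chosen name to store it under."""
    # Keep only the last path component, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:
        raise UploadRejected("null byte in file name")
    # Exactly one extension: rejects default.php.jpg, .htaccess and bare names.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("file name must be name.ext")
    ext = "." + parts[1]
    if ext not in MAGIC:
        raise UploadRejected("extension not allowed: " + ext)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # A script renamed to .gif does not start with an image header.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name: nobody can predict or overwrite a path.
    return secrets.token_hex(16) + ext


def store_upload(upload_dir, client_name, data):
    """Write a validated upload into upload_dir and return its path.

    upload_dir should be outside the web root, or have script execution
    disabled, so a file that slips through is still never run.
    """
    path = os.path.join(upload_dir, safe_upload_name(client_name, data))
    with open(path, "xb") as fh:  # "x": fail rather than overwrite
        fh.write(data)
    return path
```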

#6 (permalink)
Administrator
Join Date: May 2003
Posts: 1,299
Paul,
If you log in to Helm, then click on domains, click on your domain, click on FTP accounts, click on the FTP account you want to edit. Then change the password in both boxes and click save.
Regards,
Jacob
__________________
Jacob Colton jacob@catalyst2.com

#7 (permalink)
Registered User
Join Date: Aug 2005
Location: Brampton, Cumbria
Posts: 21
Thanks for the help - I had seen this section (honest) but it looked so simple to change I didn't think it was right !!
Website sorted now I think, bogus pages removed - a warning to everyone out there on what others are prepared to do, good job my site isn't a large company etc - would have caused chaos. If you do have the name and address of the person responsible for the intrusion please pass it on - I wouldn't mind calling to see him one day,
regards
Paul

#8 (permalink)
Applications Developer
Join Date: Oct 2003
Location: Cheshire
Posts: 275
I've had issues with one of my sites along these lines too and have managed to check a whole range of IPs to a selection of Turkish ADSL accounts.
Unless they are very clueless hackers I'd guess they have found their way into people's accounts somehow so probably not worth reporting to the ADSL supplier....
I had a few files on my server, the culprit for removing files etc was called DB.asp which was a rather crude ASP page that enabled viewing of files in your directory, root paths to the server etc. Enough to do the damage though; oh did I mention it had an editor too!! Great!
Anyway, I believe the hackers and annoying email incidents people are reporting are related as my hacked site has been and still is having emails sent through its contact pages that use JMAIL. I've got a solution to check the referer but to be honest if they are going to this much trouble they could spoof the referer too so not sure what to do but I will give it a try....
If you want an example of where you can 'try' and secure your online mailing page you can visit this site which should help you out - http://www.brainjar.com/asp/formmail/default.asp
Tim Marshall

#9 (permalink)
Administrator
Join Date: Oct 2003
Posts: 1,484
Quote:
__________________
Jason Robbins jason@catalyst2.com