amitinoz
May 3 2008, 02:52 PM
Hi,
I own a website for my business. Recently I found out that my homepage was changed to a blank page reading:
"pwned By Mor-r0ver + Wizardz at email com +
gr33tz to aLL friendZ"
On googling the above line, I found out that there are many websites which have been defiled in this way.
Incidentally, all the linked pages on my website are working fine and can be reached directly.
I need to know:
1. How did this happen? (I do not share my cpanel password with anyone)
2. How can I undo this? (I have limited knowledge of web-developing and got someone to put the website together for me in the first place)
3. How can I prevent this in the future?
Please help me...
Thanks
Amit
Are you using Joomla! CMS??
amitinoz
May 4 2008, 03:52 AM
Hi Raw,
How do I know if I am running either Joomla/CMS?
Have not heard of them before...
I have access to a control panel which I only use to look up website stats or check email from in case I am not using Outlook...or sometimes bump up/down email storage quota...
When you log in to Cpanel does it tell you Joomla! is installed?
When you visit your website does it say Joomla! anywhere? (usually near the bottom)
Reason I ask is Mor-r0ver seems to have found an exploit in the Joomla! Content Management System.
http://www.joomla.org/
groovicus
May 5 2008, 08:02 PM
Did you find an actual Joomla exploit, or maybe just a coincidence, ie, the admin password for Joomla was not changed?
amitinoz
May 6 2008, 02:04 AM
Heyya Raw/Groovicus
Thanks for pitching in to help!!
No Joomla as far as I know...and I searched Cpanel..
I host through www.host.ac and lately they have been a bit of a pain in the rearside especially when it comes to renewals etc...
I am not an expert here so I will just put down what I found on Cpanel apart from the usual stuff...
Softwares/Services: CGI Centre, Perl Module, PHP Configuration, Fantastico De Luxe.
Advanced Features: Apache handlers, Image Manager, Index Manager, Error pages, Cron Jobs, FrontPage Extensions, MIME Types, Network Tools. All of these things are features I have never used/know nothing about...
Cheerio
No actual exploit, just defaced CMS sites. Could be SQL injection.
Mainly the defaces look like Joomla and Drupal sites.
Nothing on BugTraq.
amitinoz
May 6 2008, 01:38 PM
That's all a bit of Latin to me...but I think I get the picture...
Can you explain how it happened so I can avoid it in the future...
cheers
groovicus
May 6 2008, 03:08 PM
It depends; are you hosting your website, or is someone else? If someone else, then it is really their responsibility to keep their servers secured and updated (if your bank didn't have alarms and a safe, would you want to keep your money there?). Find out from them if there is anything you can do to help.
If you are hosting your own site, then it depends on your configuration and software.
QUOTE(amitinoz @ May 6 2008, 02:04 AM)

I host through www.host.ac
No, unfortunately I have not come across any logs, but you might just look in Cpanel at your logs (Raw Access Logs).
These logs will be completely foreign to you, but that's where they are.
It's still possible that the server your site is on was compromised. (slim chance)
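Those Raw Access Logs are plain Apache "combined" format lines, one per request. The script below is an added example (not from this thread or from cPanel) that parses such lines and pulls out the three things worth looking for after a defacement: SQL-looking query strings, POSTs to a PHP file inside a directory that should only hold images or uploads (the usual sign of a dropped web shell), and repeated POSTs to a login page from one address (password guessing). The log lines, IP addresses and paths are constructed for the demo; the regexes are heuristics, not a complete detector.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format, which is what cPanel's Raw Access Logs contain.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection fingerprints in a decoded URL; a heuristic, not a full detector.
SQLI_RE = re.compile(r"(union\s+select|information_schema|'\s*or\s+\S+\s*=)", re.I)

# Directories that should only ever hold static files; a POST to a .php file there
# is the classic sign of an uploaded web shell being used.
STATIC_DIRS = ("/images/", "/uploads/", "/media/", "/tmp/", "/cache/")

# Login endpoints to watch for password guessing (Joomla admin, WordPress, Drupal).
LOGIN_PATHS = ("/administrator/", "/wp-login.php", "/user/login")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(lines, brute_threshold=5):
    """Scan log lines and return the three kinds of indicators as a dict."""
    findings = {"sqli": [], "upload_php": [], "bruteforce": []}
    login_posts = Counter()
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        path = unquote_plus(r["path"])  # decode %27 and '+' so the regexes see plain text
        if SQLI_RE.search(path):
            findings["sqli"].append((r["ip"], path))
        if r["method"] == "POST" and ".php" in path and any(d in path for d in STATIC_DIRS):
            findings["upload_php"].append((r["ip"], path))
        if r["method"] == "POST" and path.startswith(LOGIN_PATHS):
            login_posts[r["ip"]] += 1
    findings["bruteforce"] = [ip for ip, n in login_posts.items() if n >= brute_threshold]
    return findings


# Constructed sample lines (not from anyone's real server): normal traffic, six rapid
# POSTs to the Joomla admin login from one IP, an injected query string, and a POST
# to a PHP file sitting inside the images directory.
SAMPLE_LOG = (
    '192.0.2.10 - - [06/May/2008:02:04:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"\n'
    '192.0.2.10 - - [06/May/2008:02:04:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"\n'
    + "".join(
        f'203.0.113.9 - - [06/May/2008:02:10:{i:02d} +0000] "POST /administrator/index.php HTTP/1.1" 200 3410 "-" "curl/7.18"\n'
        for i in range(6)
    )
    + '198.51.100.7 - - [06/May/2008:02:15:30 +0000] "GET /index.php?id=1%27+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 200 2201 "-" "Mozilla/4.0"\n'
    + '198.51.100.7 - - [06/May/2008:02:16:02 +0000] "POST /images/stories/cmd.php HTTP/1.1" 200 44 "-" "Mozilla/4.0"\n'
)

if __name__ == "__main__":
    for kind, hits in suspicious_requests(SAMPLE_LOG.splitlines()).items():
        print(kind, hits)
```

Run it against a downloaded Raw Access Log with `suspicious_requests(open("access-log").read().splitlines())`; anything in `upload_php` deserves a look at the file on disk, and the `bruteforce` list is the thing to compare against the "use a more complex password" advice.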
amitinoz
May 7 2008, 03:44 AM
Thanks Groovicus & Raw...
I have a hosting account with host.ac whom I pay for using their space.
All this happened so close to renewal date and whoever did this also deleted my hosting account.
I have been told by the admin at the website to have a more complex password (already use an alpha numeric one and never from a public computer) to avoid a BRUTE FORCE attack in the future....
I am guessing it's been sorted for now.
Now I am going to have to try to upload the homepage again. The weird bit is that all the other pages are intact!!
At least this has left me aware of the need for more hosting literacy

Cheers!!
amitinoz
May 7 2008, 03:53 AM
No archived logs in Cpanel.
I have saved the option to archive from henceforth.
Did someone have access to my Cpanel? Could they have accessed/deleted all my mail that is stored on the server?
Found this:
QUOTE
The Joomla! component Jom Comment is vulnerable to SQL injection because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability using common SQL injection techniques to compromise data contained in the Joomla! / MySQL database. Data includes the username, password hash, and password salt of every application user including the site administrator.
http://www.securiteam.com/unixfocus/5EP0M0AO0U.html
Like I said, most of the sites I saw defaced were running Joomla. Your hack may be something completely different.
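To make the quoted advisory concrete, here is an added example (not from the thread, and not Jom Comment's or Joomla's real code) of the bug class it describes, written against an in-memory SQLite database. A comment listing takes a content id straight from the query string and pastes it into the SQL; a UNION in that value turns the comment listing into a dump of every user's password hash and salt, which the attacker can then crack offline without ever touching the login form. The table layout, the accounts and the md5(password + salt) scheme are assumptions for the demo.

```python
import hashlib
import os
import sqlite3


def build_db():
    """In-memory stand-in for a CMS database: a users table with hashed, salted
    passwords and a comments table that a public page queries by content id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, salt TEXT, usertype TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, contentid INTEGER, "
                 "author TEXT, body TEXT)")
    # Constructed accounts; md5(password + salt) is an assumption standing in for
    # whatever scheme the real CMS uses.
    for name, pw, role in [("admin", "correct horse", "Super Administrator"),
                           ("amit", "hunter2", "Registered")]:
        salt = os.urandom(8).hex()
        h = hashlib.md5((pw + salt).encode()).hexdigest()
        conn.execute("INSERT INTO users (username, password, salt, usertype) VALUES (?, ?, ?, ?)",
                     (name, h, salt, role))
    conn.execute("INSERT INTO comments (contentid, author, body) VALUES (1, 'visitor', 'nice article')")
    conn.commit()
    return conn


def comments_vulnerable(conn, contentid):
    """The bug: the query-string value is pasted into the SQL text unchanged."""
    sql = "SELECT author, body FROM comments WHERE contentid = " + contentid
    return conn.execute(sql).fetchall()


def comments_safe(conn, contentid):
    """The fix: validate the type, then bind the value as a parameter."""
    try:
        cid = int(contentid)
    except ValueError:
        return []
    return conn.execute("SELECT author, body FROM comments WHERE contentid = ?", (cid,)).fetchall()


# What the attacker sends as ?contentid=... : the UNION makes the comment listing
# return every user's hash and salt through the same two columns.
PAYLOAD = "1 UNION SELECT username, password || ':' || salt FROM users"


def leaked_credentials(conn):
    """Rows the vulnerable handler returns that are not comments at all."""
    return [(author, body) for author, body in comments_vulnerable(conn, PAYLOAD) if ":" in body]


def check_guess(leaked_value, guess):
    """With hash and salt in hand, guesses are tested offline; no login attempts, no log entries."""
    h, salt = leaked_value.split(":")
    return hashlib.md5((guess + salt).encode()).hexdigest() == h


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", comments_vulnerable(db, PAYLOAD))
    print("safe:      ", comments_safe(db, PAYLOAD))
```

The safe version does two independent things: `int()` rejects anything that is not a number, and the `?` placeholder means that even a value that did get through could never be parsed as SQL. Either alone closes this hole; keeping both is cheap.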
groovicus
May 9 2008, 08:54 AM
Thanks. I am currently maintaining a site that was created in Joomla. Now I need to check that out.
amitinoz
May 9 2008, 12:56 PM
Incidentally, since your posts, I have been snooping on Cpanel...
I have access to a suite of programs called Fantastico, part of which is Joomla, Drupal, PHP & others...
But since I have never accessed these, is it possible that they might still have somehow played a part in the website becoming vulnerable?
Hope I am not being too pesky!!
cheers
Possible, but not likely if you never installed these apps.
Without any type of logs to analyze it's all just guessing.
I would definitely change the Cpanel password and the mail passwords. And make sure no new users were added. Check that no programs were uploaded to your site and you should be fine.
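"Check that no programs were uploaded" is the step most people skip because they do not know what to look for. The script below is an added example (not from the thread) of the three checks a practitioner would run over a downloaded copy of the web root: scripts sitting in directories that should only hold images or uploads, files modified after the last known-good deploy, and script files containing constructs that almost only appear in backdoors (eval of decoded data, shell functions fed from the request). The sample web root, its planted files and the baseline timestamp are constructed for the demo.

```python
import os
import re
import tempfile
import time

SCRIPT_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi", ".py", ".sh"}
# Top-level directories that should never contain executable scripts.
STATIC_DIRS = {"images", "uploads", "media", "tmp", "cache"}
# Constructs that almost only appear in web shells and backdoors.
SHELL_RE = re.compile(
    rb"(eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"
    rb"|(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"])",
    re.I,
)


def scan_webroot(root, since=None):
    """Walk a web root; return [(relative_path, [reasons])] for files worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in SCRIPT_EXT and rel.split("/")[0] in STATIC_DIRS:
                reasons.append("script in static dir")
            if since is not None and os.path.getmtime(full) > since:
                reasons.append("modified after baseline")
            if ext in SCRIPT_EXT:
                with open(full, "rb") as fh:
                    if SHELL_RE.search(fh.read()):
                        reasons.append("webshell-like code")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def make_sample_site():
    """Constructed web root for the demo: a clean site plus two planted files.
    Returns (root, baseline_timestamp)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    baseline = time.time() - 3600        # pretend the site was last deployed an hour ago
    old = baseline - 600
    files = {
        "index.html": b"<html><body>Welcome</body></html>",
        "images/logo.gif": b"GIF89a",
        "plugins/helper.php": b"<?php function helper($x) { return htmlspecialchars($x); }",
        "cache/x.php": b"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw=='));",
        "images/stories/cmd.php": b"<?php system($_GET['c']); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        if rel != "images/stories/cmd.php":  # everything but the fresh shell predates the baseline
            os.utime(path, (old, old))
    return root, baseline


if __name__ == "__main__":
    site, since = make_sample_site()
    for path, why in scan_webroot(site, since=since):
        print(path, "->", ", ".join(why))
```

The mtime check only works if you have a baseline (the date of your last upload, or the timestamp on your own backup copy), which is another reason to keep one; the content check is a heuristic and a clean hit list does not prove the site is clean.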
amitinoz
May 9 2008, 07:59 PM
Cheers mate!!!
I think we can call it a wrap on this one...