May 3 2008, 02:52 PM | Post #1
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

I own a website for my business. Recently I found out that my homepage was changed to a blank page reading:

"pwned By Mor-r0ver + Wizardz at email com + gr33tz to aLL friendZ"

On googling the above line, I found out that there are many websites which have been defiled in this way. Incidentally, all the linked pages on my website are working fine and can be reached directly.

I need to know:
1. How did this happen? (I do not share my cPanel password with anyone)
2. How can I undo this? (I have limited knowledge of web-developing and got someone to put the website together for me in the first place)
3. How can I prevent this in the future?

Please help me...
Thanks
Amit
--------------------
True Blue Never Stains
- Anonymous

May 3 2008, 07:55 PM | Post #2
Bleeping Hacker | Group: BC Advisor | Posts: 1,745 | Joined: 14-April 04 | From: Texas | Member No.: 151

Are you using Joomla! CMS??

May 4 2008, 03:52 AM | Post #3
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

Hi Raw,
How do I know if I am running either Joomla/CMS? Have not heard of them before... I have access to a control panel which I only use to look up website stats or check email from in case I am not using Outlook... or sometimes bump up/down email storage quota...
--------------------
True Blue Never Stains
- Anonymous

May 5 2008, 07:09 PM | Post #4
Bleeping Hacker | Group: BC Advisor | Posts: 1,745 | Joined: 14-April 04 | From: Texas | Member No.: 151

When you log in to cPanel does it tell you Joomla! is installed?
When you visit your website does it say Joomla! anywhere? (usually near the bottom)
Reason I ask is Mor-r0ver seems to have found an exploit in the Joomla! Content Management System.
http://www.joomla.org/

May 5 2008, 08:02 PM | Post #5
Hail Groovicus! | Group: Site Admin | Posts: 5,676 | Joined: 5-June 04 | From: Vermillion, SD | Member No.: 689

Did you find an actual Joomla exploit, or maybe just a coincidence, i.e., the admin password for Joomla was not changed?

May 6 2008, 02:04 AM | Post #6
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

Heyya Raw/Groovicus
Thanks for pitching in to help!! No Joomla as far as I know... and I searched cPanel. I host through www.host.ac and lately they have been a bit of a pain in the rearside, especially when it comes to renewals etc...

I am not an expert here so I will just put down what I found on cPanel apart from the usual stuff...

Software/Services: CGI Centre, Perl Module, PHP Configuration, Fantastico De Luxe.
Advanced Features: Apache handlers, Image Manager, Index Manager, Error pages, Cron Jobs, FrontPage Extensions, MIME Types, Network Tools.

All of these things are features I have never used/know nothing about...
Cheerio
--------------------
True Blue Never Stains
- Anonymous

May 6 2008, 06:42 AM | Post #7
Bleeping Hacker | Group: BC Advisor | Posts: 1,745 | Joined: 14-April 04 | From: Texas | Member No.: 151

No actual exploit, just defaced CMS sites. Could be SQL injection.
Mainly the defaces look like Joomla and Drupal sites. Nothing on BugTraq.

May 6 2008, 01:38 PM | Post #8
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

That's all a bit of Latin to me... but I think I get the picture...
Can you explain how it happened so I can avoid it in the future...
cheers
--------------------
True Blue Never Stains
- Anonymous

May 6 2008, 03:08 PM | Post #9
Hail Groovicus! | Group: Site Admin | Posts: 5,676 | Joined: 5-June 04 | From: Vermillion, SD | Member No.: 689

It depends; are you hosting your website, or is someone else? If someone else, then it is really their responsibility to keep their servers secured and updated (if your bank didn't have alarms and a safe, would you want to keep your money there?). Find out from them if there is anything you can do to help.
If you are hosting your own site, then it depends on your configuration and software.

May 6 2008, 04:42 PM | Post #10
Bleeping Hacker | Group: BC Advisor | Posts: 1,745 | Joined: 14-April 04 | From: Texas | Member No.: 151

I host through www.host.ac
No, unfortunately I have not come across any logs, but you might just look in cPanel at your logs (Raw Access Logs). These logs will be completely foreign to you, but that's where they are. It's still possible that the server your site is on was compromised. (slim chance)

May 7 2008, 03:44 AM | Post #11
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

Thanks Groovicus & Raw...
I have a hosting account with host.ac whom I pay for using their space. All this happened so close to renewal date and whoever did this also deleted my hosting account. I have been told by the admin at the website to have a more complex password (already use an alphanumeric one and never from a public computer) to avoid a BRUTE FORCE attack in the future...

I am guessing it's been sorted for now. Now I am going to have to try to upload the homepage again. The weird bit is that all the other pages are intact!! At least this has left me aware of the need for more hosting literacy.
Cheers!!
--------------------
True Blue Never Stains
- Anonymous

May 7 2008, 03:53 AM | Post #12
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

No archived logs in cPanel.
I have saved the option to archive from henceforth. Did someone have access to my cPanel? Could they have accessed/deleted all my mail that is stored on the server?
--------------------
True Blue Never Stains
- Anonymous

May 9 2008, 07:07 AM | Post #13
Bleeping Hacker | Group: BC Advisor | Posts: 1,745 | Joined: 14-April 04 | From: Texas | Member No.: 151

Found this:

QUOTE
The Joomla! component Jom Comment is vulnerable to SQL injection because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability using common SQL injection techniques to compromise data contained in the Joomla! / MySQL database. Data includes the username, password hash, and password salt of every application user including the site administrator.
http://www.securiteam.com/unixfocus/5EP0M0AO0U.html

Like I said, most of the sites I saw defaced were running Joomla. Your hack may be something completely different.

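Added example, not part of any post in this thread: one way to triage the Raw Access Logs mentioned above for the SQL injection scenario the quoted advisory describes. It assumes the logs are in Apache "combined" format; the sample lines, IP addresses and the `com_example` component name are constructed, and the pattern list is a heuristic rather than a complete signature set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Assumption: Raw Access Logs use the Apache "combined" layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Common SQL injection markers (heuristic, case-insensitive).
SQLI_RE = re.compile(
    r"(?i)union\s+(all\s+)?select|information_schema|"
    r"\bor\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\(|--\s|/\*"
)

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_sqli(lines):
    """Return {client_ip: [(timestamp, path, status, decoded_query), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        parts = urlsplit(m["target"])
        query = decode(parts.query)
        if query and SQLI_RE.search(query):
            hits[m["ip"]].append((m["ts"], parts.path, int(m["status"]), query))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.7 - - [02/May/2008:21:14:03 +0000] "GET /index.php?option=com_example&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/May/2008:21:15:40 +0000] "GET /index.php?option=com_example&id=-1%20UNION%20SELECT%201,username,password%20FROM%20users HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/May/2008:21:15:52 +0000] "GET /index.php?id=1%2527%2520OR%25201%253D1--%2520 HTTP/1.1" 500 310 "-" "-"',
    '198.51.100.7 - - [02/May/2008:21:16:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_sqli(SAMPLE).items():
        print(ip, *events, sep="\n  ")
```

A hit that returned status 200 with an unusually small or large body is worth reading first; hits only show that someone probed, not that the probe worked.
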
May 9 2008, 08:54 AM | Post #14
Hail Groovicus! | Group: Site Admin | Posts: 5,676 | Joined: 5-June 04 | From: Vermillion, SD | Member No.: 689

Thanks. I am currently maintaining a site that was created in Joomla. Now I need to check that out.

May 9 2008, 12:56 PM | Post #15
Member | Group: Members | Posts: 54 | Joined: 12-June 07 | Member No.: 136,216

Incidentally, since your posts, I have been snooping on cPanel...
I have access to a suite of programs called Fantastico, part of which is Joomla, Drupal, PHP & others... but since I have never accessed these, is it possible that they might still have somehow played a part in the website becoming vulnerable?
Hope I am not being too pesky!!
cheers
--------------------
True Blue Never Stains
- Anonymous