
Website Hijacked/vandalised?


16 replies to this topic

#1 amitinoz

  • Members
  • 54 posts

Posted 03 May 2008 - 02:52 PM

Hi,

I own a website for my business. Recently I found out that my homepage was changed to a blank page reading:
"pwned By Mor-r0ver + Wizardz at email com +
gr33tz to aLL friendZ"

On googling the above line, I found out that there are many websites which have been defiled in this way.
Incidentally, all the linked pages on my website are working fine and can be reached directly.

I need to know:

1. How did this happen? (I do not share my cpanel password with anyone)
2. How can I undo this? (I have limited knowledge of web-developing and got someone to put the website together for me in the first place)
3. How can I prevent this in the future?

Please help me...

Thanks
Amit


#2 raw

    Bleeping Hacker

  • Members
  • 2,577 posts

Posted 03 May 2008 - 07:55 PM

Are you using Joomla! CMS??

rawcreations.net          @raw_creations

Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 04 May 2008 - 03:52 AM

Hi Raw,
How do I know if I am running either Joomla/CMS?
Have not heard of them before...
I have access to a control panel which I only use to look up website stats or check email from in case I am not using Outlook... or sometimes bump up/down email storage quota...

#4 raw

    Bleeping Hacker

  • Members
  • 2,577 posts

Posted 05 May 2008 - 07:09 PM

When you log in to Cpanel does it tell you Joomla! is installed?
When you visit your website does it say Joomla! anywhere? (usually near the bottom)
Reason I ask is Mor-r0ver seems to have found an exploit in the Joomla! Content Management System.

http://www.joomla.org/



#5 groovicus

  • Security Colleague
  • 9,963 posts

Posted 05 May 2008 - 08:02 PM

Did you find an actual Joomla exploit, or maybe just a coincidence, ie, the admin password for Joomla was not changed?

#6 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 06 May 2008 - 02:04 AM

Heyya Raw/Groovicus
Thanks for pitching in to help!! :thumbsup: :flowers:

No Joomla as far as I know...and I searched Cpanel..
I host through www.host.ac and lately they have been a bit of a pain in the rearside especially when it comes to renewals etc...

I am not an expert here so I will just put down what I found on Cpanel apart from the usual stuff...

Softwares/Services: CGI Centre, Perl Module, PHP Configuration, Fantastico De Luxe.
Advanced Features: Apache handlers, Image Manager, Index Manager, Error pages, Cron Jobs, Frontpage Extensions, MIME Types, Network Tools.


All of these things are features I have never used/Know nothing about...

Cheerio

#7 raw

    Bleeping Hacker

  • Members
  • 2,577 posts

Posted 06 May 2008 - 06:42 AM

No actual exploit, just defaced CMS sites. Could be SQL injection.
Mainly the defaces look like Joomla and Drupal sites.
Nothing on BugTraq.



#8 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 06 May 2008 - 01:38 PM

That's all a bit of Latin to me... but I think I get the picture...
Can you explain how it happened so I can avoid it in the future...

cheers :thumbsup:

#9 groovicus

  • Security Colleague
  • 9,963 posts

Posted 06 May 2008 - 03:08 PM

It depends; are you hosting your website, or is someone else? If someone else, then it is really their responsibility to keep their servers secured and updated (if your bank didn't have alarms and a safe, would you want to keep your money there?). Find out from them if there is anything you can do to help.

If you are hosting your own site, then it depends on your configuration and software.

#10 raw

    Bleeping Hacker

  • Members
  • 2,577 posts

Posted 06 May 2008 - 04:42 PM

I host through www.host.ac

No, unfortunately I have not come across any logs, but you might just look in Cpanel at your logs (Raw Access Logs).

These logs will be completely foreign to you, but that's where they are.

It's still possible that the server your site is on was compromised (slim chance).


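The raw access logs raw points to are plain Apache "combined" format lines, and even without reading them by hand a short script can pull out what a defacement investigation needs: which requests were not simple page reads, which address hammered a login with repeated POSTs, and when the homepage's byte count collapsed to a one-line page. The script below is an added example written for this thread, not code from BleepingComputer or from any of the posters; the log lines, addresses and the /admin/ paths in them are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format, the layout behind
# cPanel's Raw Access Logs. Addresses, paths and times are made up for this
# example and are not from the thread's site.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2008:13:40:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/May/2008:13:40:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2008:14:02:11 +0000] "GET /admin/ HTTP/1.1" 200 900 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2008:14:02:15 +0000] "POST /admin/login.php HTTP/1.1" 401 0 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2008:14:02:16 +0000] "POST /admin/login.php HTTP/1.1" 401 0 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2008:14:02:17 +0000] "POST /admin/login.php HTTP/1.1" 401 0 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2008:14:02:18 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2008:14:03:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
203.0.113.22 - - [03/May/2008:14:10:00 +0000] "GET / HTTP/1.1" 200 318 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(lines):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e['status'] = int(e['status'])
        e['size'] = 0 if e['size'] == '-' else int(e['size'])
        yield e


def triage(lines, burst_threshold=3, shrink_ratio=0.25):
    """Return the three things worth looking at first after a defacement."""
    entries = list(parse(lines))

    # 1. A static brochure site is never legitimately written to over HTTP,
    #    so every request that is not GET/HEAD deserves a look.
    writes = [e for e in entries if e['method'] not in ('GET', 'HEAD')]

    # 2. Repeated POSTs from one address are the usual shape of password guessing.
    posts_per_ip = Counter(e['ip'] for e in entries if e['method'] == 'POST')
    bursts = {ip: n for ip, n in posts_per_ip.items() if n >= burst_threshold}

    # 3. Replacing the homepage with a one-line "pwned" page shows up as a sudden
    #    drop in the bytes served for "GET /"; report the first time it happened.
    homepage = [e for e in entries if e['path'] == '/' and e['status'] == 200]
    shrank_at = None
    for prev, cur in zip(homepage, homepage[1:]):
        if prev['size'] and cur['size'] < prev['size'] * shrink_ratio:
            shrank_at = cur['time']
            break

    return {'writes': writes, 'bursts': bursts, 'homepage_shrank_at': shrank_at}


if __name__ == '__main__':
    report = triage(SAMPLE_LOG.splitlines())
    for e in report['writes']:
        print(f"write: {e['ip']} {e['time']} {e['method']} {e['path']} -> {e['status']}")
    print('POST bursts per address:', report['bursts'])
    print('homepage shrank at:', report['homepage_shrank_at'])
```

To run it over a downloaded cPanel log, pass the open file instead of the sample: `triage(open('access.log'))`. The timestamp of the shrink is the pivot for the rest of the investigation: everything from that address in the minutes before it is what you hand to the host.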

#11 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 07 May 2008 - 03:44 AM

Thanks Groovicus & Raw...

I have a hosting account with host.ac whom I pay for using their space.

All this happened so close to renewal date and whoever did this also deleted my hosting account.

I have been told by the admin at the website to have a more complex password (already use an alpha numeric one and never from a public computer) to avoid a BRUTE FORCE attack in the future....

I am guessing it's been sorted for now.

Now I am going to have to try to upload the homepage again. The weird bit is that all the other pages are intact!!

At least this has left me aware of the need for more hosting literacy :thumbsup:

Cheers!!

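Amit's observation that only the homepage changed is exactly what a file-integrity baseline answers in seconds: hash every file of the site once, keep the list somewhere the web server cannot write to, and compare against a fresh snapshot whenever something looks off (or from a cron job). The script below is an added example for this thread, not the host's tooling or anything from the posters; the three-file "site" it builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            h = hashlib.sha256()
            with open(full, 'rb') as f:
                for chunk in iter(lambda: f.read(65536), b''):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {'added': added, 'removed': removed, 'modified': modified}


def save_baseline(digests, path):
    # Keep this file off the web host (a local copy, or a read-only location);
    # a baseline the attacker can rewrite proves nothing.
    with open(path, 'w') as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed three-file site, baseline it, change only the homepage, diff."""
    with tempfile.TemporaryDirectory() as site:
        files = {
            'index.html': '<html><body>Welcome to my business</body></html>',
            'about.html': '<html><body>About us</body></html>',
            'css/style.css': 'body { margin: 0; }',
        }
        for rel, text in files.items():
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as f:
                f.write(text)

        baseline_file = os.path.join(site, '..', 'baseline.json') if False else None
        baseline = snapshot(site)

        # Simulated defacement: only the homepage is overwritten, as in the thread.
        with open(os.path.join(site, 'index.html'), 'w') as f:
            f.write('<html><body>defaced</body></html>')

        return compare(baseline, snapshot(site))


if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

On a real site the flow is `save_baseline(snapshot('/home/user/public_html'), 'baseline.json')` once after a clean upload, then `compare(load_baseline('baseline.json'), snapshot(...))` whenever you want to know what changed; a non-empty `added` list is the one to read first, since uploaded backdoors show up there rather than under `modified`.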
#12 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 07 May 2008 - 03:53 AM

No archived logs in Cpanel.
I have saved the option to archive from henceforth.

Did someone have access to my Cpanel? Could they have accessed/deleted all my mail that is stored on the server?

#13 raw

    Bleeping Hacker

  • Members
  • 2,577 posts

Posted 09 May 2008 - 07:07 AM

Found this:

The Joomla! component Jom Comment is vulnerable to SQL injection because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability using common SQL injection techniques to compromise data contained in the Joomla! / MySQL database. Data includes the username, password hash, and password salt of every application user including the site administrator.

http://www.securiteam.com/unixfocus/5EP0M0AO0U.html

Like I said, most of the sites I saw defaced were running Joomla. Your hack may be something completely different.


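The advisory raw quotes describes one bug class: a request parameter pasted straight into SQL text, so a quote character in it ends the string literal and whatever follows runs as SQL, which is how a component meant to list comments can be turned into a reader of the users table. The snippet below is an added illustration of that class written for this thread; it is not the Jom Comment code and not from the advisory. It uses Python's built-in sqlite3 with a constructed in-memory comments table so it runs anywhere, and shows the concatenated query beside the parameterised one that fixes it.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a comment component's data."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, '
        'body TEXT, approved INTEGER)'
    )
    conn.executemany(
        'INSERT INTO comments (author, body, approved) VALUES (?, ?, ?)',
        [('alice', 'Nice site', 1),
         ('bob', 'Awaiting moderation', 0),
         ('carol', 'Rejected', 0)],
    )
    return conn


def approved_comments_vulnerable(conn, author):
    # The bug class the advisory describes: the request parameter is spliced into
    # the SQL text, so a quote inside it closes the literal and the remainder is
    # parsed as SQL instead of compared as a value.
    sql = ("SELECT author, body FROM comments "
           "WHERE approved = 1 AND author = '" + author + "'")
    return conn.execute(sql).fetchall()


def approved_comments_safe(conn, author):
    # The fix: bind the value as a parameter. The driver hands it to the engine
    # separately from the statement text, so it can only ever be a string.
    sql = "SELECT author, body FROM comments WHERE approved = 1 AND author = ?"
    return conn.execute(sql, (author,)).fetchall()


def demo():
    """Run both versions with an ordinary name and with a quote-bearing input."""
    conn = make_db()
    benign = 'alice'
    # A single quote followed by an always-true clause: the textbook shape of the
    # input class the advisory warns about.
    hostile = "x' OR '1'='1"
    return {
        'vuln_benign': approved_comments_vulnerable(conn, benign),
        'safe_benign': approved_comments_safe(conn, benign),
        'vuln_hostile': approved_comments_vulnerable(conn, hostile),
        'safe_hostile': approved_comments_safe(conn, hostile),
    }


if __name__ == '__main__':
    for name, rows in demo().items():
        print(f'{name}: {rows}')
```

With the ordinary name both functions return alice's one approved comment. With the quote-bearing input the concatenated version returns all three rows, unapproved ones included, because the WHERE clause was rewritten; the parameterised version returns nothing, because no author is literally named `x' OR '1'='1`. The same distinction is what separates a component that leaks "the username, password hash, and password salt of every application user" from one that does not.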

#14 groovicus

  • Security Colleague
  • 9,963 posts

Posted 09 May 2008 - 08:54 AM

Thanks. I am currently maintaining a site that was created in Joomla. Now I need to check that out.

#15 amitinoz
  • Topic Starter
  • Members
  • 54 posts

Posted 09 May 2008 - 12:56 PM

Incidentally, since your posts, I have been snooping on cpanel...
I have access to a suite of programs called Fantastico, part of which is Joomla, Drupal, PHP & others...
but since I have never accessed these, is it possible that they might still have somehow played a part in the website becoming vulnerable?

Hope I am not being too pesky!!

cheers



