Hacked BY an A$$hole

[DnEbook]

Today i have discovered all my last years work is gone because some complete asshole

i have discovered my sites have all been 'hacked by scorpian'

my names are still at my server , i wonder if there is anything i can do


or are they gone forever ????

Views thoughts opinions .....appreciated

I can get to my files but don't know what to do once there ? below is one thing i discovered when i got to index.php



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
td {background-color: #1f1f1f; font-family: Courier New; font-size:9pt; color:#ffffff; border-color: #ffffff;border-width:1pt; border-style:solid; border-collapse:collapse;padding:0pt 3pt;vertical-align:top; }
table {border-color: #88aace;border-width:0pt 1pt; border-style:solid; }
A:Link, A:Visited { color: #88aace; }
A.no:Link, A.no:Visited { color: #88aace;text-decoration: none; }
A:Hover, A:Visited:Hover , A.no:Hover, A.no:Visited:Hover { color: #88aace; background-color:#2e2e2e; text-decoration: overline underline; }
.style1 {color: #88aace}
.style2 {color: 1f1f1f}
</style>
<TITLE>Index</TITLE>
</head>
<BODY bgColor="#000000" onload="teclear();" oncontextmenu="return false" onselectstart="return false">
<DIV align="center"><SPAN style="FILTER: blur(add=1,direction=170,strength=30); HEIGHT: 50px">
<STYLE>.layermensaje {
FONT-SIZE: 10pt; COLOR: #2e2e2e; LINE-HEIGHT: 10pt; FONT-FAMILY: "Arial"
}
</STYLE>
<FONT style="FONT-SIZE: 8pt" face="Courier New">
<center>

<img border="1" src="http://data.imagup.com/8/1124800774.gif"><br>

<br>



<table>
<tr>
<td class="row2"><span class="gensmall">


<font color="white"><pre>
_ _ ___ _____ _ _ _____ _____
| | | | / | / ___| | | / / | ____| | _ \
| |_| | / /| | | | | |/ / | |__ | | | |
| _ | / / | | | | | |\ \ | __| | | | |
| | | | / / | | | |___ | | \ \ | |___ | |_| |
|_| |_| /_/ |_| \_____| |_| \_\ |_____| |_____/
</pre></font>

 

[ezimedia]

maybe he just replaced your index.php file so if you have a back of that original file just upload it and see what happens.

 

[DnEbook]

ummmm ...... back up

just a blog didn't even consider anyone would bother hacking, no back up unless hosting has one ? .....still waiting for reply

 

[enlytend]

Looks from what you posted like just a defacement.Do you have backups? Does your host have backups? If you're on shared hosting (or VPS), contact your host's support.

Is this on Wordpress/Joomla or some other CMS or is it a plain html site?

If you want to get rid of the ugly page for now, save a copy (in case your host support wants to see it) and make a clean index file.

 

[DnEbook]

Looks from what you posted like just a defacement.Do you have backups? Does your host have backups? If you're on shared hosting (or VPS), contact your host's support.

Is this on Wordpress/Joomla or some other CMS or is it a plain html site?

If you want to get rid of the ugly page for now, save a copy (in case your host support wants to see it) and make a clean index file.

If i knew to act your advice i would but alas .....

At this point i have contacted my hosting company and will hopefully get a reply tomorrow , probably saturday night for the hosting company , some redirects back to parking put in place for a some of the sites on hosting

only two sites i am concerned about, password changed , sites were wordpress and updated only two days ago ??

Did this wanker enter via the host site i wonder ?

there were a couple of other sites affiliate sites that were not wordpress .......so must have come through the hosting i guess

shitty way to learn

 

[enlytend]

only two sites i am concerned about, password changed , sites were wordpress and updated only two days ago ??

Did this wanker enter via the host site i wonder ?

Possibly ... or it could have been through a vulnerability in a plugin ... or a script ...

This probably won't make you feel any better, but chances are it wasn't personal - bots scan, find something exploitable, scripts get deployed. That's how it happens most of the time.

Anyway, totally sucks. Hope your hosting support gets back to you quickly (if they don't have 24/7 coverage, shame on them!) Good luck!

 

[DnEbook]

no joy but a simple version of the main site (virtual books) has been put in place , bummer about bikinis.tv ......i kinda liked that one!

Lesson learned is to discover how to make backups, the simple site i have just done at least a code cut and paste of the front page and other pages saved as a document for future reference

Thanks for moral support

 

[Weber]

Access logs could give a clue as to what happened.
It's possible you have malware on your computer if they used your login credentials.

 

[DnEbook]

Access logs could give a clue as to what happened.
It's possible you have malware on your computer if they used your login credentials.

Computer is always kept up to date with virus updates, i can make my to the access logs but i know i already know what has happened, because sites are gone, i have changed tactics somewhat,

I will be taking further precautions if i think necessary in the future .....trust me

live and learn i guess :talk:

 

[Hostlatch]

If it's a year of content and work, You should of backups downloaded for your data correct?

This is why backups are a needed solution for every server or hosting account online, your data is important to you, so you should pay the extra few bucks to have your data and files backed up or you should do it your self at least once a week.

I feel sorry for what happen, but if you didn't have data backups it's kinda your fault also if you lost your content and work. We run full DATA/HDD backups every night on our production servers, and for our clients we run a weekly R1SOFT data snapshot backup for all clients just to protect the clients information also - we also recommend you take your own backups or purchase extra backup space or nightly backups from us which is not very expensive.

I wish the best of luck, and if the hacker deleted your data and you have no backups, there is no way to bring your data back unless your provider does backups and you ask them to backup your account or restore it.

I know on our web hosting servers - we are able to backup a users account and restore it from a previous day (maximum: 2 days prior to the day requested)

 

[DU]

The page Scorpion loaded claimed to do a a logon/delete/upload of defacement page.

Most backups on shared servers (on request) will keep a backup within your account unless you explicitly download/email to yourself. This won't help if they deleted everything.

Three things to check and one to hope.

1) Backup is usually NOT stored on the public_html path so may be not deleted. He could have just taken the public_html path down. It's usually not automatic and has to be turned on.

2) You probably still have all the MySQL if you are using WP/Joomla/Drupal/ etc which is 90% of what you need. You should be able to backup the WP data, reinstall WP and just reload the data back.

3) Your hosting company may have a backup

4) Hope the guy/gal gets hit by a truck or his parents throw him out of their basement.


My secondary hosting site got hacked too... luckily all they did was steal Gigs of bandwidth with some .htaccess rewrites and some strange upload.

I don't think many of these kids are experts at anything - they download scripts from the internet and run them and cause havoc. What they don't realize is that they probably got taken by someone bigger...

---------- Post added at 11:41 AM ---------- Previous post was at 11:36 AM ----------

I once had a friend who lost their external HDD and called me to ask me what to do. I had to explain that a BACKUP is only a BACKUP if you have it as a COPY and it's on or in a DIFFERENT place. They seemed to think backing up just meant putting it somewhere safe once. It's an easy concept but difficult to explain sometimes

General comment:
It's important if you have life, homeowners insurance etc that you have copies at ANOTHER location to your home. No point having a copy that can get washed away - a lot of people in NOLA learned this.

 

[enlytend]

or his parents throw him out of their basement.

+1

Backups are boring and even big companies have been known make the mistake of treating them as unimportant ... until they need one! *

no joy but a simple version of the main site (virtual books) has been put in place , bummer about bikinis.tv ......i kinda liked that one!

Glad you know what went wrong and ard starting to get things on track again. Any chance you can salvage any of it from archive.org? From cached pages in Google?

 

[RogueWriter]

I posted on here a couple months ago about an issue with wordpress being hacked.....there were some suggestions within the article I posted as to how to prevent future attacks.

If you were using wordpress, click here , my post should pop up. Don't know if that was the issue of not, hope it helps.

 

[DnEbook]

thanks for that .......advice taken onboard , repped thank you

 

[RazorNF]

More often than not, these hacks are just to show off that they got in, and they usually leave everything intact, and rename the index.php/html

 

[DU]

I posted on here a couple months ago about an issue with wordpress being hacked.....there were some suggestions within the article I posted as to how to prevent future attacks.

If you were using wordpress, click here , my post should pop up. Don't know if that was the issue of not, hope it helps.

Thanks for the link back. That plugin seems a nice addition.

Can't rep because I'm too fond of you even though I don't recall repping you that recently ?!

 

[RogueWriter]

defaultuser- I been hacking into your account and repping myself. Sorry about that.

 

[DnEbook]

Ok after installing wordpress firewall 2 i am getting this notice over the last couple of days (below) now the thing is that i am a affiliate of smashwords and cant help but wonder if it is related to them (all three sites are book sales sites being attacked)

It seems strange that all three book sales sites are getting the same massage

It seems they are trying to do something via the pic form what i am reading ??

However of course i don't have a great knowledge so i would be grateful if someone can interperit the below a bit better for me ::

WordPress Firewall has detected and blocked a potential attack!



Web Page:

virtualbooks.com.au/wp-content/themes/books-and-imagination-10/scripts/timthumb.php?src=/g0../0d1.gif
Warning: URL may contain dangerous content!



Offending IP:

83.103.119.239 [ Get IP location ]



Offending Parameter:

src = /g0../0d1.gif





This may be a "Directory Traversal Attack."

 

[RazorNF]

The timthumb resize code used in alot of wordpress themes and plugins has a security vulnerability that was recently discovered.

This could be the issue.

 

[DnEbook]

seems to be each site that has pics which are being attacked and if it was not for the suggestion of using wordpress firewall 2 these sites would probably be gone now, luckily i was shown how to export the content to my computer which i now do regularly just in case