ok , first thing you should do is RELAX and your friend too
lets see some info about your friend site
domain : coloradoevo.com
registrar : GODADDY.COM, INC.
Nameserver: ns1.hostican.com
Nameserver: ns2.hostican.com
hosting provider : hostican.com
hostican.com is a jumpline company (
http://jumpline.com/ )
may be hostican.com is acquired by jumpline company or they are partners
and your friend site domain is well protected
http://who.godaddy.com/whois.aspx?domain=coloradoevo.com&prog_id=GoDaddyprivate registration so no one can know the real person details who really own this domain and try to social engineering him or hack his email to hijack domain
lets ping coloradoevo.com , you will find that server ip is : 199.204.248.104
now lets try to scan it online with centralops.net
HTTP - 80 HTTP/1.1 200 OK
Date: Tue, 27 Dec 2011 00:38:44 GMT
Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
and
FTP - 21 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 50 allowed.
220-Local time is now 19:38. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
220 Logout.
so hosting server OS is linux and web server is apache 2.2.19
lets try this
199.204.248.104:2086
it works and you see cpanel ( WHM ) > so this is linux Centos OS as cpanel only works on Centos OS
lets find your neighbours
go to bing.com and put this "ip:199.204.248.104"
you will find many cool sites actually many many sites , so your site is on shared server that is really high risk and you can be hacked any time
lets see hacked websites in this server 199.204.248.104
type in bing "ip:199.204.248.104 hacked" , you will see many hacked websites like :
http://nwmasssmedia.com/http://vmrmackay.org.au/http://www.camelotpm.com/http://www.iseeyouhq.com/forums/http://texasturkeyhunts.com/http://al-carmel.com/?p=6http://www.pendantall.com/http://aerodomo.com.ar/blog/http://www.perfectpunting.co.uk/http://mariborlive.com/http://bladefishusa.com/http://www.courtneydavisjewelry.com/http://nwmasssmedia.com/oh that is alot
and may be more .....
okay , i think all sites hacked by hacking one weak site in same server by exploiting sql injection , blind sql injection , file upload , remote file ( old ) , local file include , xss , csrf , brute forcing cpanel accounts
after hackers are in one site in server they will see how server is secure
safe mode off or on ? if off it is good to hack if it is on > we need to make it off by using some tricks like writing new fake php,ini ,
disabled_functions = none it is really really cool so hackers can run any cmd they like with user privileges
if there is disabled functions they will write a fake php.ini file and bypass all disabled functions
and if no thing works they will try different bypassing techniques with symlink and exploit php vulns to manipulate files
and will try to upload perl web shell that will bypass that php security on server and do what they want , like reading your friend config.php file and get all info like db name and users name and password and try to access this database and change admin password by inserting hacker email address and request new password to login in admincp and change index.php to hacked page
if there is a firewall on admincp they will remove it
and enter with success
so to secure your site friend you may find a database backup and remove all vbulletin php scripts and find a new version of it as your friend site is using
Powered by vBulletin™ Version 4.1.3
Copyright © 2011 vBulletin Solutions, Inc. All rights reserved.
and this version ( 4.1.3) is vulnerable to sql injection vulnerability
see exploit >
http://www.exploit-db.com/exploits/17555/hackers may be hacked your friend site by exploiting this vuln and found admin ( user name , email , password hash ( md5+salt ) and cracked it and enter admincp and change index.php to hacked page here >
http://www.zone-h.org/mirror/id/16235342so you must find another secured hosting company to host your friend site and forget hackers
pm me if you want me to give you a well secured hosting company
best regards
Networking : certificationkits
Hadnagy : [Article]-An Insider`s Look at the Social-Engineer.Org SE CtF at DEFCON
Editor-In-Chief : Free Webcast: Don't Pick the Lock, Steal the Key - PW Auditing with Metasploit
Links to cool sites. : Ninja-Sec Challenge You !
