Web page hacked. See if you can help?

Viewing 15 reply threads
  • Author
    Posts
    • #7169
      Joshsevo
      Participant

      So many of you know who I am, but what you don’t know is that I am a moderator on another forum that deals with my hobby outside of work.  It’s a car forum my friend set up for people like myself that own a specific type of car (Mitsubishi Evolutions, also called Evos).

      Recently the site was hacked by a Sudan Security Team and my friend is having a hard time getting the site back under his control.  The company that owns the vBulletin has a back-up, but it is of the pirated version that you see here. 

      The site’s address is called Coloradoevo.com

      So is there anything that any of you can suggest or do for us?  There are around 400 members and this site has been a great place for us to get together and talk about topics regarding our cars.  If anyone could help, please let me know.

    • #44777
      Anonymous
      Participant

      Who hosts the site? Do they have any logs? I would get the backup and take a look at what they changed. Is it just the main page that has been defaced? The first step is trying to find how they got in so you can fix it. They do have an email address; have you tried to contact them?

    • #44778
      l33t5h@rk
      Participant

      Was the database backed up?

    • #44779
      Joshsevo
      Participant

      The company that has the backups only has a backup of the hacked webpage.  So the owner is saying they may have lost everything.

      I emailed the guy today and am waiting for a response.  They also have a facebook page that I may go on as well.

    • #44780
      l33t5h@rk
      Participant

      vBulletin looks like it is all DB driven. I’m thinking if you get the latest version of the software, install it, then have them restore the database, you might be out of the woods. This is pending their attack isn’t on the DB tier.

    • #44781
      l33t5h@rk
      Participant

      I (hesitantly) went to the site and it does look like they just defaced it instead of actually hacking the thing, likely somebody just found a leak in the vBulletin software and exploited it that way. I’d say if you can restore the database w/ the updated software that’s probably the most you can do for now.

      FYI – this thing sadly happens a lot and is more annoying than damaging. I once had a phpBB site of mine undergo a similar treatment and I found that the time I spent being pissed about it was significantly less than the time it took me and my hosting provider (Verio) to fix it.

    • #44782
      Joshsevo
      Participant

      Good heads up.  I looked into vBulletin defacing and found a few things that I sent to the owner to look into.

      Also give me an opinion on this.

      I reported their Facebook acct to FB, as I feel that with them having a FB acct, FB is allowing them to run a criminal enterprise.  They clearly do this for fun/money, as it’s not just this webpage but many others, and they have a large outreach program to get others to join their efforts.  So hopefully FB will inquire why I reported them and then I can go into further detail.

      All about making the hackers’ job of communicating with others more difficult.

    • #44783
      cd1zz
      Participant

      Was the box that was hosting it rooted or was the site just defaced?

    • #44784
      Joshsevo
      Participant

      Looks like it was just defaced.  Seems the VB that my buddy is using is less secure than the most recent updates, and the version that we have currently is one that everyone else stays away from.

      Getting on the vBulletin site, it looks like the admins made a tool to help get rid of the defacing problems.  I forwarded the link to my buddy and will let him help, and then I will help out where I can.

    • #44785
      l33t5h@rk
      Participant

      That’s good news, have you got any info on whether or not the db was backed up?

    • #44786
      Joshsevo
      Participant

      According to my friend, who told me a few days ago, the DB was backed up with the defaced version.  He said they back it up every month, and maybe that month ticked down, seeing as this has been like this for maybe a week or so.

    • #44787
      l33t5h@rk
      Participant

      That’s interesting I figured it was just a php vuln that was exploited.

      Best of luck

    • #44788
      Joshsevo
      Participant

      So my buddy has gotten into the admin panel and has removed the screen that you saw when you logged onto the site.  He’s working on it slowly but seems like he is getting there.

    • #44789
      Anonymous
      Participant

      Cool any news on how it was done ?

    • #44790
      MaXe
      Participant

      Even though I thought you were using phpBB, as that was what the cached version said, if you’re using vBulletin, there are a few things to check in case of compromises:
      1) Go through ALL plugins; there may be new ones that contain malicious code / backdoors.
      2) Scan all templates for “eval” or similar commands. A PHP backdoor in vBulletin templates often begins with { or eval( ; I think in vB4 backdoors can look like this: {vb:raw eval($_GET) } (Not 100% sure, but I’ve seen backdoors hidden in templates. It is _even_ possible to make a template look like it was never modified, meaning you can’t assume a “red” color on a template means it was edited by a hacker.)
      3) Make sure HTML is still disabled for all forum sections (this can pose a threat too).
      4) Even if you have removed all backdoors from the admincp, INCLUDING the “cron” scripts, they can still be in a “cache” version of the entire site, which I’ve experienced. This often occurs when one performs manual edits of the database, as it seems vBulletin also uses the somewhat confusing “datastore” table for almost everything.

      Okay, you’ve gone through templates, plugins, forum sections, cron scripts, and perhaps even the database. What now?

      5) Now, you look for .php files that shouldn’t be there, or altered PHP files that contain backdoors. Don’t use the timestamps as a method of finding out whether a file was changed or not, as that can easily be tampered with as well. If the hackers weren’t smart, they didn’t change the timestamp to match the rest of the files. Sometimes, they also set the timestamp to a random date, where you perhaps weren’t even near a computer. Such files should be checked.

      6) You’re not done yet, as some hackers change or add .htaccess files to make other extensions, often in subdirectories, executable as PHP. Meaning if you find a .htaccess file that shouldn’t be there, it could contain a “php-handler” setting that all .jpg files in that directory should be executed as php, and the actual directory, could be new as well, but named something that could be a part of the original installation.

      7) You’ve gone through almost everything, well, almost. There’s also the php.ini file, where the setting auto_append_file appears to be the newest trick they’re using. The setting appears to be “Off”, even though it is set to be “0ff” (Zero f f), meaning it reads a file named “0ff” in /tmp/.. Reference: http://blog.sucuri.net/2011/12/malware-getting-called-from-php-ini.html

      As you can see, it’s often better to start with a fresh set of PHP files, and delete _everything_ from the HTTP directory.

      First and always, you take a backup of the files, even if they’re backdoored. It’s a good learning experience, and it gives you insight into how the hackers work too, esp. if you study the access.logs, which are often only deletable by the root user and are somewhat often left behind and not deleted.

      The access.log is huge, which is why you should always determine a point in time where the attack may have occurred. Often a couple of hours, if possible, is best, and then you study the log, often for strange GET requests, or POST requests to files that shouldn’t accept POST requests at all, which may take time as well  🙂

      Merry X-mas, I hope you enjoyed this info as these are most of the tricks I’ve seen used  😉

    • #44791
      mohaab
      Participant

      OK, the first thing you should do is RELAX, and your friend too.

      Let’s see some info about your friend’s site.

      domain : coloradoevo.com

      registrar : GODADDY.COM, INC.

      Nameserver: ns1.hostican.com
      Nameserver: ns2.hostican.com

      hosting provider : hostican.com

      hostican.com is a jumpline company ( http://jumpline.com/ )

      Maybe hostican.com was acquired by the Jumpline company, or they are partners.

      And your friend’s site domain is well protected:

      http://who.godaddy.com/whois.aspx?domain=coloradoevo.com&prog_id=GoDaddy

      Private registration, so no one can learn the details of the real person who owns this domain and try to social engineer him or hack his email to hijack the domain.

      Let’s ping coloradoevo.com; you will find that the server IP is 199.204.248.104.

      Now let’s try to scan it online with centralops.net.

      HTTP – 80 HTTP/1.1 200 OK
      Date: Tue, 27 Dec 2011 00:38:44 GMT
      Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

      and

      FTP – 21 220


      Welcome to Pure-FTPd [privsep] [TLS]


      220-You are user number 4 of 50 allowed.
      220-Local time is now 19:38. Server port: 21.
      220-IPv6 connections are also welcome on this server.
      220 You will be disconnected after 15 minutes of inactivity.
      220 Logout.

      So the hosting server OS is Linux and the web server is Apache 2.2.19.

      Let’s try this:

      199.204.248.104:2086

      It works and you see cPanel (WHM), so this is Linux CentOS, as cPanel only works on CentOS.

      Let’s find your neighbours.

      Go to bing.com and put in this: “ip:199.204.248.104”

      You will find many cool sites, actually many many sites, so your site is on a shared server, which is really high risk and you can be hacked any time 🙂

      Let’s see hacked websites on this server, 199.204.248.104.

      Type in Bing “ip:199.204.248.104 hacked”, and you will see many hacked websites like:

      http://nwmasssmedia.com/
      http://vmrmackay.org.au/
      http://www.camelotpm.com/
      http://www.iseeyouhq.com/forums/
      http://texasturkeyhunts.com/
      http://al-carmel.com/?p=6
      http://www.pendantall.com/
      http://aerodomo.com.ar/blog/
      http://www.perfectpunting.co.uk/
      http://mariborlive.com/
      http://bladefishusa.com/
      http://www.courtneydavisjewelry.com/
      http://nwmasssmedia.com/

      Oh, that is a lot 🙂 and maybe more …..

      Okay, I think all sites were hacked by hacking one weak site on the same server, by exploiting SQL injection, blind SQL injection, file upload, remote file include (old), local file include, XSS, CSRF, brute forcing cPanel accounts.

      After hackers are in one site on the server, they will see how secure the server is.

      Safe mode off or on? If off, it is good to hack; if it is on, we need to make it off by using some tricks like writing a new fake php.ini.

      disable_functions = none is really really cool, so hackers can run any cmd they like with user privileges.

      If there are disabled functions, they will write a fake php.ini file and bypass all disabled functions.

      And if nothing works, they will try different bypassing techniques with symlinks and exploit PHP vulns to manipulate files,

      and will try to upload a Perl web shell that will bypass that PHP security on the server and do what they want, like reading your friend’s config.php file and getting all the info like DB name and user name and password, and try to access this database and change the admin password by inserting the hacker’s email address and requesting a new password to log in to admincp and change index.php to the hacked page.

      If there is a firewall on admincp, they will remove it 🙂 and enter with success.

      So to secure your friend’s site, you may find a database backup, remove all vBulletin PHP scripts and find a new version of it, as your friend’s site is using

      Powered by vBulletin™ Version 4.1.3
      Copyright © 2011 vBulletin Solutions, Inc. All rights reserved.

      and this version (4.1.3) is vulnerable to a SQL injection vulnerability.

      See exploit: http://www.exploit-db.com/exploits/17555/

      Hackers may have hacked your friend’s site by exploiting this vuln, found the admin (user name, email, password hash (md5+salt)), cracked it, entered admincp and changed index.php to the hacked page, here: http://www.zone-h.org/mirror/id/16235342

      So you must find another secure hosting company to host your friend’s site and forget hackers 🙂

      PM me if you want me to give you a well secured hosting company.

      best regards
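Steps 2, 5, 6 and 7 of MaXe's checklist earlier in the thread (eval() in templates, added or altered .php files found by content rather than timestamp, .htaccess files that run other extensions as PHP, and the php.ini auto_append_file = 0ff trick) and the php.ini weaknesses mohaab lists just above (disable_functions empty, a loader pointing at a rogue file) all come down to comparing a live webroot against a clean unpack of the same vBulletin version and reading a few config files carefully. The script below is an added example written for this thread, not code from any poster or from vBulletin. It hashes a known-clean copy, walks the live copy, and reports leads; the directory layout, file names and contents in `build_demo` are constructed for the demonstration, and the ini parser deliberately mirrors PHP's rule that Off/None/No/False/Null become empty while the look-alike 0ff (with a zero) stays a literal filename.

```python
import hashlib
import os
import re
import tempfile

EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
# .htaccess lines that hand other extensions to PHP, or inject a php.ini loader
HTACCESS_RE = re.compile(
    r"^\s*(?:(?:AddHandler|SetHandler|AddType)\s+\S*php|php_value\s+auto_(?:prepend|append)_file)",
    re.IGNORECASE | re.MULTILINE)
# PHP's ini scanner maps these keywords to "1" and "" respectively; "0ff" (zero) is neither
PHP_TRUE, PHP_FALSE = ("on", "yes", "true"), ("off", "no", "false", "none", "null")


def build_manifest(clean_root):
    """Hash every file of a known-clean unpack of the same vBulletin version."""
    manifest = {}
    for dirpath, _, files in os.walk(clean_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, clean_root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def parse_ini_values(text):
    """Minimal php.ini reader (key = value, ';' comments) applying PHP's keyword rules."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        val = val.strip("\"'")
        if val.lower() in PHP_FALSE:
            val = ""
        elif val.lower() in PHP_TRUE:
            val = "1"
        values[key.lower()] = val
    return values


def ini_findings(relpath, text):
    """Loader directives and weak settings in one php.ini / .user.ini file."""
    vals, out = parse_ini_values(text), []
    for key in ("auto_append_file", "auto_prepend_file"):
        if vals.get(key):                      # "Off" parses to "", "0ff" is a filename
            out.append((relpath, f"{key} loads '{vals[key]}'"))
    if "disable_functions" in vals and not vals["disable_functions"]:
        out.append((relpath, "disable_functions is empty"))
    if vals.get("allow_url_include") == "1":
        out.append((relpath, "allow_url_include is on"))
    return out


def sweep(webroot, manifest):
    """Sorted (relative path, reason) pairs; each is a lead to review, not proof."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            with open(full, "rb") as f:
                raw = f.read()
            text = raw.decode("utf-8", errors="replace")
            expected = manifest.get(rel)
            changed = expected != hashlib.sha256(raw).hexdigest()   # content, never mtime
            if expected is None:
                findings.append((rel, "not in clean manifest (added file)"))
            elif changed:
                findings.append((rel, "differs from clean manifest (altered file)"))
            if changed and EVAL_RE.search(text):      # vendor-shipped eval() is skipped
                findings.append((rel, "contains eval()"))
            if name == ".htaccess" and HTACCESS_RE.search(text):
                findings.append((rel, "routes other extensions or loaders through PHP"))
            if name in ("php.ini", ".user.ini"):
                findings.extend(ini_findings(rel, text))
    return sorted(findings)


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def build_demo(base):
    """Constructed fixture: a clean copy, and a live copy tampered as the thread describes."""
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    stock = {"index.php": "<?php require_once('./global.php');\n",
             "global.php": "<?php define('VB_AREA', 'Forum');\n",
             "images/.htaccess": "Options -Indexes\n"}
    for root in (clean, live):
        for rel, content in stock.items():
            _write(root, rel, content)
    _write(live, "global.php", stock["global.php"] + "eval($_GET);\n")
    _write(live, "images/.htaccess", "AddHandler application/x-httpd-php .jpg\n")
    _write(live, "images/logo.jpg", "<?php eval($_GET); ?>")
    _write(live, "php.ini", "auto_append_file = 0ff  ; looks like Off\ndisable_functions = none\n")
    _write(live, "templates_export.xml", "<template>{vb:raw eval($_GET)}</template>")
    return clean, live


def run_demo():
    """Build the fixture in a temp dir and return the sweep's findings."""
    with tempfile.TemporaryDirectory() as base:
        clean, live = build_demo(base)
        return sweep(live, build_manifest(clean))
```

`run_demo()` returns eleven leads on the fixture: the altered global.php and the added logo.jpg and exported template all carry eval(), the images/.htaccess now maps .jpg through the PHP handler, and php.ini is flagged twice, once for the 0ff loader and once for the empty disable_functions. The untouched index.php produces nothing because the manifest compares file content, so faked timestamps make no difference. In practice the manifest comes from a fresh download of the exact version in use, and the result is still a worklist: vBulletin's own code contains legitimate eval() calls, which is why the check only runs on files whose hash no longer matches the vendor's.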


Copyright ©2020 Caendra, Inc.
