Re: Email saying website hacked ? genuine

Wonder if it's a "padding" div, or maybe a new HTML5 "figure" class

Re: Email saying website hacked ? genuine

More like HTML48

Re: Email saying website hacked ? genuine

SHIT!!!!!!!!!
Just had an email from my webspace provider...following on from this the hackers have been crawling all over my webspace secreting php files into my other domains and sending mass mailings. They locked it down today (unbeknownst to me) and I'm now in the process of going through every single flaming folder hunting the files down.

Re: Email saying website hacked ? genuine

Bl00dy hell Shep the boogers!!

Re: Email saying website hacked ? genuine

It's really worrying. It's a criminal gang and they say they'll try and come back.

Re: Email saying website hacked ? genuine

empty threat usually....they'll move on and find another account you see

Re: Email saying website hacked ? genuine

Blahhhh!
All files found and nuked, passwords changed. Barstewards just stole 3 hours of my life.

Dinner time...

Re: Email saying website hacked ? genuine

Had files whizzing through my head all night!
This was one of the emails I got from my web provider:

It was the last 2 sentences that worried me!

The files I found & nuked included:
ali.zip
../Ali/update.php both in the root of an html site
In wordpress:
wp-admin/includes/gamingaudio.php
wp-content/plugins:
84b51faa9d71add1407178aea0a2fd64.php
5b9c469c0d312a87bbb49941035d668b.php
5a220a099563f6389bd266dc3837f5b8.php
wp-rss.php
probot
7a5d94678ce789fb0024c3b945a9250f.php
c3b123fe391477d5003f0db959149342.php
.wp-rss.php
installer/s_code.php
themes/twentyten/languages/menu.php
themes/update.zip
themes/update/*
/js/tinymce/plugins/directionality/signup.php
/js/tinymce/utils/menu.php
/js/tinymce/utils/santander/*
/js/tinymce/utils/js.php
/wp-edit.php
/wp-test.php

Apparently they got in via "Timthumb"

Now there's no wordpress or any php files on there anymore except one which is for a flash based message box in an otherwise html site.

Although it's needed, I'm thinking I should maybe disable this...am I right in thinking it's potentially exploitable?

Shep x

Re: Email saying website hacked ? genuine

They used this to place the files then?

Attack Targets TinThumb Vulnerability | Malware Blog | Trend Micro

Re: Email saying website hacked ? genuine

Yep, according to one email I got from 1&1:
2. Required measures
************************************************** ****************************
In order to reactivate your websites and re-establish the security of your 1&1
account, observe the following instructions.

2.1 Delete all aforementioned files. Note that hackers usually come back to a
webspace they exploited successfully.

2.2 Upload a more secure version of the following modules of your software:

- TimThumb

You will further information on

http://code.google.com/p/timthumb/

2.3 Please urgently change your Administration Password to the indicated software.

2.4 Also check whether the hackers have changed the content of your data base.
Please look out for the following:
- Are there new users?
- Has malicious content been inserted to your data base?

Re: Email saying website hacked ? genuine

I write websites for clients as a side job, and use Opencart quite alot for shopping based websites.

Usually the attack or hack occurs when a file included with the install is vunerable to attack, mostly incorect script formatting which allows a user to insert code to the page, (injection)

This can result in new pages being added.

Its not normally a case of login details being hacked, most times they dont even need it.

Its always good to check the files on ftp relate to those that should be there, and delete any that shouldnt.

You can also check logs to see if you have been hacked.

And in some cases, its your webhost that have been hacked, ive seen hundreds of hacked sites hosted by the same company because their security was lacking and gave them access to all domains.

You dont really need to reply to these emails that tell you, you have been hacked, just check the info the gave and make any alterations that are needed to correct the issue.

You can also contact your host, and they will check their logs to see if they can find an i.p address that doesnt relate to usual workings of the website, and hopefully, blacklist it.

1 and 1 in my expierence are really rubbish at resolving anything, i stay well clear of them, as far as i know, they use virtual servers to host their domain names, always a bad way of doing things, as if they get compromised, every domain hosted on the same virtual server is open to attack.

Re: Email saying website hacked ? genuine

Hmmm interesting!
I have to say though that on this occasion they were very good. Been with them since around 2002 and never had a problem with them.
I also have an account with Lunar Pages, who have been good too. They use Cpanel, and I get prompted any time wordpress or anything else needs updating, then it's all automated. 1&1 is a bit like a Moggy Traveller isn't it..very basic!

Re: Email saying website hacked ? genuine

I use a company called Agilityhoster for my webhosting, they charge around $5 a month for more than what a website would need.

They do allow automatic installation of wordpress etc, but they tend to not be updated as quickly as if you were to install manually direct from the offical websites.

I also combine the webhost with another company i buy domain names from as you tend to find its cheaper buying them from seperate sources rather than all together.

Re: Email saying website hacked ? genuine

This was the exploit used:

http://www.exploit-db.com/exploits/17872/

Re: Email saying website hacked ? genuine

Hmm not sure either..I'll find out soon though as I'm overseeing a transfer for a pub site as the landlord has sold the pub.
Poor guy is hopeless with t'internet, and after giving me his 1&1 access details I found that the t**t who'd set his first site up (a pub regular) had signed him up for Microsoft Exchange in addition to the Business package...for a 2 page "business card" site. Costing him an extra £9.99 a month for something he didn't need, obviously to get a higher affiliate referral fee.

I've had it with wordpress, it's too tempting a target. I mostly only do favours for friends and family now so think I'll move everything to Lunar Pages, who have been brill.
Just got a good deal on a new central heating boiler though, in return for doing a site for the plumber