Geekzone: technology news, blogs, forums
299 posts

Ultimate Geek


  #444919 2-Mar-2011 17:56

buggerit: I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability?  Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a joomla and word press security issue?  Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


It does seem a little dubious that different CMSs have been hacked, which points to the hosting company rather than a vulnerability in the software. In saying that, you shouldn't rely on your hosting partner/ISP to back things up as it is really the individual's responsibility to do this.




Red Jet Web Services
- Affordable websites for small businesses
- Google Email setup and Migrations

BDFL - Memuneh
65634 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #444921 2-Mar-2011 17:56

Zeon: Yes true. It's funny timing actually as one of our IIS web hosting servers came under a DDoS attack last week mainly from Hong Kong. Think it was just random but the thing that protected us in that instance was the sh!thouse international we have =p.


A DDoS attack is in a very different league from social engineering hacks and defacements...

2892 posts

Uber Geek

Trusted
Lifetime subscriber

  #444922 2-Mar-2011 17:58

buggerit: Interesting. My website uses Joomla CMS. If word press has been hacked then it seems to be either aimed at both or something deeper.  I am with kiwiwebhost as well.  What happened was the menus are all changed to Hacked By Shiraz (in mysql), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page.  You can no longer log in through Joomla.  Orcon/Iserve finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the mysql tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability?  Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a joomla and word press security issue?  Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? 




My views (except when I am looking out their windows) are not those of my employer.

BDFL - Memuneh
65634 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #444924 2-Mar-2011 18:00

buggerit: However, the backup still has the hacked menu info in the mysql tables, so it's to an older version I must go... I guess.


This is an old tactic... Change the things behind the scenes but don't do the frontend change straight away. This way the "contaminated" database is copied over old backups (assuming an ISP/hosting provider does backups and uses a weekly rotation), which means with time all your backups are compromised.

Then at some time the defacement itself happens, as a time bomb.

As for using Joomla, now things are getting interesting.

So there are people with WP and Joomla seeing defacements?

3528 posts

Uber Geek

Trusted

  #444925 2-Mar-2011 18:00

buggerit: Interesting. My website uses Joomla CMS. If word press has been hacked then it seems to be either aimed at both or something deeper.  I am with kiwiwebhost as well.  What happened was the menus are all changed to Hacked By Shiraz (in mysql), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page.  You can no longer log in through Joomla.  Orcon/Iserve finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the mysql tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability?  Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a joomla and word press security issue?  Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? There are soooo many holes, especially with 1.0, and look at the number of patches for 1.5; we are up to 1.5.22 now....

I think the hackers target web hosts, hence why all the insecure sites from a particular host fall victim at the same time. I honestly don't think there is a problem with Orcon/iServe but rather holes in the software being exploited.


BDFL - Memuneh
65634 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #444926 2-Mar-2011 18:01

Another question... Is the Joomla/WP environment deployed by each individual user, or by the ISP, in this case Orcon?





BDFL - Memuneh
65634 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #444927 2-Mar-2011 18:04

Another possibility, which I am exploring at the moment, is that all the installs, of different CMS, use the same MySQL database.

We won't know for sure until some Orcon employee confirms what's happened... I am making some inquiries.





 
 
 
 


4 posts

Wannabe Geek


  #444938 2-Mar-2011 18:36

I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.

2892 posts

Uber Geek

Trusted
Lifetime subscriber

  #444941 2-Mar-2011 18:40

buggerit: I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.


Same version for me on my deployments (except a couple of new 1.6 sites).

A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.




My views (except when I am looking out their windows) are not those of my employer.

aw

273 posts

Ultimate Geek


  #445000 2-Mar-2011 22:25

Regarding backups... For web hosting, I use a VPS (with Openhost) I can SSH into.

I have a script that runs a database dump on the VPS, then rsyncs that and the whole /var/www folder (and others) to my local server, then uses Areca Backup to archive that. The entire Areca archive is then rsync'd to one of several external hard discs, whichever is plugged in at the time. The Areca archive goes back a whole year.

Works pretty well. Hopefully the method described may prove useful for others looking to reliably back up their sites so they can easily go back. Also handy to see when files were changed as Areca sort-of lists file modification history - again, useful in the case of determining when you were hacked.
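Two points in this thread fit together: the administrator's note that a database tampered with weeks before the visible defacement gets copied over every backup in a short rotation, and aw's observation that a year of file history shows when things changed. The following is an added example, not aw's Areca/rsync script or anything else from the thread. It summarises each backup as a date plus content digests of the items it holds (files under the web root, or rows of the CMS menu table taken from a database dump), finds when an item first changed, and reports the newest backup that predates a known bad value, so a restore from it does not bring the tampered rows back. The item names, the `jos_menu` label (Joomla 1.5's default menu table, used here only as a name), the weekly dates and the defacement string placement are all constructed.

```python
"""Find when tampered content first entered a backup series.

Added example: each snapshot is a (date, {item: sha256}) pair summarising
one backup, where an item is a file under the web root or a row of the
CMS menu table from a database dump. All data below is constructed.
"""
import hashlib
from datetime import date, timedelta


def digest(content):
    """SHA-256 of an item's contents; only digests are kept per snapshot."""
    return hashlib.sha256(content.encode()).hexdigest()


def snapshot(day, items):
    """Summarise one backup taken on `day` from {item_name: content}."""
    return (day, {name: digest(content) for name, content in items.items()})


def by_date(snapshots):
    return sorted(snapshots, key=lambda s: s[0])


def first_change(snapshots, name):
    """Date of the first snapshot whose copy of `name` differs from the
    oldest snapshot still held, or None if it looks unchanged. If the
    oldest retained copy is already tampered, nothing is reported."""
    ordered = by_date(snapshots)
    baseline = ordered[0][1].get(name)
    for day, items in ordered[1:]:
        if items.get(name) != baseline:
            return day
    return None


def first_match(snapshots, name, content):
    """Date of the first snapshot in which `name` equals a known value
    (for example a defacement string), or None if it never appears."""
    wanted = digest(content)
    for day, items in by_date(snapshots):
        if items.get(name) == wanted:
            return day
    return None


def last_clean_snapshot(snapshots, name, bad_content):
    """Newest snapshot dated before the bad value first appeared; None when
    every snapshot still held already carries it (a restore would re-infect)."""
    seen = first_match(snapshots, name, bad_content)
    if seen is None:
        return by_date(snapshots)[-1][0]
    clean = [day for day, _ in by_date(snapshots) if day < seen]
    return clean[-1] if clean else None


def retained(snapshots, slots):
    """What a simple rotation that keeps only the newest `slots` backups leaves."""
    return by_date(snapshots)[-slots:]


# Constructed series: weekly backups from 2 Jan to 27 Feb 2011. The menu row
# is altered on 30 Jan, weeks before any visible defacement.
WEEKLY = [date(2011, 1, 2) + timedelta(weeks=i) for i in range(9)]
TAMPER_DATE = date(2011, 1, 30)
DEFACED_TITLE = "Hacked By Shiraz"


def build_series():
    series = []
    for day in WEEKLY:
        home_title = DEFACED_TITLE if day >= TAMPER_DATE else "Home"
        series.append(snapshot(day, {
            "jos_menu:home": home_title,            # menu table row (label assumed)
            "jos_menu:contact": "Contact",
            "www/index.php": "<?php echo 'site'; ?>",
        }))
    return series


if __name__ == "__main__":
    series = build_series()
    print("menu row first changed:", first_change(series, "jos_menu:home"))
    print("last clean (full history):",
          last_clean_snapshot(series, "jos_menu:home", DEFACED_TITLE))
    print("last clean (4-slot rotation):",
          last_clean_snapshot(retained(series, 4), "jos_menu:home", DEFACED_TITLE))
```

With only four weekly slots retained, the oldest copy is itself tampered, so diffing against it reports no change at all and there is no clean snapshot left to restore from; the longer history is what finds the 23 January backup.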

1163 posts

Uber Geek


  #445001 2-Mar-2011 22:26

The web host's logs should show exactly how the files were uploaded. If they were uploaded via FTP, then it could be that hackers got hold of the FTP login details. Otherwise it could be that you are using an old version of the CMS, and they have hacked it through that. People who have a CMS must factor in the costs and time of regularly updating it. It does sound odd if there are several accounts on the server that are all affected. Do you have a phpinfo.php page for the site that we can see the server and PHP software setup?

2409 posts

Uber Geek

Trusted

  #445012 2-Mar-2011 22:46

Most hacks I've found in the past are due to bugs in CMSs (people not upgrading, or installing software they have no idea how to use/secure).

As (whoever) changed the content they would most likely have needed to POST something to the webserver (hacking via FTP is very uncommon), so search for POSTs in your log files around the time it got hacked and you can usually find out how someone did something.
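The log search both of the posts above describe (look at how the files got there, and find the POSTs around the time the content changed) can be scripted. This is an added example rather than code from either poster: it parses Apache combined-format access log lines, keeps the POST requests that fall within a window around the time the defacement was noticed, groups them by source address and path, and reports the first POST to the admin area. The sample log lines, addresses and times are constructed; `/administrator/` is Joomla's admin path as mentioned earlier in the thread.

```python
"""Triage POST requests in an Apache combined-format access log.

Added example: pull the POST requests inside a window around a suspected
compromise and group them by source address and path. Log lines below
are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)  # tz-aware
    rec["status"] = int(rec["status"])
    return rec


def posts_in_window(lines, centre, hours=24):
    """POST records within +/- `hours` of `centre` (a tz-aware datetime)."""
    lo, hi = centre - timedelta(hours=hours), centre + timedelta(hours=hours)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and lo <= rec["time"] <= hi:
            out.append(rec)
    return out


def summarise(posts):
    """Count (source ip, path without query string) pairs, most frequent first."""
    pairs = Counter((p["ip"], p["path"].split("?", 1)[0]) for p in posts)
    return pairs.most_common()


def earliest_post_to(posts, path_prefix):
    """Time of the first POST whose path starts with `path_prefix`, or None."""
    hits = [p["time"] for p in posts if p["path"].startswith(path_prefix)]
    return min(hits) if hits else None


# Constructed sample: the defacement was noticed around midday on 25 Feb (NZDT).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2011:09:12:01 +1300] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2011:09:15:44 +1300] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2011:09:16:02 +1300] "POST /administrator/index.php?option=com_templates HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Feb/2011:10:02:10 +1300] "POST /index.php?option=com_contact HTTP/1.1" 200 1550 "http://www.example/" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2011:03:40:00 +1300] "POST /administrator/index.php HTTP/1.1" 200 0 "-" "curl/7.19"
this line is deliberately malformed and is skipped
"""
NOTICED_AT = datetime(2011, 2, 25, 12, 0, tzinfo=timezone(timedelta(hours=13)))


if __name__ == "__main__":
    posts = posts_in_window(SAMPLE_LOG.splitlines(), NOTICED_AT)
    for (ip, path), n in summarise(posts):
        print(f"{n:3d}  {ip:15s}  {path}")
    print("first admin POST:", earliest_post_to(posts, "/administrator/"))
```

Run against a real log, replace `SAMPLE_LOG.splitlines()` with the file's lines and set `NOTICED_AT` to when the change was first seen; widening `hours` is the usual next step when the window comes up empty, since the database change can predate the visible defacement by a long way.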


4 posts

Wannabe Geek


  #445048 3-Mar-2011 06:54

hairy1: A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.


Hi Matt, no to both.

However, the admin login had not been accessed for a long time, which I immediately checked, so it was unlikely to be through the administrator backend using the default admin login (which I will be removing from now on though!).
I also reviewed the raw log files and could not find any suspicious POST activity. Maybe Orcon will be able to review the logs for each hacked site on their server and identify the pattern?

I just don't believe it's a CMS issue. It is most of the time, I agree. But for a whole lot of sites on one server maybe having an FTP account or admin backend account and password all hacked within days of each other seems strange.

2892 posts

Uber Geek

Trusted
Lifetime subscriber

  #445059 3-Mar-2011 07:56

Yeah. Agreed.

If you are running the latest version of Joomla I would be surprised if it was the CMS at fault particularly when several types of CMS are involved.....




My views (except when I am looking out their windows) are not those of my employer.

32 posts

Geek


  #445199 3-Mar-2011 15:53

Try searching for 'hacked by shiraz' and then filtering the results to show New Zealand.

All the URLs showing up in Google search bar one are resolving to 202.191.37.3, which I believe is iServe.
