Geekzone: technology news, blogs, forums
redjet (299 posts, Ultimate Geek) #444919 2-Mar-2011 17:56

buggerit: I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


It does seem a little dubious that different CMSs have been hacked, which points to the hosting company rather than a vulnerability in the software. In saying that, you shouldn't rely on your hosting partner/ISP to back things up, as it is really the individual's responsibility to do this.




Red Jet Web Services
- Affordable websites for small businesses
- Google Email setup and Migrations



freitasm (Administrator, 79288 posts, Uber Geek) #444921 2-Mar-2011 17:56

Zeon: Yes true. It's funny timing actually as one of our IIS web hosting servers came under a DDoS attack last week mainly from Hong Kong. Think it was just random but the thing that protected us in that instance was the sh!thouse international we have =p.


A DDoS attack is in a very different league from social engineering hacks and defacements...

Please support Geekzone by subscribing, or using one of our referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSync 


hairy1 (3332 posts, Uber Geek) #444922 2-Mar-2011 17:58

buggerit: Interesting. My website uses Joomla CMS. If WordPress has been hacked then it seems to be either aimed at both or something deeper. I am with kiwiwebhost as well. What happened was the menus are all changed to Hacked By Shiraz (in MySQL), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page. You can no longer log in through Joomla. Orcon/iServe finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the MySQL tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? 




My views (except when I am looking out their windows) are not those of my employer.




freitasm (Administrator, 79288 posts, Uber Geek) #444924 2-Mar-2011 18:00

buggerit: However, the backup still has the hacked menu info in the mysql tables, so it's to an older version I must go... I guess.


This is an old tactic... Change the things behind the scenes but don't do the frontend change straight away. This way the "contaminated" database is copied over old backups (assuming an ISP/hosting provider does backups and uses a weekly rotation), which means that with time all your backups are compromised.

Then at some time the defacement itself happens, as a time bomb.

As for using Joomla, now things are getting interesting.

So there are people with WP and Joomla seeing defacements?

 






Zeon (3916 posts, Uber Geek) #444925 2-Mar-2011 18:00

buggerit: Interesting. My website uses Joomla CMS. If WordPress has been hacked then it seems to be either aimed at both or something deeper. I am with kiwiwebhost as well. What happened was the menus are all changed to Hacked By Shiraz (in MySQL), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page. You can no longer log in through Joomla. Orcon/iServe finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the MySQL tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? There are soooo many holes, especially with 1.0 and look at the number of patches for 1.5 we are up to 1.5.22 now....

I think the hackers target web hosts, hence why all the insecure sites from a particular host fall victim at the same time. I honestly don't think there is a problem with Orcon/iServe but rather holes in the software being exploited.






freitasm (Administrator, 79288 posts, Uber Geek) #444926 2-Mar-2011 18:01

Another question... Is the Joomla/WP environment deployed by each individual user, or by the ISP, in this case Orcon?







freitasm (Administrator, 79288 posts, Uber Geek) #444927 2-Mar-2011 18:04

Another possibility, which I am exploring at the moment, is that all the installs, of different CMS, use the same MySQL database.

We won't know for sure until some Orcon employee confirms what's happened... I am making some inquiries.





buggerit (4 posts, Wannabe Geek) #444938 2-Mar-2011 18:36

I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.

hairy1 (3332 posts, Uber Geek) #444941 2-Mar-2011 18:40

buggerit: I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.


Same version for me on my deployments (except a couple of new 1.6 sites).

A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.






aw (286 posts, Ultimate Geek) #445000 2-Mar-2011 22:25

Regarding backups... For web hosting, I use a VPS (with Openhost) I can SSH into.

I have a script that runs a database dump on the VPS, then rsyncs that and the whole /var/www folder (and others) to my local server, then uses Areca Backup to archive that. The entire Areca archive is then rsync'd to one of several external hard discs, whichever is plugged in at the time. The Areca archive goes back a whole year.

Works pretty well. Hopefully the method described may prove useful for others looking to reliably back up their sites so they can easily go back. Also handy to see when files were changed as Areca sort-of lists file modification history - again, useful in the case of determining when you were hacked.
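Two points in this thread fit together: freitasm's warning that a database poisoned days before the visible defacement quietly ages through a weekly backup rotation until no clean copy is left, and aw's point that a long backup history with change tracking lets you see when you were hacked. The following is an added example, not code from the thread or from any poster. It assumes you keep one dated dump of the CMS database per day (mysqldump output or similar); it walks those dumps to find the last clean copy of a Joomla menu table, then compares a plain 7-slot rotation with a grandfather-father-son retention that keeps older weekly and monthly copies. The `jos_menu` rows, dates and the "Hacked By Shiraz" marker string are constructed for illustration.

```python
"""Find the last clean database snapshot and choose which snapshots to keep.

Added example: not code from the Geekzone thread or from any poster. It
assumes you keep one dated dump of the CMS database per day (mysqldump output
or similar). The table name `jos_menu`, the row contents and the dates below
are constructed for illustration.
"""
import hashlib
import re
from datetime import date, timedelta

TABLE = "jos_menu"
MARKER = "Hacked By Shiraz"   # defacement text reported in the thread

# Constructed sample: eleven daily dumps. From TAMPER_DAY on, the menu titles
# in the database are rewritten while the public page still looks normal,
# so the poisoned rows are copied into every later backup.
CLEAN = ("INSERT INTO `jos_menu` VALUES (1,'Home','index.php');\n"
         "INSERT INTO `jos_menu` VALUES (2,'About','index.php?option=com_content&id=2');\n")
HACKED = CLEAN.replace("'Home'", "'%s'" % MARKER).replace("'About'", "'%s'" % MARKER)
FIRST_DAY = date(2011, 2, 18)
TAMPER_DAY = date(2011, 2, 22)
NOTICED = date(2011, 2, 28)   # the day the fiery skull appeared and someone looked
SAMPLE_DUMPS = {
    FIRST_DAY + timedelta(days=i): (CLEAN if FIRST_DAY + timedelta(days=i) < TAMPER_DAY else HACKED)
    for i in range((NOTICED - FIRST_DAY).days + 1)
}


def table_rows(dump_text, table=TABLE):
    """VALUES part of every single-row INSERT for `table` (mysqldump with
    --skip-extended-insert writes one row per statement)."""
    pat = re.compile(r"INSERT INTO `%s` VALUES \((.*)\);" % re.escape(table))
    return [m.group(1) for m in pat.finditer(dump_text)]


def fingerprint(dump_text, table=TABLE):
    """Order-independent SHA-256 over the rows, so a dump that merely lists the
    same rows in another order does not look like a change."""
    h = hashlib.sha256()
    for row in sorted(table_rows(dump_text, table)):
        h.update(row.encode("utf-8") + b"\n")
    return h.hexdigest()


def last_clean_snapshot(dumps, table=TABLE, marker=None):
    """Walk the dumps oldest-first and return (last_clean_day, first_changed_day)
    as ISO date strings. A dump counts as changed when its row fingerprint
    differs from the previous day's, or when `marker` appears in any row.
    Legitimate edits change the fingerprint too, so inspect the diff before
    restoring. Returns (None, None) if nothing changed, and (None, day) if the
    earliest dump is already tainted."""
    prev_fp = prev_day = None
    for day in sorted(dumps):
        fp = fingerprint(dumps[day], table)
        tainted = marker is not None and any(marker in r for r in table_rows(dumps[day], table))
        if tainted or (prev_fp is not None and fp != prev_fp):
            return (prev_day.isoformat() if prev_day else None), day.isoformat()
        prev_fp, prev_day = fp, day
    return None, None


def weekly_rotation_keep(days, slots=7):
    """The scheme the thread warns about: only the newest `slots` copies
    survive, so a change that waits longer than that leaves no clean copy."""
    return {d.isoformat() for d in sorted(days)[-slots:]}


def retention_keep(days, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son selection: every copy from the last `daily` days,
    the newest copy of each of the last `weekly` ISO weeks, and the newest copy
    of each of the last `monthly` calendar months. Everything else may go."""
    days = sorted(days)
    keep = {d for d in days if (today - d).days < daily}
    newest_in_week, newest_in_month = {}, {}
    for d in days:                       # later days overwrite earlier ones
        newest_in_week[d.isocalendar()[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    keep.update(sorted(newest_in_week.values())[-weekly:])
    keep.update(sorted(newest_in_month.values())[-monthly:])
    return {d.isoformat() for d in keep}


if __name__ == "__main__":
    clean, changed = last_clean_snapshot(SAMPLE_DUMPS, marker=MARKER)
    print("last clean dump:", clean, "- first tampered dump:", changed)
    print("7-slot rotation still has a clean copy:", clean in weekly_rotation_keep(SAMPLE_DUMPS))
    kept = retention_keep(SAMPLE_DUMPS, NOTICED)
    print("GFS keeps:", sorted(kept))
    print("GFS still has a clean copy:", any(k < changed for k in kept))
```

With the constructed dates, the 7-slot rotation holds only 22 to 28 February, every one of them poisoned, while the grandfather-father-son selection keeps 20 February as the newest copy of its ISO week, which is the one to restore. The fingerprint check is what tells you the database changed on the 22nd even though nothing looked different on the site until later.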

robbyp (1199 posts, Uber Geek) #445001 2-Mar-2011 22:26

The web host's logs should show exactly how the files were uploaded. If they were uploaded via FTP, then it could be that hackers got hold of the FTP login details. Otherwise it could be that you are using an old version of the CMS, and they have hacked it through that. People who have a CMS must factor in the cost and time of regularly updating it. It does sound odd if there are several accounts on the server that are all affected. Do you have a phpinfo.php page for the site so that we can see the server and PHP software setup?

LennonNZ (2459 posts, Uber Geek) #445012 2-Mar-2011 22:46

Most hacks I've found in the past are due to bugs in CMSs (people not upgrading, or installing software they have no idea how to use/secure).

As (whoever) changed the content, they would most likely have needed to POST something to the web server (hacking via FTP is very uncommon), so search for POSTs in your log files around the time it got hacked and you can usually find out how someone did it.
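LennonNZ's suggestion, worked through as an added example (not code from the thread or from any poster): parse Apache/nginx combined-format access logs, pull out the POSTs in a window around the defacement, keep the ones the server accepted against the admin backend, a component task URL, or a PHP file under a directory the CMS should only write data to, then pivot on each flagged address to see everything it did. The log lines, addresses (documentation ranges) and paths are constructed; `com_example` and `sh.php` are placeholders, not real components or files.

```python
"""Triage a web server access log for POST requests around a compromise.

Added example: not code from the Geekzone thread or from any poster. It
assumes the Apache/nginx "combined" log format. The log lines, addresses
(documentation ranges) and paths below are constructed; `com_example` and
`sh.php` are placeholders, not real components or files.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: an accepted admin POST a week before the defacement,
# then a burst from one address on the day it was noticed.
SAMPLE_LOG = """\
192.0.2.44 - - [20/Feb/2011:10:30:00 +1300] "POST /administrator/index.php HTTP/1.1" 200 0 "-" "curl/7.21"
203.0.113.7 - - [28/Feb/2011:02:14:07 +1300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2011:02:14:09 +1300] "GET /index.php?option=com_example&view=form HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2011:02:14:20 +1300] "POST /index.php?option=com_example&task=upload HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2011:02:14:25 +1300] "GET /images/stories/sh.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2011:02:14:41 +1300] "POST /images/stories/sh.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Feb/2011:09:03:11 +1300] "POST /index.php?option=com_contact&task=submit HTTP/1.1" 303 0 "http://www.example.co.nz/contact" "Mozilla/5.0"
192.0.2.44 - - [28/Feb/2011:10:30:00 +1300] "POST /administrator/index.php HTTP/1.1" 403 0 "-" "curl/7.21"
""".splitlines()

# What makes an accepted POST worth a look on a Joomla/WordPress-style site.
SUSPICIOUS = [
    ("admin backend", re.compile(r"^/(administrator|wp-admin|wp-login\.php)")),
    ("PHP file under a data directory", re.compile(r"^/(images|tmp|cache|media|wp-content/uploads)/.*\.php")),
    ("component task", re.compile(r"option=com_\w+.*task=")),
]


def parse_ts(text):
    """'28/Feb/2011:03:00:00 +1300' -> timezone-aware datetime."""
    return datetime.strptime(text, TS_FMT)


def parse(lines):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            rec["status"] = int(rec["status"])
            yield rec


def posts_in_window(lines, center, hours=24):
    """All POSTs within +/- `hours` of `center`."""
    lo, hi = center - timedelta(hours=hours), center + timedelta(hours=hours)
    return [r for r in parse(lines) if r["method"] == "POST" and lo <= r["ts"] <= hi]


def triage(lines, center, hours=24):
    """Accepted (status < 400) POSTs in the window that hit a suspicious path,
    each annotated with the matching reasons, oldest first."""
    findings = []
    for r in posts_in_window(lines, center, hours):
        reasons = [name for name, pat in SUSPICIOUS if pat.search(r["path"])]
        if reasons and r["status"] < 400:
            findings.append(dict(r, reasons=reasons))
    return sorted(findings, key=lambda r: r["ts"])


def flagged_ips(findings):
    return sorted({f["ip"] for f in findings})


def requests_from(lines, ip):
    """Everything one address did, in order: the first entries usually show
    how the attacker found the site and which URL got them in."""
    return [r for r in parse(lines) if r["ip"] == ip]


if __name__ == "__main__":
    noticed = parse_ts("28/Feb/2011:03:00:00 +1300")
    found = triage(SAMPLE_LOG, noticed, hours=24)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["path"], "<-", ", ".join(f["reasons"]))
    for ip in flagged_ips(found):
        print("\nhistory for", ip)
        for r in requests_from(SAMPLE_LOG, ip):
            print(" ", r["ts"], r["method"], r["path"], r["status"])
```

A hit is a starting point, not a verdict: the contact-form POST in the sample is flagged as well, and the 403 against the admin backend drops out because the server rejected it. If the first hit looks like the payload (a POST straight to a PHP file under `images/`) rather than the entry point, widen the window; as freitasm notes above, the database may have been changed days before the visible defacement, and the accepted admin POST from 20 February only shows up once the window covers it.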


buggerit (4 posts, Wannabe Geek) #445048 3-Mar-2011 06:54

hairy1: A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.


Hi Matt, No to both.

However, the admin login had not been accessed for a long time, which I immediately checked, so it was unlikely to be through the administrator backend using the default admin login (which I will be removing from now on though!).
I also reviewed the raw log files and could not find any suspicious POST activity. Maybe Orcon will be able to review the logs for each hacked site on their server and identify the pattern?

I just don't believe it's a CMS issue. It is most of the time, I agree. But for a whole lot of sites on one server maybe having an FTP account or admin backend account and password all hacked within days of each other seems strange.

hairy1 (3332 posts, Uber Geek) #445059 3-Mar-2011 07:56

Yeah. Agreed.

If you are running the latest version of Joomla I would be surprised if it was the CMS at fault particularly when several types of CMS are involved.....






styxgeist (32 posts, Geek) #445199 3-Mar-2011 15:53

Try searching for 'hacked by shiraz' and then filtering the results to show New Zealand.

All the URLs showing up in Google search, bar one, are resolving to 202.191.37.3, which I believe is iServe.
