Geekzone: technology news, blogs, forums
299 posts

Ultimate Geek


  # 444919 2-Mar-2011 17:56

buggerit: I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


It does seem a little dubious that different CMSs have been hacked, which points to the hosting company rather than a vulnerability in the software. In saying that, you shouldn't rely on your hosting partner/ISP to back things up, as it is really the individual's responsibility to do this.




Red Jet Web Services
- Affordable websites for small businesses
- Google Email setup and Migrations

BDFL - Memuneh
64949 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 444921 2-Mar-2011 17:56

Zeon: Yes true. It's funny timing actually as one of our IIS web hosting servers came under a DDoS attack last week mainly from Hong Kong. Think it was just random but the thing that protected us in that instance was the sh!thouse international we have =p.


A DDoS attack is in a very different league from social engineering hacks and defacements...


2877 posts

Uber Geek

Trusted
Lifetime subscriber

  # 444922 2-Mar-2011 17:58

buggerit: Interesting. My website uses Joomla CMS. If WordPress has been hacked then it seems to be either aimed at both or something deeper. I am with kiwiwebhost as well. What happened was the menus are all changed to Hacked By Shiraz (in MySQL), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page. You can no longer log in through Joomla. Orcon/iServe finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the MySQL tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? 




My views (except when I am looking out their windows) are not those of my employer.

BDFL - Memuneh
64949 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 444924 2-Mar-2011 18:00

buggerit: However, the backup still has the hacked menu info in the MySQL tables, so it's to an older version I must go... I guess.


This is an old tactic... Change the things behind the scenes but don't do the frontend change straight away. This way the "contaminated" database is copied over old backups (assuming an ISP/hosting provider does backups and uses a weekly rotation), which means with time all your backups are compromised.

Then at some time the defacement itself happens, as a time bomb.

As for using Joomla, now things are getting interesting.

So there are people with WP and Joomla seeing defacements?

 




3506 posts

Uber Geek

Trusted

  # 444925 2-Mar-2011 18:00

buggerit: Interesting. My website uses Joomla CMS. If WordPress has been hacked then it seems to be either aimed at both or something deeper. I am with kiwiwebhost as well. What happened was the menus are all changed to Hacked By Shiraz (in MySQL), and then as soon as you make the mistake of logging into the administrator back end the home page changes to a fiery skull, as does the administrator backend page. You can no longer log in through Joomla. Orcon/iServe finally restored the backup after 5 days of my site being down. However, the backup still has the hacked menu info in the MySQL tables, so it's to an older version I must go... I guess.

I really want Orcon/iServe to identify how it happened to my site and at least 5-6+ others on the SAME server. Did we all have the same vulnerability? Why are other sites around NZ and the world for that matter not getting the same hacked message if it is a Joomla and WordPress security issue? Maybe it is just a coincidence that our sites are all kiwiwebhost hosted.


What version of Joomla are you running? There are soooo many holes, especially with 1.0, and look at the number of patches for 1.5: we are up to 1.5.22 now....

I think the hackers target web hosts, which is why all the insecure sites from a particular host fall victim at the same time. I honestly don't think there is a problem with Orcon/iServe but rather holes in the software being exploited.




BDFL - Memuneh
64949 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 444927 2-Mar-2011 18:04

Another possibility, which I am exploring at the moment, is that all the installs, of different CMS, use the same MySQL database.

We won't know for sure until some Orcon employee confirms what's happened... I am making some inquiries.






4 posts

Wannabe Geek


  # 444938 2-Mar-2011 18:36

I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.

2877 posts

Uber Geek

Trusted
Lifetime subscriber

  # 444941 2-Mar-2011 18:40

buggerit: I am on version 1.5.22 of Joomla... since mid Dec 10. In my case I did the Joomla deployment.


Same version for me on my deployments (except a couple of new 1.6 sites).

A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.




My views (except when I am looking out their windows) are not those of my employer.

aw

273 posts

Ultimate Geek


  # 445000 2-Mar-2011 22:25

Regarding backups... For web hosting, I use a VPS (with Openhost) I can SSH into.

I have a script that runs a database dump on the VPS, then rsyncs that and the whole /var/www folder (and others) to my local server, then uses Areca Backup to archive that. The entire Areca archive is then rsync'd to one of several external hard discs, whichever is plugged in at the time. The Areca archive goes back a whole year.

Works pretty well. Hopefully the method described may prove useful for others looking to reliably back up their sites so they can easily go back. Also handy to see when files were changed as Areca sort-of lists file modification history - again, useful in the case of determining when you were hacked.
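As an added illustration of two points raised above (the "contaminated backup" time bomb, where a tampered database is quietly rotated over the clean copies, and the value of a backup history for working out when a change happened), here is a Python script that is not from the thread or from any of the posters. It fingerprints every row of every table in a series of mysqldump files, reports which tables changed between consecutive backups, and names the first backup in which a table that should be static (such as the Joomla menu table) changed, so the last clean backup can be restored instead of a "contaminated" one. The dump excerpts, dates and row values are constructed for the example; the `jos_menu`/`jos_content` table names assume the Joomla 1.5 default `jos_` prefix.

```python
import hashlib
import re
from collections import defaultdict

# One mysqldump INSERT statement per line: INSERT INTO `table` VALUES (...),(...);
INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)`.*?VALUES\s*(?P<rows>.+);$")
# One "(...)" row tuple, allowing quoted strings that contain parentheses or commas.
TUPLE_RE = re.compile(r"\((?:[^()']|'(?:[^'\\]|\\.)*')*\)")


def rows_by_table(dump_text):
    """Map table name -> set of SHA-256 fingerprints, one per inserted row."""
    tables = defaultdict(set)
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line.strip())
        if not m:
            continue
        for row in TUPLE_RE.findall(m.group("rows")):
            tables[m.group("table")].add(hashlib.sha256(row.encode()).hexdigest())
    return tables


def diff_dumps(older, newer):
    """Per changed table: (rows only in newer, rows only in older)."""
    a, b = rows_by_table(older), rows_by_table(newer)
    changes = {}
    for table in sorted(set(a) | set(b)):
        added, removed = b[table] - a[table], a[table] - b[table]
        if added or removed:
            changes[table] = (len(added), len(removed))
    return changes


def first_tampered_backup(dumps, watch_tables):
    """dumps: [(label, dump_text), ...] oldest first.

    Returns (label of the first backup in which a watched table changed,
             label of the last backup before that change,
             {table: (rows added, rows removed)})
    or None when no watched table ever changed. Tables that legitimately grow
    (articles, sessions, logs) do not belong on the watch list; menus, modules
    and user tables, which rarely change on a live site, usually do."""
    for (prev_label, prev), (label, cur) in zip(dumps, dumps[1:]):
        changes = diff_dumps(prev, cur)
        hit = {t: changes[t] for t in watch_tables if t in changes}
        if hit:
            return label, prev_label, hit
    return None


# Constructed dump excerpts standing in for three weekly backups.
DUMP_0210 = """-- constructed mysqldump excerpt, backup of 2011-02-10
INSERT INTO `jos_menu` VALUES (1,'Home','index.php?option=com_frontpage'),(2,'About','index.php?option=com_content&id=1');
INSERT INTO `jos_content` VALUES (1,'About us','<p>Welcome</p>');
"""
DUMP_0217 = """-- constructed mysqldump excerpt, backup of 2011-02-17 (one new article: normal growth)
INSERT INTO `jos_menu` VALUES (1,'Home','index.php?option=com_frontpage'),(2,'About','index.php?option=com_content&id=1');
INSERT INTO `jos_content` VALUES (1,'About us','<p>Welcome</p>'),(2,'News','<p>New stock in</p>');
"""
DUMP_0224 = """-- constructed mysqldump excerpt, backup of 2011-02-24 (menu rows silently renamed)
INSERT INTO `jos_menu` VALUES (1,'Hacked By Shiraz','index.php?option=com_frontpage'),(2,'Hacked By Shiraz','index.php?option=com_content&id=1');
INSERT INTO `jos_content` VALUES (1,'About us','<p>Welcome</p>'),(2,'News','<p>New stock in</p>');
"""
BACKUPS = [("2011-02-10", DUMP_0210), ("2011-02-17", DUMP_0217), ("2011-02-24", DUMP_0224)]

if __name__ == "__main__":
    for (pl, p), (cl, c) in zip(BACKUPS, BACKUPS[1:]):
        print(f"{pl} -> {cl}: {diff_dumps(p, c) or 'no changes'}")
    print("first tampered backup / last clean backup:", first_tampered_backup(BACKUPS, ["jos_menu"]))
```

Run against real dumps by reading each file into `BACKUPS` in date order; the article table shows up as changed every week, which is expected, while a change to the menu table between two backups is the signal that the defacement was already planted, so the backup before it is the one to restore.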

1163 posts

Uber Geek


  # 445001 2-Mar-2011 22:26

The web host's logs should show exactly how the files were uploaded. If they were uploaded via FTP, then it could be that hackers got hold of the FTP login details. Otherwise it could be that you are using an old version of the CMS, and they have hacked it through that. People who have a CMS must factor in the costs and time of regularly updating these. It does sound odd if there are several accounts on the server that are all affected. Do you have a phpinfo.php page for the site so that we can see the server and PHP software setup?

2399 posts

Uber Geek

Trusted

  # 445012 2-Mar-2011 22:46

Most hacks I've found in the past are due to bugs in CMSs (people not upgrading, or installing software they have no idea how to use/secure).

As (whoever) changed the content they would most likely have needed to POST something to the webserver (hacking via FTP is very uncommon), so search for POSTs in your log files around the time it got hacked and you can usually find out how someone did something.
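An added example of the log review suggested in the post above; it is not code from the thread or from any poster. It parses Apache combined-format access log lines, pulls out the POST requests inside a suspected compromise window, counts them per client address, and flags POSTs to script files under directories that should only hold uploaded or static files. The log lines, client addresses, paths and the `com_example` component name are constructed for the example; the `/images/`, `/media/`, `/cache/` and `/tmp/` directories are the standard Joomla 1.5 upload and cache locations.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format; the request line is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_ts(text):
    """'28/Feb/2011:03:12:45 +1300' -> timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def posts_in_window(lines, start, end):
    """All POST requests with start <= timestamp < end (bounds in the log's own format)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [rec for rec in map(parse_line, lines)
            if rec and rec["method"] == "POST" and lo <= rec["ts"] < hi]


def posts_per_client(posts):
    """How many POSTs each client address made in the window."""
    return Counter(rec["ip"] for rec in posts)


def posts_to_static_dirs(posts, static_dirs=("/images/", "/media/", "/cache/", "/tmp/")):
    """POSTs to .php files under directories that should never contain executable scripts:
    a strong sign of an uploaded script being driven, so worth reviewing first."""
    return [rec for rec in posts
            if rec["path"].split("?")[0].endswith(".php")
            and rec["path"].startswith(static_dirs)]


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2011:22:10:01 +1300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Feb/2011:02:14:33 +1300] "POST /index.php?option=com_example&task=upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Feb/2011:02:15:01 +1300] "POST /images/stories/img.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [27/Feb/2011:09:30:12 +1300] "GET /images/logo.png HTTP/1.1" 200 8192 "http://example.org/" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Feb/2011:14:05:00 +1300] "POST /index.php?option=com_contact HTTP/1.1" 303 0 "http://example.org/contact" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2011:08:00:00 +1300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    posts = posts_in_window(SAMPLE_LOG, "27/Feb/2011:00:00:00 +1300", "01/Mar/2011:00:00:00 +1300")
    for rec in posts:
        print(rec["ts"], rec["ip"], rec["path"], rec["status"])
    print("POSTs per client:", dict(posts_per_client(posts)))
    print("POSTs to scripts in static dirs:", [r["path"] for r in posts_to_static_dirs(posts)])
```

Feed it the raw access log for the site with `SAMPLE_LOG` replaced by the file's lines and the window set to the day or two before the defacement appeared; a contact-form POST from a visitor is normal, whereas a POST to a `.php` file inside the images directory, or a burst of POSTs from one address, is where to start reading.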


4 posts

Wannabe Geek


  # 445048 3-Mar-2011 06:54

hairy1: A couple of questions if it's ok:

- Did you change the default administrator username?
- Did you use something like jsecure to hide the administrator login?

Cheers, Matt.


Hi Matt, No to both.

However, the admin login had not been accessed for a long time, which I immediately checked, so it was unlikely to be through the administrator backend using the default admin login (which I will be removing from now on though!).
I also reviewed the raw log files and could not find any suspicious POST activity. Maybe Orcon will be able to review the logs for each hacked site on their server and identify the pattern?

I just don't believe it's a CMS issue. It is most of the time, I agree. But for a whole lot of sites on one server maybe having an FTP account or admin backend account and password all hacked within days of each other seems strange.

2877 posts

Uber Geek

Trusted
Lifetime subscriber

  # 445059 3-Mar-2011 07:56

Yeah. Agreed.

If you are running the latest version of Joomla I would be surprised if it was the CMS at fault particularly when several types of CMS are involved.....




My views (except when I am looking out their windows) are not those of my employer.

32 posts

Geek


  # 445199 3-Mar-2011 15:53

Try searching for 'hacked by shiraz' and then filtering the results to show New Zealand.

All the URLs showing up in the Google search, bar one, are resolving to 202.191.37.3, which I believe is iServe.
