Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
Website hacked. "Rooted"
I put together a website for my friend.
Got an email from him that said it's hacked... go to the site.. yeap, hacked. The home page says: "Hacked By GHoST61 Rooted!" http://www.rudtnersracing.com Can't access the site through my FTP program.. Tried the web hosting company's control panel and can access the files, but any changes I make to the index.html or php files that were changed won't save. Can't get in touch with the hosting company until tomorrow.. What should I be asking the hosting company, so that this doesn't happen again?
__________________
Don't feed the trolls. Don't quote the trolls http://www.southshoreperformanceny.com '69 911 GT-5 '75 914 GT-3 and others
Hilbilly Deluxe
Try resetting the FTP account password from the control panel.
Registered
Hehe. I haven't seen that in years. Sorry.
Gotta get a hold of the hosting co., have them reset the passwords and clean up. Also, make sure your passwords are at least 8 characters, using a mix of upper, lower, numbers and characters.
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
I am nervous to go in and reset passwords etc.. Afraid that the hacker may know or record what I am doing??
I use CuteFTP for file transfers; this is the error I get when trying to connect: "STATUS:> Getting listing ""... STATUS:> Resolving host name ns.web4you.net... STATUS:> Host name ns.web4you.net resolved: ip = 74.86.29.196. STATUS:> Connecting to FTP server ns.web4you.net:21 (ip = 74.86.29.196)... STATUS:> Socket connected. Waiting for welcome message... ERROR:> Can't read from control socket. Socket error = #10054 " which leads me to believe I can't fix anything from my end. Have to wait for the hosting company to take care of it.. I believe this is a vulnerability at the hosting company.. What should I ask them to do so my (my friend's) site doesn't get hacked? BTW only two files were changed.... Can I change permissions on those files so I am the super user?
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
Weird...
only links to the index don't work.. I think I may not be saying this correctly follow this link :: R U D T N E R S * R A C I N G * G R O U P :: it works...
Registered
Join Date: Jan 2003
Location: IL
Posts: 1,638
Most likely the server itself has been 'hacked', not just your site and FTP accounts. I would assume it's a shared hosting environment (many websites hosted from the same machine). Once that has been compromised... they have access to all the sites and will rewrite the index/default pages.
I would seriously consider moving to a better hosting service with 24/7 tech support.
__________________
Database and Website Consulting Services in Chicago
Registered
Tim, these types are not after any info. They simply are "tagging" in the cyber world. They set up scripts that run against servers out there and try to exploit weaknesses, such as in the FTP servers and webservers. When the script finds a weak one, it can inject crap into users' root folders, such as yours. I bet a lot of other customers at your hosting site have been 'pwned' as well.
They usually copy your homepage over and insert the one you see, leaving your website mostly functioning. Dave
__________________
Make sure to check out my balls in the Pelican Parts Catalog! 917 inspired shift knobs. '84 Targa - Arena Red - AX #104 '07 Toyota Camry Hybrid - Yes, I'm that guy... '01 Toyota Corolla - Urban Camouflage - SOLD
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
I figured that my site was not targeted specifically...
Yes, it's just the index.*** files that were changed.. Any of the other links to my site work..
I do still have access to the root folders through hosting services control panel... I know just enough about this stuff to be dangerous LOL
Registered
Two scenarios.. One, they just moved a page or two around and that's it. The hosting service needs to make sure that all of their SW is up to date, web, ftp, ssh... Any of those can be compromised and end up where you are.
The other is that the page was changed AND other SW was installed, such as IRC, or client SW to turn your server into a torrent provider... If it's the latter, you need to search the directory carefully; they usually hide their dirs... I'm guessing that your provider is using Linux for their servers. If dirs were set up, you would see something like... .src .xyz .(something) It will be random. I'm going to say that you just had one or two pages changed and nothing more. This type of attack is usually only to rack up points amongst the hacker wannabes.
The Unsettler
There's an exploit that's been running around the last couple of years.
It grabs all your stored FTP info and phones it home. Then home loads a script that searches the directory structure looking for index files. Usually just adds a redirect to another site. Check your local machine before you change passwords or you might just be back at square one. One of my clients got hit. He hired a DB guy and all hell broke loose. Had 15 sites get hit at the same time.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won" Last edited by stomachmonkey; 10-04-2010 at 05:57 PM.
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
Looking at a backup copy of my site... I see an additional index file..
an index.php. Can I just delete this if I am in the hosting company's control panel?
The Unsettler
Search by date. You'll notice all the index.html files have the same mod date.
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
Thanks guys... I have played with this a bit and it is apparent that it is a global problem for this hosting company...
I have deleted the new index (html and php) files and the problem still exists.
Registered
Your host runs:
Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14 Server at
Apache is up to date. OpenSSL is now at 0.9.8o, though your hosting co is using a version for RedHat Linux. AFAIK, Frontpage extensions have been shelved for a number of years now. PHP is now at 5.3.3.
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
There are additional files added at the host compared to the backup copy of the site that I have. I burn a copy to disc every month.
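The advice in this thread boils down to one procedure: compare the monthly backup against what is now on the host, look for new files (an extra index.php, a random dot-directory such as .src), and notice that every defaced index file carries the same modification time. The script below is an added example, not code from any poster, that does exactly that over two local directory trees. It assumes the live copy has already been downloaded next to the backup; the sample trees it builds (file names, contents and the timestamp 1286200000) are constructed for the demo and are not the real site.

```python
"""Added example: diff a known-good site backup against the live copy."""
import hashlib
import os
import tempfile
from pathlib import Path

# Files a mass-defacement pass typically overwrites or drops in.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: Path) -> dict[str, Path]:
    """Map every regular file under root (dot-directories included) to its
    full path, keyed by the POSIX-style relative path."""
    found: dict[str, Path] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            found[full.relative_to(root).as_posix()] = full
    return found


def compare_trees(backup: Path, live: Path) -> dict[str, list[str]]:
    """Report files added, missing or changed on the host, by content hash."""
    old, new = list_files(backup), list_files(live)
    added = sorted(set(new) - set(old))
    missing = sorted(set(old) - set(new))
    modified = sorted(rel for rel in set(old) & set(new)
                      if sha256_of(old[rel]) != sha256_of(new[rel]))
    # A new directory whose name starts with "." is what the thread says to
    # look for (".src", ".xyz" and the like); check every parent component.
    hidden_added = sorted(rel for rel in added
                          if any(p.startswith(".") for p in Path(rel).parts[:-1]))
    return {"added": added, "missing": missing,
            "modified": modified, "hidden_added": hidden_added}


def index_files_by_mtime(live: Path) -> list[list[str]]:
    """Group index-like files that share a whole-second mtime. One script
    touching every index page in a single pass leaves them all with the same
    timestamp, so any group larger than one is the tell."""
    groups: dict[int, list[str]] = {}
    for rel, full in list_files(live).items():
        if Path(rel).name.lower() in INDEX_NAMES:
            groups.setdefault(int(full.stat().st_mtime), []).append(rel)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_sample(root: Path) -> tuple[Path, Path]:
    """Constructed sample data: a clean backup and a live copy showing the
    kinds of changes described in the thread."""
    backup, live = root / "backup", root / "live"
    for base in (backup, live):
        (base / "images").mkdir(parents=True)
        (base / "images" / "logo.gif").write_bytes(b"GIF89a-placeholder")
        (base / "about.html").write_text("<h1>About the team</h1>")
    (backup / "index.html").write_text("<h1>Welcome</h1>")
    (live / "index.html").write_text("<h1>defaced placeholder</h1>")  # overwritten page
    (live / "index.php").write_text("<?php /* placeholder extra file */ ?>")  # extra index
    (live / ".src").mkdir()
    (live / ".src" / "notes.txt").write_text("placeholder")  # hidden dot-directory
    stamp = 1286200000  # constructed: one timestamp for both touched index files
    for name in ("index.html", "index.php"):
        os.utime(live / name, (stamp, stamp))
    return backup, live


def run_demo() -> dict:
    """Build the sample trees in a temporary directory and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_sample(Path(tmp))
        return {"diff": compare_trees(backup, live),
                "same_mtime": index_files_by_mtime(live)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the sample data the diff lists index.php and .src/notes.txt as added, index.html as modified, and the two index files as sharing one timestamp. Against a real download, run compare_trees on the backup and live directories and treat anything in hidden_added or modified as material to hand to the host, not something to clean by hand.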
Navin Johnson
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,765
OK time to get a new host...
Registered
You sell used medical equipment too? If not, you need to talk to your hosting co. A reverse lookup on your domain gives 74.86.69.21 as your website I.P. When I go to that I.P., I get a medical site instead.
You might also want to let them know that 74.86.69.19 and 74.86.69.16 (afaihost.com) were pwned too.
Last edited by slodave; 10-04-2010 at 06:33 PM.
The Unsettler
Refresh, you are seeing a cached page.
Registered
Me? Don't think so...
slodave@ns1:~$ nslookup admarneuro.com 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53
Non-authoritative answer:
Name: admarneuro.com
Address: 74.86.69.21
slodave@ns1:~$ nslookup rudtnersracing.com 192.168.0.34
Server: 192.168.0.34
Address: 192.168.0.34#53
Non-authoritative answer:
Name: rudtnersracing.com
Address: 74.86.69.21