Full Version: My site is being hijacked
Hostony Board > General Support > General Support
PeterDk
My site was hacked a few days ago and I've finally managed to get it up and running (just a simple family photo site - www.familyheard.com). Thanks to Hostony staff for the help in getting it back.

I've been checking my site records to see where it came from, and as noted in other posts in this forum it seems to have come mainly from some characters in Turkey. Amongst the records I noticed exit page URLs such as:

http://familyheard.com/~pinkiong/yaya/
http://familyheard.com/~maxigame/
http://familyheard.com/~bpgisme/main/

These are not my subdomains or sites, nor can I find any reference to them in any of my directories.

"Pinkiong" from what I can tell is another user here and also had his site hacked.

Any ideas as to what may be causing this? I don't have a clue as to whether this is a naming system problem or a Hostony issue.

PeterDk
Dark Hedgehog
Kind of weird.

Someone attempted to hack my site some time ago.
Stanly
PeterDk
It is not our issue. Only your script security holes can cause it, or somebody has stolen your password.
bpgisme
I saw that bpgisme thing! It links to my site! I have no idea why. It's listed in my Awstats as a referer site. I tried to figure out why and couldn't make heads or tails of it. That maxigame thing is also listed as a page on my site!

http://bpgisme.com/~maxigame/

There are some other odd things too. IP addresses that link to bpgisme that way too. What does that stuff mean?

Here's a list of what I'm finding:

http://64.4.43.250/cgi-bin/linkrd
http://67.15.42.48/~bpgisme/
http://64.4.36.250/cgi-bin/linkrd
http://www.familyheard.com/~bpgisme/
http://www.familyheard.com/~bpgisme/main/
http://67.15.42.48/~bpgisme/brainofbpgisme/

Help?

I just clicked that maxigame thing and it's a GAME SITE!!!!!! I don't go to game sites! How did it get attached to my website?

I'm gonna go do some looking around to get what else shouldn't be there!

Thanks,
Bonnie
bpgisme.com
bpgisme
I just sent a message to support.
I don't know if they can help or not, but I want to resolve this as quickly as possible and I don't have the slightest idea what it's doing or how to stop it.

-Bonnie
bpgisme
No, I have to find a PHP programmer. Great. Anyone know one?

Geez. This sounds like the end of my weblogs and I was really enjoying them....
PeterDk
Well, I'm poking around the MovableType forum to see if there are any answers. A few possible scenarios: an inserted CGI script (though I've searched all of my scripts already and nothing has come to light), or possibly some PHP bug. I'm talking about PHP itself, not any of the MovableType stuff, as it uses Perl.

There have been lots of attacks which seem to be focusing on PHPNuke. You just need to browse through the hack sites to see who they're after. I just wish I knew Turkish so I could decipher what they're writing about.

As for the end of your weblogs Bonnie, I don't think you need to worry yet. Was your site hacked? I notice that you're using Nucleus which I'm not familiar with. From your comments I assume it uses PHP.

Let's hope we can get to the bottom of this soon.

PeterDk
bpgisme
Yeah, I'm using Nucleus and I like it a lot.

I started a weblog as a gift for someone just last night and a message came up while I was installing it saying that I should change a setting in the config.php for each of my older ones. (I'm using an older version but the new one I set up is apparently a more recent version of Nucleus.) So, I did as they said, but it scared me, so I just went and snooped around my PHP files and changed more permissions. I think I'll go have a look at the Nucleus site and see if there's any info there.

You know, I really don't know what I'm doing with this stuff and I'm just using it all for the first time. (I've had websites for years, but none with PHP...) And I didn't change anything at all from what Fantastico set up..... Mainly because I just didn't know to.

Time to go do some learning I guess!

-Bonnie
Dark Hedgehog
If you are using PHPNuke, be sure to use the security updates they offer.

And update to 7.3, I need to get 7.4 X_X
artrocity
QUOTE(bpgisme @ Aug 29 2004, 05:56 PM)
There's some other odd things too. IP addresses that link to bpgisme that way too. What does that stuff mean?

Here's a list of what I'm finding:

http://64.4.43.250/cgi-bin/linkrd
http://67.15.42.48/~bpgisme/
http://64.4.36.250/cgi-bin/linkrd
http://www.familyheard.com/~bpgisme/
http://www.familyheard.com/~bpgisme/main/
http://67.15.42.48/~bpgisme/brainofbpgisme/


It looks like hackers are *trying* to find holes in this server.

Let's say there are 50 people on your server.
All 50 domains will resolve to one IP. [67.15.42.48] is server23 in this case.
I can access your site as 67.15.42.48/~bpgisme
familyheard is also on server23
familyheard resolves to 67.15.42.48
so I can access your site with the URL www.familyheard.com/~bpgisme/

If someone got access to /etc/passwd on that server
they go down the list and just append usernames to the known IP
and start looking for holes


The other links you listed there are Hotmail redirects:
http://64.4.43.250/cgi-bin/linkrd
Someone clicked on a link in an email message in Hotmail and
was redirected to your site.

Just make sure you don't have any world-writable files
and you *should* be OK.


QUOTE
It is not our issue.


I beg to differ. It is your issue when the server is compromised
and all customers on server23 are without service.

If Fantastico is leaving config files marked 777
then there is a problem YOU can solve.
If a customer is shut down for insecure scripts
then don't let them open up until all holes are closed.

Let's be proactive about these *issues*
bpgisme
Just went and got the updates. Now I'll go check for world writables.
bpgisme
I found two world writables in my guestbook. That's all I found.
I just added that guestbook maybe a week or two ago.

Still looking though, just in case I missed something.
PeterDk
Thanks artrocity for the insightful info.

Let's take your comments a step further. If, as an example, 50 sites resolve to IP 67.15.42.48, why is my domain name the one being used? Would this be an issue within that server as a whole or possibly just within a script on my site?

I'm checking my files and nothing yet. I have changed a few world writable files but no 777 files found.

I'm not happy with Stanly/sysadmin saying it's not their issue. You are responsible for the server and its users. We need help in determining where the problem lies, whether it be the server or one of the users' sites/scripts.

thanks,
PeterDk
artrocity
QUOTE
Let's take your comments a step further. If, as an example, 50 sites resolve to IP 67.15.42.48, why is my domain name the one being used? Would this be an issue within that server as a whole or possibly just within a script on my site?


I would attribute it to just BAD LUCK...

Others probably have similar URLs in their access logs.
They haven't checked the logs or don't know how to.

If I were a sysadmin, I'd look at ALL of the logs
and see if there were any patterns in where they were coming from.

(unless it wasn't my issue and then I'd do nothing
and wait for the next attack)
pinkiong
That's a serious security issue.

I can access my site through the others just by putting /~pinkiong

http://familyheard.com/~pinkiong/
http://bpgisme.com/~pinkiong/
http://67.15.42.48/~pinkiong/

To what number should the files be changed from 777?

Should all the files have the same number?
Danimal
QUOTE(artrocity @ Aug 30 2004, 12:30 AM)
I beg to differ. It is your issue when the server is compromised
and all customers on server23 are without service.

If Fantastico is leaving config files marked 777
then there is a problem YOU can solve.
If a customer is shut down for insecure scripts
then don't let them open up until all holes are closed.

Let's be proactive about these *issues*

I agree, and in that quote lie the two solutions:

1) Hostony should remove Fantastico if it's not installing scripts properly

2) Hostony should suspend the accounts of people who don't know how to configure a script and pose security threats.

And that's it. Hostony's not responsible for a user's ignorance and is not here to debug scripts (including Fantastico itself) for people. They are responsible for making sure that a user's misconfigured script doesn't hurt anyone else's site though, so they should follow one of those two courses of action.

And I believe Stanly's comment referred to your initial post when you asked if it was a Hostony issue. It's not, it's a user error. However, Hostony can correct the error.
PeterDk
Well, I have an answer, in part at least, and it makes some sense.

The server with IP 67.15.42.48 is a shared server, as we know. Any number of registered domains exist within this IP. So, this IP can represent any one of the domains. For example, I was nervous about my domain having another attached to it, e.g. http://familyheard.com/~pinkiong/yaya/ or
http://familyheard.com/~maxigame/

However, because it's shared and we all reside there, the alternate names work too:
http://bpgisme.com/~familyhe/
http://www.pinkiong.com/~familyhe/

There's apparently nothing wrong with this; it's just the way a shared server is set up. I'm not thrilled with this setup, but it makes sense. I haven't read my agreement lately but I believe we have the option of getting individual static IPs.

Thanks to Gleb at Hostony support for clearing this up. Alternatively, Stanly from sysadmin should have been able to clear this up with his first posting to this thread instead of blaming the customers.

Thanks to all who posted here. Chalk it up to a learning experience. I'll be reading up on security....

PeterDk
artrocity
Exactly, Peter.
It's just the nature of shared hosting;
it's not a security issue.

re: pinkiong
To what number should the files be changed from 777?
Should all the files have the same number?

It's a bit more complex than that.

You have three groups.
The "u" is for "user", "g" for "group", and "o" is for "others",
and you have three permissions:
read, write, and execute.
Let's give these permissions a weight:
r=4 w=2 e=1
Add them up for each group and come up with the values.

With me so far...?

So 777 = rwxrwxrwx
everyone can do anything to the files
755 = rwxr-xr-x
user can do anything; group and others can't write

Does that help?

Google "file permissions" for more info
or consult the script's docs for exactly what they should be set to.

It's not a one-number-fits-all solution.
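An added example (not from the thread or any poster): the octal-to-rwx arithmetic artrocity describes, a check for the "others can write" bit that made 777 the problem here, and the world-writable file hunt the posters did by hand, as a `find` command. POSIX sh; the directory names are whatever you pass in.

```sh
#!/bin/sh
# Added example, not part of the thread: per-group weights r=4, w=2, x=1,
# summed to one octal digit each for user, group and others.

# Print the rwx triple for one octal digit, e.g. rwx_of_digit 5 -> r-x
rwx_of_digit() {
  r=-; w=-; x=-
  if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
  if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
  if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
  printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_rwx 755 -> rwxr-xr-x. A 4-digit mode such as 0644 is accepted;
# its leading setuid/setgid/sticky digit is ignored by this function.
mode_to_rwx() {
  case $1 in
    [0-7][0-7][0-7])      m=$1 ;;
    [0-7][0-7][0-7][0-7]) m=${1#?} ;;
    *) echo "not an octal mode: $1" >&2; return 1 ;;
  esac
  u=${m%??}; go=${m#?}; g=${go%?}; o=${go#?}
  printf '%s%s%s\n' "$(rwx_of_digit "$u")" "$(rwx_of_digit "$g")" "$(rwx_of_digit "$o")"
}

# is_world_writable MODE: succeeds when the "others" digit carries the
# write bit (2). 777 and 766 qualify; 755 and 644 do not.
is_world_writable() {
  o=${1#"${1%?}"}   # last digit = others
  [ $((o & 2)) -ne 0 ]
}

# find_world_writable DIR: list regular files under DIR that anyone on the
# box may modify. -perm -002 matches every mode that includes others-write,
# which is exactly what a shared host's other users could abuse.
find_world_writable() {
  find "$1" -type f -perm -002
}
```

Typical use on a shared account is `find_world_writable ~/public_html`; anything it lists is a candidate for `chmod 644` (data and config files) or `chmod 755` (directories and CGI scripts), subject to what the script's own docs require.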
artrocity
QUOTE(Danimal @ Aug 31 2004, 05:04 PM)
QUOTE(artrocity @ Aug 30 2004, 12:30 AM)
I beg to differ. It is your issue when the server is compromised
and all customers on server23 are without service.

If Fantastico is leaving config files marked 777
then there is a problem YOU can solve.
If a customer is shut down for insecure scripts
then don't let them open up until all holes are closed.

Let's be proactive about these *issues*

I agree, and in that quote lie the two solutions:

1) Hostony should remove Fantastico if it's not installing scripts properly

2) Hostony should suspend the accounts of people who don't know how to configure a script and pose security threats.

And that's it. Hostony's not responsible for a user's ignorance and is not here to debug scripts (including Fantastico itself) for people. They are responsible for making sure that a user's misconfigured script doesn't hurt anyone else's site though, so they should follow one of those two courses of action.

And I believe Stanly's comment referred to your initial post when you asked if it was a Hostony issue. It's not, it's a user error. However, Hostony can correct the error.

We had this same discussion when the
customer base was clamoring for
Fantastico.

http://forum.hostony.com/index.php?showtop...t=15&#entry7010
bpgisme
Whew! I'm glad to know that, PeterDK....

I've been checking and rechecking everything on my site. In fact, I think I've learned more about what scripts I have up on my site because of it. I still may make some changes though. This issue creeped me out.

An apparently "ignorant" user,
Bonnie
pinkiong
First of all, thanks artrocity. It did help. When I read it, it reminded me
of a subject I did at uni called operating systems. We had to use Unix. There are
commands like ls, man, gcc, etc.

QUOTE
There's apparently nothing wrong with this its just the way a shared server is setup. I'm not thrilled with this setup, but it makes sense. I haven't read my agreement lately but I believe we have the option of getting individual static IP's.
On the page for hosting I can see the following additional services:
Account Upgrades, Account Downgrades, Additional WebSpace 300 Mb,
Additional Bandwidth 1 Gb, Addon domain. I didn't see the static IP
option but I also believe we can have that option. Most hosting companies
I've visited provide that function for an additional fee each month.

QUOTE
An apparently "ignorant" user, 
Bonnie

Humm... compared to you, Bonnie, what shall I call myself? Oh I know, a
completely ignorant user.
bpgisme
laugh.gif
Stanly
QUOTE
On the page for hosting I can see the following additional services:
Account Upgrades, Account Downgrades, Additional WebSpace 300 Mb,
Additional Bandwidth 1 Gb, Addon domain. I didn't see the static IP
option but I also believe we can have that option. Most hosting companies
I've visited provide that function for an additional fee each month.

You have a static IP. All IPs are static on our servers.
But I think you don't know the difference between a static IP and a dedicated IP.
A static IP is an IP address that never changes.
A dedicated IP is an IP address that has ONLY 1 DOMAIN NAME assigned to it. We also provide this service for $3 per month.

A shared IP has a lot of domain names assigned to it.
But a link like http://domain.com/~username/ can't be used for hacking.
Danimal
QUOTE(artrocity @ Aug 31 2004, 10:57 PM)
We had this same discussion when the customer base was clamoring for Fantastico.

As I was typing that yesterday I knew I had discussed that before with someone, but I couldn't remember who. Thanks for jogging my memory.
bpgisme
Does this affect our bandwidth? I mean, the top of the top 25 URLs on supposedly MY website are for pages on Maxigame, which has nothing to do with me!

/~maxigame/ 287 28.50 KB 3 1
/~maxigame/index.php 201 34.08 KB
/~maxigame/includes/comments.php 135 2.36 KB
/~maxigame/popup.php 125 3.97 KB
/~maxigame/includes/sendtoafriend.php 124 2.74 KB
/~maxigame/includes/rate.php 121 390 Bytes
/ 87 755 Bytes 24 12
/brainofbpgisme/index.php 65 17.05 KB
/thebrain/blog.html 45 6.64 KB 2 2
/brainofbpgisme/nucleus/index.php 41 14.14 KB
/brainofbpgisme/ 36 13.86 KB 17 15
/~maxigame/webmasters.php 26 835 Bytes

I really don't like this.

I might consider the Dedicated IP..... It stops this problem?


-Bonnie
bpgisme.com
bpgisme
Nevermind.

I decided to go ahead and get the dedicated IP.

Only $3, why not.....
alden
Just to let you all know, every day I get in the error logs that somebody is trying to hack through this:
/_vti_pvt/service.pwd
Make sure your service.pwd is chmodded correctly to avoid them getting it.
Bluefin221
I use PHPnuke and was also hacked a while ago by spykidz; I was unaware at the time that this could happen. I ended up getting a thing called Protector System that monitors your PHPnuke site for Union breaches and SQL injections. It's very good and costs nothing. I could direct people to the site if they need it; just send me a PM and I will gladly share the Protector System.