hi guys
the site was defaced probably due to really old openssl versions etc
here's the server's details
Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.2 PHP/4.3.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.6b
it's more than likely rootkitted by now
I've put up a temp index.php page just to alert people that it's down but below is a screenshot of the defaced page
cheers
anyweb
[Attached image: post-38-1072184360.png]
from what i can see the website was hacked at 1:58AM
the hacker copied index.html (946 bytes) to every single folder in the website layout,
i am attempting to remove the offending file from all those folders, and I'm making a backup of the site right now (takes time over ftp)
however, if they got in, then the site/server is compromised and could have rootkits installed
the hacker... uses 'their' logo from this address
http://www.tr0yck.blogger.com.br/ which is in brazil channel #Ir4dex on irc.brasnet.org
so that's where you can start to look for them,
cheers
anyweb
Nice. At least the deface wasn't anything explictive or anything. That's at least a positive side. Thanks for that info, this could be the start of something fun. :P
Sorry to hear about the defacing, but I like a challenge, and I feel like fighting back. Go go go....
478 index.html's, man, these guys are assholes...
it looks like everything was up to date. My guess is they got someone's account and got in that way
Hacked? lol......
Anyweb mate it's your forums you're the one that's supposed to help others lol!
it's NOT my forums dude, it's the forums of a CLAN that i happen to be a member of,
the site that was hacked was
http://www.clanhtas.net
their site was rooted, i'm just reporting it here and doing what i can to help
my site (https://www.linux-noob.com) has nothing to do with the clan site,
cheers
anyweb
i got the site back up by
ftping the entire content down locally,
deleting all index.htmls and index.php's that were created
taking a backup of the site from october and overwriting the current one with that and then ftp'ing that all back to the site
seems to work now at least, and the host says the server wasn't rooted, that the hackers exploited a vulnerability (which they won't tell) and all is updated and ok now
that's good for xmas
cheers
anyweb
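A read-only version of the clean-up step described in the posts above (one 946-byte index.html copied into every folder, then a restore from the October backup), as an added example that is not part of the original thread. It lists files byte-identical to one known copy of the defacement page and, when given a clean backup tree, files that did not exist in that backup; the function names, directory layout and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large site assets are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted(mirror, sample, backup=None):
    """Return (copies, new_files): sorted paths relative to the mirror root."""
    want_size, want_hash = os.path.getsize(sample), sha256_of(sample)
    copies, new_files = [], []
    for dirpath, _dirs, files in os.walk(mirror):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mirror)
            # Cheap size check first; hash only when the size matches.
            if os.path.getsize(full) == want_size and sha256_of(full) == want_hash:
                copies.append(rel)       # byte-identical to the defacement page
            elif backup and not os.path.exists(os.path.join(backup, rel)):
                new_files.append(rel)    # absent from the clean backup: review it
    return sorted(copies), sorted(new_files)


def build_demo(root):
    """Constructed sample data: a clean backup tree and a defaced mirror."""
    for tree in ("backup", "mirror"):
        for d in ("", "forum", "images"):
            os.makedirs(os.path.join(root, tree, d), exist_ok=True)
        with open(os.path.join(root, tree, "index.php"), "wb") as f:
            f.write(b"<?php echo 'home'; ?>")
    for d in ("", "forum", "images"):
        with open(os.path.join(root, "mirror", d, "index.html"), "wb") as f:
            f.write(b"D" * 946)  # stand-in for the 946-byte index.html
    with open(os.path.join(root, "mirror", "forum", "index.php"), "wb") as f:
        f.write(b"<?php /* not in backup */ ?>")
    return os.path.join(root, "mirror"), os.path.join(root, "backup")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        mirror, backup = build_demo(tmp)
        print(find_planted(mirror, os.path.join(mirror, "index.html"), backup))
```

Matching on content rather than file name keeps legitimate index.html pages out of the list, and the second list points at files worth keeping as evidence before anything is deleted.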
I meant that this linux n00b is your forums...
What can u and longbow do to secure HTAS' forums and prevent the bored hackers from hacking to our site again?
And thanks a lot to you and longbow for fixing the site :)