Got my major site hacked


#1

Someone this morning was able to successfully add an index.html file and a file called installasi.php. I’m on a dedicated server; the main site I’m talking about is www.ffxionline.com.

The index file contained:

Hacked by Metlek
NO War
Stop War

and some image of war.

and the installasi.php had:
#CIREBONHACKER IRC DAL.NET http://rst.void.ru 1.24

/* ©AnGGands ON #CIREBONHACKER IRC DAL.NET

0/* RST/GHC http://anggands.biz

/* ANY MODIFIED REPUBLISHING IS RESTRICTED

I have no idea how they were able to access my main FTP to transfer those files; they didn’t touch anything except for the added index.

Anyone have an idea how they were able to add those files? I have taken measures to disable SSH on all 10 accounts I have except my main one, and changed the passwords on all of them to randomly generated passwords. The PHP script was detected as a virus by my PC scanner, so I disabled it and downloaded and viewed it with my notepad. It seems like it tries to connect to MySQL using a password list and brute forcing.

Anyone run into a similar situation? This really ticks me off, but I’m glad they didn’t do any damage. What should I be checking for? I checked all the directories and they seemed normal for now.


#2

I hope you contacted support.

My first suspicion would be that someone entered through a vBulletin vulnerability. The latest version is 3.6.0, and you’re running 3.0.7.

-Scott


#3

Hmm, yes, I notified the support. I’m actually in the process of working on a new site with the newest vbb build.


#4

This may be of interest to you:

http://secunia.com/product/3212/

It sounds like you took some good actions, but upgrading vb should definitely be top priority for you right now.

Check out Gordaen’s Knowledge, the blog, and the MR2 page.