Have I been hacked?


#1

I have the Mint web stats program installed for one of the sites I host. Recently, I started seeing a whole bunch of odd referrers showing up - drug searches, the usual spam queries. I assumed this was referrer spam, and since Mint is supposed to be the one program that works against referrer spam, I was puzzled.

Clicking on any of the queries did show my site in the search results. However, when I posted on the Mint forum, the admin there did some searches against the search terms and found PAGES AND PAGES of results seemingly on my site. They all look like this:

metsgrrl.com/?p-GyjJLllHQkStwStJwfSEwRQkJSkJupX
metsgrrl.com/?p-HWbzHIQtHkwzQlSwwW
metsgrrl.com/?sid=RTZSnnSRJlwQnwBHRQzHkwHkwLJSfQqwg

If you go to Google and do a search on “vicodin dosage” and limit the results to metsgrrl.com, you will get OVER 10 PAGES OF RESULTS.

I manage the site via Expression Engine.
There are no entries in the CMS that are not valid entries.
I changed the password in EE.
I am on the site via FTP fairly regularly and haven’t seen anything there that I did not install (and I haven’t installed very much, so that’s pretty easy to suss out), and from the URLs above I’m looking for something in /root anyway, but I don’t see anything.
Are these db entries?

I’ve changed ALL my DH passwords.
Yes, I have emailed support.
But in the meantime I was hoping someone has had this happen to them and they’d say, “Oh, yeah, that, here’s what you have to do,” or that a DH staffer would see this and say ‘OMFG this is a real problem’ and 1) tell me what I can do and 2) escalate it or 3) explain how they are spoofing it to make it look like the pages are on my site.

Thanks in advance for reading and for any assistance you can offer.


#2

From what I can tell the possibilities are:

  1. Your CMS source code has been compromised
  2. Your .htaccess file has been compromised

The reason I suspect .htaccess or your CMS source is because according to Firebug the response from your site is simply a frameset document. So it would not be caused by JavaScript or someone putting entries into your CMS (unless your CMS is so insecure that it lets entries override its output altogether).

Anyway, you may need someone with the technical expertise in web development to take a look under the hood of your site. Well, at least I wish I could, to find out what the exploit is, because there is no guarantee that simply deleting all code and re-installing would prevent this from happening again.

:cool: openvein.org -//- One-time $50.00 discount on DreamHost plans: Use ATROPOS7


#3

Atropos, much respect for taking a look at my problem.

I am starting to lean towards the side of Mint being the problem, because when I look at the DH web stats logs, I see a lot of genuine referrers, and none of the referrers I’m seeing in Mint. NONE.

I tried uninstalling Mint and it just hosed my site. So I’m starting to suspect there is some truth there.

Hopefully the DH folks in support will take a look at this case eventually.


#4

There was a line in .htaccess that read:

    # Uncomment if you are getting ?pt_sid=xxxxxxxxxxx at the end of every link in your knowledge base

That is exactly what the links looked like, that syntax, so I uncommented it. Now the links are out there in the search engines, but they resolve to the index page of my site.

I do not know what this could have been.
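Two things raised in this thread can be checked mechanically rather than by eye: whether the server’s access log shows requests for the ?p-… and ?sid=… URLs (and whether search-engine crawlers are fetching them, which is how they end up in Google’s index), and whether a page response is just a frameset wrapping an off-site document, as Atropos saw in Firebug in post #2. The script below is an added example for this thread; it is not code from the original posts or from Mint, Expression Engine or DreamHost. The log lines, page bodies and host names are constructed for it, and the query-string pattern it looks for is an assumption based on the URLs quoted in post #1.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Apache "combined" log format, as used by most shared hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed pattern of the injected links quoted in the thread:
# ?p-<token>, ?sid=<token>, ?pt_sid=<token>, token = 8+ letters/digits.
SPAM_QUERY_RE = re.compile(r'^(?:p-|sid=|pt_sid=)[A-Za-z0-9]{8,}$')

# Crude but serviceable crawler check on the User-Agent string.
CRAWLER_RE = re.compile(r'bot|crawler|spider|slurp', re.IGNORECASE)

# Constructed sample log lines (IPs from documentation ranges).
SAMPLE_LOG = """\
66.249.65.10 - - [10/Mar/2009:10:01:02 -0700] "GET /?p-GyjJLllHQkStwStJwfSEwRQkJSkJupX HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.10 - - [10/Mar/2009:10:01:05 -0700] "GET /?sid=RTZSnnSRJlwQnwBHRQzHkwHkwLJSfQqwg HTTP/1.1" 200 811 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [10/Mar/2009:10:02:10 -0700] "GET /index.php/blog/entry/opening-day HTTP/1.1" 200 15233 "http://www.google.com/search?q=metsgrrl" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.7"
198.51.100.7 - - [10/Mar/2009:10:03:33 -0700] "GET /?p-HWbzHIQtHkwzQlSwwW HTTP/1.1" 200 812 "http://www.google.com/search?q=vicodin+dosage" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.7"
192.0.2.44 - - [10/Mar/2009:10:04:00 -0700] "GET /images/logo.png HTTP/1.1" 200 4021 "http://metsgrrl.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.7"
"""

# Constructed page bodies: one hijacked by a frameset, one normal.
HIJACKED_HTML = (
    '<html><head><title>metsgrrl</title></head>'
    '<frameset rows="100%,*" frameborder="0">'
    '<frame src="http://pharmacy-spam.example/landing?ref=metsgrrl" name="main">'
    '</frameset></html>'
)
CLEAN_HTML = ('<html><body><h1>Mets blog</h1>'
              '<iframe src="http://www.metsgrrl.com/widget"></iframe></body></html>')


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spam_query(path):
    """True when the request path carries one of the injected-link query patterns."""
    if '?' not in path:
        return False
    return bool(SPAM_QUERY_RE.match(path.split('?', 1)[1]))


def scan_log(text):
    """Count requests for injected URLs and how many of them came from crawlers."""
    summary = {'total': 0, 'spam_hits': 0, 'crawler_spam_hits': 0,
               'unparsed': 0, 'spam_paths': Counter()}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            summary['unparsed'] += 1
            continue
        summary['total'] += 1
        if is_spam_query(rec['path']):
            summary['spam_hits'] += 1
            summary['spam_paths'][rec['path']] += 1
            if CRAWLER_RE.search(rec['ua']):
                summary['crawler_spam_hits'] += 1
    return summary


class _FrameCollector(HTMLParser):
    """Collects <frameset> presence and every <frame>/<iframe> src in a document."""
    def __init__(self):
        super().__init__()
        self.frameset = False
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'frameset':
            self.frameset = True
        elif tag in ('frame', 'iframe'):
            src = dict(attrs).get('src')
            if src:
                self.frame_srcs.append(src)


def _collect(html):
    p = _FrameCollector()
    p.feed(html)
    return p


def external_frames(html, own_host):
    """Frame/iframe sources whose host is neither own_host nor a subdomain of it."""
    own = own_host.lower()
    found = []
    for src in _collect(html).frame_srcs:
        host = (urlparse(src).hostname or '').lower()
        if host and host != own and not host.endswith('.' + own):
            found.append(src)
    return found


def is_hijacked_page(html, own_host):
    """True when the response is a frameset that pulls in an off-site document."""
    return _collect(html).frameset and bool(external_frames(html, own_host))


if __name__ == '__main__':
    s = scan_log(SAMPLE_LOG)
    print(f"{s['spam_hits']} of {s['total']} requests hit injected URLs; "
          f"{s['crawler_spam_hits']} of those came from crawlers")
    for path, n in s['spam_paths'].most_common():
        print(f"  {n}x {path}")
    print('hijacked frameset:', is_hijacked_page(HIJACKED_HTML, 'metsgrrl.com'))
```

Run it against the real access log (DreamHost keeps them under the user’s logs directory) by passing the file contents to scan_log, and against the body of a fetched page with is_hijacked_page. Crawler hits on the injected URLs explain why the spam shows up in Google rather than in the DH stats; a frameset pointing off-site confirms the response itself, not the CMS content, is being rewritten, which points at .htaccess or the CMS bootstrap code, as Atropos said.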


#5

I don’t know your CMS, but sometimes cases like that are pingback spam or trackback spam… I was getting a lot of these from Russia, and had to write my own lines in .htaccess via mod_rewrite to keep these guys out.

By the way, it is always a good idea to check the CMS dev site to see if an advisory or security release has been made.

Use VIC3M to get a 50USD discount on all plans + 10% on storage and bandwidth, or VICM3 to get the maximum discount on sign up.


#6

If the pages mentioned above actually return (spam) results, then it’s not just trackback spam, but a break-in.

What CMS are you using?


#7

This is definitely a break-in, because as of this morning my site is dead. Files are still on the server and I’m grabbing them now, but I have no confidence that there isn’t exploit code somewhere in there.

I have notified DH and I would like to think that a break-in would be of interest to them, but it would appear not so much so far.

I am using Expression Engine.

I have a Movable Type installation also on the server (different URL, obviously) that hasn’t been compromised (so far).

Any ideas on what I can do? Besides move lock, stock and barrel to a new host with a clean EE install?


#8

…and then it comes back. And then it seems to disappear again.

At first I thought DH had disabled the site while they were investigating the exploit. I have no idea what is going on right now.


#9

DreamHost says it has to be a third-party script. I have a Flickr script, Google AdSense, and another ad network.

That’s it.

I somehow doubt those are the causes of the exploit.

Expression Engine claims it is a PHP update that is needed.

So is the debugging step here for me to remove Flickr, AdSense, and the other ad network, and see if the exploit stops?