My web site has been hacked


#1

Hello - first time post, please be gentle with me!

Yesterday, my web site, hosted here, was hacked.

Is there a procedure to follow to determine who was responsible for such action?

Please point me in the right direction!

Thank you!


#2

Being gentle, there are a number of recent threads in this forum discussing the recent hack issues, there are also several pages available in the wiki that can be found by searching. You might want to do a bit of research and come back with more specific questions.


#3

Many thanks for responding. I’ve had a good explore, but found nothing relevant to me.

I was deliberately targeted yesterday. I want to know if DreamHost can identify the culprits.

Who do I contact to put the wheels in motion?



#4

If you have submitted a ticket, DH will get back to you with information about cleaning up the hacked files on your server that should help guide you. This is something that you, as the webmaster of your hacked domain, will have to take care of.

There is a lot of good info in the long thread here that should give you the info you need to clean-up your site (or you may just want to re-install it from back-ups) and get it more secure.

http://discussion.dreamhost.com/thread-134262.html

Most likely, out of date installations on your server (WordPress, Joomla, out-of-date or insecure plug-ins and themes!, or other PHP-based sites) allowed this hack. You aren’t being personally targeted, MANY sites here and at other servers have been hacked recently. Sites are targeted by these hack-bots daily.

Also read this:

This post (from page six of that long thread) by dhtr lays out the basic steps you need to take to clean up the files and find open directories.
http://discussion.dreamhost.com/thread-134262-page-6.html
From: dhtr RE: Sites hacked

[quote]I finished cleaning up all of my sites last night.

Here’s the process I used to cleanup an infected site:

Run command line version of the 2.4 cleaner script shown above, using this shell command (let it fully complete -- sometimes takes a while!):
Code:
time php cleaner-cli_2.4.php 2>&1 >> cleaner_log
Find and remove those randomly named "payload" files mentioned above, using this shell command:
Code:
grep -Rinl "JGs9MTQzOy" * |xargs rm -f
Remove the .logs directory that sometimes shows up in web root, using this shell command:
Code:
rm -rf .logs
Locate any 777 / world-writeable directories, using this shell command:
Code:
find . -type d -perm -o=w
Set all 777 directories to 755. See reference at bottom of page here: http://wiki.dreamhost.com/Troubleshootin...irectories
Test any features that were uploading to the previously 777 directories, to make sure they still work.[/quote]

This, from Dreamhost’s Status blog has some more info about securing your site:
http://www.dreamhoststatus.com/2012/03/09/security-improvements-and-password-change-reminder/

Read this thread, too:

Make sure you are running your sites with Enhanced Security and your users with Enhanced security.

Good luck!


#5

Umm, being gentle, you need to work on your searching skills. Searching for ‘my web site has been hacked on dreamhost’ gives you all the relevant info you need.

Actually, that will be your responsibility. You’ll need to check your logs. And gently, don’t ask how to do that. The information is readily available in the wiki.

Basically when you start investigating, then the wheels will begin spinning.


#6

[quote=“artgeek, post:4, topic:57342”]
If you have submitted a ticket, DH will get back to you with information about cleaning up the hacked files on your server that should help guide you. This is something that you, as the webmaster of your hacked domain, will have to take care of. [/quote]

Hello ArtGeek

Thank you so much for taking the time and trouble to give me some guidance. I will explore all the links you have given me as and when time allows. I’m sure there’s going to be lots for me to learn!

It may be of interest to you to learn that I do not have, nor ever have had, a server! I purchased a domain name last November but never ‘used’ it at all - I didn’t ever put up a web page! Someone else did recently, though, and I simply wanted to know if DreamHost could identify the culprit.

I have now worked out how to ‘park’ my domain and used the DH test facility - it says the site is now clean. Phew! :slight_smile:

Thanks again!

[hr]

Thank you for your help, ‘bobocat’

I have read here http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites and am now much better informed.

As far as I know, I do not have any ‘logs’ on my computer which are in any way relevant to the situation pertaining.

I do not have, nor ever have had, a server! I purchased a domain name last November but never ‘used’ it at all - I didn’t ever put up a web page! Someone else did recently, though, and I simply wanted to know if DreamHost could identify the culprit.

I’ll now investigate how to ‘submit a ticket’!



#7

If you didn’t have an active website, then why was your first post this?

We are other users, just like you.
We can’t read your mind.

At least you now know how to submit a ticket


#8

[quote=“artgeek, post:7, topic:57342”]
If you didn’t have an active website, then why was your first post this?[/quote]

Your point taken ArtGeek! :slight_smile:

There was no intention to deceive. Someone DID put a picture up on a URL so anyone could see it, but it just didn’t happen to be me!

How would you have initiated an enquiry such as mine?

TIA


#9

Being specific generally results in a relevant response.


#10

Hello sXi

You have no doubt read the whole thread.

Please demonstrate your expertise by providing a real life example of what you consider would have been a more appropriate ‘Post Subject’ in this particular instance.

In that way, not only will I learn, but others reading here may do so too! :slight_smile:

I very much look forward to reading your reply.

TIA


#11

As a matter of course, yes.

Post Subject: Can I detect who hacked my account?

[size=x-small]* Further reading below.[/size]

As slim as chances are, if it helps even just one person then it’s probably worthwhile.

[size=medium]np[/size]


#12

[quote=“sXi, post:11, topic:57342”]

Post Subject: Can I detect who hacked my account?

[size=x-small]* Further reading below.[/size]

As slim as chances are, if it helps even just one person then it’s probably worthwhile.[/quote]

Hello again sXi

Thank you so much for responding as you did. I’ve now read the helpful link you provided, which led me on to this URL (which I have bookmarked!): http://en.tldp.org/HOWTO/Unix-and-Internet-Fundamentals-HOWTO/ In time, I will read all of it!

I did, indeed open a ticket as was suggested earlier. In case anyone here is interested, this is the response received:-

[color=#8B4513]Hello again!

We keep a record of when a domain is added and removed from the web
panel.

We also keep a history of what types of hosting have been added/removed
for a domain name.

The domain was added to your account on the 27th, which is confirmed with
this record:

TimeStamp: 2012-03-27 02:01:11
Action by: davbro88
Action: domain added
Reason:
Notes: domain ibuoy.co.uk (dh_id 1211187) added through webpanel.

Prior to this event, the domain would basically point to no where and not
resolve at all. A domain MUST be added to the web panel to at least
modify the DNS. So prior to parking, it looks like your domain name
simply was registered but was not viewable online since we the domain’s
DNS records.

And the domain’s http/hosting records show that the “parked” service
was recently updated at 2012-03-30 11:35:21 PST.

I’m not entirely sure what you saw previously, but I cannot really
troubleshoot nor diagnose what exactly happened if the issue is no longer
occurring.

Thanks!
Jen D[/color]

I have never posted anywhere as “davbro88”! Do you feel it worth me asking DH if they have any data regarding this persona? I don’t wish to waste anyone’s time but it would be nice to track down who actually did the dirty deed! :wink:

Have a grand day!


#13

The user davbro88 looks like a genuine DreamHost account name (format xxxxxx99).

If your DreamHost Account Name is not davbro66 and you have not added this user to your Account, then you need to get in touch with DreamHost again ASAP and explain to them that this account is not yours and should have no access to your Panel. Perhaps include a link to this thread so that they can understand more clearly the issue you are facing without having to wait hours between a back & forth via the ticketing system.

Let us know the outcome.


#14

[quote=“Brawdy14, post:12, topic:57342”]
I have never posted anywhere as “davbro88”! Do you feel it worth me asking DH if they have any data regarding this persona? I don’t wish to waste anyone’s time but it would be nice to track down who actually did the dirty deed! ;-)[/quote]

I’m not entirely sure what the dirty deed is considering your domain resolves to a holding page. But if you don’t have any users named davebro88 in your account, then you should let DH know.


#15

While that’s all true, he said an image or picture was put on display at the domain and this is his reason for following it up. If it was a case of inadvertently hosting the domain while poking around in Panel the only thing that would be displayed without any further user interaction is the default Welcome Page.

One scenario is that OP has been “hacked” via someone gaining his login credentials and going on a spite attack. Dreamhost should have IP logs of who logged into the account and if they are not the owner then they should pass whatever information they can to the account holder. While it’s unlikely there would be any serious legal ramifications, if a culprit can be identified then a knock on the door by the plod or even a “lulz n00b” post in a forum might be enough to let the other party know that they probably shouldn’t try that kinda stuff ever again because at the end of the day they’re just proving themselves to be an absolute prat.


#16

Hello again! :slight_smile:

My thanks to all who have helped me in this thread. I apologise for the delay in responding to the most recent posts by sXi and bobcat but real life caught up with me!

I have today written again to the DreamHost Customer Support Team referring them to this thread and asking them to check their records as you have recommended. I will, of course, advise you of the outcome.

May I take this opportunity to wish you a very Happy Easter.


#17

Hello folks! As promised, this is what DreamHost has advised me:

These are the IP addresses we have on record going into your panel from
the time around the incident February 26th through April 1st.

108.23.66.211
109.148.209.88
86.176.94.118
86.177.170.230

(Los Angeles or Orange County IP addresses may be irrelevant as those may
indicate us checking something in the panel on your behalf)

Here is a thorough log with date and time stamps, areas of the panel and
the “offending” IP Address.

2012-03-30 11:32:53 (domain/registration/none/none) 108.23.66.211
2012-03-30 10:40:12 (domain/registration/Index/none) 108.23.66.211
2012-03-30 10:40:10 (domain/registration/none/none) 108.23.66.211
2012-03-30 10:40:04 (domain/manage/none/none) 108.23.66.211
2012-03-30 10:40:01 (support/his/none/none) 108.23.66.211
2012-03-30 10:38:52 (support/his/none/none) 108.23.66.211
2012-03-30 10:38:48 (billing/accounts/none/none) 108.23.66.211
2012-03-30 10:38:45 (mail/auto/none/none) 108.23.66.211
2012-03-29 00:58:43 (domain/manage/none/none) 86.176.94.118
2012-03-28 12:59:00 (support/msg/Index/Submit) 109.148.209.88
2012-03-28 12:32:41 (support/msg/Index/Outage) 109.148.209.88
2012-03-28 12:32:33 (support/msg/none/none) 109.148.209.88
2012-03-28 12:32:11 (support/msg/none/none) 109.148.209.88
2012-03-28 12:24:33 (support/msg/none/none) 109.148.209.88
2012-03-27 04:04:15 (support/msg/Index/KillReport) 86.177.170.230
2012-03-27 04:03:35 (support/msg/none/none) 86.177.170.230
2012-03-27 04:01:40 (support/msg/Index/Outage) 86.177.170.230
2012-03-27 04:01:00 (support/msg/none/none) 86.177.170.230
2012-03-27 04:00:46 (domain/manage/none/none) 86.177.170.230
2012-03-27 02:25:54 (support/test/none/none) 86.177.170.230
2012-03-27 02:05:47 (support/test/none/none) 86.177.170.230
2012-03-27 02:05:37 (support/test/none/none) 86.177.170.230
2012-03-27 02:04:49 (domain/manage/none/none) 86.177.170.230
2012-03-27 02:01:28 (domain/manage/ShowAddhttp/AddHttp) 109.148.209.88
2012-03-27 02:00:21 (domain/manage/Index/ShowAddhttp) 109.148.209.88
2012-03-27 02:00:10 (domain/manage/none/none) 109.148.209.88
2012-03-27 01:59:53 (domain/manage/none/none) 109.148.209.88
2012-03-27 01:59:30 (home/over/none/none) 109.148.209.88
2012-03-27 01:59:18 (status/disk/none/none) 109.148.209.88
2012-03-27 01:58:50 (status/disk/none/none) 109.148.209.88
2012-03-27 01:58:28 (status/bw/none/none) 109.148.209.88
2012-03-27 01:57:37 (status/stats/none/none) 109.148.209.88
2012-03-27 01:56:18 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:55:02 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:54:31 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:53:48 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:49:23 (goodies/installer/none/none) 109.148.209.88
2012-03-27 01:48:45 (home/over/none/none) 109.148.209.88
2012-03-26 14:41:34 (status/disk/none/none) 109.148.209.88
2012-03-26 14:41:08 (users/users/none/none) 109.148.209.88
2012-03-26 14:40:26 (home/over/none/none) 109.148.209.88
2012-03-26 14:39:00 (home/over/none/none) 109.148.209.88

Hopefully this helps you figure out the problem. If you like, I can add
an extra layer of security to your panel where all logins can only occur
from verified IP addresses. If an un-verified IP attempts to login, they
will have to submit a verification form that goes to the primary email
address on the account for verification.

Please let us know if there’s anything else we can do for you!


A friend has helped me confirm the IP address data:-

108.23.66.211
IP: pool-108-23-66-211.lsanca.fios.verizon.net
Organization: Verizon Internet Services
ISP: Verizon Internet Services
City: Chino Hills
Country: United States State: California
Postal Code: 91709
Time-zone: America/Los_Angeles
Local Time: 09.04.2012 20:13:49
Latitude: 33.9473 Longitude: -117.7289
Ping-Date-Time:4-9-2022 9:59 PM GM:0600

109.148.209.88
IP: host109-148-209-88.range109-148.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: Beaconsfield
Country: United Kingdom State: Buckinghamshire
Time-zone: Europe/London
Local Time: 10.04.2012 04:03:52
Latitude: 51.6000 Longitude: -0.6333
Ping-Date-Time:4-9-2022 9:59 PM GM:0600

86.176.94.118
IP: host86-176-94-118.range86-176.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: London
Country: United Kingdom State: London, City of
Time-zone: Europe/London
Local Time: 10.04.2012 04:03:52
Latitude: 51.5142 Longitude: -0.0931
Ping-Date-Time:4-9-2022 9:59 PM GM:0600

86.177.170.230
IP: host86-177-170-230.range86-177.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: Windsor
Country: United Kingdom State: Belfast
Time-zone: Europe/London
Local Time: 10.04.2012 04:07:26
Latitude: 54.5667 Longitude: -5.9500
Ping-Date-Time:4-9-2022 10:05 PM GM:0600

My ISP is British Telecom (BT) so if I understand matters correctly the ‘attack’ on my domain was probably carried out by someone in the USA using Verizon.

Is that correct? Is there any further action I can take? No doubt the ‘attacker’ could have taken the action from a library or Internet cafe (for example) so there might well be no way to trace him.

You guys have been extremely patient and helpful - I am most grateful! :slight_smile:

Any further advice or comment will be welcomed.

Have a great day!


#18

You mentioned being hacked on or about the 26th. I’d check any records prior to the ones above.


#19

Hello sXi - thanks for your response.

As you are aware, I don’t have any records myself. I’m using my iMac and do not have a server. I do not wish to be a nuisance to the staff at DreamHost, especially as they have already identified a ‘rogue’ IP from Verizon.

I’ve been advised on Usenet that there is no way a seasoned hacker could be identified from an IP address, but have no idea if that is the truth of the matter. These were the exact words used:

“That IP could be a tor node or an open proxy, or
worse yet, a verizon powered free wifi at a mcdonalds. You have nothing,
David. Your site became somebodies bitch and there isn’t anything you
can do about it.”

If that comment is true, there seems to be little point in asking DH for any more information.

Do you agree?


#20

The Verizon IP is logged days after the hack took place. Chances are that it could be a DH tech responding to your query (as they pointed out in the ticket). Again, you need to look at IPs logged while any hack took place, not 4 days after the fact. If 109.148.209.88 was the first one logged after a notable absence of Panel logins than this would be an IP of particular interest.