NikeJoshua Posted October 22, 2010
Seems they replaced all instances of index.php with their own. Can't connect to the FTP server to replace them either. http://nikejoshua.heliohost.org/
Wizard Posted October 22, 2010
This support request is being escalated to our root admin.
NikeJoshua (Author) Posted October 22, 2010
FTP access is back up. I replaced the index.php files in the subdirs with the correct ones, but left the one in public_html as is for reference purposes.
Byron Posted October 22, 2010
Do you have any idea how they were able to get to your site? Does anybody else have your login information besides you? What kind of site are you running and do you have any vulnerable scripts that might allow PHP injection?
Havoz Posted October 22, 2010
Them Iranians got me too.. http://havoz.heliohost.org
All I had was a simple guestbook looking thing I made in PHP, but I made sure to secure it all with htmlentities and real string escape with the database stuff.. Nothing more, why would they even bother..
Byron Posted October 22, 2010
> but I made sure to secure it all with htmlentities and real string escape with the database stuff..
Did you use something like this for your forms?
    $text = $_POST['text'];
    $text = str_replace("<?", "", $text);
    $text = str_replace("?>", "", $text);
NikeJoshua (Author) Posted October 24, 2010
No one else knows my password. I doubt that was the issue in any event as no other data was compromised. SQL database was still intact, PHP files named other than index.php were still intact, no settings were changed, ... There are data entry fields that get processed in PHP, but as with Havoz, all used POST variables are encased with htmlspecialchars($var,ENT_QUOTES) or mysql_real_escape_string($var) where applicable...
pooras Posted October 24, 2010
My site was hacked by a crazy group recently. I want to ask if it's possible to provide me the attackers' IP and ANY other info about them, so I can figure out why I was attacked and find out who the hackers were. I deleted all my files on the server and my databases to recover the site (didn't copy new files yet). My site was in maintenance mode and I didn't announce it to anyone yet! It was a WordPress 3.0.1 site. My site: computech.heliohost.org Please help.
Oh my God. The same hackers of http://havoz.heliohost.org hacked my site. I just noticed Havoz's post. ADMINISTRATOR: THEY ARE HACKING THIS SERVER. My site was hacked by the same group that hacked Havoz. AND like him, I had nothing important on my site, it was just a start! THEY'RE HACKING for FUN............HEEEELLLLPPP
Guest Geoff Posted October 24, 2010
It is recommended in the support FAQ that you back up your data. Also, it is not a real security concern to djbob as of this moment, because your account does not have admin privileges on this server. Your login data probably just got intercepted while logging into cPanel.
pooras Posted October 24, 2010
I didn't say I want my files back. I do know the rules of free web hosts. I'm just trying to alert you about a group of hackers that hacked some sites on this server. It's not about my login info, I'm saying they focused on Heliohost servers. So take care. I LOVE Helio and want it to be best forever.
rvt Posted October 24, 2010
> ...Also, it is not a real security concern to djbob as of this moment, because your account does not have admin privileges on this server...
In my opinion, it doesn't matter about account privileges. Privileges can be escalated with a little work on the attacker's part and then it could be a major issue. What could be more of a concern is if Google, Yahoo, and other website security sites decide to warn users that the heliohost.org domain is serving malware to visitors. That would severely hurt heliohost's ability to get new customers and keep their current customers.
Ashoat Posted October 25, 2010
So... I'm thinking it's pretty unlikely that they broke into the server. I figure they'd be hacking heliohost.org or helionet.org if they had access. My guess is that you guys were all running the same software that had a bug in it. What CMS/forum/blog software were you guys all running?
alteisenriese Posted October 25, 2010
I thought I was the only one who got my site hacked, and yeah, I found a hack script from Iranian coders in one of my folders. And they even could access my cPanel and using the SSL service to their website, I still remember the name is gauravjee.heliohost.org (please check this user account). Maybe you guys should check every folder in your website, because I found so many shell codes in my site. If they really got the password from the heliohost server, that's really a big issue.
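Added example, not part of any post in this thread: one way to do the folder check suggested above, written in Python. It walks a document root, reports index.php files that are byte-identical in more than one directory (the pattern described in the first post), and flags PHP files containing a few indicator strings; the indicator list, function names and sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed indicator strings (assumption: tune for your own code base).
SUSPICIOUS = (b"eval(base64_decode(", b"eval(gzinflate(",
              b"shell_exec($_", b"passthru($_", b"system($_")

def audit_docroot(root, index_name="index.php"):
    """Return (cloned, flagged): index files that are byte-identical in more
    than one directory, and PHP files containing an indicator string."""
    by_hash, flagged = defaultdict(list), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if name == index_name:
                by_hash[hashlib.sha256(data).hexdigest()].append(path)
            hits = [s.decode() for s in SUSPICIOUS if s in data]
            if hits:
                flagged.append((path, hits))
    cloned = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return cloned, sorted(flagged)

def build_sample_tree(root):
    """Constructed sample docroot: one page copied over two index.php files."""
    same = b"<?php echo 'replaced page'; ?>"
    files = {
        "index.php": same,
        "blog/index.php": same,
        "shop/index.php": b"<?php echo 'shop home'; ?>",
        "blog/post.php": b"<?php echo htmlspecialchars($_GET['t'], ENT_QUOTES); ?>",
        "uploads/x.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_docroot(tmp))
```

Some applications ship the same placeholder index.php in several directories, so compare a reported hash against a known-good copy before treating it as a replacement.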
Ashoat Posted October 25, 2010
I checked your account and I can't find any shell scripts. What is the "SSL service to their website"? How do you know they had access to your cPanel?
alteisenriese Posted October 26, 2010
> I checked your account and I can't find any shell scripts. What is the "SSL service to their website"? How do you know they had access to your cPanel?
Of course you can find any shell script, because I already deleted them. There are 2 websites that are using my SSL, but I forgot the first one, it's not a heliohost website; the other one is gauravjee.heliohost.org. I know they can access my cPanel because I think using SSL cannot be done through a shell script and you have to use cPanel to do it.