TinyPortal

Development => Support => Topic started by: soMzE on January 16, 2007, 10:21:57 PM

Title: Help please...my forum got hacked!!!
Post by: soMzE on January 16, 2007, 10:21:57 PM
What kind of person would do this? why????????? i don't understand them, why would somebody do this to anyone???

This is all i have left when i view the source of my site  :'(

<nothing in here>
<head>
<meta http-equiv="Content-Language" content="nl">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Hacked By Msk007 AkA Skuller l Contact me l Info@fastrappers.Tk</title>
</head>
<body bgcolor="#000000">
<div style="position: absolute; width: 100px; height: 100px; z-index: 1; left: 162px; top: 45px" id="laag1">
<font color="#FFFFFF" face="Verdana">
<img border="0" src="http://tinypic.com/4c0su38.jpg" width="816" height="583"></font></div>
<php>
</body>
</html>


AND HOW???

I set all the files to standard in the package manager!

:'(

the link of my forum http://thelivezone.net

He even changed the password of phpMyAdmin, can't get in anywhere :(
Title: Re: Help please...my forum got hacked!!!
Post by: G6Cad on January 16, 2007, 10:26:28 PM
Well, how they do it I can't help you with.
But i DO know that it wasn't YOUR site itself that got hacked, probably the whole server, as they changed the index.php.
So in order to get it back on track, you have to upload all the index.php files from your backup.
There are a lot of them (about every dir has one), so you are probably best off just replacing all files with a backup, and i just hope you have one.
The good news is that your DB is likely intact.
But it's not through SMF or TP that you have been hacked; that hack has been done through the host server of yours.
So i guess a talk with them about security is in order.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 16, 2007, 10:34:50 PM
Man oh man... i'm glad i backed up all my files yesterday and the database this morning...
But i did a lot of work today so that's all lost..

And you're right about the host, i can't reach their site, so it's likely that they have been hacked..

Man i don't know even what to write here at this moment, really sad about this..  :(
Title: Re: Help please...my forum got hacked!!!
Post by: Lesmond on January 16, 2007, 10:36:27 PM
Yes as G6 says it sounds like it was your host that was hacked, They even say that in the image they left "Hacked Host"
Title: Re: Help please...my forum got hacked!!!
Post by: JPDeni on January 16, 2007, 10:40:16 PM
It really is a feeling of violation, not unlike the feeling of having your home broken into and your things stolen.

There are some real jerks out there who don't "play" by the same rules of common decency that the rest of us do. They are a very, very small minority, but unfortunately they let themselves be known way out of proportion.

It's likely going to take you a little while to get over this. The worst of it is that there's nothing you can do right now to fix it. You have to wait until your host gets back up before you can take any action.

I really feel for you.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 16, 2007, 10:51:11 PM
Quote from: JPDeni on January 16, 2007, 10:40:16 PM
It really is a feeling of violation, not unlike the feeling of having your home broken into and your things stolen.

There are some real jerks out there who don't "play" by the same rules of common decency that the rest of us do. They are a very, very small minority, but unfortunately they let themselves be known way out of proportion.

It's likely going to take you a little while to get over this. The worst of it is that there's nothing you can do right now to fix it. You have to wait until your host gets back up before you can take any action.

I really feel for you.

This is exactly how i feel right now... These people have no common decency at all...
I HATE THEM! What are they thinking? It was just a normal forum with a lot of nice people that want to help each other, just like this beautiful site.. But they don't care...

This is another example...

Sorry but my english is not so good at the moment, i'll come back when i've calmed down a little, i'm going nuts in my mind..

I will contact my host tomorrow and i will report back how things are going.. And i think it would take me a while to get over this like you said.. This is the second time i lost my forum, but another case..

Thank you for the words..


With regards,

Lucien

Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 16, 2007, 11:20:31 PM
Oke this is what i did:

I emailed TinyPic.com about the picture hosted by the hacker and i asked them if they could remove it and maybe give me the IP address of the uploader. Within 5 minutes they replied with the answer that they removed the image and they gave me the IP address..

The host is from the netherlands and within the district i live in..

Is this ip of any use for me or my hosting service?
Title: Re: Help please...my forum got hacked!!!
Post by: JPDeni on January 17, 2007, 12:47:31 AM
I don't have enough technical expertise to be able to answer your question, Lucien. I wish I did. I'm sure someone who knows more will be around to answer better.

I'm glad you're taking action, though. It will help you to get through it.
Title: Re: Help please...my forum got hacked!!!
Post by: oliver on January 17, 2007, 01:33:18 AM
Quote from: soMzE on January 16, 2007, 11:20:31 PM
Oke this is what i did:

I emailed TinyPic.com about the picture hosted by the hacker and i asked them if they could remove it and maybe give me the IP address of the uploader. Within 5 minutes they replied with the answer that they removed the image and they gave me the IP address..

The host is from the netherlands and within the district i live in..

Is this ip of any use for me or my hosting service?

It doesn't look to me like a personal attack against you. I think this was something against the entire host.

Too many people get frustrated with the strategy some hosting companies use in order to make money.

Too many hosting companies in the beginning offer you a shared hosting solution with lots of bandwidth and lots of space, and after a couple of months they shut you down with some excuse that your site is causing problems in order to sell you a VPS package, and you pay more money of course. This is just one reason, among too many others, that someone points their ability to hack.

So as I said this is nothing personal against you and most likely the IP that your host gave you is nothing more than a proxy IP. I believe that someone with the ability to hack the entire host will at least protect himself using some proxies in order not to be detected.

I'm saying all this because your priority is to have your site back and running as it was before. I'm sure there are nice people over at your site and those people want your site back as you do. Chasing hackers and trying to find justice, I'm not saying that is wrong, but you have to know to let go sometimes. It is just going to waste your time and it will make you mad. I believe you don't want that.

All I'm saying is focus on the future and everything will be fine.

Take care OK  :up:
Title: Re: Help please...my forum got hacked!!!
Post by: akulion on January 17, 2007, 01:51:35 PM
Yeah, it's a headache with these hackers.

A lot of people bad mouth dreamhost sometimes for 'being down' but what they don't realize is that these idiot hackers are ALWAYS trying to hack dreamhost servers.

If you read the daily reports on DH you will see how one or another server gets attacked daily and they have to act in time to prevent this from being successful.

These malicious hackers should be killed and then shot into the sun!
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on January 17, 2007, 02:26:11 PM
No offense to Dream Host, but maybe it's time you pay someone that actually knows what they're doing so they can lock down the server. Crack down on people using out of date software while you're at it. It's a 24/7 battle though.
Title: Re: Help please...my forum got hacked!!!
Post by: akulion on January 17, 2007, 07:22:43 PM
lol no i mentioned that off topic.. it wasn't DH that was hacked :P
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 17, 2007, 10:51:15 PM
LOOK WHAT HE IS DOING!!!! www.thelivezone.net

Banned his ip, new smf new tp!! new database password, and he is playing with the forum more than i do!! he does everything.

HOWW??
Title: Re: Help please...my forum got hacked!!!
Post by: G6Cad on January 17, 2007, 10:55:38 PM
It has nothing to do with your forum or site; it's the server you are on that he is harassing. You can ban him from your site, but if he is in the server configuration files, you can't do anything. It is your host's fault, not yours at all. You have to ask your HOST to get rid of him and restore the server, and perhaps even upgrade so they have a safer setup for you.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 17, 2007, 11:15:04 PM
My god i hate this guy, he's personally attacking me...
I wish i knew who he is, I WOULD ....... D*MN going totally out of  >:( my mind!!

I contacted my host today and they told me i have to update my software, that it's MY fault this is happening, i gave them the IP address and they told me they couldn't do anything with it.

But i know it's not, because you guys told me and he gets access to my admin account, he can change everything on my forum, leaves messages on the index and restores it 5 min. after.. He does it all...

Sorry guys i'm really frustrated, my members are running away because they don't know what's happening to them.. he says horrible things...

Title: Re: Help please...my forum got hacked!!!
Post by: akulion on January 17, 2007, 11:25:59 PM
yea sooner or later these hackers always find a way in
happens to the best of us

what a waste of life - sitting 24-7 hacking people
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on January 18, 2007, 01:01:35 AM
What other software are you running besides TP and SMF? And if your host knows so much then maybe they should tell you exactly how and why they are getting access.
Title: Re: Help please...my forum got hacked!!!
Post by: Wish on January 18, 2007, 01:34:46 AM
www.purgehosting.com Best reseller ever 0.o The security it has is crazy ^^ and for the price, very good hosting.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 18, 2007, 06:31:54 AM
Quote from: Aku on January 17, 2007, 11:25:59 PM
yea sooner or later these hackers always find a way in
happens to the best of us

what a waste of life - sitting 24-7 hacking people

Yeah that's true... but you know what? I saw him on the forum, i recognized his ip so i blocked him and i told him what i thought, (reason why banned) so i got him a little bit  ;) Can't write it down here because it was not nice  :2funny:

But 5 seconds later my site is offline and he wrote a response! Just like he was chatting with me.  :o
So my forum was back after that, and minutes later he changed my boards, everything..

And bang again gone with the wind, but my filemanager was still open so i deleted my whole forum but i could reach the database no more.. he had/has total control of my account.

Quote from: IchBin™ on January 18, 2007, 01:01:35 AM
What other software are you running besides TP and SMF? And if your host knows so much then maybe they should tell you exactly how and why they are getting access.

I'm running no other software besides TP and SMF 1.1.1,.. but only i uploaded my database backup, but that should not be a problem i hope? Because that's all i have left...

And i will contact my host again by phone today and i will tell them that they have to secure their server better..

Quote from: Wish on January 18, 2007, 01:34:46 AM
www.purgehosting.com Best reseller ever 0.o The security it has is crazy ^^ and for the price, very good hosting.

Thnx, i'll check this one, looks good..thank you all!  :)
Title: Re: Help please...my forum got hacked!!!
Post by: whatever on January 18, 2007, 07:19:29 PM
Quote from: soMzE on January 16, 2007, 11:20:31 PM
Oke this is what i did:

I emailed TinyPic.com about the picture hosted by the hacker and i asked them if they could remove it and maybe give me the IP address of the uploader. Within 5 minutes they replied with the answer that they removed the image and they gave me the IP address..

The host is from the netherlands and within the district i live in..

Is this ip of any use for me or my hosting service?
It's been a few years since I used to deal with hackers on a regular basis, so my information may be out of date. However, this is what I used to do:
1. Get the exact time of the attack.
2. Get the hacker's IP
3. Search whois for the ISP of that IP
4. Write to abuse@ of that ISP with the time and IP.

Was a time when I used to punish hackers and I reckoned on getting at least one banned by their ISP per day. If the hacker is associated with a website, you could try and get the website closed by the server, using a similar method. In short: complain to every authority you can - you may be pleasantly surprised at the help you get.

My sympathies and best regards!
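
Added example (not part of the thread): one way to collect steps 1 and 2 of the procedure above from an Apache combined-format access log, so the abuse report carries exact times with their timezone. The log lines, IP addresses and the function names `sample_log` and `abuse_evidence` are constructed for illustration.

```shell
#!/bin/sh
# Summarise one client's activity from an access log for an abuse report.
# Assumes Apache "combined" log format; adjust field numbers for other formats.

# Constructed sample log (documentation-range IPs, illustrative request paths).
sample_log() {
cat <<'EOF'
198.51.100.20 - - [16/Jan/2007:21:58:02 +0100] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2007:22:01:13 +0100] "GET /forum/index.php?action=login HTTP/1.1" 200 2211 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jan/2007:22:03:40 +0100] "POST /forum/index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.20 - - [16/Jan/2007:22:04:10 +0100] "GET /forum/index.php?board=1.0 HTTP/1.1" 200 8040 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2007:22:09:55 +0100] "POST /forum/index.php?action=admin HTTP/1.1" 200 1804 "-" "Mozilla/4.0"
EOF
}

# abuse_evidence IP   (log on stdin)
# Prints one summary line: request count, POST count, first and last
# timestamp including the UTC offset. Exits 1 if the IP never appears.
abuse_evidence() {
    awk -v ip="$1" '
        $1 == ip {
            # $4 is "[16/Jan/2007:22:01:13" and $5 is "+0100]"
            ts = substr($4, 2) " " substr($5, 1, length($5) - 1)
            if (n == 0) first = ts
            last = ts
            n++
            if ($6 == "\"POST") posts++
        }
        END {
            if (n == 0) { print "no requests from " ip; exit 1 }
            printf "ip=%s requests=%d posts=%d first=[%s] last=[%s]\n",
                   ip, n, posts, first, last
        }'
}

# Steps 1 and 2: exact times and the IP, taken from the server's own log.
sample_log | abuse_evidence 203.0.113.7

# Steps 3 and 4 need network access, so they are shown as comments only:
#   whois 203.0.113.7      # look for the abuse contact of the network owner
# then mail that contact the summary line plus the matching raw log lines:
#   grep '^203\.0\.113\.7 ' access.log
```

An ISP can only match a customer to an address at a given moment, so the timestamps and UTC offset matter as much as the IP itself.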
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 18, 2007, 09:01:32 PM
Oke i talked to my host today on the phone for half an hour and he told me he blocked the ip of the hacker..and reported a email to abuse@provider.nl.

But he did not understand why it was possible that i they have been hacked.. They use DirectAdmin 1.28.6
does anyone know if this good and up-to-date?

He told me that also there was a possibility he had access to my hotmail account, because i had forwarded my admin email to this account that maybe the hacker got the new database passwords they have sent me.

But i doubt this..

And another question, can it be that my database backup is hacked in any way so the hacker has access to it all the time, or has this nothing to do with this?

Thank you all for your support and sympathies, they do me really good  ;D

Can't wait to get started again!!
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 18, 2007, 09:09:04 PM
Quote from: Chris™ on January 18, 2007, 09:04:32 PM
Unless you saved your backups there is no way to get all of the posts and everything back.

The hotmail thing sounds like it could be the problem, but there really is no way to get anything back besides talking with your host.

I have a database backup of all the post and members a day before the hack and a total backup of my site, but what i really like to know is if they have done something with the database.. because yesterday i tried to recover the forum and the hacker was there instantly and took control over my forum again..

and this was a new install of SMF 1.1.1.. i try to find out what i can do to prevent this..

Oh and sorry, what does this file do? .htaccess do i need this to make everything work?

Title: Re: Help please...my forum got hacked!!!
Post by: LeetCenter on January 18, 2007, 09:16:12 PM
You could be keylogged. And if he has access to your hosting account, he can get through phpmyadmin and make himself admin again.

Do what others said for example do the WHOIS to his ip and contact abuse@ hisisphere
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 18, 2007, 09:26:06 PM
Quote
Oke i talked to my host today on the phone for half an hour and he told me he blocked the ip of the hacker..and reported a email to abuse@provider.nl.

My host contacted his isp, but for who knows where he is? Maybe internet cafe or something like that..
And i know he does not have access to my hosting account at the moment, i have a new password sent to another unknown email address i use.

It happens when i reinstall the forum, so i think there is a flaw somewhere.. but i don't know where... what is the keylogging thing you said? Can this be anywhere in the database backup i have?
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on January 18, 2007, 11:35:37 PM
A keylogger would most likely be on your computer, as it captures the user/pass that you enter and can send the data to his unknown source.

I would suggest you setup your forum in a directory that is protected by .htaccess for now and see if he still has access to it. After getting the database setup, run a query to change ALL accounts to non-admin status, then manually change your account to admin so that you are the only one with admin. :) If he can't access your forum with a protected directory then you know that he doesn't have access to your webhost control panel.
If all of that seems to be successful, then I open the forum and see what happens. Cross your fingers. :) Funny, how the host blamed you at first. ;)
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 19, 2007, 04:10:28 PM
Oke thnx IchBin™ for your reply and sorry but i had to work today that's why i'm so late with answering :)

Oke i am going to follow your instructions, i did a virus scan and it found a trojan horse but i don't think it's coming from him, don't know for sure but it's gone now.

Quote from: IchBin™ on January 18, 2007, 11:35:37 PM
A keylogger would most likely be on your computer, as it captures the user/pass that you enter and can send the data to his unknown source.

I would suggest you setup your forum in a directory that is protected by .htaccess for now and see if he still has access to it. After getting the database setup, run a query to change ALL accounts to non-admin status, then manually change your account to admin so that you are the only one with admin. :)

You mean by this i use the option to password protect a folder within direct admin? And how do i run the query for the database backup? Do i do this in the forum or in Direct Admin/ Php my admin? Sorry but i don't know these things quite yet, but i'm learning :)

And i checked the logins to my direct admin and the hacker hasn't come back..yet... so i think that's safe..i hope  :)

Title: Re: Help please...my forum got hacked!!!
Post by: MattMcFarland on January 19, 2007, 04:26:54 PM
You should think about using a more secure host.  I personally use Cartika and they are experts packed to the brim with LEVEL 3 professionals.

Also, DH is slow because they put too many people in small rooms (metaphor: they put too many people on one server, this makes them cheap, but makes your service complete and total crap, I'd doubt DH would be good for any site that gets 10 posts a day)

Cartika runs mod_security (if your host ran mod_security this probably wouldn't have ever happened) - I hope your host learns a lesson!

If I were you, I'd change hosts immediately.  check out Cartika at http://www.cartikahosting.com  - they aren't the cheapest but they are indeed the best host hands down. They have better tech support than any host I've ever dealt with, and I've dealt with a lot of hosts.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 19, 2007, 04:32:45 PM
Quote from: MattMcFarland on January 19, 2007, 04:26:54 PM
You should think about using a more secure host.  I personally use Cartika and they are experts packed to the brim with LEVEL 3 professionals.

Also, DH is slow because they put too many people in small rooms (metaphor: they put too many people on one server, this makes them cheap, but makes your service complete and total crap, I'd doubt DH would be good for any site that gets 10 posts a day)

Cartika runs mod_security (if your host ran mod_security this probably wouldn't have ever happened) - I hope your host learns a lesson!

If I were you, I'd change hosts immediately.  check out Cartika at http://www.cartikahosting.com  - they aren't the cheapest but they are indeed the best host hands down. They have better tech support than any host I've ever dealt with, and I've dealt with a lot of hosts.

Thnx for your reply but i think there is a misunderstanding... Do you mean by DH = Dreamhost? This is not the host i'm with, i come from the Netherlands so i don't know if it's a good idea to be with a host in another country?

And Ichbin, can i send you a personal message? I may have something interesting about this case, but i can't figure it out.. I still have the logfiles from my account and they show everything the hacker has done..

Maybe you understand this?  :)
Title: Re: Help please...my forum got hacked!!!
Post by: JPDeni on January 19, 2007, 04:39:00 PM
Quote
Thnx for your reply but i think there is a misunderstanding... Do you mean by DH = Dreamhost?
There's a separate discussion going on here. It happens a lot. If something doesn't seem to apply to you, just ignore it. :)
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on January 19, 2007, 10:21:51 PM
Thank you for asking, yes you may send me a PM. I'd be interested in what you have on this.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 21, 2007, 12:13:33 AM
Oke i installed:
- New SMF 1.1.1 + TinyPortal v0.9.7.1,
- Password protected my forum, "worked" great.
- Switched to my database backup.
- Installed packages.

The forum worked great but after a while i could not see the forum with my browser.. but then this message appears:

This IP is being shared among many domains.
To view the domain you are looking for, simply enter the domain name in the location bar of your web browser.


So i thought, what does this mean and why i cannot connect to my website anymore??

A little searching on google brought me to this page:

http://dnsreport.com/tools/dnsreport.ch?domain=thelivezone.net

WARN
Glue at parent nameservers

The parent servers (I checked with c.gtld-servers.net.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.


And this got my very attention:

Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.

Does somebody know what is wrong here, and does this have anything to do with this hacking attack to my site? Does this mean their servers are not secure enough or did somebody change my settings within Direct Admin?

This is the dnsscan from the site of my host:

http://dnsreport.com/tools/dnsreport.ch?domain=topservers.nl

Can anyone tell me this is any good?  :o





Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on January 22, 2007, 09:54:31 PM
Hey guys/girls, just want to let everybody know my forum is back online  :)

Thank you all for the help and support you have given me, i have learned a lot here and i hope it is enough to keep my forum safe from abusers...

Tiny Portal and SMF Rock!!! (http://thelivezone.net/forum/index.php?topic=107.0)

I want to thank everybody who made this possible!

Greetz soMzE
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on February 09, 2007, 04:16:40 PM
Hello all, my forum got hacked again... :(  :'(

This time i managed to recover very quickly, as they only changed the index.htm and index.php in the forum root. And they managed to upload the picture to the forum root as well..

But they did not login to DirectAdmin this time, so maybe they used a filemanager to get in?

And why is it that the settings.php is Chmodded to 777? Isn't this very easy to read for outsiders?


I HATE hackers  >:(
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on February 09, 2007, 06:00:26 PM
Change Settings.php to 666 at least. Get the host logs pronto if you can. I'm pretty sure it's not SMF or TP though. What does your host say about this? If they don't fix this I would move away from them soMzE.

Send these logs to me if you can. I've been digging through them a bit in the last ones and am not seeing anything. I have another SMF team member looking at it too, but haven't heard word back.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on February 09, 2007, 08:41:38 PM
Ok thank you IchBin for your reply, i have immediately chmodded settings.php to 666 (i wonder why SMF set this to 777??)

And i tried to contact my host today, but still no response.. if this continues i will follow your advice and i go and look for another host..

Oke and do you need the logfiles from the moment he came to the forum to try and find out what he was doing?
And a shame that you did not hear back from the other SMF team member..  I really like to know what happened the last time...
Title: Re: Help please...my forum got hacked!!!
Post by: Crip on February 09, 2007, 08:49:23 PM
If you have ever been to Package manager../ Options / & checked -- Make All files writable..then that could be the reason they were 777.
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on February 09, 2007, 08:54:07 PM
Quote from: soMzE on February 09, 2007, 08:41:38 PM
Ok thank you IchBin for your reply, i have immediately chmodded settings.php to 666 (i wonder why SMF set this to 777??)

And i tried to contact my host today, but still no response.. if this continues i will follow your advice and i go and look for another host..

Oke and do you need the logfiles from the moment he came to the forum to try and find out what he was doing?
And a shame that you did not hear back from the other SMF team member..  I really like to know what happened the last time...
Well he did say he couldn't see any exploits in SMF. So right now, he's looking to see if he can find any info on where it happened. I should have been more specific. Sorry about that.
Title: Re: Help please...my forum got hacked!!!
Post by: IchBin on February 09, 2007, 08:56:57 PM
Forgot to say... yes please the logs for as soon as you think he was on until the time he left. :)
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on February 09, 2007, 09:14:11 PM
Quote from: “crip” on February 09, 2007, 08:49:23 PM
If you have ever been to Package manager../ Options / & checked -- Make All files writable..then that could be the reason they were 777.

Thnx for your reply Crip, but since my forum got hacked i became a little "paranoid" so every time i went to install a mod i directly used the option "make the minimum files writable" for extra security.. And the settings.php and settings.bak.php still were 777...

Quote from: IchBin™ on February 09, 2007, 08:54:07 PM

Well he did say he couldn't see any exploits in SMF. So right now, he's looking to see if he can find any info on where it happened. I should have been more specific. Sorry about that.

That's oke, no problem :)

Quote from: IchBin™ on February 09, 2007, 08:56:57 PM
Forgot to say... yes please the logs for as soon as you think he was on until the time he left. :)

I'll get right on that!!

Edit// typo
Title: Re: Help please...my forum got hacked!!!
Post by: marzi on February 09, 2007, 09:16:39 PM
My settings.php file has 644 permissions, which is probably what it should be.
Title: Re: Help please...my forum got hacked!!!
Post by: soMzE on February 09, 2007, 09:47:15 PM
Quote from: marzi on February 09, 2007, 09:16:39 PM
My settings.php file has 644 permissions, which is probably what it should be.

Thank you, did that right away!! But what i don't understand.. now it's still readable, but everything is in that file..

And IchBin, i have sent you the logfiles :)

Thank you all for your support..
Title: Re: Help please...my forum got hacked!!!
Post by: marzi on February 09, 2007, 11:36:32 PM
Readable is harmless.
I may have gotten the wrong impression from what you have written but it seems that the server your forum is on has been compromised. You should move to a server that is secure if that is the case.
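
Added example (not part of the thread): a check a site owner on shared hosting could run after a restore, covering the two things discussed above, namely which files still carry the world-write bit (777 and 666 both have it, 644 does not) and which files differ from the last known-good backup, such as a replaced index.php or an uploaded image. The directory layout, file contents and the function names `make_demo_tree`, `world_writable`, `changed_since_backup` and `tighten` are constructed for illustration; resetting to 644 assumes plain PHP and static files that need no execute bit.

```shell
#!/bin/sh
# Audit a web root: world-writable files and drift from a trusted backup.

# Build a constructed demo tree: a clean "backup" and a tampered "live" copy.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/backup/Sources"
    echo '<?php // forum entry point'         > "$d/backup/index.php"
    echo '<?php // directory guard'           > "$d/backup/Sources/index.php"
    echo '<?php $db_passwd = "placeholder";'  > "$d/backup/Settings.php"
    chmod 644 "$d/backup"/*.php "$d/backup/Sources"/*.php
    cp -R "$d/backup" "$d/live"
    echo '<title>defaced</title>' > "$d/live/index.php"   # replaced index
    echo 'image bytes' > "$d/live/hacked.jpg"             # uploaded file
    chmod 644 "$d/live/hacked.jpg"
    chmod 777 "$d/live/Settings.php"                      # as found in the thread
    echo "$d"
}

# world_writable DIR: regular files that any account on the server can modify.
world_writable() {
    find "$1" -type f -perm -0002 -print | LC_ALL=C sort
}

# changed_since_backup LIVE BACKUP: files that are new or whose bytes differ.
changed_since_backup() {
    live=$1
    backup=$2
    ( cd "$live" && find . -type f -print | LC_ALL=C sort ) |
    while IFS= read -r f; do
        f=${f#./}
        if [ ! -f "$backup/$f" ]; then
            echo "NEW      $f"
        elif ! cmp -s "$live/$f" "$backup/$f"; then
            echo "CHANGED  $f"
        fi
    done
}

# tighten DIR: reset every world-writable file to owner-write only (644).
tighten() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

demo=$(make_demo_tree)
echo "World-writable:";        world_writable "$demo/live"
echo "Differs from backup:";   changed_since_backup "$demo/live" "$demo/backup"
tighten "$demo/live"
echo "World-writable after tighten:"; world_writable "$demo/live"
rm -rf "$demo"
```

The comparison is only as trustworthy as the backup, so it should be made against a copy taken before the first defacement and stored off the server.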