
how to tell if you've been hacked

Started by superQ, February 10, 2007, 02:09:25 PM


superQ

super has a small problem on his site. www.therockpile.org seems to not want to show up and is being replaced with what you see if you go there.

Support sent this in response to a ticket regarding redirection?

"We have restored your original account settings.  It is difficult to tell at this point, since everything is fully resolved, if you have been hacked or if your traffic was just being redirected to some other site.

Please confirm that everything is working normally for you".


How do I tell if it was hacked? A better question would be why would they bother. I can get into cPanel and look around, but what am I looking for? Both the Coppermine and SMF/TP databases say OK when checked.

whois info on the realinfo.com


OrgName:    Inktomi Corporation
OrgID:      INKT
Address:    701 First Ave
City:       Sunnyvale
StateProv:  CA
PostalCode: 94089
Country:    US

NetRange:   72.30.0.0 - 72.30.255.255
CIDR:       72.30.0.0/16
NetName:    INKTOMI-BLK-5
NetHandle:  NET-72-30-0-0-1
Parent:     NET-72-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:   
RegDate:    2005-01-28
Updated:    2005-10-19

RAbuseHandle: NETWO857-ARIN
RAbuseName:   Network Abuse
RAbusePhone:  +1-408-349-3300
RAbuseEmail:  network-abuse@cc.yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-408-349-3300
OrgAbuseEmail:  network-abuse@cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName:   Netblock Admin
OrgTechPhone:  +1-408-349-3300
OrgTechEmail:  netblockadmin@yahoo-inc.com

# ARIN WHOIS database, last updated 2007-02-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

technodragon73

Do a whois lookup on your domain to make sure the DNS settings are correct for your host. Also, double check to see if they may have replaced your index.php file or placed a new index.html or .htm on your server which could just be redirecting people.
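
An added example (not part of the original post, and not code from TinyPortal, SMF or the host): a Python check for the replaced or planted index file described above. It walks a downloaded copy of the web root, flags index files and .htaccess files containing redirect code, and lists directories that hold more than one index file; the pattern list, the function names and the redirect.example sample files are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Redirect constructs worth a manual look in a landing page or .htaccess (assumed list).
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "js-location": re.compile(r"\blocation(?:\.href)?\s*=[^=]|\blocation\.replace\s*\(", re.I),
    "php-header": re.compile(r"header\s*\(\s*[\"']Location:", re.I),
    "htaccess-redirect": re.compile(
        r"^[ \t]*(?:Redirect(?:Match|Permanent|Temp)?[ \t]|RewriteRule[ \t].*https?://)", re.I | re.M),
}
INDEX_NAME = re.compile(r"^(?:index|default|home)\.(?:php\d?|s?html?)$", re.I)

def scan_docroot(docroot):
    """Return sorted (relative path, pattern) pairs for index/.htaccess files with redirect code."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and (INDEX_NAME.match(path.name) or path.name == ".htaccess"):
            text = path.read_text(errors="replace")
            findings += [(path.relative_to(root).as_posix(), name)
                         for name, rx in REDIRECT_PATTERNS.items() if rx.search(text)]
    return sorted(findings)

def competing_indexes(docroot):
    """Map directory -> index files when there are several; DirectoryIndex order picks the one served."""
    root = Path(docroot)
    by_dir = {}
    for path in root.rglob("*"):
        if path.is_file() and INDEX_NAME.match(path.name):
            by_dir.setdefault(path.parent.relative_to(root).as_posix(), []).append(path.name)
    return {d: sorted(names) for d, names in by_dir.items() if len(names) > 1}

def build_sample(root):
    """Constructed sample docroot: normal index.php files plus a planted index.html and .htaccess rule."""
    root = Path(root)
    (root / "gallery").mkdir()
    (root / "index.php").write_text("<?php require 'SSI.php'; echo 'forum'; ?>\n")
    (root / "gallery" / "index.php").write_text("<?php include 'init.inc.php'; ?>\n")
    (root / "index.html").write_text(
        '<meta http-equiv="refresh" content="0;url=http://redirect.example/">\n')
    (root / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ http://redirect.example/$1 [R=302,L]\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_docroot(tmp), competing_indexes(tmp))
```

A hit is a prompt to open the file and compare it with a known-good backup, since legitimate applications also issue redirects.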

superQ

Thanks technoD. I kinda looked at that stuff when it first happened, and it all looked OK to me, but what do I know. I checked my GoDaddy account and it was all right, pointing where it was supposed to.

The host thinks it might have something to do with my isp. I wonder if you or anyone else saw something other than what is there now. It was first a yellow pages thing then it was this.

http://realinfo.com/suspended.page/


It was that realinfo URL and showed that site this morning when I posted at 10:09 am EST.

I wonder if it could have something to do with this

http://hostsman.abelhadigital.com/

I have it installed and it allows you to disable your hosts file. I probably had it disabled, about 100% sure I did. When it is on it has like 60,000 in the hosts file list.

When it has the hosts file disabled it looks like this
--------------------------------------------
###################################################
#                                                 #
#                    HostsMan                     #
#               Disabled Hosts File               #
#                                                 #
###################################################
127.0.0.1 localhost



wmiles

Hi SuperQ

All I know is that suspended.page is a cPanel redirector when a domain is suspended, because I often suspend sites on my server.

I can see your forum without a problem, it's a bit all over the place and has no members. Have you tried asking your host (guessing they are using WHM if using cPanel) to restore to yesterday's backup? It's possibly your best bet if you have lost any data.

I have a WHM server using cPanel and I didn't notice any changes this morning, so I can't see it's anything to do with either of those.

superQ

Thanks W :). I think it was done by the host while they were seeing what the problem was. It was originally some yellow page site or something :-\.

When the realinfo page was up and I tried to log in to my cPanel I couldn't. Could not connect via FTP either: wrong password. When I tried to reset it, it said the account was suspended, contact host. They didn't let me know they were even working on it. Very unusual for them.

When it first started and the yellow page redirect thing was up I could log in to cPanel and FTP. That is when I looked and saw the files and databases were there.

As far as the site being all over the place--I know :-\. The least important thing to me is the forum or playing games. If I choose to pursue that particular site, tp[blocks] will be an important part, as will a gallery, maybe the forum to a small degree. I have other sites that are not so all over the place as you correctly point out this one is--they are more about just one thing. Normal :2funny:

There are no members so it don't really matter. It is not a secret, but it may as well be, and it is not a test site per se, but sort of where I test some things out. That is all. I have unlimited domains, subdomains and databases so wtHeck

I am definitely better off for having it, if not just for finding and being part of this community---which is probably the main reason I have it and leave it up---useless as it is.

