  1. #1
    SitePoint Evangelist fs_tigre's Avatar

    Why would the hacker alert you

    Hi,

    Not long ago I asked for help in this forum because two of my sites were hacked, and after thinking about what happened and how I noticed that my sites were hacked, I started wondering why. What happened is this: one morning I woke up and checked one of my sites that uses WordPress, and to my surprise the index page had a picture that said hacked by bla, bla… The same thing happened with my second site, except that this one wasn’t using WordPress; it only had a PHP contact form and was done by a different hacker. Here is where my question came.

    Why would the hacker alert me? Wouldn’t it be easier to do the hack without letting me know, so I would probably have never noticed it?

    Does it mean that the index page was the only file they could have access to and they just wanted to let me know about their success?

    Are there some occasions where the only file hacked is the index file?

    Of course the reason I’m asking is because I haven’t found any malicious scripts for the site that wasn’t using WordPress, and I’m trying to understand where the hacking thing came from. Maybe from my hosting provider?

    Thanks a lot!
    Thank you very much!!!

  2. #2
    SitePoint Zealot
    The hacker alerted you for the glory. They weren't out to take money or use your server for anything, just to show that they could.

    Were your sites hosted on the same server? If so, your server was probably compromised. I would surmise that anyone who could edit your index page could probably edit any file they chose. Also, the fact that both a WordPress and a non-WordPress site were edited suggests your system was totally compromised.

    Are you using unsecured FTP by any chance?

  3. #3
    SitePoint Evangelist fs_tigre's Avatar
    Thank you for your reply!

    Yes, both sites were on the same server (a shared server).
    Yes, I'm using unsecured FTP. Does this make a difference? I thought SFTP was only to protect you from people connected to your network, and I have my network secured.

    Should I start using SFTP? If yes, can I ask why and how would this make a difference?

    Thanks
    Thank you very much!!!

  4. #4
    SitePoint Zealot
    FTP sends your username and password in plain text with every request. It's not just your own network you need to worry about, it's every switch and cable between you and your server. I would switch to SFTP.

    From what you say I can envisage three likely angles of attack:
    1. Your password was intercepted by a hacker sniffing packets,
    2. Your account was hacked using a brute force, dictionary attack, or
    3. Your shared hosting is insecure and your account was hacked from another account on the same box.

    Without more information, 1 sounds like the most likely to me. Change your password to a random alphanumeric string, use an encrypted connection (SFTP or SSH) and check your hosting provider's reputation for security. Also check your backup strategy.

    No one likes getting hacked; hope you get it sorted.

  5. #5
    SitePoint Evangelist fs_tigre's Avatar
    Thanks a lot!

    In fact the password I was using was a four-letter password, so I hope that was the problem because that's an easy fix. I will try to set up SFTP, and of course now I'm using a more robust password.

    Thanks a lot for your help!
    Thank you very much!!!

  6. #6
    SitePoint Evangelist fs_tigre's Avatar
    Oh, how about logging in directly to cPanel? Could this be risky too? Should I use SFTP to access the server files all the time and not directly using cPanel?

    Thanks a lot for your help!
    Thank you very much!!!

  7. #7
    SitePoint Zealot
    Quote Originally Posted by fs_tigre View Post
    Oh, how about logging in directly to cPanel? Could this be risky too? Should I use SFTP to access the server files all the time and not directly using cPanel?

    Thanks a lot for your help!
    cPanel's OK, as long as it's over an https connection. Don't get too paranoid though, it's only a website.

  8. #8
    SitePoint Zealot
    A four-letter password is very, very, very easy to crack, and if it was a real word, it's even easier than that.

    Use at least 12 characters. If your cPanel has a Password Generator, use the password it creates for you.

  9. #9
    SitePoint Evangelist fs_tigre's Avatar
    Thank you all for your comments!
    Thank you very much!!!

  10. #10
    SitePoint Wizard silver trophy Crazybanana's Avatar
    4. The hacker(s) found a vulnerability on your page (could be a script, plugin, insecure form, etc.) and exploited it to deface the index page.

    He probably alerted you for his own glory, as this type of hack gives good karma in the hacking culture.

    Most hackers (read script kiddies) don't do more harm than rename your index page and switch it with their own, as they only use tools made by others to achieve this...
    Who's to doom when the judge himself is dragged before the bar


  11. #11
    SitePoint Evangelist fs_tigre's Avatar
    Most hackers (read script kiddies) don't do more harm than rename your index page and switch it with their own, as they only use tools made by others to achieve this...
    That's good to know, and it's probably why my sites were never banned by Google.

    Thanks a lot for your comments!
    Thank you very much!!!

  12. #12
    SitePoint Enthusiast
    You need to follow the steps below for a secure FTP password:

    a) First, remember to “Sign Out/Log Out” from any of the “services”.

    b) Use a strong, long and complex password; the more variety of characters you have in your password, the harder it is to guess.

    c) Avoid sequences or repeated characters in your password.

    d) Mix letters, numbers and symbols, and use case sensitivity.

    e) Avoid dictionary words in any language.

    f) Try to memorize the password, and avoid writing it down.

    g) Avoid using only one password for all your accounts.

    h) Last but not least, change cPanel / FTP passwords often.
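
The password rules from posts #8 and #12, written as a checker. This is an added example, not part of any poster's reply; the word list, the three-character-class threshold and the sample passwords are constructed assumptions.

```python
import math
import string

MIN_LENGTH = 12  # minimum suggested in post #8
# Constructed stand-in for a real dictionary / leaked-password list.
SAMPLE_WORDS = {"love", "pass", "admin", "tiger", "password", "welcome"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def brute_force_bits(pw):
    """Upper bound on the search space in bits; only meaningful for random strings."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def has_run(pw, length=3):
    """True for repeats (aaa) or ascending/descending sequences (abc, 321)."""
    for i in range(len(pw) - length + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + length - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw):
    """Return the list of rules from the thread that the password breaks."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    # Assumed threshold: at least 3 of lower/upper/digit/symbol (rule d).
    if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
        problems.append("fewer than 3 character classes")
    if has_run(pw):
        problems.append("sequence or repeated characters")
    if any(word in pw.lower() for word in SAMPLE_WORDS):
        problems.append("contains a dictionary word")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("love", "Tiger123!Tiger", "q7#Vz!m2Lx@9Rd"):
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"{check_password(candidate) or 'ok'}")
```

A four-letter lowercase password tops out below 19 bits of search space even before the dictionary check, while a random 14-character mixed string is above 90.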

  13. #13
    SitePoint Enthusiast
    Hi,
    I think there are two types of hacker: one who hacks for fame or glory, and the other whose aim is to cause people harm (maybe financial or some other type of harm).

    And you were attacked by the first type of hacker.
    This type of hacker does hacking just for fun, and for no other reason...
    Maybe your site has some type of loophole or backdoor by which they entered your site, so check for all the possible loopholes, and change the admin password if there is any such provision in your site.

  14. #14
    SitePoint Evangelist fs_tigre's Avatar
    Thank you all for your comments!
    Thank you very much!!!

  15. #15
    SitePoint Wizard Stomme poes's Avatar
    Well, it may have been glory, or it may have been like the people I know: they look at some crappy system, sigh loudly, shake their heads that such a system is still being used by anyone at all, then break in to show the sheep how silly or dangerous they are being with their info.

  16. #16
    SitePoint Evangelist fs_tigre's Avatar
    Hmm, interesting.

    Thanks a lot for your comments!
    Thank you very much!!!

  17. #17
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Quote Originally Posted by Stomme poes View Post
    it may have been like the people I know: they look at some crappy system, sigh loudly, shake their heads that such a system is still being used by anyone at all, then break in to show the sheep how silly or dangerous they are being with their info.
    ...but the admin is not as dumb as he may look, and logs all activity and has it sent to another server and emailed to several addresses as well, so now he contacts the authorities and starts tracking the guy(s)' IP and sends requests for info regarding this to several sysadmins and ISPs about their server and wingt/proxy logs and tracks the guy(s) to their city and house... one can wonder, who's the sheep now...

    I have tracked morons down many times the last 13 years. Sometimes it's "impossible", well at least not worth it and maybe even impossible, but other times it's almost fun.
    Who's to doom when the judge himself is dragged before the bar


  18. #18
    SitePoint Wizard Stomme poes's Avatar
    and start the act of tracking the guy(s) ip
    Uh-huh, yes, everyone does this directly from their bedrooms and they never try proxies or anything. Cause they want trouble : )

    And if they really did, wow, yes it is satisfying watching jack-booted feds jump in through the windows like in a movie "MOVE YOUR HAND AWAY FROM THE KEYBOARD, SLOWLY!" lawlz

  19. #19
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Quote Originally Posted by Stomme poes
    Uh-huh, yes, everyone does this directly from their bedrooms and they never try proxies or anything
    sysadmins and ISP's about their server and wingt/proxy logs
    Using a proxy doesn't mean you are safe - and there are several types of proxy servers too: some non-anonymous, others transparent, forwarding, reverse, etc... and then anonymous proxy servers.

    And even chaining several anonymous proxy servers doesn't make you safe, as anonymous proxy servers tend to log all the activities - and there will be more tracks on every hop, which can ease the trace.

    Contacting the authorities, and also the sysadmins of these servers, can result in getting the logs so you can continue tracing the hacker through several proxy servers - anonymous or not.

    They may also get a court order about handing out the logs.

    Of course this can be difficult (and impossible) if you have to track him through several countries - but who said it would be easy.

    This is how hackers get caught - cooperation between people.

    And now, I have some cake to devour here.
    Who's to doom when the judge himself is dragged before the bar


  20. #20
    SitePoint Wizard Stomme poes's Avatar
    ^self-baked I assume : )

  21. #21
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Of course, it's almost Christmas you know - and I love to bake (and eat).

    I just hope I can control myself, and spare some for Christmas.
    Who's to doom when the judge himself is dragged before the bar


