Author Topic: hacked[solved] (Read 5262 times)

theinvisible · « **on:** July 16, 2017, 09:44:32 am »

kingc0pe hacked my website https://goo.gl/QuVrZ2

Anybody know how he did it?

_CONEJO · « **Reply #1 on:** July 16, 2017, 12:17:16 pm »

Current version 3.7.3 has no known vulnerabilities, and given how "complex" were last ones discovered, I hardly doubt it's the cause.

Probable causes for a hack:
- Unpatched/unsecure version (doesn't look like it)
- Unpatched/unsecure plugins or themes (please update your themes, plugins)
- Weak admin/ftp/ssh/... password
- Other software (joomla, wordpress,...) unsecure version
- OS vulnerabilities (I doubt that)

dev101 · « **Reply #2 on:** July 16, 2017, 03:54:39 pm »

Quote

Anybody know ow he did it?

Download your entire public/www folder to your PC (including databases) and you need to make a comparison from your backup files, assuming you have clean versions. That's a first step. This will potentially reveal compromised files, shell scripts and some database injections, if any.

If above turns out clean, you might not be hacked in the common terms, as CONEJO explained above, look for holes in your server access (FTP, terminal, passwords...), also running other scripts/CMS will open your sites/server to their vulnerabilities, too.

Unfortunately, not an easy task, it requires time and knowledge.

theinvisible · « **Reply #3 on:** July 16, 2017, 04:32:57 pm »

I contacted my hosting provider and they restored my site somehow. I donno. Now it is working fine. I'm going to change my ftp password first.
I asked the support team of my hosting company about how it happened, but they didn't give me an answer.

theinvisible · « **Reply #4 on:** July 16, 2017, 04:45:05 pm »

This is their reply

_CONEJO · « **Reply #5 on:** July 16, 2017, 04:48:35 pm »

their reply is scary,they should have tell you to update your software at least to avoid being hacked again... how are they so sure it wont happen again?

theinvisible · « **Reply #6 on:** July 16, 2017, 04:54:58 pm »

I donno. My osclass is 3.7.3

BritWeb · « **Reply #7 on:** July 16, 2017, 05:07:54 pm »

... and what was that 'unwanted file' that they cleaned? Dodgy hosting company, I guess!

Aficionado · « **Reply #8 on:** July 16, 2017, 05:14:47 pm »

HostDime. An other crappy hosting company.

Aficionado · « **Reply #9 on:** July 16, 2017, 05:24:03 pm »

Quote from: theinvisible on July 16, 2017, 04:32:57 pm

I contacted my hosting provider and they restored my site somehow. I donno. Now it is working fine. I'm going to change my ftp password first.
I asked the support team of my hosting company about how it happened, but they didn't give me an answer.

Dude IT IS NOT OK !!!!!

http://www.graffittibooks.com/oc-content/

theinvisible · « **Reply #10 on:** July 16, 2017, 05:48:46 pm »

Quote from: Aficionado on July 16, 2017, 05:24:03 pm

Quote from: theinvisible on July 16, 2017, 04:32:57 pm
I contacted my hosting provider and they restored my site somehow. I donno. Now it is working fine. I'm going to change my ftp password first.
I asked the support team of my hosting company about how it happened, but they didn't give me an answer.

Dude IT IS NOT OK !!!!!

http://www.graffittibooks.com/oc-content/

there is a glitch..

it is ok now.. but a minute ago it was again blocked

theinvisible · « **Reply #11 on:** July 16, 2017, 06:22:39 pm »

the hacker kingc0pe replaced all index.php files in each and every folder with his own or edited those files.
But how?

Aficionado · « **Reply #12 on:** July 16, 2017, 06:30:51 pm »

Quote from: theinvisible on July 16, 2017, 06:22:39 pm

the hacker kingc0pe replaced all index.php files in each and every folder with his own or edited those files.
But how?

Probably by some PHP or Apache or mysql security whole. Because Osclass is not even known within the hacking community. Not a popular target.

Or some hosting setup that allows all that could be the cause of it ?

Impossible to know.

Now: do you have a recent BACKUP of your site ?

Can you see the security of the folders (should be 755) and of files (should be 644) ?

_CONEJO · « **Reply #13 on:** July 16, 2017, 06:34:57 pm »

There's no way to know exactly how. Going back to a backup and restore your files is not secure since you still have the issue of insecure software or passwords.

Your hosting telling you everything is fine now while clearly it isn't is scary and worrisome

Which OS and version were you running?
Which version of PHP are you running?
Which themes/plugins do you have installed and which version of each?
Did you have installed any other software (wordpress, joomla,...) even if it's no longer active? Which version?
Did you use weak passwords?
Is your local computer/device compromised? keylogged?
...
and the list goes on

theinvisible · « **Reply #14 on:** July 16, 2017, 07:10:06 pm »

Quote from: Aficionado on July 16, 2017, 06:30:51 pm

Now: do you have a recent BACKUP of your site ?

Can you see the security of the folders (should be 755) and of files (should be 644) ?

i don't have a recent backup of my site.

Some folders are with 750 and others with 755. All files except 'config.php'(666) in public_html folder is 644.

Osclass forums

News:

Author Topic: hacked[solved] (Read 5262 times)

theinvisible

hacked[solved]

_CONEJO

Re: hacked

dev101

Re: hacked

theinvisible

Re: hacked

theinvisible

Re: hacked

_CONEJO

Re: hacked

theinvisible

Re: hacked

BritWeb

Re: hacked

Aficionado

Re: hacked

Aficionado

Re: hacked

theinvisible

Re: hacked

theinvisible

Re: hacked

Aficionado

Re: hacked

_CONEJO

Re: hacked

theinvisible

Re: hacked