I’m not sure how much of that site you can see as it’s ‘protected’ for members of NLCC and Prints Rupert, but I’m sure you can see “ALPEREN(TURK HACKER)” on the front.
Now, I know nothing about hacking, but I assume when it says “Turk Hacker” and I search google and find that a number of forums have had their name changed to that; the site has been hacked.
Now I’d be rude to just say “tee hee, this site was hacked”, so of course there’s a background to this.
Last spring, I was still an active member of the NLCC (Terrace’s ‘Camera Club’). Then came the day when they decided it was time for a website so we formed a committee that was mainly just myself and another guy. We volunteered ourselves and it soon became an issue between design and functionality. My idea was to have a good looking site using different scripts to run the photo gallery, forum, news, etc. that would be brought together with a Content Management System that allows you total control of the appearance of the site while the other guy on the committee wanted PHP Nuke. For those of you that don’t know PHP Nuke, it’s an extremely generic looking content management system that you just upload to a website and you’re done.
Long story short, the argument was that the club couldn’t afford the software I wanted. So I informed them that everything was free except Invision Board which I have an older copy of on my computer from when it was free. Then the argument was that the site would be hacked because it was on old software. I laughed and said no one would hack a small camera club website. Well, I was wrong, but somehow the magic ‘new’ script they used was hacked. Ironic.
Same idiots hacked my area250.com a few months back. It’s a phpBB vulnerability in pre v.18 software.
Amazing people would bother to hack boards used so little…
Long story short phpBB is a piece of shit, no worries about the server though its either compromised as the user nobody or the user apache runs as. I see this at work all the time oh and I have scripts to deal with the fuckers too but they would need to be adapted to your situation.
Check your /tmp /var/tmp and /dev/shm directories for scripts. Chances are phpBB was used to download the scripts and a backdoor such as r0nin to your server then used for spamming and other things. What were the permissions on the directory phpBB was installed in? I am assuming 777
PM me if you’d like the scripts they will find the hackers and automatically ban them.
I don’t know anything about the camera club website, some other guy maintains it.
However, I got an email today from one of my clients saying the site’s been hacked. I checked it out and it was the same hacker who hacked the camera club site. I checked the FTP to make sure everything was still there because I’ve only got backups of the HTML/PHP/CSS files, no mySQL backups.
All the hacker did was delete the index.php and add their own index.html with something about “no war in iraq”. Anyway, easy fix, changed password, hoping not to get hacked again. I honestly don’t get who would take the time to hack the website of a small sports shop from a city like Terrace.
[quote=“SteveDVS”]
All the hacker did was delete the index.php and add their own index.html with something about “no war in iraq”. Anyway, easy fix, changed password, hoping not to get hacked again. I honestly don’t get who would take the time to hack the website of a small sports shop from a city like Terrace.[/quote]
I’m sorry this is just bad. Are you sure thats all they did? Did you find out how they exploited your system and got in? Did they leave any backdoors? Did they trojan your machine? Rootkit it? You dont know. Did you patch your system in any way?
A few years ago I had a FreeBSD machine at home. An exploit was released for Apache and I got hit less than 24 hrs after the exploit was announced and released in the wild. I learned about the exploit via a few security lists I’m on and when I checked my machine I’d already been hit.
They backdoored the machine, installed a root kit and an IRC bouncer. Sure I could have cleaned it up to a degree but I could never be sure I got everything they installed and I could not trust the machine again.
Reformat/install is the only way to be sure, upgrading any parts of the OS that need to be done.
If your machine is vulnerable it will be found eventually.
Chances are it was just a phpbb installation and shitty permissions. If it was my server I would format it but at work we simply clean the rootkits and files out of /tmp/ /var/tmp I wrote some scripts that find the obscure locations they put the files in as well so you can be 99% sure you got rid of them.
The short of this is software updates need to be applied, there are worms out there to automatically hack these websites big or small. Generally they are used for irc bots to participate in ddos attacks/spamming.
At least upgrade your software and run rkhunter/chkrootkit if you arnt going to format it. You were hit by someone and I will bet they will hit your server again if all you did was replace the index.php and change your password.
It’s not my server, it’s hosted on www.ipowerweb.com so there’s not all that much I can do there. I’m going to see if the people want to change web hosts, though, because at the time being they’re only really using like 1% of their bandwidth and paying about $10/mo whereas they could get more than enough hosting again for $5/mo, save $60 per year.
but they would need to be adapted to your situation.
but at work we simply clean the rootkits and files out of /tmp/ /var/tmp I wrote some scripts that find the obscure locations they put the files in as well so you can be 99% sure you got rid of them.