"Hacked by 'Cyb3r Kill3r' " - ??????
Well we got the fright of our life today, as one of our clients called to inform us that his homepage (that is hosted and developed by us) has been tagged ..
Well it was not too long before we were able to remove the tag from the site, and now an investigation is underway to find out how he got in...
Has anyone come across this tag, and perhaps got any info to share about him/her/them that do these tags?
Thanks..
Gremmy..
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
If this is a server hosting multiple sites and only this site was affected then I would look at the username/password used by this particular customer. It may just have been a brute force dictionary break-in. In that case your logs should be able to show you this of course!
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
Did it look like this?
http://searchlimos.net/photos/
They claim to be Turkish and Iranian.
They have these emails on their site:
[email protected]
[email protected]
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
I've come across that handle actually, about a year ago I think. A friend of mine had his website hosted by some free hosting company hacked by these guys.
The company wasn't very friendly about telling more about it though except that 'they were investigating it and #*($& like that'.
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
Well so far we've been going through the logs and can't find where he got in from .... Also our logins have a 3 wrong password lockup system.. We suspect that he may have hacked another server that had the logins for the hosted site. This client has logins to be able to do updates themselves, and think that the details were stored somewhere on one of their systems..
And it was only one page of one site on a server that has several sites on it..
We were lucky, and managed to get the site back up in less than an hour..
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
A lot of them come from www.digitalgangster.com.
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
In web development, you have to be ready for this. In fact, there is a simple procedure to find out if the problem exists on your end, or your host provider's end.
- Determine time of attack. This can usually be found by when the hacked file was last updated, or first updated with the newly hacked content.
- Check your access logs. You will find GET, PUT, and POST as your access log methods. Find all PUT and POST methods around the time of attack.
- Trace the access. Find out from what IP address the access came and if using POST, what script on your site they used to gain access. If you don't find anything, it will be your host provider's problem.
Re: "Hacked by 'Cyb3r Kill3r' " - ??????
After a long investigation, and repeated testing, we found how the site was hacked...
SQL Injection...
We have a number of sites that we are hosting, but developed by the client, that we have found to be vulnerable to SQL Injection attacks..
Steps are now being taken to fix...
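The log triage procedure posted earlier in the thread (time of attack, PUT/POST requests around it, then source IP and script), as an added example that is not code from any poster. It also flags GET requests with SQL metacharacters in the query string, since the reported root cause was SQL injection and a PUT/POST filter alone misses injection through a GET parameter. The Apache combined log format, the sample lines and all function names are assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:14:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2009:14:02:41 +0000] "GET /news.php?id=5%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2009:14:03:05 +0000] "POST /admin/edit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:18:30:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Rough heuristic for SQL metacharacters; expect false positives on real traffic.
SQLI = re.compile(r"'|--|/\*|\bunion\b.*\bselect\b", re.IGNORECASE)

def defacement_time(path):
    """Step 1: take the modified file's mtime as the approximate time of attack."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

def triage(log_text, defaced_at, window=timedelta(minutes=30)):
    """Steps 2-3: return (time, ip, method, script, reason) for suspect requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - defaced_at) > window:
            continue  # outside the window around the defacement
        script, _, query = m["url"].partition("?")
        if m["method"] in ("POST", "PUT"):
            hits.append((ts, m["ip"], m["method"], script, "write method"))
        elif SQLI.search(unquote_plus(query)):
            hits.append((ts, m["ip"], m["method"], script, "SQL metacharacters in query"))
    return hits

if __name__ == "__main__":
    # Constructed defacement time; on a real host use defacement_time("<defaced file>").
    when = datetime(2009, 3, 12, 14, 5, tzinfo=timezone.utc)
    for ts, ip, method, script, reason in triage(SAMPLE_LOG, when):
        print(ts.isoformat(), ip, method, script, reason)
```

POST bodies are not recorded in a standard access log, so a flagged POST identifies the script to review rather than the payload that was sent.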