Greenguy's Board


Old 2006-08-07, 12:34 AM   #1
samandian
Been hacked warning

I have just been to look at my traffic and had an entry from the following page:

http://www.zone-h.net/defaced/2006/0...exyethnic.com/ When I click on this I get the message:

Your Security 0wnz By K@YV@NIR@N.

Please Try Again!!
We Will Return Soon
If You Have a Problem Contact Us AnyWhere.

We Are: Black Dragon (DragonDVB) - Red Dragon - Honnibal - Labyrinth
dragondvb AT yahoo DOT com


K@YV@NIR@N IT Security Team!

What should we do about this? Is this for real and if so how do we protect against it?

The IP is from the U.A.E.
Old 2006-08-07, 03:36 PM   #2
virgohippy
You mean your stats say this is a page you are hosting? Or that this page sent you hits?

If it sent you hits, just ignore it.

I don't think I can help, but if you answer these questions someone else might be able to:

Is "zone-h.net" your domain?
What's your stats program?
Are you running any scripts on your domain? If so, which?
__________________
~Warm and Fuzzy.
Old 2006-08-07, 04:05 PM   #3
cd34
There are two types of exploits where there are defacements like this.

One is an exploit through FTP, so change your FTP password, etc. This one usually occurs when someone has spyware or a keylogger on their machine that sends this data elsewhere, or has shared the username/password/hostname combo with a software vendor and didn't change it after the software was installed.

The other exploit is a web exploit, which can come through numerous pieces of software depending on what you were running. Some of the exploits allow remote shell, and if your hosting runs Apache in setuid mode (which is an abhorrent security nightmare), files could have been compromised that way.

http://www.greenguysboard.com/board/...ad.php?t=31508

In either case, you need to find out where the exploit happened so that once you do change passwords, etc., it doesn't happen again.

You will need to spend time going over system logs, etc., to see where things got changed and then adjust/fix whatever so that it doesn't happen again.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
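Added example, not part of cd34's post or the thread: one way to start the log review described above is to check whether each changed file appears as a completed upload in the FTP server's transfer log, which separates the FTP-credential case from the web-exploit case. It assumes the server writes the standard xferlog format; the paths, hosts, user name and log lines are constructed.

```python
from datetime import datetime

# Constructed sample data (not from the thread), in the standard xferlog
# layout: 5 date fields, secs, host, size, path, type, flag, direction,
# access mode, user, service, auth method, auth id, completion status.
SAMPLE_XFERLOG = """\
Sun Aug  6 14:02:11 2006 2 198.51.100.20 5310 /home/example/public_html/gallery.html a _ i r exampleuser ftp 0 * c
Mon Aug  7 03:12:45 2006 1 203.0.113.7 1824 /home/example/public_html/index.html a _ i r exampleuser ftp 0 * c
Mon Aug  7 03:13:02 2006 1 203.0.113.7 911 /home/example/public_html/old.html a _ o r exampleuser ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one record per well-formed xferlog line; skip anything else."""
    for line in text.splitlines():
        f = line.split()  # xferlog writes spaces in file names as '_'
        if len(f) < 18:
            continue
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        yield {"time": when, "host": f[6], "path": f[8],
               "direction": f[11], "user": f[13], "status": f[17]}

def classify_changes(changed_paths, xferlog_text):
    """Map each changed file to ("ftp", uploads) or ("not-ftp", [])."""
    uploads = {}
    for rec in parse_xferlog(xferlog_text):
        # 'i' = incoming (upload); 'c' = transfer completed
        if rec["direction"] == "i" and rec["status"] == "c":
            uploads.setdefault(rec["path"], []).append(
                (rec["time"], rec["host"], rec["user"]))
    report = {}
    for path in changed_paths:
        hits = uploads.get(path, [])
        # No FTP upload on record: look at web server and script logs instead.
        report[path] = ("ftp", hits) if hits else ("not-ftp", [])
    return report

if __name__ == "__main__":
    changed = ["/home/example/public_html/index.html",   # constructed paths
               "/home/example/public_html/banner.php"]
    for path, (vector, hits) in classify_changes(changed, SAMPLE_XFERLOG).items():
        print(vector, path, hits)
```

A file classified `ftp` points at the account and remote host to investigate before changing the password; `not-ftp` means the change did not arrive over logged FTP, so the web server's logs are the next place to look.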
Old 2006-08-07, 11:11 PM   #4
samandian
Thanks CD34. I checked with the host, they said there had been a few reports of hacks today. Doesn't look like any damage was done - but a good wake up call as to the importance of changing passwords regularly and backing up all those hours of work elsewhere.
All times are GMT -4.