Site hacked!!!

[redhawk14506]

I have a friend whos site was hacked a littlte while back by a group calling themselves "Hacking for Jesus" aka "Command Tribulation". Unluckily, he is having some trouble getting his site back up. www.alkalinehorse.com and the "hackers" site is http://www.revolutiongospel.net/, or at least thats the link they left on his website. Unluckily I am not sure if he kept any logs. I am just wondering if this group is widely known. Anyway, any help that can be provided will be appreciated.

[RoadClosed]

Hacking for Jesus? Sounds like a front.

//edit

Uless you want the site up for us all to enjoy the clever words of Jesus, then take it down and boot to a floppy and reformat your hard drives, then reload everything and search AO for "locking down <insert os here>" If you know what your doing to can figure out what went wrong and backup from tape. No logs?No Tape? = Format

[DjM]

They appear to be a Portuguese hacking group. They host a forum here.

You might be able to social engineer a little more information out of them if you join the forum.

Cheers:

[jinxy]

Well they seem to be a bussy bunch have a look here:
http://www.zone-h.org/en/defacements...d+Tribulation/

[Spyder32]

Seem's like a pretty big group (or could be) and is making defacements against your type of website's. Interestingly enough they call themselves Hacking for Jesus, which I think (like RoadClosed said) is a front and a serious load of it. Btw:

sh-2.05# uname -a; id uname -a; id Linux srv1.ariadomain.com 2.4.18-18.7.x #1 Wed Nov 13 20:29:30 EST 2002 i686 unknown uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Look's to me (based on a number of scan's and research on your site, etc) that they got root on the webserver. Check to see what that's all about and DEFINITELY check your logs.

[Cybr1d]

do a vulnerability scan on the websterver and see what could have been exploitable and patch it up to avoid further pwnage.

Collect as much data as possible and report it to the authorities.

EDIT:

Ok after a little bit of my own research and the use of some really effective skiddie tools ...I can tell you that his website/webserver had a huge "WELCOME" sign hanging from all its 15 Open ports and some other stuff that I'd rather not share in public display. He seriously needs to lock that box up....is there a firewall installed?
The box is very vulnerable to numerous high risk exploits quite a few medium risks one and one low risk.

I have a report done but I dont think i want to give it to you...as DjM noted, this might be a sad social Engineering attempt.

cheers.

[redhawk14506]

Thanks guys, gonna have to let my buddy know about this stuff, I have been checking out these Jesus hackers, it has to be a front. Pullezzz. Why would a bunch of Jesus fiends target a 17 year olds webserver? If we were talking pr0n, then I might be able to see why, but thats probably out of thier abilities Anyway, I am joining thier forum, (Hope they speak english, dont want to babelfish EVERYTHING.) Thanks again, ill let him know.

(As for open ports, he shouldnt feel too bad, I once left port 139 open on my gaming machine, yes 139, thats not a typo.)

[pZargs]

I did some searching and it seems to me that they are wanna be elitist's but I could be wrong.
Everything that I tried to find out like e-mails were fake but none the less, I agree with everyone he should try to get evidence of there behavior and record it for the authorities. Then fry-um. And this is coming from a true "born again christian"

[redhawk14506]

Cant anyone track these guys down??? I mean, even the brazillian Govt has gotta be gettin sick of this.

[Cybr1d]

I wouldn't be as worried about just the ports being open, as much as I would for the 21 vulnerabilities on the server.