
Thread: Hackers on my website

  1. #11
    Senior Member
    Join Date
    May 2002
    Posts
    256
    misscoco, with your permission...would you mind me running a few security scans/audits on your website? I can reply back to a private email address with the results. Note, I will NOT alter anything on the website, nor take down the website. As always, no charge
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  2. #12
    Senior Member
    Join Date
    Jul 2002
    Posts
    229
    Hello,

    The most off-the-top-of-my-head explanation I can give after checking out your server is that they may have cracked your FTP server's user and password and then changed things around. Hopefully you are well aware that you have an FTP server running (at least it is attached to the domain name you provided) and I assume that you use it to remotely change things on your website.

    If a hacker has access to someone's FTP server it is very easy for them to modify the webpage that you are hosting. My recommendation would be to change your username and password and lock it down by limiting the number of connections, disabling anonymous accounts, etc... The FTP server that you're running (WS_FTP 1.0.5) IMO isn't the greatest; try Serv-U instead if you're running Windows, it's user friendly and is easy to lock down.

    Also after you have done that run some type of tool that checks for rootkits (tools that hackers use to get into your system, kinda like putting a backdoor entrance to your house). I hope that helps and good luck. I'm sorry this happened to you.
    The real question is not whether peace can be obtained, but whether or not mankind is mature enough for it...
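The "cracked FTP user and password" theory above is something the server's own log can confirm or rule out. Here is an added example (not code from the thread, nor from WS_FTP or Serv-U) of the check a defender would run over that log: a burst of failed logins from one client, followed by a success and then uploads from the same client, is the signature of a guessed account. The log format is constructed for the example; real servers use their own layouts, so `parse_line()` is the part to adapt.

```python
"""Spot credential brute-forcing against an FTP server in its log.

Added example, not code from the thread or from WS_FTP/Serv-U. The log
format below is constructed for the example (date, time, client IP,
event, arguments); real FTP server logs use their own layouts, so
parse_line() is the part to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 and 198.51.100.4 are documentation
# addresses, not real clients.
SAMPLE_LOG = """\
2005-08-18 02:14:01 203.0.113.7 LOGIN FAIL user=admin
2005-08-18 02:14:02 203.0.113.7 LOGIN FAIL user=admin
2005-08-18 02:14:02 203.0.113.7 LOGIN FAIL user=webmaster
2005-08-18 02:14:03 203.0.113.7 LOGIN FAIL user=ftp
2005-08-18 02:14:03 203.0.113.7 LOGIN FAIL user=anonymous
2005-08-18 02:14:05 203.0.113.7 LOGIN OK user=webmaster
2005-08-18 02:14:09 203.0.113.7 STOR index.html
2005-08-18 09:30:11 198.51.100.4 LOGIN OK user=misscoco
2005-08-18 09:31:40 198.51.100.4 STOR news.html
"""

FAIL_THRESHOLD = 4             # failed logins from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window = brute force


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, event, args)."""
    date, time, ip, rest = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    event, *args = rest.split()
    return ts, ip, event, args


def analyse(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of findings (dicts) in log order."""
    recent_fails = defaultdict(list)  # ip -> timestamps of recent failed logins
    brute_forcers = set()             # ips that crossed the threshold
    compromised = {}                  # ip -> user that logged in after a burst
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, args = parse_line(line)
        if event == "LOGIN":
            status, user = args[0], args[1].split("=", 1)[1]
            if status == "FAIL":
                # keep only failures still inside the window, then count
                fails = [t for t in recent_fails[ip] if ts - t <= window] + [ts]
                recent_fails[ip] = fails
                if len(fails) >= threshold and ip not in brute_forcers:
                    brute_forcers.add(ip)
                    findings.append({"kind": "brute_force", "ip": ip,
                                     "at": ts, "failures": len(fails)})
            elif status == "OK" and ip in brute_forcers:
                # a success right after a burst of failures is the real alarm:
                # the account was probably guessed, not merely probed
                compromised[ip] = user
                findings.append({"kind": "login_after_brute_force", "ip": ip,
                                 "user": user, "at": ts})
        elif event == "STOR" and ip in compromised:
            # uploads in that session are the files to inspect and restore
            findings.append({"kind": "upload_by_suspect_session", "ip": ip,
                             "user": compromised[ip], "file": args[0], "at": ts})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The threshold and window are deliberately conservative so that a user mistyping a password twice is not flagged; what matters for incident response is the chain of findings, since the `STOR` entries after the suspect login tell you exactly which files to restore from a clean copy.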

  3. #13
    Senior Member
    Join Date
    May 2002
    Posts
    256
    Also, to chime in on what Radical is saying (good points), I would recommend using a secure password as well and not an easily guessed password (dictionary based). For example, instead of using a password of "password", use the password of "P@ssw0rd" instead. Note, do not use this actual password as it too is easily guessed.

    Best wishes.
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.
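The post makes a point worth turning into an actual check: "P@ssw0rd" is no better than "password" because cracking wordlists apply exactly those substitutions. The following is an added example, not code from the thread, of a password policy that undoes the common disguises before comparing against a dictionary; the word list is a tiny constructed stand-in for a real one, and the numbers (12 characters, 3 character classes) are this example's own assumptions.

```python
"""Reject dictionary passwords, including 'leet' disguises like P@ssw0rd.

Added example, not code from the thread. WORDLIST is a tiny constructed
stand-in for a real cracking dictionary, and the policy numbers
(12 characters, 3 character classes) are this example's assumptions.
"""
import re

# Common substitutions that wordlist mangling rules already try.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})

WORDLIST = {"password", "letmein", "welcome", "qwerty", "admin",
            "secret", "football", "monkey"}


def normalise(pw):
    """Undo the usual disguises so 'P@ssw0rd1' compares as 'password'."""
    s = pw.lower()
    s = re.sub(r"\d+$", "", s)        # drop a trailing number ("password123")
    s = s.translate(LEET)             # P@ssw0rd -> password
    return re.sub(r"[^a-z]", "", s)   # ignore remaining punctuation


def check_password(pw, wordlist=WORDLIST, context=(), min_len=12, min_classes=3):
    """Return the list of reasons a password fails; empty means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    base = normalise(pw)
    if base in wordlist:
        reasons.append(f"dictionary word after normalisation ({base!r})")
    for word in context:                   # site name, user name, domain ...
        w = normalise(word)
        if len(w) >= 4 and w in base:
            reasons.append(f"contains site/user name {word!r}")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "Misscoco2005!!", "Tr0ub4dor&3-xkcd"):
        print(candidate, "->", check_password(candidate, context=("misscoco",)) or "ok")
```

The `context` argument is the part most policies forget: the site's own name or the account name, with a year and a couple of exclamation marks appended, passes a naive complexity rule and is among the first things a targeted guess tries.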

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    A weird one,

    I have done a bit of research, and the vandalised sites seem to be scattered all over the place, with no apparent content similarity or connection; hell, they even hit my hometown's good pub guide? (in the middle of Yorkshire, UK)

    They seem to be a Turkish emigre outfit based in the UK?

    http://s2.phpbbforfree.com/forums/?mforum=ksteam

    misscoco your "communist flag" is, in fact, the Turkish flag

    Turkish intelligence suggests that WaRRiOr is known to them but is not the sharpest tool in the shed. Errrrrrrrr, he/she is not in the top 50. I would guess some sort of bot to collect vulnerable sites, then attack a few in each country. Interestingly, the sites all seem to be in NATO/SEATO/EU aligned countries.

    This makes me wonder if it is not an attempt by one group of website defacers to implicate/discredit another. I have heard that there is great rivalry between some of them.

    I guess that you were just unlucky.




  5. #15
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi nihil,

    Or is it Sherlock Nihilholmes

    Eg

  6. #16
    Senior Member
    Join Date
    May 2002
    Posts
    256
    DAMN! No kiddin! Someone did their homework
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  7. #17
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Folks,

    I tried the usual Whois and Traceroute scans, but all I seem to get to is an outfit in NYC, and Traceroute shows a lot of "bogus rDNS", "fraudulent rDNS" and "no rDNS" at the end of the trail.

    I don't believe a word of it

  8. #18
    Senior Member
    Join Date
    May 2002
    Posts
    256
    Hmmm...I see what you are saying nihil
    I'm getting
    12 32 ms 33 ms 32 ms o3-2bd1.dfw002ap01.yipes.com [66.7.141.42]
    13 33 ms 31 ms 31 ms 66.7.165.37

    Yipes.com...hmmm..who that be?
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.
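The "bogus rDNS" and "no rDNS" labels in the two posts above come from a simple test: does the name the PTR record gives for a hop resolve forward to that same address? Here is an added example, not code from the thread, that parses Windows-style tracert hop lines like the two quoted and applies that forward-confirmed reverse DNS check to each hop. The resolvers are passed in as callables so the example runs offline against constructed tables (the yipes.com hostname is the one from the post; its forward record and the other addresses are assumptions); the four status strings are this example's own, not the labels of the poster's traceroute tool.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over tracert output.

Added example, not from the thread. It parses Windows-style tracert hop
lines and, for each hop, checks whether the PTR name resolves forward to
the same address. Resolvers are injected so the example runs offline
against constructed tables; the status strings are this example's own.
"""
import re
import socket

HOP_RE = re.compile(
    r"^\s*(\d+)\s+"                        # hop number
    r"((?:(?:<?\d+\s*ms|\*)\s+){3})"       # three RTT columns (or * for timeouts)
    r"(\S+)(?:\s+\[(\S+)\])?\s*$"          # "host [ip]" or a bare ip
)


def parse_hop(line):
    """Return {'hop', 'rtts', 'host', 'ip'} or None for lines that are not hops."""
    m = HOP_RE.match(line)
    if not m:
        return None
    hop, rtt_text, name, bracketed = m.groups()
    rtts = [None if t == "*" else int(t.lstrip("<"))
            for t in re.findall(r"<?\d+(?=\s*ms)|\*", rtt_text)]
    host, ip = (name, bracketed) if bracketed else (None, name)
    return {"hop": int(hop), "rtts": rtts, "host": host, "ip": ip}


def classify_rdns(ip, ptr_lookup, a_lookup):
    """FCrDNS: the PTR name must resolve forward to the address it names."""
    name = ptr_lookup(ip)
    if not name:
        return "no rDNS"
    forward = a_lookup(name)
    if not forward:
        return "unconfirmed rDNS"   # PTR name exists but resolves nowhere
    if ip not in forward:
        return "mismatched rDNS"    # PTR name resolves, but not to this address
    return "confirmed rDNS"


def audit_trace(lines, ptr_lookup, a_lookup):
    """Classify every hop line; returns [(hop, ip, status), ...]."""
    out = []
    for line in lines:
        hop = parse_hop(line)
        if hop:
            out.append((hop["hop"], hop["ip"],
                        classify_rdns(hop["ip"], ptr_lookup, a_lookup)))
    return out


# Constructed offline tables standing in for DNS. The yipes.com name is the
# one quoted in the thread; its forward record and the example.* entries are
# assumptions made for the example.
PTR_TABLE = {"66.7.141.42": "o3-2bd1.dfw002ap01.yipes.com",
             "66.7.165.37": None,
             "192.0.2.10": "mail.example.net",
             "192.0.2.12": "www.example.org"}
A_TABLE = {"o3-2bd1.dfw002ap01.yipes.com": {"66.7.141.42"},
           "mail.example.net": {"192.0.2.99"},
           "www.example.org": set()}


def table_ptr(ip):
    return PTR_TABLE.get(ip)


def table_a(name):
    return A_TABLE.get(name, set())


# Live resolvers for real use (not exercised by the offline run).
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name):
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


SAMPLE_TRACE = [  # first two lines are the hops quoted in the thread
    "12    32 ms    33 ms    32 ms  o3-2bd1.dfw002ap01.yipes.com [66.7.141.42]",
    "13    33 ms    31 ms    31 ms  66.7.165.37",
    "14    40 ms    41 ms    40 ms  mail.example.net [192.0.2.10]",
    "15    45 ms    44 ms    45 ms  www.example.org [192.0.2.12]",
]

if __name__ == "__main__":
    for hop, ip, status in audit_trace(SAMPLE_TRACE, table_ptr, table_a):
        print(hop, ip, status)
```

To run it against a real trace, pass `live_ptr` and `live_a` instead of the table functions. Note that a "mismatched" PTR is common and usually just sloppy operator DNS; it says nothing about who controls the box, which is why the thread's attempt to attribute the attacker from a traceroute goes nowhere.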

  9. #19
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Wildred,

    OrgName: Yipes Communications, Inc.
    OrgID: YIPS
    Address: 114 Sansome Street
    City: San Francisco
    StateProv: CA
    PostalCode: 94104
    Country: US

    NetRange: 209.213.192.0 - 209.213.223.255
    CIDR: 209.213.192.0/19
    NetName: YIPES-BLK1
    NetHandle: NET-209-213-192-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.YIPES.COM
    NameServer: NS2.YIPES.COM
    NameServer: NS3.YIPES.COM
    Comment:
    RegDate: 2000-04-13
    Updated: 2001-06-29

    TechHandle: IY10-ARIN
    TechName: Yipes Communications, Inc.
    TechPhone: +1-877-788-4662
    TechEmail: [email protected]

    OrgAbuseHandle: ABUSE21-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-303-785-4450
    OrgAbuseEmail: [email protected]

    OrgTechHandle: IY10-ARIN
    OrgTechName: Yipes Communications, Inc.
    OrgTechPhone: +1-877-788-4662
    OrgTechEmail: [email protected]

    # ARIN WHOIS database, last updated 2005-08-18 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    This stuff is all over the place... proxies, owned or whatever, I guess?

    Here is a fraudulent rDNS:

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    ReferralServer: rwhois://rwhois.level3.net:4321

    NetRange: 63.208.0.0 - 63.215.255.255
    CIDR: 63.208.0.0/13
    NetName: LEVEL4-CIDR
    NetHandle: NET-63-208-0-0-1
    Parent: NET-63-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1999-05-28
    Updated: 2001-05-30

    TechHandle: LC-ORG-ARIN
    TechName: level Communications
    TechPhone: +1-877-453-8353
    TechEmail: [email protected]

    OrgAbuseHandle: APL8-ARIN
    OrgAbuseName: Abuse POC LVLT
    OrgAbusePhone: +1-877-453-8353
    OrgAbuseEmail: [email protected]

    OrgTechHandle: ARINC4-ARIN
    OrgTechName: ARIN Contact
    OrgTechPhone: +1-800-436-8489
    OrgTechEmail: [email protected]

    OrgTechHandle: TPL1-ARIN
    OrgTechName: Tech POC LVLT
    OrgTechPhone: +1-877-453-8353
    OrgTechEmail: [email protected]

    It seems to leave London (UK) hit San Francisco, then go to this place in Colorado (?) then go back to San Francisco?

    I am glad I am not paying the taxi fares
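Whois records like the two pasted above are easier to reason about once parsed: the `NetRange`/`CIDR` fields say which addresses the record actually covers, and that is what to test a hop address against before concluding anything. Here is an added example, not code from the thread, that parses the ARIN-style `Key: Value` text (using the Yipes record quoted above, trimmed) into fields, checks that its CIDR and NetRange agree, and tests address membership. Run on the trace addresses from the earlier post, it shows that 66.7.141.42 does not fall inside the quoted 209.213.192.0/19 block at all, so that record describes the organisation, not the hop.

```python
"""Parse an ARIN-style whois record and test which addresses it covers.

Added example, not from the thread. WHOIS_TEXT is the Yipes record quoted
in the post above, trimmed to the fields used here.
"""
from ipaddress import ip_address, ip_network, summarize_address_range

WHOIS_TEXT = """\
OrgName: Yipes Communications, Inc.
OrgID: YIPS
Address: 114 Sansome Street
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US

NetRange: 209.213.192.0 - 209.213.223.255
CIDR: 209.213.192.0/19
NetName: YIPES-BLK1
NetHandle: NET-209-213-192-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YIPES.COM
NameServer: NS2.YIPES.COM
NameServer: NS3.YIPES.COM
Comment:
RegDate: 2000-04-13
Updated: 2001-06-29

OrgAbuseHandle: ABUSE21-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-303-785-4450

# ARIN WHOIS database, last updated 2005-08-18 19:10
"""


def parse_whois(text):
    """Return {field: [values...]}; repeated keys (NameServer) keep every value."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and server notices
            continue
        key, sep, value = line.partition(":")     # split on the first colon only,
        if not sep:                               # phone numbers contain no colon
            continue                              # but a stray line might
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def networks(record):
    """Networks the record covers: the CIDR lines, else the NetRange."""
    nets = [ip_network(c, strict=False) for c in record.get("CIDR", [])]
    if not nets and record.get("NetRange"):
        lo, hi = (ip_address(x.strip()) for x in record["NetRange"][0].split("-"))
        nets = list(summarize_address_range(lo, hi))
    return nets


def covers(record, ip):
    """True if the address lies inside any network the record lists."""
    addr = ip_address(ip)
    return any(addr in net for net in networks(record))


def cidr_matches_range(record):
    """Sanity check that the CIDR field spans exactly the NetRange field."""
    lo, hi = (ip_address(x.strip()) for x in record["NetRange"][0].split("-"))
    nets = [ip_network(c, strict=False) for c in record["CIDR"]]
    # assumes the CIDR list is contiguous, which is how ARIN prints one block
    return (min(n.network_address for n in nets) == lo
            and max(n.broadcast_address for n in nets) == hi)


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["NetName"], rec["CIDR"], "consistent:", cidr_matches_range(rec))
    for ip in ("209.213.200.1", "66.7.141.42", "66.7.165.37"):
        print(ip, "in block:", covers(rec, ip))
```

For an address-level answer you would whois the hop address itself (`whois 66.7.141.42`) and parse that record; an organisation's name appearing in a hostname is not evidence that the hop lives in the block the organisation record lists.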

  10. #20
    Senior Member
    Join Date
    May 2002
    Posts
    256
    LOL. Shoot, I'm so cross-eyed from tracert that I forgot what the hell the original domain name was. Ahhh, sleep is a good thing... now if only the wife would give me a backrub, lol
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.
