ive been hacked need help asap

[Va2k]

I come home find all my index.html files were changed to this
<html>
<head>
<title>Hacked By USG!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#000000" text="#999999" link="#6666FF">
<center><h3>USG (UNIX Security Guards)</h3></center>
<hr>
<p> There is no such thing as Jerusalem the capital of Israel</p>
<p> There is only one arabic Jerusalem</p>
<p> USA I think that you are all about to be some war criminals</p>

<p> UK you are a slave to USA</p>
<hr>
<p align="center"><b>FREE PALESTINE!</b></p>
<p align="center"><b>STOP THE PAIN!</b></p>
<p>&nbsp;</p>
<p>Greetz: AIC (Anti India Crew), WFD (World Fabulous Defacers),DkD,
BreaKIce, Rivver, TheBugz, raiden4 and everyone else who fights for the same case.</p>
<p>&nbsp;</p>
<p align="center"><code> WE Are: Egyptian|Fighter, ShellCode, LinuxLover
and rD.</code></p>
<p align="center">&nbsp;</p>
<p align="center"><code>rD of USG</code></p>
<p align="center"><b> <strong><a
href="mailto:[email protected]">[email protected] m</a></strong></b></p>
</body>
</html>


WTF how can this happen anyone know how or what they did to get in?

[Amputate Your Head]

sorry man... I thought you'd like it.

[mrthumbs]

And did the new front-end convert..?!

[Amputate Your Head]

Quote:

Originally posted by mrthumbs
And did the new front-end convert..?!

I can't see how it wouldn't....

[pornJester]

you're fucked... but seriously you need someone (who know's what they are doing) to take a look at your server.,, hit me up on icq if you need some help finding someone to do so.. 91573698

[cherrylula]

that fucking sucks ass.....

May the force be with you.

[Va2k]

FREAKING terriost or how ever you spell it lmao man that really sucks donkey balls

[theking]

Va2K I am sorry this happened to you. You seem to be a decent sort and hard working. I hope you can fix the problem ASAP.

[Va2k]

www.fuckingmature.com this is one out of about 150 sites on my box ARGH@#$@#$@#$@#$#@$$#@#$@#@$$#@

[.:Frog:.]

weird!

[Va2k]

Quote:

Originally posted by theking
Va2K I am sorry this happened to you. You seem to be a decent sort and hard working. I hope you can fix the problem ASAP.

you know thank you I could understand if i fucked others or was a cheat but GOD DAMN what did i do to deserve this shit. FIRST god damn VISA then money and NOW MY SITES am I pissed hell yea cause I dont knwo what to do and my admin is been so busy I cant get a hold of him if there is anyone I MEAN anyone that knows me and I know them I will pay you what I can if you help me fig out how the FUCK they did this

[gothweb]

[/COLOR]

[Carrie]

Are you prepared to wipe that box and re-load it?
Most likely they left themselves a backdoor. Hunting down that backdoor could take days, while simply reloading could take a few hours.
When your sysadmin reappears, tell him you want IPChains set up on the box immediately with Logcheck emailing you every 15 minutes (at least) and all non-essential ports closed down.
If you've got telnet on the box, install SSH2 and disable telnet. If you've got anonymous FTP turned on, turn it off.
Change all of your passwords - and then do it again at *least* once a month from here on out.
If you still can't get a hold of your sysadmin, install this until you can: http://www.pointman.org/PMFirewall/
It's got easy instructions and is just as easy to open up a port if you close it by mistake.

Best of luck - and check your logs to find out who these fuckers are so you can fry 'em.

[cherrylula]

hey maybe you need to report that somewhere? to some authority?

maybe you can get some free publicity = traffic

[Va2k]

Quote:

Originally posted by Carrie
Are you prepared to wipe that box and re-load it?
Most likely they left themselves a backdoor. Hunting down that backdoor could take days, while simply reloading could take a few hours.
When your sysadmin reappears, tell him you want IPChains set up on the box immediately with Logcheck emailing you every 15 minutes (at least) and all non-essential ports closed down.
If you've got telnet on the box, install SSH2 and disable telnet. If you've got anonymous FTP turned on, turn it off.
Change all of your passwords - and then do it again at *least* once a month from here on out.
If you still can't get a hold of your sysadmin, install this until you can: http://www.pointman.org/PMFirewall/
It's got easy instructions and is just as easy to open up a port if you close it by mistake.

Best of luck - and check your logs to find out who these fuckers are so you can fry 'em.

I allready have the firewall ill go do the ipchan prolly blow up my damn server now

[trailboss]

Va2k,

There are some security holes in Cobalt. I'm not familiar with them. We run FreeBSD. Sure hope you got backups.

I wear belt and suspenders. Have a complete backup of everything on all three of our PC's.

The site www.fuckingmature.com is running
Apache/1.3.12 Cobalt (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/4.1.2 mod_auth_pam/1.0a FrontPage/4.0.4.3 mod_perl/1.24

We had an NT box get hacked last summer. After we moved all the sitesof it we got a box of shells took it out in the desert and had some fun target practice.

Blew the living shit out of it.
BTW you can have Full Auto in Nevada. Rock n' Roll.

[Va2k]

Quote:

Originally posted by trailboss
Va2k,

There are some security holes in Cobalt. I'm not familiar with them. We run FreeBSD. Sure hope you got backups.

I wear belt and suspenders. Have a complete backup of everything on all three of our PC's.

The site www.fuckingmature.com is running
Apache/1.3.12 Cobalt (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/4.1.2 mod_auth_pam/1.0a FrontPage/4.0.4.3 mod_perl/1.24

We had an NT box get hacked last summer. After we moved all the sitesof it we got a box of shells took it out in the desert and had some fun target practice.

Blew the living shit out of it.
BTW you can have Full Auto in Nevada. Rock n' Roll.

HOW the hell did you get that info?????? CAN you help me fix these holes???? Pwease pretty pwease with a cherry on top or a tittie

[trailboss]

Va2k,

my icq is 64074953.

I can try to help.

[AcidMax]

That information is easy to get...just peep this URL:

Check out www.netcraft.com for more information (Click on "Whats that site running")

It will show you information about your webserver and even start keeping tabs about your uptime .

Let me just add that the URL above shows nothing that anyone can use OTHER than the information. Hackers are smart, upgrade your packages on your cobalt and get everything up to date.

Otherwise upgrade your sites to a newer box, Cobalt RaQ's are notorious for intrusions. Also, the newer version of the cobalt software has ways to notify you of port scans and hack attempts.


AJ

[Cogitator]

Encrypt your damn password file!

[foe]

That sucks man, seriously get some one who knows what hes doing to take a look at your servers and make sure to stay current with patches

[Va2k]

Ok I need an admin anyone want some $$$ hit me up asap

[HQ]

Quote:

Originally posted by va2k
WTF how can this happen anyone know how or what they did to get in?

Many ways!!! Let's start with making sure all your passwords are not the same!

[faytl]

24449990, might be able to help...

[cosis]

if your server is new make sure the root password is changed from the default

[pr0]

man thats some terrorism right there

[trailboss]

HiYa AcidMax,

I thought everbody and their dog knew about www.netcraft.com


Here are a couple other usefull tools:

Dns Traversal http://www.squish.net/dnscheck/

ARIN http://www.arin.net/whois/index.html

CyTech http://www.cytechconsult.com/

So Tell your dogs.

Trailboss

[Va2k]

I found who was behind this attack
http://news.bbc.co.uk/1/hi/sci/tech/2052320.stm wtf woudl they pick on someone as little as me

[Va2k]

here they are on tech tv http://www.techtv.com/news/security/...392443,00.html http://www.spitcum.com i still havevt gotten all my sites fixed

[pr0]

Quote:

Originally posted by va2k
I found who was behind this attack
http://news.bbc.co.uk/1/hi/sci/tech/2052320.stm wtf woudl they pick on someone as little as me

Mail bomb em

Didn't they leave a mail box addy?

[Va2k]

Quote:

Originally posted by pr0


Mail bomb em

Didn't they leave a mail box addy?

yea hackermail.com FUCK THAT I aint pissing no one off..... Maybe they will never return to my little site lmao good nite this was a bitch of a night

[redshift]

here's some hints:
turn off all services that are not needed
update - update - update - update
do not use telnet - use ssh

just for example

if you need any help
icq me at 576 1 0 2 1

I've been running several linux servers for 5 years now
have never been hacked (KNOCK ON WOOD HAHA)

now that I have said this I will wake up in the morning with every damn one em hacked

[[Dan]]

Wow your server is full of security holes:

Server: Apache/1.3.12 Cobalt (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/4.1.2 mod_auth_pam/1.0a FrontPage/4.0.4.3 mod_perl/1.24


Apache: versions < 1.3.27 are unsafe
PHP: you need to upgrade to 4.2.3
OpenSSL: you need to upgrade (the library) to 0.9.6e


And it's only what can be seen really fast. Your sshd is probably vulnerable too, judging by the date of the software you run... From what I know they could very well change the pages through the PHP hole, without having shell access to your server..

[chaze]

Most hackers use port scanning make sure you get a good firewall and block every port you can, this might scare them off. They roll out onto thousands of servers and wait for a reply from there scans.

It's kinda like how a thief passes a car when they see the blinking alarm on the dash. If they see your firewall it will lead them to the next box that's showing a up front weakness.

Basically any intense hacker can break a box you just to try and detour them before they get to interested.

I would do a format they could of left another route anywhere on your box.

Good luck,

Charles

[Ace-Ace]

Usama hitting at the heart of America; porn.

[Acolyte]

Quote:

I would do a format they could of left another route anywhere on your box.

You might consider using tripwire on your new install, or one of the opensource lookalikes. It makes it a little bit easier to spot new or changed files.