Re: [vox-tech] my site was hacked

2010-02-01 Thread Gandalf Parker
On Sun, 31 Jan 2010, Tony Cratz wrote:

>   time you get a real provider who does so you have the
>   security on their end to prevent this from happening again.
>   And seeing they are using Linux there is no reason why they
>   should not be supporting SSH, SCP.

Actually there are pros and cons to it.
But like many subjects, not really worth going into for the average 
person. In general the recommendation is correct enough.

Gandalf  Parker

___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] my site was hacked

2010-01-31 Thread Tony Cratz
Hai:

Tony Cratz wrote on 1/27/10:
>   If you have a shell access you would be much better to transfer
>   the file via SCP (rsync) instead.
> 
> 
>   Tony


Brian Lavender wrote:
>
>Can you use ssh to log into a shell?


If you notice from the last few E-mails a number of us have
suggested you use a more secure form to transfer the files.
If your provider does not support SSH, SCP, SFTP then it is
time you get a real provider who does so you have the
security on their end to prevent this from happening again.
And seeing they are using Linux there is no reason why they
should not be supporting SSH, SCP.


Tony



Re: [vox-tech] my site was hacked

2010-01-31 Thread Brian Lavender
Can you use ssh to log into a shell?

-- 
Brian Lavender
http://www.brie.com/brian/

"Too much hype, too much confusion, and too many people talking about
something they don't understand have greatly muddied the waters in the
last year or so."

Borland Turbo Pascal OO Programming Guide
1989


Re: [vox-tech] my site was hacked

2010-01-31 Thread Bill Kendrick
On Sun, Jan 31, 2010 at 05:05:24PM -0500, Hai Yi wrote:
> just checked - my ISP doesn't support SFTP, I couldn't connect to the
> site using SFTP, otherwise it seems OK

That's a damn shame, as standard FTP is totally insecure.
Your username/password and any files you transmit are completely
unencrypted.  (See also: why SSH instead of TELNET)

-bill!


Re: [vox-tech] my site was hacked

2010-01-31 Thread Hai Yi
just checked - my ISP doesn't support SFTP, I couldn't connect to the
site using SFTP, otherwise it seems OK

Thanks!



Re: [vox-tech] my site was hacked

2010-01-27 Thread Richard Burkhart

"Rick Moen"  wrote:

>> Tony: I use dreamweaver to edit my files locally and use its 
>> internal ftp to upload them.
>  
>
>So, are you sending your password unencrypted across the open Internet?

Dreamweaver's internal FTP client can handle SFTP.


Re: [vox-tech] my site was hacked

2010-01-27 Thread Tony Cratz
Rick Moen wrote:
> Hai Yi (yihai2...@gmail.com) wrote:
> 
>> Tony: I use dreamweaver to edit my files locally and use its 
>> internal ftp to upload them.
>   
> 
> So, are you sending your password unencrypted across the open Internet?


Besides sending your password unencrypted, as Rick pointed out,
depending on the FTP client some of them are very insecure
and can be 'hacked' with ease.

If you have a shell access you would be much better to transfer
the file via SCP (rsync) instead.


Tony


Re: [vox-tech] my site was hacked

2010-01-26 Thread Rick Moen
I inadvertently sent this comment offlist, the first time.  My
apologies!



Hai Yi (yihai2...@gmail.com) wrote:

> Tony: I use dreamweaver to edit my files locally and use its 
> internal ftp to upload them.
  

So, are you sending your password unencrypted across the open Internet?




Re: [vox-tech] my site was hacked

2010-01-26 Thread Hai Yi
Tony: I use dreamweaver to edit my files locally and use its internal
ftp to upload them. lunarpages's OS is Linux (they might provide Windows
too but mine is Linux)



Re: [vox-tech] my site was hacked

2010-01-26 Thread Scott Miller
You can alter a site's home page (or do more) with types of injection.
:( This random article has pictures of an example:

http://www.technicalinfo.net/papers/CSS.html
(See: Putting It All Together)

So depending on the site's places of 'input' - (search boxes, comment
boxes, even the address bar can be used) it is possible to inject code
and potentially do whatever you want.

Depending on the situation it may or may not be a security problem of
the hosting company but could be a vulnerability in a specific site's
code. Especially with PHP. PHP calendars, guestbooks, blogs, etc are
constant targets.

If this was an injection, and if you have access to the apache logs
you can see what exact ip address made the injection, and such. Look
for POST in the logs. A lot of times hackers will try again and again
for several days (weeks) posting random scripts until they get it. So
there can be a long track record recorded in the apache logs.

On Tue, Jan 26, 2010 at 04:31, Hai Yi  wrote:
> Gandalf: Thank you for the detailed explanation, I'll read it again.
> I checked my pages, only index.html was replaced, what really upset me
> is that now it's 48 hours after I sent the request to the ISP, still
> no response; I can understand now hacking does happen and I can fix
> the problem myself, but their services disappoint me.

-- 
Scott
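
Added example (not part of Scott's message or of the thread): one way to do the log review described above, grouping POST requests by client address and flagging addresses that kept POSTing on several different days. The log lines are constructed samples in Apache's combined format, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format (not data from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2010:09:14:02 -0800] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2010:03:12:44 -0800] "POST /guestbook.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jan/2010:03:12:51 -0800] "POST /guestbook.php?page=2 HTTP/1.1" 500 310 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jan/2010:02:58:10 -0800] "POST /calendar/add.php HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jan/2010:14:40:09 -0800] "POST /contact.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"
this line is truncated and must be skipped
203.0.113.7 - - [23/Jan/2010:04:01:37 -0800] "POST /guestbook.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def summarize_posts(lines):
    """Group POST requests by client address; other methods are ignored."""
    summary = defaultdict(
        lambda: {"count": 0, "days": set(), "paths": set(), "statuses": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["days"].add(rec["time"].date())
        entry["paths"].add(rec["path"].split("?", 1)[0])  # drop the query string
        entry["statuses"].add(rec["status"])
    return dict(summary)


def repeat_posters(summary, min_days=2):
    """Addresses that sent POSTs on at least min_days different days."""
    return sorted(ip for ip, e in summary.items() if len(e["days"]) >= min_days)


if __name__ == "__main__":
    report = summarize_posts(SAMPLE_LOG.splitlines())
    for ip in repeat_posters(report):
        e = report[ip]
        print(ip, e["count"], "POSTs on", len(e["days"]), "days:", sorted(e["paths"]))
```

To run it on a real log, pass the open file to `summarize_posts`; as another reply in this thread warns, logs found on a compromised host cannot be fully trusted, so treat an empty result as inconclusive.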


Re: [vox-tech] my site was hacked

2010-01-26 Thread Tony Cratz
Hai Yi wrote:
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.
> 


I have a couple of questions which might help us to find
out how your site was hacked.

How do you make changes to your site? Do you send the
file to the ISP and they put the file into position or
do you somehow transfer the file and put it into place?

If you transfer the file yourself, what method do you use
to transfer the file?

Do you have shell access to your site?

What OS does the ISP use for your site?

Tony


Re: [vox-tech] my site was hacked

2010-01-26 Thread Hai Yi
Gandalf: Thank you for the detailed explanation, I'll read it again.
I checked my pages, only index.html was replaced, what really upset me
is that now it's 48 hours after I sent the request to the ISP, still
no response; I can understand now hacking does happen and I can fix
the problem myself, but their services disappoint me.



Re: [vox-tech] my site was hacked

2010-01-25 Thread Gandalf Parker

I've worked as admin for ISPs. And one of those was owned by a law firm.
I will take a stab at this.

On Mon, 25 Jan 2010, Hai Yi wrote:
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.

Hacks happen. The defenses for hacks are developed and distributed after
hacks occur. One event by itself is not a good reason to move. In fact,
it's rather like a lightning strike. The fact that they got a wakeup call
means that moving to one that is still asleep could be a bad move.

On the other hand, this is a simple attack with a simple fix. From the
sound of it I would expect that every index.htm, index.html, main.html,
home.html and a long list of other main pages were simply overwritten with
the signature webpage for bragging rights. A simple script should be able
to go to the backups and restore every modified page. Any ISP that is slow
on this might be worth moving away from.
I'd recommend Sonic.net

> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach?

Yes and no. You copied your pages to their server. Your alternative was 
doing your own. They would only have to show reasonable effort. But they 
can be sued for loss of business if you can show the amount prior and 
after.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do? what kind of attack it is? are they able to access my
> data? I checked that my files are still there, but not sure if the
> hacker has made a copy.

They got into someone's account. That account could be highly compromised
but it's unlikely they bothered looking thru everyone's stuff on the server.
Once they plant their flag (the replaced index pages) they usually delete
every trace they can behind them and leave. The account they got into
might have lost everything in their directories in the cleanup/escape.

Do you have a copy of the webpage on your machine? You really should no 
matter what ISP you go to. Just upload the page back to your account.

DISCLAIMER: these are of course my own opinions of what I would do if this
was me. The "safe and appropriate" instructions would be much harsher. 
Usually something like delete everything, reformat, start over.

Gandalf  Parker
-- 
Saying your system is secure should be considered the same as saying
your food is too hot. It's a temporary condition which is going away even
as you speak.
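
Added example (not Gandalf's script, and not part of the thread): one way to do the backup comparison and restore described above, in Python. It compares SHA-256 hashes of the live document root against a backup, moves changed or unknown files into a quarantine directory instead of deleting them, and copies the backup versions back; every directory and file name here is constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def compare_with_backup(live_root, backup_root):
    live, backup = tree_hashes(live_root), tree_hashes(backup_root)
    return {
        "modified": sorted(f for f in backup if f in live and live[f] != backup[f]),
        "missing": sorted(f for f in backup if f not in live),
        # Files the backup has never seen: they may have been left by the intruder.
        "unexpected": sorted(f for f in live if f not in backup),
    }


def restore(live_root, backup_root, quarantine_root, report):
    live_root, backup_root = Path(live_root), Path(backup_root)
    quarantine_root = Path(quarantine_root)
    # Keep the altered and unknown files as evidence rather than deleting them.
    for rel in report["modified"] + report["unexpected"]:
        kept = quarantine_root / rel
        kept.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(live_root / rel), str(kept))
    for rel in report["modified"] + report["missing"]:
        target = live_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, target)


def demo():
    """Build a constructed site and backup, damage the site, then repair it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live, quarantine = (Path(tmp) / n for n in ("backup", "live", "quarantine"))
        pages = {"index.html": "<h1>Shop</h1>",
                 "about/index.html": "<h1>About</h1>",
                 "style.css": "body {}"}
        for root in (backup, live):
            for rel, text in pages.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        (live / "index.html").write_text("<h1>replaced page</h1>")  # overwritten page
        (live / "style.css").unlink()                               # deleted file
        (live / "upload.php").write_text("constructed placeholder")  # unknown file
        before = compare_with_backup(live, backup)
        restore(live, backup, quarantine, before)
        after = compare_with_backup(live, backup)
        return before, after, sorted(tree_hashes(quarantine))


if __name__ == "__main__":
    print(demo())
```

Restoring pages does not close whatever let the intruder in; other replies in this thread advise assuming that related passwords have been compromised.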



Re: [vox-tech] my site was hacked

2010-01-25 Thread Hai Yi
Maybe the info is insufficient since I am concerned that a virus might
be introduced and cause you some damage, forgive me if I talk like a
layman, but here is my site: www.entrepidea.com , take a look if you
want to take a risk



Re: [vox-tech] my site was hacked

2010-01-25 Thread Jeff Newmiller
Not sure this is really a "technical" question... but I'll bite:

Hai Yi wrote:
> a couple days ago one of my friends got hacked into her photo website,
> ironically it turned out my business website was hacked too - I found
> out yesterday.
> 
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.
> 
> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach?

Depends how access was gained.  Figuring that out can be difficult if
the intruder is competent, but the sysadmin is more likely to be able
to do this than you are, and they may not feel like sharing if it was
their fault.

> My site has yet to
> see much business flow, but suppose there is a successful site being
> hacked and the restoration is delayed, who is to blame for the loss?

Refer to the contract language for your use of their hosting services.
Keep in mind that if the security breach was through your password,
you are almost certainly responsible.  It is unlikely that the ISP
will accept responsibility for any financial loss, even if they admit
fault for the breach.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do?

Insufficient data.

> what kind of attack it is?

Insufficient data.

> are they able to access my data?

Insufficient data, but most likely yes.

> I checked that my files are still there, but not sure if the
> hacker has made a copy.

I would assume so, unless you can confirm that a more limiting mode
of access than shell access was employed.

-- 
---
Jeff Newmiller                        The     .       .  Go Live...
DCN:        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...1k
---


Re: [vox-tech] my site was hacked

2010-01-25 Thread Hai Yi
Thanks a lot, Bill, for your helpful advice, this time and last time -
I owe you one...



Re: [vox-tech] my site was hacked

2010-01-25 Thread Bill Broadley

Hai Yi wrote:
> a couple days ago one of my friends got hacked into her photo website,
> ironically it turned out my business website was hacked too - I found
> out yesterday.
> 
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.
> 
> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach? My site has yet to
> see much business flow, but suppose there is a successful site being
> hacked and the restoration is delayed, who is to blame for the loss?

I am not a lawyer, but I suspect that any attempt to get money from an ISP
would be expensive, painful, and unlikely to have a happy result.  Usually
acceptable use policies, they are likely to blame you, or at least claim they
are not to blame.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do? what kind of attack it is? are they able to access my

The best kind actually.  If it's ego they might not have slurped your data.

> data? I checked that my files are still there, but not sure if the
> hacker has made a copy.

You can't tell, I suggest you assume they did.  Assume any related passwords,
account numbers, and related have been compromised.  Even if you find logs
it's fairly common to leave easy to find logs that cover their tracks.

So I'd look for a better ISP and do everything you can to make your setup more
secure.