Re: [vox-tech] my site was hacked
On Sun, 31 Jan 2010, Tony Cratz wrote:
> time you get a real provider who does so you have the
> security on their end to prevent this from happening again.
> And seeing they are using Linux there is no reason why they
> should not be supporting SSH, SCP.

Actually there are pros and cons to it. But like many subjects, not
really worth going into for the average person. In general the
recommendation is correct enough.

Gandalf Parker
___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
Re: [vox-tech] my site was hacked
Hai:

Tony Cratz wrote on 1/27/10:
> If you have a shell access you would be much better to transfer
> the file via SCP (rsync) instead.
>
> Tony

Brian Lavender wrote:
> Can you use ssh to log into a shell?

If you notice from the last few E-mails a number of us have suggested
you use a more secure form to transfer the files. If your provider
does not support SSH, SCP, SFTP then it is time you get a real
provider who does so you have the security on their end to prevent
this from happening again. And seeing they are using Linux there is
no reason why they should not be supporting SSH, SCP.

Tony
Re: [vox-tech] my site was hacked
Can you use ssh to log into a shell?

On Sun, Jan 31, 2010 at 05:05:24PM -0500, Hai Yi wrote:
> just checked - my ISP doesn't support SFTP, I couldn't connect to the
> site using SFTP, otherwise it seems OK
>
> Thanks!
>
> On Wed, Jan 27, 2010 at 4:44 PM, Richard Burkhart wrote:
> >
> > "Rick Moen" wrote:
> >
> >>> Tony: I use dreamweaver to edit my files locally and use its
> >>> internal ftp to upload them.
> >>
> >> So, are you sending your password unencrypted across the open Internet?
> >
> > Dreamweaver's internal FTP client can handle SFTP.

--
Brian Lavender
http://www.brie.com/brian/

"Too much hype, too much confusion, and too many people talking about
something they don't understand have greatly muddied the waters in the
last year or so."

Borland Turbo Pascal OO Programming Guide 1989
Re: [vox-tech] my site was hacked
On Sun, Jan 31, 2010 at 05:05:24PM -0500, Hai Yi wrote:
> just checked - my ISP doesn't support SFTP, I couldn't connect to the
> site using SFTP, otherwise it seems OK

That's a damn shame, as standard FTP is totally insecure. Your
username/password and any files you transmit are completely unencrypted.
(See also: why SSH instead of TELNET)

-bill!
Re: [vox-tech] my site was hacked
just checked - my ISP doesn't support SFTP, I couldn't connect to the
site using SFTP, otherwise it seems OK

Thanks!

On Wed, Jan 27, 2010 at 4:44 PM, Richard Burkhart wrote:
>
> "Rick Moen" wrote:
>
>>> Tony: I use dreamweaver to edit my files locally and use its
>>> internal ftp to upload them.
>>
>> So, are you sending your password unencrypted across the open Internet?
>
> Dreamweaver's internal FTP client can handle SFTP.
Re: [vox-tech] my site was hacked
"Rick Moen" wrote:

>> Tony: I use dreamweaver to edit my files locally and use its
>> internal ftp to upload them.
>
> So, are you sending your password unencrypted across the open Internet?

Dreamweaver's internal FTP client can handle SFTP.
Re: [vox-tech] my site was hacked
Rick Moen wrote:
> Hai Yi (yihai2...@gmail.com) wrote:
>
>> Tony: I use dreamweaver to edit my files locally and use its
>> internal ftp to upload them.
>
> So, are you sending your password unencrypted across the open Internet?

Besides sending your password unencrypted as Rick pointed out,
depending on the FTP client some of them are very insecure and can
be 'hacked' with ease.

If you have a shell access you would be much better to transfer
the file via SCP (rsync) instead.

Tony
Re: [vox-tech] my site was hacked
I inadvertently sent this comment offlist, the first time. My apologies!

Hai Yi (yihai2...@gmail.com) wrote:

> Tony: I use dreamweaver to edit my files locally and use its
> internal ftp to upload them.

So, are you sending your password unencrypted across the open Internet?
Re: [vox-tech] my site was hacked
Tony: I use dreamweaver to edit my files locally and use its internal
ftp to upload them. lunarpages's OS is Linux (they might provide Windows
too but mine is Linux)

On Tue, Jan 26, 2010 at 7:51 AM, Tony Cratz wrote:
> Hai Yi wrote:
>> The website hasn't been restored yet, even I wrote an urgent email to
>> the support of my ISP, lunarpages.com, no response after 24 hours
>> except for an automatic email. This host used to be a good one,
>> responding to the requests in time and to the point; however it's
>> becoming a disappointment in recent years, I think it's time for me to
>> move my business elsewhere.
>
> I have a couple of questions which might help us to find
> out how your site was hacked.
>
> How do you make changes to your site? Do you send the
> file to the ISP and they put the file into position or
> do you somehow transfer the file and put it into place?
>
> If you transfer the file yourself, what method do you use
> to transfer the file?
>
> Do you have shell access to your site?
>
> What OS does the ISP use for your site?
>
> Tony
Re: [vox-tech] my site was hacked
You can alter a site's home page (or do more) with types of injection. :(

This random article has pictures of an example:
http://www.technicalinfo.net/papers/CSS.html
(See: Putting It All Together)

So depending on the site's places of 'input' - (search boxes, comment
boxes, even the address bar can be used) it is possible to inject code
and potentially do whatever you want.

Depending on the situation it may or may not be a security problem of
the hosting company but could be a vulnerability in a specific site's
code. Especially with PHP. PHP calendars, guestbooks, blogs, etc are
constant targets.

If this was an injection, and if you have access to the apache logs you
can see what exact ip address made the injection, and such. Look for
POST in the logs. A lot of times hackers will try again and again for
several days (weeks) posting random scripts until they get it. So there
can be a long track record recorded in the apache logs.

On Tue, Jan 26, 2010 at 04:31, Hai Yi wrote:
> Gandalf: Thank you for the detailed explanation, I'll read it again.
> I checked my pages, only index.html was replaced, what really upset me
> is that now it's 48 hours after I sent the request to the ISP, still
> no response; I can understand now hacking does happen and I can fix
> the problem myself, but their services disappoint me.

--
Scott
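The log review Scott describes above (find the POST requests and see which address kept trying over several days), as an added example that is not part of the original thread. The log lines are constructed, use documentation address ranges, and assume Apache's common log format; the paths are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache common log format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2010:09:12:01 -0800] "GET /index.html HTTP/1.1" 200 5120
203.0.113.45 - - [20/Jan/2010:23:41:17 -0800] "POST /guestbook/sign.php HTTP/1.1" 200 312
203.0.113.45 - - [21/Jan/2010:02:03:55 -0800] "POST /guestbook/sign.php HTTP/1.1" 200 312
198.51.100.7 - - [21/Jan/2010:10:30:00 -0800] "POST /contact.php HTTP/1.1" 200 845
203.0.113.45 - - [22/Jan/2010:01:15:09 -0800] "POST /calendar/add.php HTTP/1.1" 500 0
203.0.113.45 - - [23/Jan/2010:03:27:44 -0800] "POST /calendar/add.php HTTP/1.1" 200 97
192.0.2.10 - - [23/Jan/2010:08:00:12 -0800] "GET /index.html HTTP/1.1" 200 1893
this line is damaged and will be skipped
"""

# host ident user [time] "METHOD path protocol" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def summarize_posts(lines):
    """Group POST requests by client address; also count unparsable lines."""
    per_ip = defaultdict(lambda: {"posts": 0, "days": set(), "paths": set(),
                                  "first": None, "last": None})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip, ts, method, path, _status = rec
        if method != "POST":
            continue
        entry = per_ip[ip]
        entry["posts"] += 1
        entry["days"].add(ts.date())
        entry["paths"].add(path.split("?", 1)[0])  # drop any query string
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(per_ip), skipped


def repeat_posters(summary, min_days=2):
    """Addresses whose POSTs span at least min_days distinct days, busiest first."""
    hits = [(ip, e) for ip, e in summary.items() if len(e["days"]) >= min_days]
    return sorted(hits, key=lambda item: item[1]["posts"], reverse=True)


if __name__ == "__main__":
    summary, skipped = summarize_posts(SAMPLE_LOG.splitlines())
    for ip, e in repeat_posters(summary):
        print(f'{ip}: {e["posts"]} POSTs over {len(e["days"])} days, '
              f'{e["first"]:%d %b %H:%M} to {e["last"]:%d %b %H:%M}, '
              f'paths: {", ".join(sorted(e["paths"]))}')
    print(f"unparsable lines skipped: {skipped}")
```

An address missing from this summary proves little: as Bill notes elsewhere in the thread, logs left behind after a break-in may already have been altered.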
Re: [vox-tech] my site was hacked
Hai Yi wrote:
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.

I have a couple of questions which might help us to find
out how your site was hacked.

How do you make changes to your site? Do you send the
file to the ISP and they put the file into position or
do you somehow transfer the file and put it into place?

If you transfer the file yourself, what method do you use
to transfer the file?

Do you have shell access to your site?

What OS does the ISP use for your site?

Tony
Re: [vox-tech] my site was hacked
Gandalf: Thank you for the detailed explanation, I'll read it again.
I checked my pages, only index.html was replaced, what really upset me
is that now it's 48 hours after I sent the request to the ISP, still
no response; I can understand now hacking does happen and I can fix
the problem myself, but their services disappoint me.

On Tue, Jan 26, 2010 at 12:32 AM, Gandalf Parker wrote:
>
> I've worked as admin for ISPs. And one of those was owned by a law firm.
> I will take a stab at this.
>
> On Mon, 25 Jan 2010, Hai Yi wrote:
>> The website hasn't been restored yet, even I wrote an urgent email to
>> the support of my ISP, lunarpages.com, no response after 24 hours
>> except for an automatic email. This host used to be a good one,
>> responding to the requests in time and to the point; however it's
>> becoming a disappointment in recent years, I think it's time for me to
>> move my business elsewhere.
>
> Hacks happen. The defenses for hacks are developed and distributed after
> hacks occur. One event by itself is not a good reason to move. In fact,
> it's rather like a lightning strike. The fact that they got a wakeup call
> means that moving to one that is still asleep could be a bad move.
>
> On the other hand, this is a simple attack with a simple fix. From the
> sound of it I would expect that every index.htm, index.html, main.html,
> home.html and a long list of other main pages were simply overwritten with
> the signature webpage for bragging rights. A simple script should be able
> to go to the backups and restore every modified page. Any ISP that is slow
> on this might be worth moving away from.
> I'd recommend Sonic.net
>
>> Anyway, I hope someone here can help me with a few questions: does the
>> ISP bear responsibility for such a security breach?
>
> Yes and no. You copied your pages to their server. Your alternative was
> doing your own. They would only have to show reasonable effort. But they
> can be sued for loss of business if you can show the amount prior and
> after.
>
>> My homepage is replaced by the hacker's page of some crap, is that the
>> best he can do? what kind of attack it is? are they able to access my
>> data? I checked that my files are still there, but not sure if the
>> hacker has made a copy.
>
> They got into someone's account. That account could be highly compromised
> but it's unlikely they bothered looking thru everyone's stuff on the server.
> Once they plant their flag (the replaced index pages) they usually delete
> every trace they can behind them and leave. The account they got into
> might have lost everything in their directories in the cleanup/escape.
>
> Do you have a copy of the webpage on your machine? You really should no
> matter what ISP you go to. Just upload the page back to your account.
>
> DISCLAIMER: these are of course my own opinions of what I would do if this
> was me. The "safe and appropriate" instructions would be much harsher.
> Usually something like delete everything, reformat, start over.
>
> Gandalf Parker
> --
> Saying your system is secure should be considered the same as saying
> your food is too hot. It's a temporary condition which is going away even
> as you speak.
Re: [vox-tech] my site was hacked
I've worked as admin for ISPs. And one of those was owned by a law firm.
I will take a stab at this.

On Mon, 25 Jan 2010, Hai Yi wrote:
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.

Hacks happen. The defenses for hacks are developed and distributed after
hacks occur. One event by itself is not a good reason to move. In fact,
it's rather like a lightning strike. The fact that they got a wakeup call
means that moving to one that is still asleep could be a bad move.

On the other hand, this is a simple attack with a simple fix. From the
sound of it I would expect that every index.htm, index.html, main.html,
home.html and a long list of other main pages were simply overwritten with
the signature webpage for bragging rights. A simple script should be able
to go to the backups and restore every modified page. Any ISP that is slow
on this might be worth moving away from.
I'd recommend Sonic.net

> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach?

Yes and no. You copied your pages to their server. Your alternative was
doing your own. They would only have to show reasonable effort. But they
can be sued for loss of business if you can show the amount prior and
after.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do? what kind of attack it is? are they able to access my
> data? I checked that my files are still there, but not sure if the
> hacker has made a copy.

They got into someone's account. That account could be highly compromised
but it's unlikely they bothered looking thru everyone's stuff on the server.
Once they plant their flag (the replaced index pages) they usually delete
every trace they can behind them and leave. The account they got into
might have lost everything in their directories in the cleanup/escape.

Do you have a copy of the webpage on your machine? You really should no
matter what ISP you go to. Just upload the page back to your account.

DISCLAIMER: these are of course my own opinions of what I would do if this
was me. The "safe and appropriate" instructions would be much harsher.
Usually something like delete everything, reformat, start over.

Gandalf Parker
--
Saying your system is secure should be considered the same as saying
your food is too hot. It's a temporary condition which is going away even
as you speak.
Re: [vox-tech] my site was hacked
Maybe the info is insufficient since I am concerned that a virus might
be introduced and cause you some damage, forgive me if I talk like a
layman, but here is my site: www.entrepidea.com, take a look if you
want to take a risk

On Mon, Jan 25, 2010 at 10:32 PM, Jeff Newmiller wrote:
> Not sure this is really a "technical" question... but I'll bite:
>
> Hai Yi wrote:
>> a couple days ago one of my friends got hacked into her photo website,
>> ironically it turned out my business website was hacked too - I found
>> out yesterday.
>>
>> The website hasn't been restored yet, even I wrote an urgent email to
>> the support of my ISP, lunarpages.com, no response after 24 hours
>> except for an automatic email. This host used to be a good one,
>> responding to the requests in time and to the point; however it's
>> becoming a disappointment in recent years, I think it's time for me to
>> move my business elsewhere.
>>
>> Anyway, I hope someone here can help me with a few questions: does the
>> ISP bear responsibility for such a security breach?
>
> Depends how access was gained. Figuring that out can be difficult if
> the intruder is competent, but the sysadmin is more likely to be able
> to do this than you are, and they may not feel like sharing if it was
> their fault.
>
>> My site has yet to
>> see much business flow, but suppose there is a successful site being
>> hacked and the restoration is delayed, who is to blame for the loss?
>
> Refer to the contract language for your use of their hosting services.
> Keep in mind that if the security breach was through your password,
> you are almost certainly responsible. It is unlikely that the ISP
> will accept responsibility for any financial loss, even if they admit
> fault for the breach.
>
>> My homepage is replaced by the hacker's page of some crap, is that the
>> best he can do?
>
> Insufficient data.
>
>> what kind of attack it is?
>
> Insufficient data.
>
>> are they able to access my data?
>
> Insufficient data, but most likely yes.
>
>> I checked that my files are still there, but not sure if the
>> hacker has made a copy.
>
> I would assume so, unless you can confirm that a more limiting mode
> of access than shell access was employed.
>
> --
> ---
> Jeff Newmiller The . . Go Live...
> DCN: Basics: ##.#. ##.#. Live Go...
> Live: OO#.. Dead: OO#.. Playing
> Research Engineer (Solar/Batteries O.O#. #.O#. with
> /Software/Embedded Controllers) .OO#. .OO#. rocks...1k
> ---
Re: [vox-tech] my site was hacked
Not sure this is really a "technical" question... but I'll bite:

Hai Yi wrote:
> a couple days ago one of my friends got hacked into her photo website,
> ironically it turned out my business website was hacked too - I found
> out yesterday.
>
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.
>
> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach?

Depends how access was gained. Figuring that out can be difficult if
the intruder is competent, but the sysadmin is more likely to be able
to do this than you are, and they may not feel like sharing if it was
their fault.

> My site has yet to
> see much business flow, but suppose there is a successful site being
> hacked and the restoration is delayed, who is to blame for the loss?

Refer to the contract language for your use of their hosting services.
Keep in mind that if the security breach was through your password,
you are almost certainly responsible. It is unlikely that the ISP
will accept responsibility for any financial loss, even if they admit
fault for the breach.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do?

Insufficient data.

> what kind of attack it is?

Insufficient data.

> are they able to access my data?

Insufficient data, but most likely yes.

> I checked that my files are still there, but not sure if the
> hacker has made a copy.

I would assume so, unless you can confirm that a more limiting mode
of access than shell access was employed.

--
---
Jeff Newmiller The . . Go Live...
DCN: Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...1k
---
Re: [vox-tech] my site was hacked
Thanks a lot, Bill, for your helpful advice, this time and last time -
I owe you one...

On Mon, Jan 25, 2010 at 10:16 PM, Bill Broadley wrote:
> Hai Yi wrote:
>> a couple days ago one of my friends got hacked into her photo website,
>> ironically it turned out my business website was hacked too - I found
>> out yesterday.
>>
>> The website hasn't been restored yet, even I wrote an urgent email to
>> the support of my ISP, lunarpages.com, no response after 24 hours
>> except for an automatic email. This host used to be a good one,
>> responding to the requests in time and to the point; however it's
>> becoming a disappointment in recent years, I think it's time for me to
>> move my business elsewhere.
>>
>> Anyway, I hope someone here can help me with a few questions: does the
>> ISP bear responsibility for such a security breach? My site has yet to
>> see much business flow, but suppose there is a successful site being
>> hacked and the restoration is delayed, who is to blame for the loss?
>
> I am not a lawyer, but I suspect that any attempt to get money from an ISP
> would be expensive, painful, and unlikely to have a happy result. Usually
> acceptable use policies, they are likely to blame you, or at least claim they
> are not to blame.
>
>> My homepage is replaced by the hacker's page of some crap, is that the
>> best he can do? what kind of attack it is? are they able to access my
>
> The best kind actually. If it's ego they might not have slurped your data.
>
>> data? I checked that my files are still there, but not sure if the
>> hacker has made a copy.
>
> You can't tell, I suggest you assume they did. Assume any related passwords,
> account numbers, and related have been compromised. Even if you find logs
> it's fairly common to leave easy to find logs that cover their tracks.
>
> So I'd look for a better ISP and do everything you can to make your setup more
> secure.
Re: [vox-tech] my site was hacked
Hai Yi wrote:
> a couple days ago one of my friends got hacked into her photo website,
> ironically it turned out my business website was hacked too - I found
> out yesterday.
>
> The website hasn't been restored yet, even I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.
>
> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach? My site has yet to
> see much business flow, but suppose there is a successful site being
> hacked and the restoration is delayed, who is to blame for the loss?

I am not a lawyer, but I suspect that any attempt to get money from an ISP
would be expensive, painful, and unlikely to have a happy result. Usually
acceptable use policies, they are likely to blame you, or at least claim they
are not to blame.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do? what kind of attack it is? are they able to access my

The best kind actually. If it's ego they might not have slurped your data.

> data? I checked that my files are still there, but not sure if the
> hacker has made a copy.

You can't tell, I suggest you assume they did. Assume any related passwords,
account numbers, and related have been compromised. Even if you find logs
it's fairly common to leave easy to find logs that cover their tracks.

So I'd look for a better ISP and do everything you can to make your setup more
secure.