h@x0r3d!

If anyone checked the site this morning, you noticed that I was hacked sometime in the middle of the night. While the details remain somewhat of a mystery, the hacker somehow gained privileged access to the server that all of FellowSites is hosted on. Thankfully, he didn't do any major damage. He ran a simple script that searched for index pages on the server, backed up the originals, and then replaced them with an index page of his own.

Steve and I have been in contact with the reseller host most of the morning. Everyone’s pages are back to normal and they’ve fixed the security vulnerability so that it won’t happen again. They also got the culprit’s IP address and they’ve banned him from the server.
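The defacement described above (find every index page, back it up, drop in a replacement) is exactly the kind of change a file-integrity baseline catches within minutes. The following is an added example, not code from the original post or from FellowSites: it walks a web root the way the intruder's script did, records a SHA-256 baseline of each index page, and later reports which ones were modified, removed, or added. The directory layout, site names and page contents are constructed for the demo; in practice the baseline would be stored off the server and the check run from cron.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Index page names a defacement script would typically target (assumption).
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def sha256_of(path):
    """Hash a file in chunks so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_index_pages(root):
    """Return every index page under root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in INDEX_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_baseline(root):
    """Map each index page (relative to root) to its current hash."""
    return {os.path.relpath(p, root): sha256_of(p) for p in find_index_pages(root)}


def check_against_baseline(root, baseline):
    """Compare the live web root with a stored baseline.

    Returns relative paths grouped as modified (content changed),
    missing (page gone) and new (index page that was not in the baseline).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: two hosted sites, then one index page is defaced."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("site-a", "site-b"):
            d = Path(root, site, "public_html")
            d.mkdir(parents=True)
            (d / "index.html").write_text(f"<html>welcome to {site}</html>")
            (d / "about.html").write_text("about page")
        baseline = build_baseline(root)

        # Mimic what the post describes: original backed up, replacement dropped in.
        target = Path(root, "site-a", "public_html", "index.html")
        target.rename(target.with_suffix(".html.bak"))
        target.write_text("<html>h@x0r3d!</html>")

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Only index pages are tracked here because that is what the script in the post touched; extending INDEX_NAMES (or hashing the whole document root) turns this into a general tamper check. The `.bak` copies the intruder left behind are themselves a useful indicator, since a legitimate deploy rarely litters a web root with them.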

6 thoughts on “h@x0r3d!”

  1. It’s not hard at all. I had a friend on my site that did it quite frequently (anyone remember blarg?). [Smiley Face] It irritated him after a while though because he always had to generate new IPs, so he asked me to lift the ban … which I did.

  2. Sounds like you need help from a security expert….::grin::

    BTW – simply blocking an IP address won’t do it; with DHCP and an ISP he can get a new one each time. Blocking an entire netblock won’t work either; if he wants, he can get another IP address or use a compromised server somewhere on the ‘net. The thing to do is patch and update each server and the software running on it.

  3. Well, you probably understand this better than I do, but the way our host explained it to me is that when you first install Apache there is some sort of default user created with full permissions. You are supposed to delete this user after you’ve created the actual user(s) you want to have access to the system. Apparently, our host forgot to delete this user on the server we are hosted on. Oops.

    The same day it happened they deleted the default user and restored everyone’s index pages. We were lucky the hacker didn’t do more. We really considered switching hosts because of this. However, other than this one MAJOR oversight, they’ve been very good to us. We have eight sites hosted through a reseller plan with them, which would be somewhat of a nuisance (although certainly not impossible) to move all at once to a new host, so we gave them the benefit of the doubt.
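The root cause the host gave in the comment above is a leftover account with full permissions. Whether or not that account really came from the Apache install, the defensive check is the same: audit the system's account database for anything with UID 0 besides root and for interactive accounts nobody expected. This is an added example, not code from the post or from the hosting provider; the `/etc/passwd`-style sample it parses is constructed, and the set of expected login accounts is an assumption the operator would replace with their own.

```python
# Constructed sample in /etc/passwd format; "webadmin" stands in for the
# leftover privileged account described in the comment (hypothetical name).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:0:0:vendor default account:/home/webadmin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips comments and malformed lines."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos,
            "home": home,
            "shell": shell,
        })
    return users


def find_extra_root_accounts(users):
    """Any UID 0 account other than root is a second superuser and needs explaining."""
    return sorted(u["name"] for u in users if u["uid"] == 0 and u["name"] != "root")


def find_unexpected_login_accounts(users, expected):
    """Accounts that can log in interactively but are not on the operator's list."""
    return sorted(
        u["name"]
        for u in users
        if u["shell"] not in NOLOGIN_SHELLS and u["name"] not in expected
    )


def audit_passwd_file(path, expected):
    """Run both checks against a real passwd file (e.g. /etc/passwd)."""
    with open(path, encoding="utf-8") as f:
        users = parse_passwd(f.read())
    return {
        "extra_root": find_extra_root_accounts(users),
        "unexpected_login": find_unexpected_login_accounts(users, expected),
    }


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("extra UID 0 accounts:", find_extra_root_accounts(users))
    print("unexpected login accounts:",
          find_unexpected_login_accounts(users, {"root", "alice"}))
```

On a real host the `expected` set is the list of people who should have shells, and the check belongs in the provisioning script or a periodic job so that a vendor default left behind after install is flagged before anyone else finds it.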

  4. Ah, default users and settings are one of the most irritating items I deal with. It's partially the fault of the software developers and partially the users. S/W Developers are always trying to make things easier for us; consequently there are problems like this that arise. Look at Microsoft with Windows 2003 – the default settings are to have things turned off and force the user to enable them.

    As for the hosting provider, while they are not security experts, they should be aware of things like this. I think you probably made the right decision though.
