has been hacked again.
The hacker left this email address. Mail To : 020@xp020[dot]com
1
Thanks for reminding me, I need to give my server a security audit again.
Posted by: Michael Hampton at May 04, 2006 09:40 PM (FVbj6)
2
Hosting Matters hasn't responded to my ticket since last night. They acknowledged that a script had been dropped into one of my directories and they SAID they were going to work on it. It's been over 24 hours and whenever I previously sent a status request email, they told me that doing so would automatically put my issue at the bottom of the support queue.
Lovely.
This one was tracked to Cyprus and I saw it on my logs.
I won't give them (HM or the hackers) the satisfaction of my giving up.
Posted by: Aaron's cc: at May 04, 2006 10:20 PM (ov6Vw)
3
I didn't realize it had been down 24 hrs. Last to know, I guess. Just looked and saw it. Me casa is su casa. I think Rusty would agree. If we can do anything, holler.
Posted by: Howie at May 04, 2006 10:37 PM (GRDou)
4
Aaron, is this a WordPress issue? I noticed you were already running the current version 2.02 (security release).
Last time, did you export your database to flat text and ensure they did not inject user accounts into it? mysqldump is a quick way to write out your database to flat text to view in an editor; attackers normally leave something behind as a backdoor to get back in.
Did you see POST requests in your logs to some of your scripts? Either to attack the script, or to upload their backdoor scripts.
You might also consider putting .htaccess/.htpasswd into effect in your wp-admin directory.
Posted by: davec at May 04, 2006 10:38 PM (CcXvt)
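The log check suggested in the comment above, as an added example that is not part of the original thread: it scans Apache combined-format access log lines for POST requests to PHP scripts the site is not expected to receive POSTs on. The allowlist, the sample log lines, the IP addresses and the /images/ path are constructed assumptions; only the file name hackersfile.php is taken from this thread.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: scripts that legitimately receive POSTs on this WordPress site.
EXPECTED_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-admin/post.php",
}

def suspicious_posts(lines, expected=EXPECTED_POST_TARGETS):
    """Return {path: [(ip, time, status), ...]} for POSTs to PHP scripts not in `expected`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not an upload/form submission
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.endswith(".php") and path not in expected:
            hits[path].append((m["ip"], m["time"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/May/2006:21:14:02 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [03/May/2006:22:01:10 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [03/May/2006:22:01:37 -0400] "POST /images/hackersfile.php?x=1 HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.45 - - [03/May/2006:22:02:05 -0400] "POST /images/hackersfile.php HTTP/1.1" 200 298 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for path, reqs in suspicious_posts(SAMPLE_LOG).items():
        print(path, len(reqs), "POSTs from", sorted({ip for ip, _, _ in reqs}))
```

A script that shows up here with status 200 and is not part of the installed software is a candidate for the kind of leftover file discussed in this thread; the timestamps of the first POST to it help narrow down which earlier request created it.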
5
I use .htaccess and blocked .sa but this was from a different country. The last 5 hacks were different from the first and used, I think, the same exploit left behind as a cuckoo's egg.
I found a file in a directory that was not part of the WP install and I've notified HM to remove it, because I can't, not through cPanel or my FTP interface. It's been over 24 hours and HM is not responsive. Not cool.
The WP user table looks clean.
I'm betting on the mystery scripts that I can't delete.
Posted by: Aaron's cc: at May 04, 2006 11:23 PM (ov6Vw)
6
You probably cannot delete them because they were created by the webserver and owned by nobody/www?
I used to see a lot of that with old CGI scripts that got owned, and files dumped by the attacker in the /tmp directory.
If you know PHP, you should write a script to delete those files, and execute it from the web, which will also run as the webserver and be able to delete those files.
Posted by: davec at May 04, 2006 11:30 PM (CcXvt)
7
Just in case you don't know PHP, I'll throw a very simple way to do it.
Create a file called deletefile.php and put the following in it.
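<?php
// Full path of the attacker's file; edit this to match your site.
$badfile = "/home/aaroncc/public_html/hackersfile.php";
// This runs as the web server user, the same account that created the file.
if (!unlink($badfile)) {
    echo "Could not delete $badfile";
}
?>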
Edit the path to match the file you need to delete in $badfile. You can most likely get your whole path using the 'pwd' command from FTP. Then just browse to the deletefile.php on your site, and check via FTP if the hacker's file was deleted.
If that file is owned by the webserver (www/nobody/web/etc) it points to active exploitation of software installed on your site to create/upload the files.
Posted by: davec at May 04, 2006 11:50 PM (CcXvt)
8
Dave, it isn't a Wordpress issue, it's a muslim issue. We are living in the last days of civilization unless we wake up and realize that the only way to deal with muslims is to kill them in massive numbers.
Posted by: Improbulus Maximus at May 05, 2006 02:58 AM (0yYS2)
9
Sounds like "Hosting Matters" should change its name to
"Hosting only Matters when we can be bothered."
Posted by: davec at May 05, 2006 11:53 AM (CcXvt)
10
Isn't it odd that leftards and 'slamotards use the same methods to quell speech they don't like?
Posted by: Improbulus Maximus at May 05, 2006 06:36 PM (0yYS2)
11
Looking today, it appears Aaron may be close to being back up. Check him.
Posted by: Howie at May 06, 2006 06:07 AM (D3+20)
12
ok we all can see that aaron was hacked but what we have to do when your blog is under attack ? just wait or what else ? also do someone know where to find all the photos that he had on his site ? coz with some friends we will open hundreds of blog with "aaron" in blog name and we will continue his job but power 1000 times stronger.
Posted by: James at May 07, 2006 01:18 AM (nzUqX)
13
Please, James, oh what will we do when we are always under attack. Please tell us just who you are, James with the poor English.
Posted by: Howie at May 07, 2006 01:34 PM (D3+20)
14
just french guy who dont know perfectly your language but its ok i try to increase it daily by reading news or blog or speaking, by the way i guess it would be fun to hear u speaking french. whatever, about the topic : when blog was hacked what do u have to do ? is the blog coming back by itself at the "normal", also as its possible to make lots of blog u could do if u have many friends the same contents in all that blogs so what the matter if few are hacked ?
Posted by: James at May 07, 2006 08:10 PM (nISDy)
15
James, that's fine; with the fatwa and the threats, the question "where are all the pics on the net" kind of feels suspicious. Sorry about that, I'm understandably paranoid at the moment. And no, I can't speak French at all, period. I don't know; we have backup blogs, so we go there until it's back.
Posted by: Howie at May 08, 2006 07:40 PM (D3+20)
16
Aaron, if you read this, email me; I'll give you access to my blog all you like.
Posted by: Howie at May 08, 2006 07:43 PM (D3+20)