
Hacked


4 replies to this topic

#1 Godwin


Posted 07 December 2010 - 03:49 PM

Hi, I haven't been around for a long time, so I am not sure who to contact. It seems last week on the 3rd my site/ftp (godwin.ralert.net) got 'hacked' into, and .htaccess files and edits to index.html files were dropped into every folder in the directory, redirecting connections to a malicious domain (webarh.com). I tried to clean it out but it hit again on the 5th. I'm not sure what caused this, but suspect it might be connected to phpMyAdmin; as a precaution can I get an admin to change the ftp password and pass it to me? If possible too could someone assist in cleaning this out? It's really tedious going through every folder deleting this stuff. Are there any recent backups available on your end? Thanks.

Edited by Godwin, 07 December 2010 - 03:51 PM.


#2 Phil


Posted 07 December 2010 - 10:05 PM

I'd love to help but I'm awfully busy at the moment. I'll try to get some time to look into it tomorrow evening though.


Mr. Dschin had seven elephants
And then there was the eighth.
Seven were wild and the eighth was tame
And the eighth was the one who guarded them.


#3 Godwin


Posted 07 December 2010 - 10:32 PM

It's nothing urgent, I can wait. It's okay if there is no quick way to clean it, I'll probably just download the entire directory to do it myself, and prune the files a little at the same time. Was planning to relaunch my site sometime this month or next year. I think what's pertinent right now is to just change the password. Hopefully someone can find out how this happened.

#4 Banshee


Posted 07 December 2010 - 11:01 PM

I'm trying to do a quick cleanup as much as I can, but I'll need some help here. You've used so many suspicious scripts and some of them simply demand too much effort to be cleared up. Anyway, make sure you use the latest software and eliminate anything that you are not using. Also, change the phpMyAdmin settings (do you really need that?).
Project Perfect Mod

Command & Conquer Mods, Mods Support, Public Research, Map Archives, Tutorials, Tools, A Friendly Community and much more. Check it out now!


#5 Phil


Posted 08 December 2010 - 11:26 PM

I've taken a look at the account and it really is infested. I was able to delete all the generated .htaccess files with relative ease, but it seems you also have a ton of HTML files with injected JavaScript that redirects to that site.
Of course we can try to fix this, but to be plain honest, it would probably be easier and safer if you just started the site from scratch and ported over specific content as necessary.

Using this as an opportunity, I've created a new, real account for you at godwin.revora.net which is properly isolated system-wise (the previous attack could've affected all ralert.net sites, which fortunately doesn't seem to be the case). This will also give you more options, as listed on our Hosting Page. Plus, we want to fade out ralert.net anyway; preferably you'd just create a new site there, separate from the ralert.net mess.
I've also changed the FTP and MySQL passwords of your old account to prevent more damage. I further suggest you scan your computer for malware, as previously we've had a similar case where it seems the FTP password was taken from the client computer.
Once you send me your e-mail address by PM I'll give you all the login info.


Mr. Dschin had seven elephants
And then there was the eighth.
Seven were wild and the eighth was tame
And the eighth was the one who guarded them.
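
Added example, not part of any post in this thread: a read-only triage scan for a downloaded copy of the site that lists the `.htaccess` and HTML files referencing the redirect domain named above, so cleanup does not mean opening every folder by hand. The thread does not show the injected text itself, so the scan assumes the domain appears in plain text (an obfuscated injection would not match); the function names and the sample tree are constructed for illustration.

```python
import os, re, tempfile

DOMAIN = "webarh.com"  # redirect target named in the thread
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)

def scan_site(root, domain=DOMAIN):
    """Return sorted (relative_path, kind) pairs for files that reference domain."""
    needle = domain.lower()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower != ".htaccess" and not lower.endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if lower == ".htaccess":
                # Ignore comment lines; only live directives count.
                if any(needle in line.lower() for line in text.splitlines()
                       if not line.lstrip().startswith("#")):
                    findings.append((rel, "htaccess-redirect"))
            elif any(needle in block.lower() for block in SCRIPT_RE.findall(text)):
                findings.append((rel, "html-script"))   # domain inside a <script> block
            elif needle in text.lower():
                findings.append((rel, "html-other"))    # mentioned elsewhere: review by hand
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree (not the real site content)."""
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://webarh.com/ [R,L]\n",
        "index.html": "<html><body>Home<script>location='http://WEBARH.com/'</script></body></html>",
        "mods/.htaccess": "# legitimate file\nOptions -Indexes\n",
        "mods/index.html": "<html><body><script>var ok = 1;</script></body></html>",
        "mods/notes.htm": "<p>Redirected to webarh.com on the 3rd</p>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind in scan_site(tmp):
            print(kind, rel)
```

The scan only reports; a flagged `.htaccess` may still contain legitimate directives, so review each hit before deleting or restoring from a clean copy.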




