Search Results

Search found 374 results on 15 pages for 'hacked'.

  • IIS site hacked with ww.robint.us malware

    - by sucuri
    A bunch of IIS sites got hacked with a JavaScript malware pointing to ww.robint.us/u.js. Google cache says more than 1,000,000 different pages got affected: http://www.google.com/#hl=en&source=hp&q=http%3A%2F%2Fww.robint.us%2Fu.js http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html My question is: Did anyone here get hacked with that and still have any logs (or network dump) available for analysis? If you do, have you spotted anything interesting in there? Sites as big as wsj.com got hacked and some people are saying that maybe a zero-day on IIS/ASP.net is in the wild...

  • Finding how a hacked server was hacked

    - by sixtyfootersdude
    I was just browsing through the site and found this question: My server's been hacked EMERGENCY. Basically the question says: My server has been hacked. What should I do? The best answer is excellent but it raised some questions in my mind. One of the steps suggested is to: Examine the 'attacked' systems to understand how the attacks succeeded in compromising your security. Make every effort to find out where the attacks "came from", so that you understand what problems you have and need to address to make your system safe in the future. I have done no system admin work so I have no idea how I would start doing this. What would be the first step? I know that you could look in the server log files but as an attacker the first thing that I would do would be erasing the log files. How would you "understand" how the attacks succeeded?

  • Linux Server hacked?

    - by user115848
    I'm trying to determine if this Linux webserver/Openfire server has been compromised by some form of malware or a hacker. Can you please help me determine if this server has been hacked? The snippet of logs below is from the Linux server running Apache. A few days ago the Moodle site, which is installed on the server, started to render the Apache default page. Also the access logs show some activity I'm not sure of. Please see logs below.

      85.190.0.3 - - [02/Apr/2012:13:31:01 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:13:31:01 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      99.41.69.92 - - [02/Apr/2012:13:33:35 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "curl/7.18.0 (x86_64-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1"
      212.34.151.92 - - [02/Apr/2012:14:01:46 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
      212.34.151.92 - - [02/Apr/2012:14:01:46 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "http://173.164.35.181/phpmyadmin/scripts/setup.php\r" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
      82.223.140.4 - - [02/Apr/2012:14:05:03 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
      82.223.140.4 - - [02/Apr/2012:14:05:04 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php\r" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
      10.0.0.100 - - [02/Apr/2012:14:25:35 -0600] "GET / HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110330 CentOS/3.6-1.el5.centos Firefox/3.6.15"
      10.0.0.100 - - [02/Apr/2012:14:25:38 -0600] "GET /favicon.ico HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110330 CentOS/3.6-1.el5.centos Firefox/3.6.15"
      50.17.41.60 - - [02/Apr/2012:14:27:29 -0600] "HEAD /icons/apache_pb.gif HTTP/1.0" 200 - "-" "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])"
      85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:14:42:33 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:14:42:36 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:03:48 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      66.233.63.54 - - [02/Apr/2012:15:12:19 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0"
      70.114.161.135 - - [02/Apr/2012:15:17:12 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
      99.41.69.231 - - [02/Apr/2012:15:52:21 -0600] "GET /files/externallibs.php HTTP/1.1" 404 306 "-" "curl/7.18.0 (x86_64-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1"
      85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:15:55:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      10.0.0.253 - - [02/Apr/2012:16:01:45 -0600] "GET / HTTP/1.1" 403 5043 "-" "WWW-Mechanize/1.0.0 (http://rubyforge.org/projects/mechanize/)"
      10.0.0.253 - - [02/Apr/2012:16:02:27 -0600] "GET / HTTP/1.1" 403 5043 "-" "WWW-Mechanize/1.0.0 (http://rubyforge.org/projects/mechanize/)"
      85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "POST _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "GET _http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:13:40 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      89.135.124.125 - - [02/Apr/2012:16:20:47 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php" "Opera"
      89.135.124.125 - - [02/Apr/2012:16:20:48 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "_http://173.164.35.181/phpmyadmin/scripts/setup.php" "Opera"
      85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "GET http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 303 "-" "-"
      85.190.0.3 - - [02/Apr/2012:16:29:59 -0600] "POST http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 307 "-" "-"

  • My server's been hacked EMERGENCY

    - by Grant unwin
    I'm on my way into work at 9.30 p.m. on a Sunday because our server has been compromised somehow and was resulting in a DOS attack on our provider. The server's access to the Internet has been shut down which means over 5-600 of our clients' sites are now down. Now this could be an FTP hack, or some weakness in code somewhere. I'm not sure till I get there. How can I track this down quickly? We're in for a whole lot of litigation if I don't get the server back up ASAP. Any help is appreciated. UPDATE Thanks to everyone for your help. Luckily I WASN'T the only person responsible for this server, just the nearest. We managed to resolve this problem, although it may not apply to many others in a different situation. I'll detail what we did. We unplugged the server from the net. It was performing (attempting to perform) a Denial Of Service attack on another server in Indonesia, and the guilty party was also based there. We firstly tried to identify where on the server this was coming from, considering we have over 500 sites on the server, we expected to be moonlighting for some time. However, with SSH access still, we ran a command to find all files edited or created in the time the attacks started. Luckily, the offending file was created over the winter holidays which meant that not many other files were created on the server at that time. We were then able to identify the offending file which was inside the uploaded images folder within a ZenCart website. After a short cigarette break we concluded that, due to the file's location, it must have been uploaded via a file upload facility that was inadequately secured. After some googling, we found that there was a security vulnerability that allowed files to be uploaded, within the ZenCart admin panel, for a picture for a record company. (The section that it never really even used), posting this form just uploaded any file, it did not check the extension of the file, and didn't even check to see if the user was logged in. This meant that any files could be uploaded, including a PHP file for the attack. We secured the vulnerability with ZenCart on the infected site, and removed the offending files. The job was done, and I was home for 2 a.m. The Moral - Always apply security patches for ZenCart, or any other CMS system for that matter. As when security updates are released, the whole world is made aware of the vulnerability. - Always do backups, and backup your backups. - Employ or arrange for someone that will be there in times like these. To prevent anyone from relying on a panicky post on Server Fault. Happy servering!

  • Joomla Sites hacked by DR-MTMRD [closed]

    - by RedLEON
    Possible Duplicate: My Sites Were Hacked. What To Do? A few of my Joomla sites were hacked. After I became aware of this, I did these things: Changed hosting passwords (mysql, ftp, control panel); Renamed Joomla admin user name to "admin" in users table (Hacker had changed the user name how?); Upgraded Joomla to latest; Added php.ini to root directory of host; Disabled cgi access. But the site is still hacked. I checked up on the index.php file and overwrote the original index.php but the site is still hacked. How is this possible?

  • Website hacked, cpanel password not encrypted?

    - by Jeg Bagus
    Yesterday I found out that all the websites that are hosted on my webhosting site were hacked. I tried to change my password, and unbelievably, I COULD SEE my password there. This means my password is able to be decrypted. I asked customer support, and they say, it's normal, CPanel saves the password like that. Is it true? I mean, is the cPanel password able to be decrypted? They blame me because my WordPress version is out of date. But 2 of my websites are on different platforms. One made by CI and one by WordPress, and all are hacked. Is this hosting reliable?

  • how to fix bad seo after being hacked

    - by mkprogramming
    About a year ago my wordpress website was hacked & some company decided to go nuts and actually do some "SEO" on the various links it created. Some of the pages would show up on google as "payday cash advance" instead of "portfolio". The issue has been resolved, but now as I've been doing GOOD seo, I've noticed (when checking backlinks) that there are TONS of links still on the internet (mostly broken sites now) that have links to my website with titles like: "get a loan today" and so on. Is there a way to remove these links ? Can I tell google to ignore them ? Help !

  • Website address hacked, emails created but not showing in manage your account

    - by ProfMJMcG
    I have a website, thebleudoor.com. It is hosted by yahoo. It gets 2000-3000 hits a day and has been for at least 5 years. A few months ago, as admin of the website, I started getting bounced back emails from newly created emails like [email protected]. Yahoo only shows 2 emails for my account. They said they can't do anything about it. Now, my "spam hacked email accounts" are getting spam. They haven't altered or used my website or email or bank info, just the good name of my website. Is there anything I can do? Do I need to be concerned? Changing my provider won't really help will it? Thank you.

  • IKEA Lamps Hacked into Flexible Speaker Mounts

    - by Jason Fitzpatrick
    This simple hack combines the swing arms of two IKEA work lamps with a set of computer speakers for flexible and easily adjustable sound. IKEAHackers reader Bill Dwyer wanted an easy way to get the speakers off his desk but still be able to easily adjust them. By hacking apart two IKEA work lamps (he removed the light assembly and snipped the wires off) he was able to attach his computer speakers to the arms and, in the process, get them off the desk. The arms make it super simple to adjust the speakers exactly where he wants them, including towards other parts of his office/apartment. Hit up the link below to check out more pictures and read Bill’s instructions. Very Flexible Computer Speaker Mounts [IKEAHackers]

  • Kinect hacked for augmented reality

    - by Kit Ong
    It seems Kinect has more potential than any other console-based motion detection device given the number of hacks that are out there in the wild. http://uk.videogames.games.yahoo.com/blog/article/19744/kinect-as-youve-never-seen-it-before.html Direct links to YouTube videos of Kinect hacks: http://www.youtube.com/watch?v=M-wLOfjVfVc?fs=1&hl=en_GB http://www.youtube.com/watch?v=eWmVrfjDCyw?fs=1&hl=en_GB http://www.youtube.com/watch?v=P3gfMXwQOGI?fs=1&hl=en_GB http://www.youtube.com/watch?v=4qhXQ_1CQjg?fs=1&hl=en_GB http://www.youtube.com/watch?v=VgLp-KyK5g8?fs=1&hl=en_GB http://www.youtube.com/watch?v=CeQwhujiWVk?fs=1&hl=en_GB

  • How to discredit hacked links pointing at my company's website

    - by Dan Gayle
    The competition of one of my company's websites has started a really dirty campaign of acquiring hack links. One of their ingenious tactics has been to seed in links to OUR site within their hack bot, making US look like we might be responsible for it or using us to cover their tail. These are .gov and .edu sites. Is there any way possible to discredit these links? To disavow them at all? EDIT: Penguin has really affected this question, IMO. Does anyone know if there is a revised opinion on disavowing backlinks to your site?

  • Hacked by our own hosting company!

    - by dazhall
    OK, so our hosting company decided to clone our site and database onto a new server. Without our knowledge or permission they then edited our code to point to the new database. The old server was left running, still pointing at the original database. The DNS was changed to reflect the new IP address of the server. Obviously during the propagation customers were hitting both the new and old servers, resulting in orders coming in to both databases, sometimes being split between the two. We're now attempting to reconcile the two databases. The question I have is: is it still hacking if it was done by your own hosting company?! I'm fairly sure they shouldn't have edited our code! If they had left it as it was the site would have stayed pointed at the original database and we wouldn't be in this mess! I'm thinking that legal advice is needed but just wanted to know if anyone had ever come across this situation before?!

  • Links in my site have been hacked

    - by Funky
    In my site I prefix the images and links with the domain of the site for better SEO using the code below:

      public static string GetHTTPHost()
      {
          string host = "";
          // Look up HTTP_HOST in the current request
          if (HttpContext.Current.Request["HTTP_HOST"] != null)
              host = HttpContext.Current.Request["HTTP_HOST"];
          // Bare domains get the www. prefix
          if (host == "site.co.uk" || host == "site.com")
          {
              return "http://www." + host;
          }
          return "http://" + host;
      }

    This works great, but for some reason, lots of links have now changed to http://www.baidu.com/... There is no sign of this in any of the code or project, the files on the server also have a change date when I last did the publish at 11 yesterday, so all the files on there look fine. I am using ASP.net and Umbraco 4.7.2. Does anyone have any ideas? Thanks

  • My webserver just got hacked [closed]

    - by billmalarky
    Possible Duplicate: My server's been hacked EMERGENCY My web server just got hacked. It was on a vps so I think it was hacked through another site. When I loaded the homepage it looks like it ran some script. Can anyone tell me if this script is malicious and if I just got screwed by my own website?

  • How do companies know they've been hacked?

    - by Chad
    With the news of Google and others getting hacked, I was wondering how companies find out, detect, and/or know they've been hacked in the first place? Sure, if they find a virus/trojan on users' computers or see a very high access rate to parts of their system that don't usually see much, if any, traffic. But, from what I've seen in articles, the attack was pretty 'sophisticated', so I wouldn't imagine the hackers would make it so obvious of their hacking in the first place. Maybe someone can enlighten me on current detection schemes/heuristics. Thanks.

  • Wordpress hacked. Disabled hacked site but bad traffic continues [closed]

    - by tetranz
    Possible Duplicate: My server's been hacked EMERGENCY My Ubuntu 10.04 LTS VPS has been hacked, probably via a WordPress site. I was alerted to it when I noticed the incoming traffic was unusually high. A WordPress site was littered with eval(base64_decode(...)) code in lots of files. My fault, I had some files writeable by www-data which shouldn't have been. I've disabled that site (a2dissite ... and restart Apache). This has reduced it but I am still getting some malware type traffic. My server runs several WordPress and Drupal sites and a home grown PHP site. I have captured traffic with tcpdump and looked at it in Wireshark. It's reaching out to the login page of some Joomla sites, trying multiple logins. The traffic stops when I stop Apache. If I a2dissite every site and reload (not restart) Apache the traffic continues. At that point I have no virtual hosts running and no DocumentRoot in my apache2.conf so I don't know how Apache is still running something. I have searched the other sites with grep for likely looking PHP code with no success. I may have missed it but I haven't found anything suspicious in the Apache logs. I have mod-status running. I haven't really seen anything much there except that someone is still trying to do a POST to the theme page on the disabled WordPress site but they now get a 404. What should I be looking for? Are there any tools or whatever which would give me more info about how Apache is generating that traffic? Thanks

  • How Could My Website Be Hacked

    - by Kiewic
    Hi! I wonder how this could happen. Someone deleted my index.php files from all my domains and put his own index.php files with the next message: Hacked by Z4i0n - Fatal Error - 2009 [Fatal Error Group Br] Site desfigurado por Z4i0n Somos: Elemento_pcx - s4r4d0 - Z4i0n - Belive Gr33tz: W4n73d - M4v3rick - Observing - MLK - l3nd4 - Soul_Fly 2009 My domain has many subdomains, but only the subdomains that can be accessed with a specific user were hacked, the rest weren't affected. I assumed that someone entered through SSH, because some of these subdomains are empty and Google doesn't know about them. But I checked the access log using the last command, but this didn't show any activity through SSH or FTP the day of the attack nor seven days before. Does anybody have an idea? I already changed my passwords. What do you recommend me to do? UPDATE My website is hosted at Dreamhost. I suppose they have the latest patches installed. But, while I was looking at how they entered my server, I found weird things. In one of my subdomains, there were many scripts to execute commands on the server, upload files, send mass emails and display compromising information. These files had been created since last December!! I have deleted those files and I'm looking for more malicious files. Maybe the security hole is an old and forgotten PHP application. This application has a file upload form protected by a password system based on sessions. One of the malicious scripts was in the uploads directory. This doesn't seem like an SQL Injection attack. Thanks for your help.

  • How to analyse logs after the site was hacked

    - by Vasiliy Toporov
    One of our web projects was hacked. A malefactor changed some template files in the project and 1 core file of the web framework (it's one of the famous PHP frameworks). We found all corrupted files by git and reverted them. So now I need to find the weak point. With high probability we can say that it's not the ftp or ssh password abduction. The support specialist of the hosting provider (after logs analysis) said that it was the security hole in our code. My questions: 1) What tools should I use to review access and error logs of Apache? (Our server distro is Debian). 2) Can you write tips for detecting suspicious lines in logs? Maybe tutorials or primers of some useful regexps or techniques? 3) How to separate "normal user behavior" from suspicious in logs. 4) Is there any way to prevent attacks in Apache? Thanks for your help.

  • Vserver: secure mails from a hacked webservice

    - by lukas
    I plan to rent and set up a vServer with Debian xor CentOS. I know from my host that the vServers are virtualized with linux-vserver. Assume there is a lighttpd and some mail transfer agent running and we have to assure that if the lighttpd is hacked, the stored e-mails are not easily readable. For me, this sounds impossible but maybe I missed something or at least you guys can validate the impossibility... :) I think basically there are three obvious approaches. The first is to encrypt all the data. Nevertheless, the server would have to store the key somewhere so an attacker (w|c)ould figure that out. Secondly one could isolate the critical services like lighttpd. Since I am not allowed to do 'mknod' or remount /dev in a linux-vserver, it is not possible to set up a nested vServer with lxc or similar techniques. The last approach would be to do a chroot but I am not sure if it would provide enough security. Further I have not tried yet, if I am able to do a chroot in a linux-vserver...? Thanks in advance!

  • Hacked website, code is encrypted in hex, unable to identify

    - by dhakad
    my web site hacked and i am getting code in index page, but i am unable to find that where is the code in my web site...

  • Did Firefox running in OSX get hacked

    - by z-buffer
    When I try to do a google search in Firefox, I can't click on any of the links. They're just regular black text, not hyperlinks. I even tried safe mode and disabling all the plugins. I was running Firefox 12. I installed the current version over it and it's the same thing. Other browsers have not been affected. This is what it looks like. Edit: My firewall was turned off and I had several things running which are potential security holes. I turned on my firewall and closed all unnecessary ports. I also turned off Home Sharing. Then I restarted my computer. After that, Firefox works normally again. What do you think happened?

  • Router/Security question: Am I hacked?

    - by IVR Avenger
    Hi, all. I've noticed that my home broadband speed seems to be a bit slow in recent days. I noticed, last night, that my Wireless Router had given a DHCP lease to a public IP address with an odd formation; something like 111.10.11.110. Should I consider these warning signs of my ZyXEL router being compromised in some way? Thanks, IVR Avenger

  • Windows Server 2003 Hacked - Files Being Uploaded

    - by jreedinc
    Blank directories are being created on my Windows Server 2003 virtual server with sub directories that are weird (for example: "88ÿ ÿ ÿÿþþ þþ13þ"). It looks like they are uploading bootlegged DVDs and pirated software. All of my bandwidth and file space is being eaten up. Could this be a shared permissions issue? Where should I look to further investigate this? My security permissions for the directory that is being hit are as follows:

      Administrators - ALL GRANTED
      IIS_WPG - Read & Execute, List Folder Contents, Read
      Internet Guest - DENY
      SYSTEM - ALL GRANTED
      Users - Read & Execute, List Folder Contents, Read

    My Event Viewer is showing many Logon/Logoff with NO IP?
