Website was HACKED!

Russ H

Went to our monthly B&B meeting tonight.

Pulled up our holiday tour site, to check on something, and found this:

www.napaholidaytour.com

What a shock!

What I need to know:

Are there any precautions we should take?

Are there things like cookies (or other stuff) that I need to be concerned about?

It's hosted by Network Solutions-- so I was shocked that this happened.

I have no idea if posting the URL is dangerous/bad (I am clueless about hacking).

Mods-- if I'm doing something wrong, please pull this post.

Thanks,

-Russ H.
 

Yankees338

I was just gonna ask if it was harmful to visit the site. Regardless, I clicked the link anyway. I'm not sure if that was wise...

Until you know whether or not it's harmful to visit the site, maybe you should just take screenshots?

Sorry to hear about your troubles, Russ. Wish I could help, but good luck!
 

EastWind

Who designed your site?

IP resolves to 205.178.145.65

which is also close to the DNS server address 205.178.190.15, so they didn't hijack the DNS and point it elsewhere; they got into the system.

Do you have PHP, or any sort of CGI/interactive section of the site? That is most likely how they got in. The next question is what OS/httpd server your site is on. If Microsoft Windows/IIS, move to Unix. I hope you have a backup.

Inform Network Solutions. If you have server logs, the httpd error and access logs may show how they got in, if it was via an HTTP vulnerability. Whatever it is, it has to be patched though, else you will still remain at risk.
 

JayKim

I clicked it too, but Firefox blocked some plug-ins it was going to download.
 

EastWind

I clicked it too, but Firefox blocked some plug-ins it was going to download.

In that case, people should avoid going to it, especially those with IE6.
 

mkzhang

Do you have backend access to the website?

I would download everything and zip it.

Delete everything on there, just replace the main page with a single HTML file that says "be back soon" or something.
 

TC2

Looks like the server is running UNIX.
Apache/2.2.8 (Unix) FrontPage/5.0.2.2635

There are many possible holes on your site:
1. Using FrontPage to edit and update your site.
2. Allowing anonymous FTP.
3. Using plain FTP, which sends the login and password as plain text.
4. Allowing file or script attachments to be uploaded through your contact form.
5. One of the other domains or sites on the same shared hosting server was probably also hacked, so they could copy the files over to other sites.
6. Do you happen to have malware / spyware / a keylogger installed on your computer, tracking all the logins and passwords when you upload files or access your site?

Firefox and Chrome block the popup and images (if you set them right).

I don't use IE unless it's necessary.

Use Chrome or Firefox with NoScript.

You need to get your site back up and running ASAP; they may use your server as a bridge to infect other sites.
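As an added defensive example (not code from the thread, and not from Network Solutions), a short Python check to run over a downloaded copy of a site before putting it back online: it flags any script or iframe tag whose src points to a host other than your own domain, which is the usual shape of a mass-injected page that triggers the plug-in downloads JayKim saw. The sample backup, its file contents and the hostnames bad.example/evil.example are constructed.

```python
"""Constructed example: scan a downloaded copy of a site for <script>/<iframe>
tags that load content from a host other than the site's own domain."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample backup as {path: file contents}. index.html carries a hidden
# 1x1 iframe, contact.php a protocol-relative remote script; about.html is clean.
SAMPLE_SITE = {
    "index.html": ('<html><body><h1>Holiday Tour</h1>'
                   '<iframe src="http://bad.example/a.php" width="1" height="1" '
                   'style="visibility:hidden"></iframe></body></html>'),
    "about.html": '<html><body><script src="/js/site.js"></script>About</body></html>',
    "contact.php": '<?php include "form.php"; ?><script src="//evil.example/x.js"></script>',
}

# script or iframe tag with a src attribute; captures the tag name and the src value
TAG_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def _host(name: str) -> str:
    """Normalise a hostname for comparison (lower-case, no leading www.)."""
    name = name.lower()
    return name[4:] if name.startswith("www.") else name


def external_loads(html: str, own_host: str) -> List[Tuple[str, str]]:
    """Return (tag, src) for every script/iframe whose src is on a foreign host.
    Relative srcs (no netloc) are the site's own files and are not reported."""
    hits = []
    for tag, src in TAG_RE.findall(html):
        # scheme="http" makes protocol-relative "//host/x.js" parse with a netloc
        netloc = urlparse(src, scheme="http").hostname or ""
        if netloc and _host(netloc) != _host(own_host):
            hits.append((tag.lower(), src))
    return hits


def scan_site(files: Dict[str, str], own_host: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file in the backup to its foreign script/iframe loads; clean files are omitted."""
    return {path: hits for path, hits in
            ((p, external_loads(c, own_host)) for p, c in files.items()) if hits}


if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_SITE, "www.napaholidaytour.com").items():
        for tag, src in hits:
            print(f"{path}: external <{tag}> loads {src}")
```

Any hit deserves a look before the file goes back up; a legitimate CDN or analytics host will show up too, so compare against what the site is supposed to load.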
 

mkzhang

I just checked my site and it was hacked as well, my anti virus keeps blocking my site.

I downloaded the site onto my comp and my anti virus deleted the index.php because it was trying to pull a Trojan. Hrmmm
 

CactusWren

So my website looks fine, but I have started receiving hundreds of messages in my email that seem a little scary. They are those "mailer daemon" rejections saying your email message did not go through etc. They are from bogus addresses, such as hotty@myurl. In other words, it's like I have been sending out messages from addresses that do not really exist in my domain and they are being rejected.

Any ideas? thanks,
 

JayKim

I don't know if it was from that but I had to do a system restore. Anyways don't click it.
 

LightHouse

I just checked my site and it was hacked as well, my anti virus keeps blocking my site.

I downloaded the site onto my comp and my anti virus deleted the index.php because it was trying to pull a Trojan. Hrmmm

So my website looks fine, but I have started receiving hundreds of messages in my email that seem a little scary. They are those "mailer daemon" rejections saying your email message did not go through etc. They are from bogus addresses, such as hotty@myurl. In other words, it's like I have been sending out messages from addresses that do not really exist in my domain and they are being rejected.

Any ideas? thanks,


Are both of you hosted with network solutions as well?
 

Russ H

UPDATE on the OP:

Turns out Network Solutions' Unix servers were hacked. Someone got in through the back door and loaded the same website onto hundreds/thousands of NetSol clients' sites.

So they never had our password info, etc.

Hackers had gone in over the weekend and Monday. I saw it Tuesday evening-- and we had it restored by Wednesday a.m.

So not a lot of damage control needed.

-Russ H.
 

LightHouse

UPDATE on the OP:

Turns out Network Solutions' Unix servers were hacked. Someone got in through the back door and loaded the same website onto hundreds/thousands of NetSol clients' sites.

So they never had our password info, etc.

Hackers had gone in over the weekend and Monday. I saw it Tuesday evening-- and we had it restored by Wednesday a.m.

So not a lot of damage control needed.

-Russ H.

Is it hosted on some sort of shared host?
 

CactusWren

The situation with my website is different. Just in case anyone has the same issue:

Contact your hosting plan co immediately if you start receiving message failure messages from bogus addresses with your own URL.

Turns out hackers get into your email and start sending out SPAM! This can easily get your URL banned!

I am hoping my hosting co responds quickly now that I have contacted them...
 

LightHouse

No idea. The end of the first article does talk about shared hosting, but I don't know the details of the attack:

Hackers Hit Network Solutions Customers - PCWorld Business Center

Network Solutions Customers Hit By Web Defacement -- InformationWeek

-Russ H.


The reason I asked is because of the level of difficulty. If the intruders were able to infiltrate that many dedicated boxes, that would be quite a feat. However, I could see it if it was a shared host: they would only have to get into one machine and start infecting all the home directories on the clients' partitions. I would move to a managed dedicated server and get it locked up. The nice thing is it will have enough resources to run several sites if you are not doing a ton of traffic through it.
 

Russ H

Thanks, Lighthouse.

My abysmal lack of understanding/knowledge of the interwebs shows here-- I appreciate your explaining your reason for asking! :)

-Russ H.
 

slim_jim

Another option, besides a dedicated server, would be a Virtual Server. Cheaper than dedicated hardware. A restore, if there were a problem, would be faster, due to snapshotting.

Can recommend someone, if interested. Please contact via PM.

HTH
James
 
