Websites hacked, can't find the file

Posted by crk91, 04-20-2009, 09:30 PM
I don't know how this happened but someone got into my VPS and changed the main pages of most of my sites. Now what I noticed is they didn't change any password, I was still able to access through cPanel and delete the index.php which was sitting there.... but that was for only one case; on the ones with forums and blog, I see the index.php but that's the original. There is no index.html or any other file but I still see that the page is hacked. I go "view source" on it and I see some XML code.... Is this some kind of XML injection hack? Please help me out here.

Posted by AstroNyu, 04-20-2009, 09:33 PM
You could first help us out by giving us the URL of your site and the XML code that you saw.

Posted by crk91, 04-20-2009, 09:38 PM
Here is the URL: fatlosstalk.com. All the sites that were hacked have the same page... with the same code...

Posted by hiabhilash, 04-21-2009, 01:25 AM
Your website is inaccessible atm. Looks like the NS is down. Ping on the NS fails. So does dig. I am talking about NS1.MTLCORE.COM.

Posted by vincent91326, 04-21-2009, 02:05 AM
That's why I tell people to always have a backup.... Don't always think it won't happen to you and be lazy...

Posted by crk91, 04-21-2009, 03:13 PM
It's up I think...

Posted by jNive, 04-21-2009, 08:16 PM
http://fatlosstalk.com/index.php indeed is looking sick/ill. You are running cPanel & Apache 1.3 on a VPS, so using the VPS version of cPanel. I would strongly look at upgrading Apache since there are many security issues with the 1.x stream.

Posted by jNive, 04-21-2009, 08:47 PM
It also appears as though mtlcore.com is running everything on that single VPS, including that site and the associated name servers. That DNS server (ns1 & ns2 are the same machine) in question is open to abuse since it is allowing recursive lookups for any host. It is also running BIND 9.2.4, which is pretty old.

Posted by jNive, 04-21-2009, 09:01 PM
Other sites hosted on your server showing signs of remote includes:

http://info-islam.org/ <-- include is denied
http://carsdiscussion.com <-- same hack
http://howtofta.com <-- same hack
http://imagesx.net <-- looks ok
http://livefta.com <-- no longer hosted on your server
http://mercadodeals.com <-- same hack
http://mtlcore.com <-- looks ok
http://mytalklounge.com <-- no longer hosted on your server
http://trix5.com <-- looks ok
http://urjunk.com <-- looks ok
http://wwwsitelinks.com <-- same hack

I would look at your Apache config and in any FrontPage subfolders (most likely place for the exploit) since it is including an XML Word-generated document. Also check the .htaccess files and try a filesystem grep for any files containing some of the HTML source in the hacked pages.
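A defender-side triage script for the filesystem grep and .htaccess check suggested above, added here as an example and not code from any poster in the thread. It builds its own throwaway sample web root so it runs offline; the directory layout, file contents and the Word HTML namespace used as the search string are assumptions.

```shell
#!/bin/sh
# Triage helpers for a defaced web root (added example, constructed input).
# Usage idea: copy a distinctive string from the defaced page's "view source"
# and pass it as SIGNATURE to find every file on disk that carries it.

# find_signature ROOT SIGNATURE -> paths of files containing SIGNATURE
find_signature() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# list_htaccess ROOT -> every .htaccess under ROOT (review each by hand)
list_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null | sort
}

# recently_modified ROOT DAYS -> regular files changed within DAYS days
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample web root: one clean index.php, one planted Word-style
# HTML page inside a FrontPage-looking subfolder, and one .htaccess.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/forum/_vti_bin" "$d/blog"
    printf '<?php echo "hello"; ?>\n' > "$d/forum/index.php"
    # Assumed marker: the XML namespace Word emits when saving as HTML.
    printf '<html xmlns:w="urn:schemas-microsoft-com:office:word">x</html>\n' \
        > "$d/forum/_vti_bin/page.htm"
    printf 'RewriteEngine On\n' > "$d/blog/.htaccess"
    echo "$d"
}

# Stand-alone demo: build the sample root, run the three checks, clean up.
demo_root=$(make_sample_root)
echo "== files containing the signature =="
find_signature "$demo_root" "urn:schemas-microsoft-com:office:word"
echo "== .htaccess files to review =="
list_htaccess "$demo_root"
echo "== files modified in the last 7 days =="
recently_modified "$demo_root" 7
rm -rf "$demo_root"
```

On a real server, run it with the document root of the affected account and a string taken from the hacked page; the first list is where the injected content actually lives on disk, which may not be the index file you expect.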
