Websites hacked, can't find the file
Posted by crk91, 04-20-2009, 09:30 PM I don't know how this happened but someone got into my VPS and changed the main pages of most of my sites. Now what I noticed is they didn't change any password, I was still able to access through cPanel and delete the index.php which was sitting there.... but that was for only one case; the ones with forums and blogs, I see the index.php but that's the original. There is no index.html or any other file but I still see that the page is hacked. I go "view source" on it and I see some XML code.... Is this some kind of XML injection hack? Please help me out here.
Posted by AstroNyu, 04-20-2009, 09:33 PM You could first help us out by giving out the url of your site and the xml code that you saw.
Posted by crk91, 04-20-2009, 09:38 PM Here is the url: fatlosstalk.com All the sites that were hacked have the same page... with same code...
Posted by hiabhilash, 04-21-2009, 01:25 AM Your website is inaccessible atm. Looks like the NS is down. Ping on NS fails. So do the dig. I am talking about NS1.MTLCORE.COM
Posted by vincent91326, 04-21-2009, 02:05 AM That's why I tell people to always have a backup.... Don't always think it won't happen to you and be lazy...
Posted by crk91, 04-21-2009, 03:13 PM It's up I think...
Posted by jNive, 04-21-2009, 08:16 PM http://fatlosstalk.com/index.php indeed it is looking sick/ill You are running cpanel & apache 1.3 on a VPS - so using the VPS version of cpanel - would strongly look at upgrading apache since there are many security issues with the 1.x stream.
Posted by jNive, 04-21-2009, 08:47 PM It also appears as though mtlcore.com is running everything on that single VPS, including that site and the associated name servers. That DNS server (ns1 & ns2 are the same machine) is open to abuse since it is allowing recursive lookups for any host. It is also running BIND 9.2.4 - pretty old.
Posted by jNive, 04-21-2009, 09:01 PM Other sites showing signs of remote includes, hosted on your server:
http://info-islam.org/ <-- include is denied
http://carsdiscussion.com <-- same hack
http://howtofta.com <-- same hack
http://imagesx.net <-- looks ok
http://livefta.com <-- no longer hosted on your server
http://mercadodeals.com <-- same hack
http://mtlcore.com <-- looks ok
http://mytalklounge.com <-- no longer hosted on your server
http://trix5.com <-- looks ok
http://urjunk.com <-- looks ok
http://wwwsitelinks.com <-- same hack
I would look at your apache config and in any FrontPage subfolders (most likely place for the exploit) since it is including an XML Word-generated document. Also check the .htaccess files and try a filesystem grep for any files containing some of the HTML source in the hacked pages.
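The two checks jNive recommends above (grep the filesystem for a string copied from the defaced page's source, and look through .htaccess files for directives that pull in foreign content) as a small scan script; this is an added example, not code from anyone in the thread, and the web root, the marker string and the sample tree it builds are all assumptions:

```shell
#!/bin/sh
# Added example: find files carrying a defacement marker and .htaccess files
# with prepend/include/redirect directives. Paths and marker are assumptions.
set -u

# Files under the web root containing the marker copied from the hacked page.
find_marker_files() {
    webroot="$1"; marker="$2"
    grep -rlF -- "$marker" "$webroot" 2>/dev/null | sort
}

# .htaccess files that prepend/append PHP, alter include_path, or redirect
# to an external host; any of these can make a clean index.php serve junk.
find_suspicious_htaccess() {
    webroot="$1"
    find "$webroot" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eiq 'auto_(prepend|append)_file|include_path|Rewrite(Rule|Cond)[^#]*https?://|Redirect[^#]*https?://' "$f"; then
            echo "$f"
        fi
    done | sort
}

# Constructed sample web root so the script runs stand-alone: one clean
# site, one defaced site with a hostile .htaccess, one benign .htaccess.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site1" "$root/site2/forum" "$root/site3"
    printf '<?php echo "hello"; ?>\n' > "$root/site1/index.php"
    printf '<html><!-- w:WordDocument --><body>defaced</body></html>\n' \
        > "$root/site2/forum/index.php"
    printf 'php_value auto_prepend_file /tmp/planted.txt\n' > "$root/site2/.htaccess"
    printf 'Options -Indexes\n' > "$root/site3/.htaccess"
    echo "$root"
}

main() {
    root=$(build_sample_tree)
    echo "== files containing marker =="
    find_marker_files "$root" 'w:WordDocument'   # assumed marker string
    echo "== .htaccess with prepend/include/redirect directives =="
    find_suspicious_htaccess "$root"
    rm -rf "$root"
}

main
```

Replace the sample tree with the real document root (e.g. the cPanel home directories) and the marker with a distinctive string from the view-source of a defaced page; a hit in a file the site owner does not recognise, or in a .htaccess, is the thing to investigate first.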