
Help - "Arabian h4x0r Owned Your Box"

azoundria

Dozens of hosting clients have had a mysterious index page appear on their websites - like the following:

http://abdooh.ismywebsite.com/

Other files seem intact.

When I do a Google search I see I am not the only one:

http://www.google.ca/search?q="Arabian+h4x0r+Owned+Your+Box"&hl=en&filter=0

Does anyone know what's going on? At first I thought someone had created a whole bunch of mirror sites by registering multiple accounts but some clients who I know had valid sites before are reporting this.

I can contact the people who host the sites and emails mentioned in the source of the page, maybe even get the addresses shut down - but that would likely only shut off communication with the hacker and not solve anything.

Any help?
 
I remember I found an experienced hacker who was trying a whole bunch of things to replace my index - and none of them worked. I've got a deal with a paid host for the space so I don't deal directly with the server. How would I find out where to find or fix the vulnerability?

I was thinking this might be a new thing - because so many people have been attacked by it (even the Saudi Arabia government). Just refresh the Google results and you can see - the number is changing as sites are attacked and fixed!
 
It's normally achieved in shared hosting environments: when PHP isn't secured properly, it's possible to use a program like phpshell to gain root access, if you have the time to waste, that is ...
 
I had one of my old hosting accounts hacked through a hole in an image hosting script. PHPShell was uploaded, an eggdrop bot was compiled, all index pages were replaced with the hacker's page and then the account was suspended. Needless to say, I don't use free software anymore unless it's actively developed. I wouldn't even touch any of those scripts you can buy with full resell rights.
 
Happened to me years ago.... I never really cared that much. If someone is enough of a loser to spend that much time just to replace my index page... I don't need to get pissed off about it.


I can see how it might be a problem when it's a business or more professional site though.
 
I had one of my old hosting accounts hacked through a hole in an image hosting script. PHPShell was uploaded, an eggdrop bot was compiled, all index pages were replaced with the hacker's page and then the account was suspended.

Something is confusing me though - there are some sites that are still under construction displaying the default page. These were left entirely intact and untouched. Also, there is slight variation between some of the hacked pages. A few have soft background music - one even has a different image.

Happened to me years ago.... I never really cared that much. If someone is enough of a loser to spend that much time just to replace my index page... I don't need to get pissed off about it.

I can see how it might be a problem when it's a business or more professional site though.

The problem is not the index page - it's the fact that there is a vulnerability that has not been found. That someone could exploit that at a later date.

It's normally achieved in shared hosting environments: when PHP isn't secured properly, it's possible to use a program like phpshell to gain root access, if you have the time to waste, that is ...

Does the government of Saudi Arabia run on a shared hosting environment? http://www.mtc.gov.sa/

 
I said, it's normally achieved that way, normally being the operative word.

It wouldn't be that strange if they did have their public website on a shared service; after all, it's not likely to contain any sensitive information ...
 
I noticed a lot of those hacked sites were forums. It's likely the hacker used a common exploit in software that was in need of an update.
 
It's running an old and most likely unpatched, unsecured OS & software; PHP is only at 4.4.2 to start with, so it doesn't look like a good starting point :/
 
Yeah, that's quite a pain in the ---. But that's what backups are for.

Fix your security, then restore the affected accounts.
 
I would recommend reinstalling the box unless you're positive this was a remote hack and not them actually gaining shell access to the box. Although, if this is free hosting then it was probably one of your clients. If this is paid, I'd definitely make sure the box is secured and probably re-install for safe measure.

Keep everything updated....
 
I would recommend reinstalling the box unless you're positive this was a remote hack and not them actually gaining shell access to the box. Although, if this is free hosting then it was probably one of your clients. If this is paid, I'd definitely make sure the box is secured and probably re-install for safe measure.

Keep everything updated....

Really? Reinstall a server with 100s of accounts because of index replacement?
The fact that they used and only did index replacement means they never had any real access to the box... it's most likely an issue with some software you're running, or a script clients are using.. Reinstalling will do nothing because you'll be just reinstalling the exploit...

The best thing you can do is invest 100$ into a sysadmin for an hour and he/she will have it totally secure..
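For the question raised in the thread of how to find where the replaced index pages came from, here is an added example (not posted by anyone in the thread) of a triage script for a shared host. It assumes one directory per account under a hosting root; `scan_accounts`, `is_defaced`, `build_sample` and the sample tree are hypothetical names and constructed data. It flags index files containing the string from the thread title and lists other files in the same account that changed around the same time, such as an uploaded script.

```python
import os
import tempfile

MARKER = b"arabian h4x0r owned your box"  # string from the thread title, lowercased
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def is_defaced(path):
    """True if an index file contains the defacement marker (case-insensitive)."""
    if os.path.basename(path).lower() not in INDEX_NAMES:
        return False
    with open(path, "rb") as fh:
        return MARKER in fh.read(65536).lower()

def scan_accounts(hosting_root, window=3600):
    """Per defaced account: defaced index files, plus other files modified within
    `window` seconds of the defacement (candidate entry points or uploads)."""
    report = {}
    for account in sorted(os.listdir(hosting_root)):
        base = os.path.join(hosting_root, account)
        mtimes = {os.path.join(d, n): os.path.getmtime(os.path.join(d, n))
                  for d, _sub, names in os.walk(base) for n in names}
        defaced = sorted(p for p in mtimes if is_defaced(p))
        if not defaced:
            continue  # untouched accounts are omitted
        first = min(mtimes[p] for p in defaced)
        nearby = sorted(p for p, m in mtimes.items()
                        if p not in defaced and abs(m - first) <= window)
        report[account] = {"defaced": defaced, "changed_nearby": nearby}
    return report

def build_sample(root, now=1_700_000_000):
    """Constructed sample tree: one defaced account, one untouched account."""
    layout = {
        "alice/public_html/index.html": (b"<h1>Arabian h4x0r Owned Your Box</h1>", now),
        "alice/public_html/uploads/img_771.php": (b"<?php /* constructed */ ?>", now - 600),
        "alice/public_html/about.html": (b"<p>About</p>", now - 90 * 86400),
        "bob/public_html/index.html": (b"<p>Under construction</p>", now - 30 * 86400),
    }
    for rel, (body, mtime) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_accounts(tmp))
```

File modification times can be reset by whoever wrote the files, so the `changed_nearby` list is a set of leads to check against the web server's access logs, not proof of the entry point.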
 