
Help on website hacker please :-(

Old 16 April 2007, 11:29 PM
  #1  
Boro

A couple of days ago my website homepage was altered, not majorly, but whoever it was used my FTP login to gain access. A friend also found script in the site which stole passwords.

Now, I'm no computer genius and am just looking to answer a few questions I have. The website in question is also a forum, so I have access to IP addresses of the users.

Anyway, I emailed the hosting company for the FTP logs and this is what they sent back.

The following are the entries from the FTP log excluding your own IP of course:

Sun Apr 15 13:39:59 2007 1 172.203.240.21 9559 /public_html/index.php b _ o r ******* ftp 0 * c
Sun Apr 15 13:41:34 2007 1 172.203.240.21 9930 /public_html/index.php b _ i r ******* ftp 0 * c

Those are the only entries.

Looking at the authentication log it seems they tried only twice with the wrong password before successfully logging in. If you have not already done so we would strongly advise changing your account password:

Apr 15 13:39:37 bert vsftpd(pam_unix)[25626]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.203.240.21
Apr 15 13:39:39 bert vsftpd(pam_unix)[25628]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.203.240.21

The IP address is issued by AOL:
It's pretty much double Dutch to me.

Is there any way the IP addresses given by the host could have been spoofed to give a false IP address, i.e. not the IP address of the person logging in?

Any help would be much appreciated.

Boro
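
The host's log excerpts in the post above can be decoded field by field. The following is an added example, not part of the original thread: it parses the two transfer records (standard xferlog field layout) and the two pam_unix failure lines quoted by Boro and merges them into one timeline. The year for the syslog lines, which carry none, is passed in as an assumption, and the function names are illustrative.

```python
import re
from datetime import datetime

# Log lines copied verbatim from the post above (username already masked by the host).
XFERLOG = """\
Sun Apr 15 13:39:59 2007 1 172.203.240.21 9559 /public_html/index.php b _ o r ******* ftp 0 * c
Sun Apr 15 13:41:34 2007 1 172.203.240.21 9930 /public_html/index.php b _ i r ******* ftp 0 * c
"""
AUTHLOG = """\
Apr 15 13:39:37 bert vsftpd(pam_unix)[25626]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.203.240.21
Apr 15 13:39:39 bert vsftpd(pam_unix)[25628]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=172.203.240.21
"""
# xferlog direction flag: o = outgoing (server to client), i = incoming (client to server)
DIRECTION = {"o": "download", "i": "upload"}
AUTH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ vsftpd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*rhost=(\S+)")

def parse_xferlog(line):
    """Split one xferlog record into named fields (assumes no spaces in the path)."""
    f = line.split()
    when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    return {"time": when, "ip": f[6], "bytes": int(f[7]), "path": f[8],
            "event": DIRECTION.get(f[11], f[11]), "complete": f[17] == "c"}

def parse_auth_failure(line, year):
    """Return a failure event for a vsftpd pam_unix line, or None if it is not one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": when, "ip": m.group(2), "event": "auth failure"}

def timeline(xferlog, authlog, year):
    # Merge both logs and order by time so logins and transfers read as one story.
    events = [parse_xferlog(l) for l in xferlog.splitlines() if l.strip()]
    events += [e for l in authlog.splitlines() if (e := parse_auth_failure(l, year))]
    return sorted(events, key=lambda e: e["time"])

def summarize(events):
    """Per source IP: failed logins seen before the first transfer, and files moved."""
    out = {}
    for e in events:
        s = out.setdefault(e["ip"], {"failures": 0, "downloads": [], "uploads": []})
        if e["event"] == "auth failure" and not (s["downloads"] or s["uploads"]):
            s["failures"] += 1
        elif e["event"] in DIRECTION.values():
            s[e["event"] + "s"].append((e["path"], e["bytes"]))
    return out

if __name__ == "__main__":
    for e in timeline(XFERLOG, AUTHLOG, 2007):
        print(e["time"], e["ip"], e["event"], e.get("path", ""), e.get("bytes", ""))
```

Read this way, the records show index.php being downloaded and then uploaded again from the same address about a minute and a half later, with a different byte count.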
Old 17 April 2007, 08:59 AM
  #2  
AVZ

Hello Mate,
Sorry to hear the news ...
Unfortunately it's entirely possible for someone to spoof their IP address. There are a number of ways to do it but the best way to think about a hacker gaining access with a false IP is like this....

Step1>Gain access to a college or university computer system (often used as they have limited funds and don't have the time, money or staff to be able to keep on top of it all or protect their systems).

Step2>Do the same again
Step3>Do the same again
Step4>Do the same again

Bear in mind that the sites they access can be anywhere in the world so they are not hard to find if you know what you are looking for.

Step5>They effectively relay off each of these addresses to the site they want to attack so you end up with the IP address of the last server they came from.

e.g. Hacker>University1>University2>University3>University4> (they get University 4's IP address and this is what you see in your logs). The clever part comes when Mr. Hacker puts a little file on University 4's servers that deletes all logs every night. If you were to attempt to trace him/her you would only be able to take it as far as University 4 before the crumb trail disappears. Make sense?? Sorry, my explanation is a little pants and sounds very hard to do, but in reality it's fairly quick.

In addition to this, there are individuals out there from the hacker fraternity that other hackers know they can use to relay off etc.

Of course, the above requires a bit of knowledge and the feeling is that 90% of hackers are kids using readily available tools on the net. So it's worth doing some lookups on the address you were provided and contacting the ISP. They might just be able to help, you never know... they may already be investigating loads of other complaints and this might help them track whoever it is down.

Hope it helps mate... Best advice.... is to make your username and passwords even more secure using upper/lower case, numbers and a long password... If they used your FTP details they either knew your details, got lucky and guessed them or used a brute force tool. If they used the latter it would take a fairly long time to work out a complex password and your ISP should have multiple attempts to log in written in their logs.

**Just read your post again and they gained access within two attempts... you need to question your password and username. If they are complicated then someone knows it!

Good Luck matey!
Old 17 April 2007, 11:01 AM
  #3  
BuRR

FTP is such a poor protocol, security-wise. Any packet sniffer will see the passwords are sent in clear text.
Old 17 April 2007, 11:28 AM
  #4  
Luminous

Leading on from BuRR's advice, that means you need to make sure your home machines are clear of spyware and suchlike. The packet sniffer he talks about could be installed on your machine, and capture your password and username for the hacker to use at a later point.
Old 17 April 2007, 11:29 AM
  #5  
Luminous

Oh and if you have upset and technically minded neighbours and are using a wireless network, they could be listening in to your network traffic.

I am not sure of the levels of security you need to protect a wireless network, but I am sure someone here can point you to a good guide.
Old 17 April 2007, 12:47 PM
  #6  
mike1210

The only way to properly secure a home wireless network with home routers is to use either WPA or WPA2 with long complex passwords.

MAC filtering, SSID stealthing and DHCP disabling don't really give much, if any, security.

This site makes long passwords for you:

Generate a Secure Password - kurtm.net
Old 18 April 2007, 11:33 PM
  #7  
Alan C

Use a serious passphrase or decent password size, say 15 characters.

A good passphrase would be... idriveascoobyandlovethebloodything.. 34 characters and easy to remember, and this WON'T be 'neighbour' cracked.. if they gain access again, then you know your system or server is compromised, rather than your password...
Old 19 April 2007, 01:00 AM
  #8  
kingofturds

Take a baseball bat to j's head
Old 20 April 2007, 10:48 AM
  #9  
judgejules

Was it a generic defacement or a personalised one?

i.e. were you hacked by a script kiddie, or by a "friend" who was just having a laugh?

If it was a personalised one I'd watch who you let on your computer and where you type your password in if you do so on "friends'" PCs. If it was generic, then I'd follow the advice above.

J