More hacking



All the news here about the website, the membership, announcements, and the very latest from 1959!
Faulkner
Posts: 5033
Joined: Sun Mar 07, 2004 6:59 pm
Location: Upper Darby, PA

More hacking

Post by Faulkner »

Sorry folks! If you're still out there, that is...

The webcode on our site has been heavily hacked. Each web page -- whether in the Forum, Showcase, or anywhere -- contains a hidden link that issues a "click" to a viagra website. There's no possibility of infection for your home computer; it's just a way for the perpetrator to collect revenue based on the number of clicks his advertisement receives.

I had my service provider restore a prior version of the webcode, thinking that version lacked the hack; not only does that version have the hack too, but my service provider screwed up the restore. That's why you couldn't get in.

I have a real mess on my hands. I have to package up all the code on the website, download it, write a program to scrub it of the hack, upload it again and depackage it. Maybe I can get to this on Labor Day -- there's just too much stuff going on right now.

Life is too short to deal with this bull****. But I will, because your cars -- and my friends -- are too precious to me.

Sorry for the inconvenience.

Dan
rogerh
Posts: 3024
Joined: Fri Mar 19, 2004 6:30 am
Location: Seabeck, Wa.

Re: More hacking

Post by rogerh »

Little do I realise how MUCH effort Dan puts in to keep this site afloat -- many people would NOT endure the continual assaults from hackers worldwide, and I applaud Dan for his temerity and perseverance and computer talent.
Dan, is it so bad to leave the hidden promos where they are? Kind of like leaving the beehive in the tree as long as they don't bother anyone?
I visit only one other site with any regularity... Dave Stragand's FL. Do you suppose he deals with all these annoyances with similar frequency? Is this a question of acquiring a more expensive firewall or program or whatever?
Roger
Faulkner
Posts: 5033
Joined: Sun Mar 07, 2004 6:59 pm
Location: Upper Darby, PA

Re: More hacking

Post by Faulkner »

rogerh wrote: Little do I realise how MUCH effort Dan puts in to keep this site afloat -- many people would NOT endure the continual assaults from hackers worldwide, and I applaud Dan for his temerity and perseverance and computer talent.
Dan, is it so bad to leave the hidden promos where they are? Kind of like leaving the beehive in the tree as long as they don't bother anyone?
I visit only one other site with any regularity... Dave Stragand's FL. Do you suppose he deals with all these annoyances with similar frequency? Is this a question of acquiring a more expensive firewall or program or whatever?
Roger

No, the hacks have to go. More importantly, the barn door needs to be closed -- else, the number of ongoing hacks will compound the problem, and bring the website to its knees. I'm afraid I have to eliminate them; I don't know what else to do.

It may very well be that Dave has a more secure provider; but then, I pay about $150 a year to mine, and I suspect he pays much more to his -- which he underwrites with contributions from members; he has to; and, I myself am a contributor. But I'd prefer to underwrite the cost of my website myself. No, I just have to better educate myself about potential holes that allow exploits (e.g., the guestbook software is one such exploit I've recently learned about) and close them up.

C'est la vie!

Dan
"If it's new, Plymouth's got it!"
big m
Posts: 975
Joined: Wed May 25, 2005 6:14 pm
Location: Northern California

Re: More hacking

Post by big m »

I can't even imagine what it is like to run a website such as this. Dan, keep up the good work, we all appreciate it!

I, personally, have not been able to get on the forum for close to two months; I would log in, and the page would refresh, and I would find myself logged out. This is the first time I have been able to stay logged in.

Hackers can go straight to hell as far as I am concerned! This world would be a much better place if these idiots used their talents constructively. ---John
In rust we trust!
Faulkner
Posts: 5033
Joined: Sun Mar 07, 2004 6:59 pm
Location: Upper Darby, PA

Re: More hacking

Post by Faulkner »

big m wrote: Hackers can go straight to hell as far as I am concerned! This world would be a much better place if these idiots used their talents constructively. ---John
Dang! You guessed my new database password, John :D

I've identified all the corrupted files -- over 1000 of them. I've built a script to replace them; now I just have to execute it -- perhaps tonight. And then I've got to go about closing barn doors...

(*sigh*) Thanks for bearing with me.

Dan
"If it's new, Plymouth's got it!"
Faulkner
Posts: 5033
Joined: Sun Mar 07, 2004 6:59 pm
Location: Upper Darby, PA

Re: More hacking

Post by Faulkner »

Well, all of the static web pages are scrubbed; so are the dynamic webpages of the Forum. Also, the database was hacked! I've removed that hack as well...

But there's still a #@(!*#$@!!! hack somewhere, and I can't find it. I've submitted an incident report to the phpBB folks (who write this Forum software), in the hopes they can help me find it.

Meanwhile, my home computer is flaking out. And my DVD burner crapped out, and work is hell, and...

Enough about me... :? :( :roll:

I'll get back on my feet again. It's just that right now, I'm having a heckuva time.

Dan
"If it's new, Plymouth's got it!"
Dick Koch
Posts: 2218
Joined: Sat Jan 21, 2006 4:03 pm
Location: Palm Beach Gardens, Fl.

Re: More hacking

Post by Dick Koch »

Dan - Sounds like you need to take Faulkner out of the garage, crank 'er up, take a slow leisurely drive to KFC. It always soothes me when I get stressed out. Four pieces dark, original, slaw, biscuit with extra honey. Damn, that sounds so good I think I'll go myself.
Dick.
Life is Beautiful! Sex, Beer & Mopars.
Faulkner
Posts: 5033
Joined: Sun Mar 07, 2004 6:59 pm
Location: Upper Darby, PA

Re: More hacking

Post by Faulkner »

rogerh wrote:Is this a question of acquiring a more expensive firewall or program or whatever?
Roger
Well -- maybe a better service provider, Roger. If you read this rather boring thread below, you'll see that they were aware of potential exploits -- but did nothing about it. I discovered the failure point, and only when I pressed them on it did they volunteer to move me to a more secure environment.

(*sigh*) it's going to be a lot of work for me, but perhaps I'll do it...
conversation with my service provider wrote:
Dan, Morton, Sun Sep 7 18:02:04 2008
Ticket re-opened

What version of cPanel is ix hosting?


Dmitriy P., Sun Sep 7 18:20:27 2008
Ticket Status was changed from Open to Waiting

Dear Dan.
Thank you for the word to support.

Thank you for the update. Your account is located on control panel Hsphere v2.3. Should you have any further questions, feel free to contact us and we will be glad to assist you.

Kind regards,
Dmitry Pavlov
Technical Support
24/7 Live Chat



Dan, Morton, Sun Sep 7 19:00:50 2008
I wish to have this case escalated to Tier 3 support. Please read this advisory:

http://secunia.com/advisories/18447/

"Description:
M.Neset KABAKLI has reported a vulnerability in H-Sphere, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "login" parameter in "psoft.hsphere.CP" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:
http://[host]/psoft/servlet/psoft.hsphere.CP?action=login&login=


The vulnerability has been reported in version 2.4.3 ( Patch 8 ) and prior.

Solution:
Update to version 2.4.3 Patch 9."  
 
 
Dmitriy P., Sun Sep 7 19:10:22 2008 
Ticket Status was changed from Open to Waiting

Dear Dan.
Thank you for the word to support.

Thank you for the update. If you want, we can migrate your account to our new control panel Hsphere 3. Before we can perform a control panel migration for your account, there are several things we need to bring to your attention and require your confirmation. You must ensure you have a complete backup of all web related data which includes the following:

All files you have uploaded
Databases
Email content

Below is a list of new features which are available for our Linux plans:

Operating System: CentOS release 5 (Final)
apache-1.3.37
php-5.2.3 (Linux) or php-4.4.1
ImageMagick-6.2.8.0
Perl(v5.8.8 ) without mod_perl support
Python - 1.5.2
Python2 - 2.4.3-19.el5
OpenSSL - 0.9.8b-8.3.el5
Frontpage - 5.0.2.2635
Zend Extension Manager - 1.2.2
Zend Optimizer – 3.3.0
GD : 2.0.33-9.3.fc6
phpBB - 2.0.22-1
OSCommerce - 2.2ms2-3
curl - 7.15.5-2.el5
crontab - 1.10-8

Below is a list of new features which are available for our Windows plans:

Operating System: Microsoft Windows Server 2003
IIS v.6.0
PHP 4.4.6 or PHP 5.2.0
.Net Framework v.1.1
.Net Framework v.2.0
MS SQL Server 2005
VBscript 7.5
ODBC mysql driver 3.51.04.00
Coldfusion MX 7.0.2.142559
Frontpage 2002

Once you have a backup of your content please let us know and we can continue with the migration. After the migration has been completed you will need to re-upload all content and recreate any databases and email accounts as well as pointing your domain nameservers to a new location.

Your old IP Address and hosting content will remain active for two weeks to avoid downtime due to the propagation of the new nameservers. After two weeks the content will be removed from the old control panel. 

If you have a Windows account and use ColdFusion, please note that Coldfusion is not enabled on the new servers by default. You will have to enable this separately in Account Settings for an extra cost of $5/mo right after the move is completed. The Coldfusion version will be upgraded to Coldfusion MX 7 (7.0.2.142559). We cannot proceed with the platform switch if you do not agree with these conditions.

Please reply to this ticket once you are ready for us to perform the switch and we will be happy to proceed.

Kind regards,
Dmitry Pavlov
Technical Support 
24/7 Live Chat
"If it's new, Plymouth's got it!"