
Thread: oh ive been hacked...

  1. #1
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485

    oh ive been hacked...

    no, for reals

    http://www.vivicide.co.uk/archive/

    my file uploady place


    just went to upload a file for a daythread and... i got presented with ... that.

    heh.


    actual hackers have gone on to my website and removed the content and replaced it with an image of some "procoderz" from albania.



    well, you got to start somewhere, I guess.
    Last edited by Ralara; July 23 2012 at 09:24:16 AM.
    Hello? Oh, hello! I'm sorry it's a very bad line. No, no no... but that's not possible, she was sealed in to the Seventh Obelisk after the prayer meeting. Well, no, I get that it's important... an Egyptian Goddess loose on the Orient Express. In Space. Give us a mo....

    ... don't worry about a thing, your Majesty; we're on our way.

    Quote Originally Posted by pratell View Post
    was looking at dudes on okcupid last night

  2. #2
    evil edna's Avatar
    Join Date
    April 9, 2011
    Posts
    2,896
    not the first time an eastern european boy has forced himself into your personal domain is it, if you know what I mean

  3. #3
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    Quote Originally Posted by evil edna View Post
    not the first time an eastern european boy has forced himself into your personal domain is it, if you know what I mean
    bravo

  4. #4

    Join Date
    April 9, 2011
    Posts
    1,461
    Maybe they used some sort of back orifice.

  5. #5
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    unless it was snake....

    password was reset, got on it eventually... and my stuff is still there just everything is redirecting...

    bleh

  6. #6
    Super Moderator DonorGlobal Moderator whispous's Avatar
    Join Date
    April 9, 2011
    Location
    Mails Tegg > пошел ты на хуй
    Posts
    3,160
    y0u g0t t4k3n t0 th3 0wnz0n3

  7. #7
    Maximillian's Avatar
    Join Date
    April 10, 2011
    Location
    Sydney
    Posts
    1,092
    Definitely a Python injection via an unguarded backdoor, allowing them to fill your server with unwanted code.......

  8. #8
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    Quote Originally Posted by Ralara View Post
    unless it was snake....

    password was reset, got on it eventually... and my stuff is still there just everything is redirecting...

    bleh
    DNS looks fine... no redirection... not sure how they've done it tbh.

    oh well at least my files are still there, somewhere.

  9. #9
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    entrox halp

  10. #10
    Donor
    Join Date
    April 9, 2011
    Posts
    1,233
    I've seen similar things before, if you're using a CMS then they can get in through holes in that if it's not up to date. The other way would be for them to upload a script file which is renamed to a png or jpg and then when the server attempts to load it then it runs the code. Check most of your php/html files and you might find a bunch of code at the top or bottom of the file which is run whenever the page is accessed and keeps the code spreading through the site.

    The one time it happened to me I had to manually clear up all the files (could probably do it with a batch file or something but cba looking that up). Took about an hour to go through everything.
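
An added example (not part of the thread, and not anyone's actual cleanup script) of automating the manual check described in post #10: it flags image-named files that are not really images or that carry script markers, and php/html files changed after a cutoff date. The 1 July 2012 cutoff follows the date given later in the thread; the file names and contents in `demo()` are constructed.

```python
import os
import tempfile
import time

# Leading bytes of genuine image files (standard file signatures).
JPEG = (b"\xff\xd8\xff",)
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": JPEG, ".jpeg": JPEG,
         ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXTS = {".php", ".html", ".htm"}
CODE_MARKERS = (b"<?php", b"<script")

def scan_webroot(root, cutoff_epoch):
    """Return sorted (relative path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in MAGIC and not data.startswith(MAGIC[ext]):
                findings.append((rel, "image extension, wrong file signature"))
            elif ext in MAGIC and any(m in data.lower() for m in CODE_MARKERS):
                findings.append((rel, "image carrying a script marker"))
            elif ext in SCRIPT_EXTS and os.path.getmtime(path) > cutoff_epoch:
                findings.append((rel, "script modified after cutoff"))
    return sorted(findings)

def demo():
    """Scan a constructed web root (all file contents are made up)."""
    cutoff = time.mktime((2012, 7, 1, 0, 0, 0, 0, 0, -1))  # 1 July 2012
    samples = {
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "funny.jpg": b"<?php /* constructed placeholder */ ?>",
        "photo.gif": b"GIF89a" + b"\x00" * 8 + b"<?php ?>",
        "index.php": b"<html>constructed, written just now</html>",
        "old.php": b"<?php /* constructed, backdated below */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for name in ("cat.png", "old.php"):  # backdate the untouched files
            os.utime(os.path.join(root, name), (cutoff - 86400,) * 2)
        return scan_webroot(root, cutoff)

if __name__ == "__main__":
    print("\n".join(f"{rel}: {why}" for rel, why in demo()))
```

Modification times can be reset by whoever controls the files, so the date check narrows the search rather than proving a file is clean.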

  11. #11
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    oh that was... relatively easy


    Code:
    <hrml>
    
    <head>
    
    <SCRIPT TYPE="text/javascript">
    
    <!--
    
    //Disable right click script
    
    //visit http://www.rainbow.arch.scriptmania.com/scripts/
    
    var message="i3DSecurity Was Here, No Right clicking!";
    
    ///////////////////////////////////
    
    function clickIE() {if (document.all) {(message);return false;}}
    
    function clickNS(e) {if
    
    (document.layers||(document.getElementById&&!document.all)) {
    
    if (e.which==2||e.which==3) {(message);return false;}}}
    
    if (document.layers)
    
    {document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
    
    else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
    
    document.oncontextmenu=new Function("return false")
    
    // -->
    
    </SCRIPT> 
    
    <meta http-equiv="Content-Language" content="en-us">
    
    <title>[ #Procoder'z ]</title>
    
    </head>
    
    <body link="#808080" text="#0066CC" bgcolor="#000000" background="file:///C:/Users/CT/Hacks/WebSite%20Hacking/later">
    
    <div style="border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px">
    
    	<center>
    
    	<img border="0" src="http://www.sonyardianto.com/i3D/blue_binary_code_1024_768.jpg" width=100% height="291"><font size="7" face="Proxy 1"><b> 
    
    	#Procoder'z Team Albanian<br>
    
    	</b>
    
    	</font><span class="Apple-style-span" style="font-family: courier new">
    
    	<em style="font-style: normal; font-weight: 700"><font color="white" font size="3">
    
    	RetnOHacK ~ WeedHoaX ~ B!JemBeX ~ mR.thg ~ pY7h0n ~ Sanimorphic_Tux<br>
    
    		<img src="http://i.imgur.com/VxhHy.png" height=350 width=470 ><br>
    
    <embed src="http://www.youtube.com/v/YnilceL4FwU?version=3&autoplay=1" width=1 height=1>

    that is now my index.php file...

    I think I know how they did this now... heh.

  12. #12
    Donor Spawinte's Avatar
    Join Date
    April 9, 2011
    Location
    Ireland
    Posts
    1,278
    Congratulations to these fine Albanian gentlemen but isn't hacking people's personal websites with out of date security a bit sad? I mean I assume the only reason Ralara didn't have it locked down was the "who on earth would want to hack my shit" mentality.

    edit: just opened a few files after you fixed the site and YOU HAVE ISSUES.
    Last edited by Spawinte; July 23 2012 at 10:09:54 AM.

  13. #13
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    Quote Originally Posted by Spawinte View Post
    Congratulations to these fine Albanian gentlemen but isn't hacking people's personal websites with out of date security a bit sad? I mean I assume the only reason Ralara didn't have it locked down was the "who on earth would want to hack my shit" mentality.
    pretty much. It was just a script that lists the items in a directory (minus .php, .html etc) and a simple file uploader - no security to it cos it's not super valuable... i hardly use it.. was just there cos sometimes it's convenient to upload a funny pic i see when im at work or a net cafe or whatever and don't have access to FTP.

    so yeah, out of all the websites why they'd pick mine I have no idea v0v

  14. #14
    Sacul's Avatar
    Join Date
    April 11, 2011
    Posts
    3,197
    Quote Originally Posted by Spawinte View Post
    Congratulations to these fine Albanian gentlemen but isn't hacking people's personal websites with out of date security a bit sad? I mean I assume the only reason Ralara didn't have it locked down was the "who on earth would want to hack my shit" mentality.

    edit: just opened a few files after you fixed the site and YOU HAVE ISSUES.
    everything gets a new meaning when talking with and or about ralalalal

    p.s.
    is that your penis under willy.jpeg?
    Last edited by Sacul; July 23 2012 at 10:19:25 AM.

  15. #15
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    Quote Originally Posted by Spawinte View Post
    edit: just opened a few files after you fixed the site and YOU HAVE ISSUES.



    nothing actually illegal.

    well, tbh im not sure what else they've put on there so I'd be careful before going through files. Anything before july 2012 should be ok - near as i can tell this happened on 6th july.

  16. #16
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    Quote Originally Posted by Sacul View Post
    is that your penis under willy.jpeg?
    maybe


    just so you know, my site has never been "hidden" - the only thing that displayed there before was a nicely formatted page, listing all the contents, and an upload form.

  17. #17
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485
    logs for 6th july (when it happened) are here btw:

    www.vivicide.co.uk/logs.txt

    that's from midnight to midnight. If anyone wants to make head or tail of that, be my guest.

    All PWs etc have been changed now.

  18. #18
    Joshua Foiritain's Avatar
    Join Date
    April 10, 2011
    Location
    The Netherlands
    Posts
    1,951
    Quote Originally Posted by Ralara View Post
    Code:
    <body link="#808080" text="#0066CC" bgcolor="#000000" background="file:///C:/Users/CT/Hacks/WebSite%20Hacking/later">
    Procoderz indeed. Linking to your hard drive makes websites faster. Also the rest of the HTML is pretty terribly coded as well, guess procoderz don't use standards?

    also, guessing this is the bit where they modified your index.php;
    Code:
    95.180.199.x - - [06/Jul/2012:13:01:50 +0200] "GET /r00t.php?&s=r&cmd=edit&file=./index.php HTTP/1.1" 200 21647 archive.vivicide.co.uk "http://archive.vivicide.co.uk/r00t.php?&s=r&cmd=dir&dir=." "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11" "-"
    
    95.180.199.x - - [06/Jul/2012:13:02:03 +0200] "POST /r00t.php?&s=r& HTTP/1.1" 200 4593 archive.vivicide.co.uk "http://archive.vivicide.co.uk/r00t.php?&s=r&cmd=edit&file=./index.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11" "-"
    Last edited by Joshua Foiritain; July 23 2012 at 11:31:11 AM.

  19. #19
    THE PUNISHED Ralara's Avatar
    Join Date
    April 9, 2011
    Location
    Fuck mondays
    Posts
    4,485

  20. #20
    Donor
    Join Date
    April 11, 2011
    Location
    Wiltshire, UK
    Posts
    1,860
    That r00t.php is something (a rootkit) they would've uploaded, if you go back further in the log you will probably find where they uploaded it (likely using your dodgy upload form that didn't bother to check the file type of anything that was uploaded).

    If it's just your website that's been defaced then you're probably quite lucky. I'd check to see no extra accounts have been created on the server, etc.
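
An added example (not from the thread) of the log triage suggested in posts #18 and #20: parse access-log lines in the format quoted above, find the first request for the suspect script, and list the POSTs the same client made before it, which is where the upload should show up. The sample lines are constructed; the client addresses, `archive.example` and `/upload.php` are assumptions standing in for the real log.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample in the log format quoted above; 203.0.113.7 and
# 198.51.100.9 are documentation addresses, /upload.php is a hypothetical name.
SAMPLE = """\
198.51.100.9 - - [06/Jul/2012:09:15:00 +0200] "POST /upload.php HTTP/1.1" 200 512 archive.example "-" "-" "-"
203.0.113.7 - - [06/Jul/2012:12:40:02 +0200] "GET / HTTP/1.1" 200 9000 archive.example "-" "-" "-"
203.0.113.7 - - [06/Jul/2012:12:58:10 +0200] "POST /upload.php HTTP/1.1" 200 512 archive.example "-" "-" "-"
203.0.113.7 - - [06/Jul/2012:12:58:31 +0200] "GET /r00t.php HTTP/1.1" 200 4593 archive.example "-" "-" "-"
203.0.113.7 - - [06/Jul/2012:13:01:50 +0200] "GET /r00t.php?&s=r&cmd=edit&file=./index.php HTTP/1.1" 200 21647 archive.example "-" "-" "-"
203.0.113.7 - - [06/Jul/2012:13:02:03 +0200] "POST /r00t.php?&s=r& HTTP/1.1" 200 4593 archive.example "-" "-" "-"
""".splitlines()

def parse(line):
    """Return (client, time, method, path, query dict, status) or None."""
    m = LINE.match(line)
    if not m:
        return None
    client, stamp, method, target, status = m.groups()
    url = urlsplit(target)
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, method, url.path, parse_qs(url.query), int(status)

def trace(lines, suspect="/r00t.php"):
    """Find who first hit `suspect` and what they POSTed before that."""
    hits = sorted((h for h in map(parse, lines) if h), key=lambda h: h[1])
    first = next((h for h in hits if h[3] == suspect), None)
    if first is None:
        return None
    client, first_seen = first[0], first[1]
    return {
        "client": client,
        "first_seen": first_seen.strftime("%H:%M:%S"),
        "posts_before": [(h[1].strftime("%H:%M:%S"), h[3]) for h in hits
                         if h[0] == client and h[2] == "POST" and h[1] < first_seen],
        "shell_cmds": [(h[2], h[4].get("cmd", ["-"])[0]) for h in hits
                       if h[3] == suspect],
    }

if __name__ == "__main__":
    print(trace(SAMPLE))
```

Uploads made by other clients earlier in the day are left out on purpose; if the upload and the first request came from different addresses, widen the filter to every POST before `first_seen`.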
