Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
Rad Community Non-Technical Discussion Boards >> YaBB Forum Software + Rad Web Site >> Site Hacked
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1389919278

Message started by Rad on Jan 16th, 2014 at 6:41pm

Title: Site Hacked
Post by Rad on Jan 16th, 2014 at 6:41pm
The site has been hacked. [ today = january 16, 2014 ]

I had to restore [ first time ever ] the back-up from Jan 14.

Somebody somehow got my FTP log-in. The main site password.

They modified various javascript files in order to write to a file on a server down near the border between Mexico and San Diego (Chula Vista).

I think the server is in the US, but not sure.

This morning I noticed the browser said > "Waiting for site > vacance-petit-prix.com"

I say > WTF .. we should not be going there.

Hours later > more info.

Site was accessed via FTP from the IP listed, which traces to somewhere near NYC;


Code:
Wed Jan 15 05:01:56 2014 0 86.109.167.242 1605 /home/radif2/public_html/guides/matching_columns.js a _ o r radif2 ftp 1 * c


Title: Re: Site Hacked
Post by Rad on Jan 16th, 2014 at 6:43pm
And then this morning again from a different IP, as shown here:


Code:
Thu Jan 16 04:16:11 2014 0 95.80.214.220 299 /home/radif2/joecool/public/javascripts/application.js a _ i r radif2 ftp 1 * c


this IP also traces down to near the border of San Diego with Mexico.

At first, after the back-up was restored .. it looked not good .. but then I closed all rad pages and cleared the browser cache and > voilà!

No more going to that vacance-petit-prix.com site, which is probably a hacked server itself.

The server here contains French, but sometimes it kicks you over to a Spanish-language page at Wordpress (hosted by).

If they had a better server, I might not have even noticed. But the page kept waiting .. which made me investigate further.

The server they were sending data to could obviously not handle the load. =)

Title: Re: Site Hacked
Post by Rad on Jan 16th, 2014 at 6:49pm
So close all rad pages and clear browser cache and let me know if you notice any quirkiness.

Any delays or sluggishness.

Especially any > "waiting for this weird, strange site"

Title: Re: Site Hacked
Post by Brian on Jan 16th, 2014 at 6:52pm
Rad,

Will you be able to recover the missing posts?

Title: Re: Site Hacked
Post by Rad on Jan 16th, 2014 at 7:01pm
here is a file via grep (uber powerful unix search-thingie)


Code:
Jan 15 04:42:31 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded  (1605 bytes, 2056.72KB/sec)
Jan 15 04:42:32 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded  (2671 bytes, 10.87KB/sec)
Jan 15 04:59:16 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/clone/matching_columns.js downloaded  (1605 bytes, 2007.19KB/sec)
Jan 15 04:59:17 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/clone/matching_columns.js uploaded  (2671 bytes, 9.49KB/sec)
Jan 15 05:01:56 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js downloaded  (1605 bytes, 1991.70KB/sec)
Jan 15 05:01:57 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js uploaded  (2671 bytes, 15.20KB/sec)
Jan 15 05:07:49 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js downloaded  (1605 bytes, 3715.21KB/sec)
Jan 15 05:07:50 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js uploaded  (2671 bytes, 9.97KB/sec)
Jan 15 05:12:38 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/vps/matching_columns.js downloaded  (1605 bytes, 17395.95KB/sec)
Jan 15 05:12:39 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/vps/matching_columns.js uploaded  (2671 bytes, 10.84KB/sec)
Jan 16 04:16:24 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded  (2756 bytes, 3845.30KB/sec)
Jan 16 04:16:25 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded  (1677 bytes, 10.38KB/sec)
Jan 16 04:16:53 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/clone/matching_columns.js downloaded  (2756 bytes, 6145.46KB/sec)
Jan 16 04:16:53 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/clone/matching_columns.js uploaded  (1677 bytes, 10.25KB/sec)
Jan 16 04:17:21 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/guides/matching_columns.js downloaded  (2756 bytes, 6795.22KB/sec)
Jan 16 04:17:24 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/guides/matching_columns.js uploaded  (1677 bytes, 10.35KB/sec)
Jan 16 04:20:01 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js downloaded  (2756 bytes, 34.72KB/sec)
Jan 16 04:20:02 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js uploaded  (1677 bytes, 10.29KB/sec)
Jan 16 04:20:10 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/vps/matching_columns.js downloaded  (2756 bytes, 7120.65KB/sec)
Jan 16 04:20:11 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/vps/matching_columns.js uploaded  (1677 bytes, 9.93KB/sec)
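The xferlog lines in the first two posts and the grep output above are the same evidence in two formats. As an added example (not code from the thread or from any poster), here is a JavaScript script that parses both formats and pairs each upload with the preceding download of the same path by the same IP, which is the download-edit-upload pattern of a file being tampered with over FTP. The sample lines are copied from the thread; the final index.html line and its IP 203.0.113.9 are constructed for the example.

```javascript
// Added example (not from the thread): parse the two FTP log formats quoted in this
// thread -- pure-ftpd "[NOTICE] ... downloaded/uploaded" lines and classic xferlog
// lines -- and reconstruct which files each remote IP pulled down and pushed back
// with a different size (download, edit, upload).
//
// Sample lines are copied from the thread (hostname "host", user radif2) in
// chronological order; the last line and its IP 203.0.113.9 are constructed.
const SAMPLE_LOG = `
Jan 15 04:42:31 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded  (1605 bytes, 2056.72KB/sec)
Jan 15 04:42:32 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded  (2671 bytes, 10.87KB/sec)
Wed Jan 15 05:01:56 2014 0 86.109.167.242 1605 /home/radif2/public_html/guides/matching_columns.js a _ o r radif2 ftp 1 * c
Jan 15 05:01:56 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js downloaded  (1605 bytes, 1991.70KB/sec)
Jan 15 05:01:57 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js uploaded  (2671 bytes, 15.20KB/sec)
Thu Jan 16 04:16:11 2014 0 95.80.214.220 299 /home/radif2/joecool/public/javascripts/application.js a _ i r radif2 ftp 1 * c
Jan 16 04:16:24 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded  (2756 bytes, 3845.30KB/sec)
Jan 16 04:16:25 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded  (1677 bytes, 10.38KB/sec)
Jan 16 09:00:00 host pure-ftpd: (radif2@203.0.113.9) [NOTICE] /home/radif2//public_html/index.html downloaded  (4096 bytes, 100.00KB/sec)
`;

// pure-ftpd: "<syslog time> <host> pure-ftpd: (<user>@<ip>) [NOTICE] <path> downloaded|uploaded  (<n> bytes, ...)"
const PUREFTPD_RE =
  /^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: \((\S+?)@([\d.]+)\) \[NOTICE\] (\S+) (downloaded|uploaded)\s+\((\d+) bytes,/;
// xferlog: "<date> <xfer-secs> <ip> <bytes> <path> <type> <special> <o|i|d> <access> <user> ..."
const XFERLOG_RE =
  /^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \d+ ([\d.]+) (\d+) (\S+) [ab] \S+ ([oid]) [ar] (\S+) /;
const XFER_DIR = { o: 'downloaded', i: 'uploaded', d: 'deleted' };

// pure-ftpd doubles the slash after the home directory; collapse so both formats agree.
const normPath = (p) => p.replace(/\/{2,}/g, '/');

function parseLine(line) {
  const s = line.trim();
  let m = PUREFTPD_RE.exec(s);
  if (m) {
    return { time: m[1], user: m[2], ip: m[3], path: normPath(m[4]),
             direction: m[5], bytes: Number(m[6]) };
  }
  m = XFERLOG_RE.exec(s);
  if (m) {
    return { time: m[1], user: m[6], ip: m[2], path: normPath(m[4]),
             direction: XFER_DIR[m[5]], bytes: Number(m[3]) };
  }
  return null; // not a transfer line
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// Pair each upload with the most recent download of the same path by the same IP.
function findModifications(text) {
  const lastDownload = new Map(); // "ip|path" -> download event
  const mods = [];
  for (const ev of parseLog(text)) {
    const key = `${ev.ip}|${ev.path}`;
    if (ev.direction === 'downloaded') {
      lastDownload.set(key, ev);
    } else if (ev.direction === 'uploaded' && lastDownload.has(key)) {
      const dl = lastDownload.get(key);
      mods.push({ time: ev.time, ip: ev.ip, user: ev.user, path: ev.path,
                  before: dl.bytes, after: ev.bytes, delta: ev.bytes - dl.bytes });
      lastDownload.delete(key);
    }
  }
  return mods;
}

// A download whose size differs from the last size uploaded over FTP means the file
// changed through some other channel (restore, cron job, web-side write) or the log has gaps.
function findSizeGaps(text) {
  const lastUploaded = new Map(); // path -> bytes
  const gaps = [];
  for (const ev of parseLog(text)) {
    if (ev.direction === 'uploaded') { lastUploaded.set(ev.path, ev.bytes); continue; }
    if (ev.direction !== 'downloaded') continue;
    const known = lastUploaded.get(ev.path);
    if (known !== undefined && known !== ev.bytes) {
      gaps.push({ time: ev.time, path: ev.path, expected: known, seen: ev.bytes });
    }
  }
  return gaps;
}

function summarizeByIp(mods) {
  const out = {};
  for (const m of mods) (out[m.ip] = out[m.ip] || []).push(m.path);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of findModifications(SAMPLE_LOG)) {
    console.log(`${m.time}  ${m.ip}  ${m.path}  ${m.before} -> ${m.after} bytes (${m.delta})`);
  }
  console.log('size gaps:', findSizeGaps(SAMPLE_LOG));
}
```

Run against the thread's own lines, the script reports three edited files from two IPs, and one size gap: on Jan 16 the file was pulled down at 2756 bytes although the last FTP upload left it at 2671 bytes, so something other than the logged FTP sessions changed it in between. A download followed within seconds by an upload of the same path from an address you do not recognise is the condition worth alerting on, and a gap like that one is worth resolving before trusting a restore.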

Title: Re: Site Hacked
Post by Rad on Jan 16th, 2014 at 7:03pm
So it looks like these fvckers spent ALL DAY "working on" the site.

Looks like they started around 6AM East coast time.

And quit about 3PM East coast time.

WTF?

Title: Re: Site Hacked
Post by Christer on Jan 17th, 2014 at 4:21am
Yesterday, the forum was "impossible". It took "forever" to load and didn't respond. I had to close the browser to get out of it. This morning, everything is back to normal.

Title: Re: Site Hacked
Post by Dan Goodell on Jan 17th, 2014 at 6:09am
Interesting.  I use Pale Moon (a Firefox clone) with NoScript, so my surfing is with scripting turned off.  I had no trouble visiting the forum yesterday, even before the forum restoration.

Title: Re: Site Hacked
Post by lwolff123 on Jan 17th, 2014 at 12:06pm
Not sure if this provides any useful information, but I repeatedly got virus alerts yesterday accessing the site.  I believe that AVG virus protection reported them as YP/redirect virus.  Even while deleting the quarantined files, they would come back each time I loaded the page or a different page.

Title: Re: Site Hacked
Post by Rad on Jan 17th, 2014 at 12:43pm
yes, that is certainly 'redirect' behavior.

yes, as long as I disabled javascript or accessed the site thru a proxy (which disables javascript by default) I had NO PROBLEM.

I have been running servers for long enough that you can *feel* when things aren't right.

I had problems similar to what Christer describes > had to shut down the whole freaking browser.

i should look into matching column lengths using CSS. Actually, I *did* .. back then. And the CSS method was significantly more complicated (tho impossible by no means) .. which is why I used javascript (simple).

I think they were into my laptop, too. For reasons I will not specify. But those reasons are now gone. Things were running better last night than they have in a long time. Like I had a new laptop.

I realize that, if you criticize the government, they will not be pleased. So you must accept the consequences that come with the territory. (Fvck them.)

(Obama is giving a speech today, isn't he?)

I have told people that .. if a true wizard-hacker wants to hack you .. you would have a wire up your butt right now .. and NOT EVEN KNOW IT.

Here is Dan's Pale Moon browser, which I had not even heard about:

http://www.palemoon.org/

.. but I can tell that I am interested already.


Quote:
Pale Moon is an Open Source, Firefox-based web browser for Microsoft Windows, focusing on efficiency and ease of use.

Title: Re: Site Hacked
Post by Rad on Jan 17th, 2014 at 1:00pm
Brian,

No. Sorry.

Does that suk a little or a lot?

Title: Re: Site Hacked
Post by Brian on Jan 17th, 2014 at 1:52pm
A little. Only a few are gone.

Title: Re: Site Hacked
Post by Christer on Jan 17th, 2014 at 4:47pm

Quote:
yes, as long as I disabled javascript or accessed the site thru a proxy (which disables javascript by default) I had NO PROBLEM.

I have Java (jre-7u51) installed but disabled. Maybe disabling is not enough?

Title: Re: Site Hacked
Post by Dan Goodell on Jan 17th, 2014 at 5:04pm

Rad wrote on Jan 17th, 2014 at 12:43pm:
Here is Dan's Pale Moon browser, which I had not even heard about:

http://www.palemoon.org/

.. but I can tell that I am interested already.

For anyone interested in checking it out, I suggest downloading the portable version of Pale Moon.  You can then play around with it without making any permanent changes to your system.

(FWIW, I use a lot of portable apps, including portable versions of Chrome, Firefox, Thunderbird, Filezilla, and more.  It's handy to be able to carry them around on a flash drive and/or setup duplicate copies configured for different environments.)

Title: Re: Site Hacked
Post by Rad on Jan 18th, 2014 at 10:26am
Christer,

Java is not Javascript.

Two totally different animals.

Only similar in name.

You install Java on your machine, but Javascript comes with the browser.

Title: Re: Site Hacked
Post by Rad on Jan 18th, 2014 at 11:12am
This morning (Saturday) I had the studly dude at my web host run the script to check for instances of the vacance- name, and the only hits came from html files where I/we had mentioned it.

So we are good .. as of Saturday morning, 9AM.

Plus I changed my site log-in password .. yet again.

Title: Re: Site Hacked
Post by Christer on Jan 18th, 2014 at 11:13am
Rad,
thanks for clarifying!

Title: Re: Site Hacked
Post by Rad on Jan 18th, 2014 at 11:51am
No problemo, amigo.

Seems that I need a way (method or tool) to IDENTIFY > all the sites that are being accessed by any given page.

If they can hack files to write to a file at vacance-p... then they can write to a file ANYWHERE. At any site. No? (I am thinking out loud.)

If I was hacking a site in a similar way, I would ENSURE that the destination site would never hang .. cuz that would give it away. "Waiting for WHO?"

So I posted a question over at CodingForums ..

http://www.codingforums.com/showthread.php?p=1384200#post1384200


Title: Re: Site Hacked
Post by Rad on Jan 18th, 2014 at 7:44pm
wow. coding forums plays a *video* ad.

sad.

Title: Re: Site Hacked
Post by Rad on Jan 19th, 2014 at 12:09pm
a dude sent me a private message


Quote:
Hi

Maybe this info will help. It's all the info I have, anyway.

1) in Google Chrome

ctrl+shift+i

this will bring up the Console

then RELOAD the page (ie refresh the page so the console can get the data)

then click on the NETWORK Tab -- you will see everything that has been loaded and everything you are connected to.

2) a Firefox addon

http://www.mozilla.org/en-US/lightbeam/

Note, the Firefox browser has a multitude of info.

good luck

i wonder why he sent this info, privately.
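Rad's earlier post asked for a way to identify every site a given page reaches, and the private message above answers with the Network tab. As an added example (not code from the thread or from any poster), here is a JavaScript helper that does the same job two ways: a static scan of a page's HTML for every URL it references, and a reducer that turns any list of URLs (from that scan, or from what the browser actually fetched) into the list of hosts that are not the site's own. The HTML sample and the hostnames example.test, cdn.example.test and unexpected.test are constructed for the example; it runs under Node, and the one-line browser-console form is given in a comment.

```javascript
// Added example (not from the thread): answer "which hosts does this page talk to?"
// extractUrls() statically scans HTML for src/href/action attributes and for absolute
// URLs quoted inside inline scripts; foreignHosts() keeps only hosts outside the
// site's own domain. The HTML and the hostnames example.test, cdn.example.test and
// unexpected.test are constructed for this example.

const SAMPLE_PAGE_URL = 'http://www.example.test/guides/index.html';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/guides/matching_columns.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
</head><body>
<img src="images/logo.png">
<a href="http://www.example.test/forums/">forums</a>
<a href="#top">top</a>
<a href="javascript:void(0)">noop</a>
<script>
  // a script that points the browser at another server at runtime; a static
  // scan only sees the quoted literal part of the URL
  var s = document.createElement('script');
  s.src = 'http://unexpected.test/counter.php?r=' + Math.random();
  document.body.appendChild(s);
</script>
</body></html>`;

const ATTR_RE = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const QUOTED_ABS_URL_RE = /["'](https?:\/\/[^"'\s]+)["']/g;

// Every URL the markup references, resolved against the page's own URL.
function extractUrls(html, pageUrl) {
  const found = new Set();
  const add = (raw) => {
    if (/^(javascript|mailto|data):/i.test(raw) || raw.startsWith('#')) return;
    try { found.add(new URL(raw, pageUrl).href); } catch (_) { /* not a URL, skip */ }
  };
  for (const m of html.matchAll(ATTR_RE)) add(m[1]);
  for (const s of html.matchAll(SCRIPT_RE)) {
    for (const u of s[1].matchAll(QUOTED_ABS_URL_RE)) add(u[1]);
  }
  return [...found].sort();
}

// Hosts in `urls` that are neither ownHost nor a subdomain of it.
function foreignHosts(urls, ownHost) {
  const own = ownHost.toLowerCase();
  const hosts = new Set();
  for (const u of urls) {
    let host;
    try { host = new URL(u).hostname.toLowerCase(); } catch (_) { continue; }
    if (host === own || host.endsWith('.' + own)) continue;
    hosts.add(host);
  }
  return [...hosts].sort();
}

// In a browser console on the live page, the dynamic equivalent is:
//   foreignHosts(performance.getEntriesByType('resource').map(e => e.name), location.hostname)
// which also covers requests a static scan cannot see (URLs assembled at runtime).

if (typeof require !== 'undefined' && require.main === module) {
  const urls = extractUrls(SAMPLE_HTML, SAMPLE_PAGE_URL);
  console.log('referenced:', urls);
  console.log('foreign hosts:', foreignHosts(urls, 'example.test'));
}
```

The static scan is the one to run over a restored copy of the site (it needs no browser and can be pointed at every HTML file), while the console form is the one to use on a page that is misbehaving right now; a host in either list that you did not put there is the thing to chase.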

Radified Community Forums » Powered by YaBB 2.4!
YaBB © 2000-2009. All Rights Reserved.