Welcome, Guest. Please Login
 
  HomeHelpSearchLogin FAQ Radified Ghost.Classic Ghost.New Bootable CD Blog  
 
Pages: 1 2 
Send Topic Print
Site Hacked (Read 35711 times)
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Site Hacked
Jan 16th, 2014 at 6:41pm
 
The site has been hacked. [ today = january 16, 2014 ]

I had to restore [ first time ever ] the back-up from Jan 14.

Somebody somehow got my FTP log-in. The main site password.

They modified various javascript files in order to write to a file on a server down near the border between Mexico and San Diego (Chula Vista).

I think the server is in the US, but not sure.

This morning I noticed the browser said > "Waiting for site > vacance-petit-prix.com"

I say > WTF .. we should not be going there.

Hours later > more info.

Site was accessed via FTP from the IP listed, which traces to somewhere near NYC;

Code:
Wed Jan 15 05:01:56 2014 0 86.109.167.242 1605 /home/radif2/public_html/guides/matching_columns.js a _ o r radif2 ftp 1 * c 


 
WWW  
IP Logged
 

Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #1 - Jan 16th, 2014 at 6:43pm
 
And then this morning again from a different IP, as shown here:

Code:
Thu Jan 16 04:16:11 2014 0 95.80.214.220 299 /home/radif2/joecool/public/javascripts/application.js a _ i r radif2 ftp 1 * c 



this IP also traces down to near the border of San Diego with Mexico.

At first, after the back-up was restored .. it looked not good .. but then I closed all rad pages and cleared the browser cache and > vola!

No more going to that vacance-petit-prix.com site, which is probably a hacked server itself.

The server here contains French, but sometimes it kicks you over to a Spanish-language page at Wordpress (hosted by).

If they had a better server, I might not have even noticed. But the page kept waiting .. which made me investigate further.

The server they were sending data to could obviously not handle the load. =)
 
WWW  
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #2 - Jan 16th, 2014 at 6:49pm
 
So close all rad pages and clear browser cache and let me know if you notice any quirkiness.

Any delays or sluggishness.

Especially any > "waiting for this weird, strange site"
 
WWW  
IP Logged
 
Brian
Demigod
******
Offline



Posts: 6345
NSW, Australia


Back to top
Re: Site Hacked
Reply #3 - Jan 16th, 2014 at 6:52pm
 
Rad,

Will you be able to recover the missing posts?
 
 
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #4 - Jan 16th, 2014 at 7:01pm
 
here is a file via grep (uber powerful unix search-thingie)

Code:
Jan 15 04:42:31 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded  (1605 bytes, 2056.72KB/sec)
Jan 15 04:42:32 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded (2671 bytes, 10.87KB/sec)
Jan 15 04:59:16 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/clone/matching_columns.js downloaded (1605 bytes, 2007.19KB/sec)
Jan 15 04:59:17 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/clone/matching_columns.js uploaded (2671 bytes, 9.49KB/sec)
Jan 15 05:01:56 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js downloaded (1605 bytes, 1991.70KB/sec)
Jan 15 05:01:57 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/guides/matching_columns.js uploaded (2671 bytes, 15.20KB/sec)
Jan 15 05:07:49 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js downloaded (1605 bytes, 3715.21KB/sec)
Jan 15 05:07:50 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js uploaded (2671 bytes, 9.97KB/sec)
Jan 15 05:12:38 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/vps/matching_columns.js downloaded (1605 bytes, 17395.95KB/sec)
Jan 15 05:12:39 host pure-ftpd: (radif2@86.109.167.242) [NOTICE] /home/radif2//public_html/vps/matching_columns.js uploaded (2671 bytes, 10.84KB/sec)
Jan 16 04:16:24 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js downloaded (2756 bytes, 3845.30KB/sec)
Jan 16 04:16:25 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/matching_columns.js uploaded (1677 bytes, 10.38KB/sec)
Jan 16 04:16:53 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/clone/matching_columns.js downloaded (2756 bytes, 6145.46KB/sec)
Jan 16 04:16:53 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/clone/matching_columns.js uploaded (1677 bytes, 10.25KB/sec)
Jan 16 04:17:21 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/guides/matching_columns.js downloaded (2756 bytes, 6795.22KB/sec)
Jan 16 04:17:24 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/guides/matching_columns.js uploaded (1677 bytes, 10.35KB/sec)
Jan 16 04:20:01 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js downloaded (2756 bytes, 34.72KB/sec)
Jan 16 04:20:02 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/nortonghost/matching_columns.js uploaded (1677 bytes, 10.29KB/sec)
Jan 16 04:20:10 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/vps/matching_columns.js downloaded (2756 bytes, 7120.65KB/sec)
Jan 16 04:20:11 host pure-ftpd: (radif2@95.80.214.220) [NOTICE] /home/radif2//public_html/vps/matching_columns.js uploaded (1677 bytes, 9.93KB/sec)

 
WWW  
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #5 - Jan 16th, 2014 at 7:03pm
 
So it looks like these fvckers spent ALL DAY "working on" the site.

Looks like they  started around 6AM East coast time.

And quit about 3PM East coast time.

WTF?
 
WWW  
IP Logged
 

Christer
Übermensch
*****
Offline



Posts: 1360
Sweden


Back to top
Re: Site Hacked
Reply #6 - Jan 17th, 2014 at 4:21am
 
Yesterday, the forum was "impossible". It took "forever" to load and didn't respond. I had to close the browser to get out of it. This morning, everything is back to normal.
 

Old chinese proverb:
If I hear - I forget, If I see - I remember, If I do - I understand
 
IP Logged
 
Dan Goodell
Special Guest
*****
Offline



Posts: 552
N California


Back to top
Re: Site Hacked
Reply #7 - Jan 17th, 2014 at 6:09am
 
Interesting.  I use Pale Moon (a Firefox clone) with NoScript, so my surfing is with scripting turned off.  I had no trouble visiting the forum yesterday, even before the forum restoration.


 
 
IP Logged
 
lwolff123
Gnarly
*
Offline



Posts: 32
Los Angeles


Back to top
Re: Site Hacked
Reply #8 - Jan 17th, 2014 at 12:06pm
 
Not sure if this provides any useful information, but I repeatedly got virus alerts yesterday accessing the site.  I believe that AVG virus protection reported them as YP/redirect virus.  Even while deleting the quarantined files, they would come back each time I loaded the page or a different page.
 
 
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #9 - Jan 17th, 2014 at 12:43pm
 
yes, that is certainly 'redirect' behavior.

yes, long as I disabled javascript or accesed the site thru a proxy (which disables javascript by default) I had NO PROBLEM.

I have been running servers for long enough that you can *feel* when things arent right.

I had problems similar to what Christer describes > had to shut down the whole freaking browser.

i should look into matching column lengths using CSS. Actually, I *did* .. back then. And the CSS method was significantly more complicated (tho impossible by no means) .. which is why I used javascript (simple).

I think they were into my laptop, too. For reasons I will not specify. But those reasons are now gone. Things were running better last night than they have in a long time. Like I had a new laptop.

I realize that, if you criticize the government, they will not be be pleased. So you must accept the consequences that comes with the territory. (Fvck them.)

(Obama is giving a speech today, isnt he?)

I have told people that .. if a true wizard-hacker wants to hack you .. you would have a wire up your butt right now .. and NOT EVEN KNOW IT.

Here is Dan's Pale Moon browser, which I had not even heard about:

http://www.palemoon.org/

.. but I can tell that I am interested already.

Quote:
Pale Moon is an Open Source, Firefox-based web browser for Microsoft Windows, focusing on efficiency and ease of use.
 
WWW  
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #10 - Jan 17th, 2014 at 1:00pm
 
Brian,

No. Sorry.

Does that suk a little or a lot?
 
WWW  
IP Logged
 

Brian
Demigod
******
Offline



Posts: 6345
NSW, Australia


Back to top
Re: Site Hacked
Reply #11 - Jan 17th, 2014 at 1:52pm
 
A little. Only a few are gone.
 
 
IP Logged
 
Christer
Übermensch
*****
Offline



Posts: 1360
Sweden


Back to top
Re: Site Hacked
Reply #12 - Jan 17th, 2014 at 4:47pm
 
Quote:
yes, long as I disabled javascript or accesed the site thru a proxy (which disables javascript by default) I had NO PROBLEM.

I have Java (jre-7u51) installed but disabled. Maybe disabling is not enough?
 

Old chinese proverb:
If I hear - I forget, If I see - I remember, If I do - I understand
 
IP Logged
 
Dan Goodell
Special Guest
*****
Offline



Posts: 552
N California


Back to top
Re: Site Hacked
Reply #13 - Jan 17th, 2014 at 5:04pm
 
Rad wrote on Jan 17th, 2014 at 12:43pm:
Here is Dan's Pale Moon browser, which I had not even heard about:

http://www.palemoon.org/

.. but I can tell that I am interested already.



For anyone interested in checking it out, I suggest downloading the portable version of Pale Moon.  You can then play around with it without making any permanent changes to your system.

(FWIW, I use a lot of portable apps, including portable versions of Chrome, Firefox, Thunderbird, Filezilla, and more.  It's handy to be able to carry them around on a flash drive and/or setup duplicate copies configured for different environments.)



 
 
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Site Hacked
Reply #14 - Jan 18th, 2014 at 10:26am
 
Christer,

Java is not Javascript.

Two totally different animals.

Only similar in name.

You install Java on your machine, but Javascript comes with browser.
 
WWW  
IP Logged
 
Pages: 1 2 
Send Topic Print