PowWeb Forums - The Perfect Community for the Perfect Host  

Old 12-5-04, 09:32 AM   #1
blueprins
Guest
 
Posts: n/a
I Have been Attacked :((

I need help. Last week my index.html was changed to "Defaced by ..." and I changed it back to my old index. I have changed all my passwords, but last night my index was changed again, to an empty white page.

Now I have changed it again to my index, but I have to protect the site, because it is not safe now; they can change it again when they want. It was the twice happened last night.

Please HELPPPPPP (((((((
 
Old 12-5-04, 02:37 PM   #2
NMS
Moderator
 
Join Date: Apr 2002
Location: Malta - Europe
Posts: 7,108
Reputation: 125
Make sure they did not install a script on your website which permits a user to get in your website and change stuff. If you do not have a lot of files, I suggest you go in with FTP and delete everything and upload again. Change your password again.
NMS is offline  
Old 12-5-04, 03:30 PM   #3
IanS
Former Spam Filter (EU)
 
Join Date: Mar 2004
Location: Washington (THE original UK one!)
Posts: 12,806
Reputation: 470
Quote:
Originally Posted by NMS
Make sure they did not install a script on your website which permits a user to get in your website and change stuff. If you do not have a lot of files, I suggest you go in with FTP and delete everything and upload again. Change your password again.
Also make sure all the scripts you do have running are secure, things like BulletinBoards are the latest versions.

It's at this point someone also adds, chmod things to 600 - but I can never remember which bits (or who chimes in )
IanS is offline  
Old 12-5-04, 03:36 PM   #4
(jj)
 
Join Date: Feb 2002
Location: n/a
Posts: 7,294
Reputation: 224
Quote:
It's at this point someone also adds, chmod things to 600 - but I can never remember which bits (or who chimes in )
At minimum, the config pages
__________________
If silence is golden, then I must be worth million$

(jj)
Jack
(jj)'s Playground
(jj) is offline  
Old 12-5-04, 05:24 PM   #5
B&T
Just tryin' to help
 
Join Date: Jan 2003
Location: along the journey
Posts: 8,036
Reputation: 125
The #1 question - What are you running on your site?

I see phpbb - they just issued a security patch version.

Looks like some other CMS also? They are usually invitations to get hacked.
__________________
Enhance your PowWeb experience @ B&T's Tips & Scripts
Got some free time? You can find Nothing of Value @ PrettyWorthless.com
B&T is offline  
Old 12-5-04, 06:59 PM   #6
joshuamc
 
Join Date: Oct 2003
Location: Boston, MA
Posts: 2,511
Reputation: 135
There is a lot of useful information regarding hacked or defaced websites on this forum. You may wish to start here:
http://forum.powweb.com/showthread.p...acked+websites
joshuamc is offline  
Old 12-5-04, 10:27 PM   #7
quick5pnt0
 
Join Date: May 2004
Location: pa
Posts: 312
Reputation: 25
What version of phpbb is that? If it is under 2.0.11, go to phpbb.com and update it, because there have been numerous security updates in the last few releases.
__________________
Mike
quick5pnt0 is offline  
Old 12-7-04, 10:56 AM   #8
blueprins
Guest
 
Posts: n/a
Thank you very much for your answers.

I have just updated my forum from 2.0.10 to 2.0.11. I also have a photo album in the forum; I closed it to user uploads and made it admin only.

I looked for any scripts in my htdocs, but I couldn't see any. I only found a text file, named c:\apache\htdocs\cart\chat\msg.txt. I don't remember uploading such a file, and I couldn't delete it in CuteFTP. What does this mean?

I have changed all my passwords. Is there anything else I must do? Thanks a lot.
 
Old 12-7-04, 01:51 PM   #9
joshuamc
 
Join Date: Oct 2003
Location: Boston, MA
Posts: 2,511
Reputation: 135
c:\apache\htdocs\cart\chat\msg.txt ? Are you running a local server?


If you have changed all your passwords and updated the forums, that is a good start. As cumbersome as it is, it's a good idea to make sure that your passwords are strong and that you do not use the same password for everything.
joshuamc is offline  
Old 12-10-04, 03:37 PM   #10
blueprins
Guest
 
Posts: n/a
I once used an Apache server for testing; maybe that is it. But I couldn't delete it, is that normal?

The latest forum update is good, I think; maybe that was the safety problem. I hope it was my last safety problem. Thank you very much.
 
Old 12-10-04, 09:26 PM   #11
Croc Hunter
Mod.. with bite..
 
Join Date: Sep 2002
Location: Australia
Posts: 7,295
Reputation: 442
Quote:
Originally Posted by IanS
It's at this point someone also adds, chmod things to 600 - but I can never remember which bits (or who chimes in )
It's me!!..
Chmod all index.php files to 644
Chmod all other .php files to 600

By 'strong passwords' Joshuamc means use a combination of letters and numbers eg: my.56HolDen FoRd67-owner 1209rastA.Mon etc.

Never Chmod anything to 666 or 777
Change all usernames and passwords
Delete all old FTP user accounts
Run a good antivirus and spychecker
__________________
Croc Hunter MSC :
Croc Hunter is offline  
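
The permission rules in the post above (index.php at 644, other .php files at 600, nothing at 666 or 777) can be checked and applied with a short script. This is an added example, not part of the original thread; the function names and the sample tree are constructed, and mode 600 assumes PHP runs as the account owner.

```shell
#!/bin/sh
# Added example: check a web root against the permission rules in post #11.
# Function names are hypothetical; the demo tree is constructed sample data.

# Anything world-writable (the 666 / 777 cases).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# .php files that do not have the recommended mode:
# index.php -> 644, every other .php -> 600.
list_php_mismatch() {
    find "$1" -type f -name 'index.php' ! -perm 644 -print
    find "$1" -type f -name '*.php' ! -name 'index.php' ! -perm 600 -print
}

# Apply the recommended modes, then strip world-write from whatever is left.
apply_recommended_modes() {
    find "$1" -type f -name 'index.php' -exec chmod 644 {} +
    find "$1" -type f -name '*.php' ! -name 'index.php' -exec chmod 600 {} +
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree so the script runs offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/forum/cache"
    : > "$root/index.php";        chmod 666 "$root/index.php"
    : > "$root/forum/config.php"; chmod 644 "$root/forum/config.php"
    : > "$root/forum/index.php";  chmod 644 "$root/forum/index.php"
    chmod 777 "$root/forum/cache"
    echo "World-writable:";      list_world_writable "$root"
    echo "Wrong mode on .php:";  list_php_mismatch "$root"
    apply_recommended_modes "$root"
    left=$( { list_world_writable "$root"; list_php_mismatch "$root"; } | wc -l )
    echo "Findings after fix: $left"
    rm -rf "$root"
}

demo
```

Run the two `list_` functions on their own first to review what would change before calling `apply_recommended_modes` on a live web root.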
Old 12-10-04, 09:40 PM   #12
B&T
Just tryin' to help
 
Join Date: Jan 2003
Location: along the journey
Posts: 8,036
Reputation: 125
Quote:
Originally Posted by Croc Hunter
It's me!!..
[kirk]But . . . but . . . I . . . thought . . . it was me[/kirk]
B&T is offline  
Old 12-11-04, 10:24 AM   #13
blueprins
Guest
 
Posts: n/a
Hi, firstly thanks very much for your answers. I have some questions.

1) I want to ban this domain IP from connecting to my site: 66.98.140.13. How can I do this? I have learned that there is a DDoS attack on my site from this IP. This is a DDoS attack program and it uses this domain IP. How can I ban it?

2) I don't use the CGI-BIN folder, and I think it is the cause of some attacks. Can I delete it? Would that cause any problem?
 
Old 12-12-04, 04:29 PM   #14
Skunkboy
 
Join Date: Mar 2003
Location: .
Posts: 2,009
Reputation: -39
In your htaccess file, add the following code--changing the IPs to suit your needs--each command on one line each:

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

You can deny access based upon IP address or an IP block. The above blocks access to the site from 123.45.6.7, and from any sub domain under the IP block 012.34.5. (012.34.5.1, 012.34.5.2, 012.34.5.3, etc.)

You can also set an option for deny from all, which would of course deny everyone. You can also allow or deny by domain name rather than IP address (allow from .powweb.com works for www.powweb.com or virtual.powweb.com, etc.)

As far as the cgi-bin, if you don't have any scripts in there, then they're not abusing it. But at the same time - yes, you can delete it if you don't want it.
Skunkboy is offline  
Old 12-12-04, 06:47 PM   #15
B&T
Just tryin' to help
 
Join Date: Jan 2003
Location: along the journey
Posts: 8,036
Reputation: 125
Quote:
Originally Posted by blueprins
I want to ban this domain IP from connecting to my site
See all your options here:
http://prettyworthless.com/tips.php?...ck_traffic#tip
B&T is offline  
Old 12-14-04, 04:17 AM   #16
blueprins
Guest
 
Posts: n/a
Thanks a lot
 
Old 12-14-04, 11:27 PM   #17
nmctwx
 
Join Date: Dec 2001
Location: Connecticut
Posts: 100
Reputation: 15
I use php-nuke and it is one of the more attacked CMS's out there. I made a small script that renames the admin.php file to something that isn't easily guessed. When I need to admin, I just name it back to admin.php.

Also I have this in my .htaccess file

Code:
<Files admin.php>
Order deny,allow
Deny from all
Allow from 88.77.
</Files>
This makes it so only users with ip addresses that begin with 88.77 will be able to access the admin.php. Not a total solution, but another piece to help with security.
__________________
--Andy
New Milford Weather Center
nmctwx is offline  
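
How the two rule sets in this thread evaluate (the `order allow,deny` blocklist from post #14 and the `Order deny,allow` allowlist for admin.php above), as an added shell model that is not part of the original posts. It assumes the classic Apache `Order`/`Allow`/`Deny` semantics and whole-octet matching for partial addresses; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models how Order/Allow/Deny combine for one client IP.
# Function names are hypothetical; the IPs are the placeholders from the thread.

# True if IP matches one spec: "all", a full address, or a partial
# address such as "88.77." (matched on whole octets only).
spec_matches() {
    ip=$1 spec=${2%.}
    [ "$spec" = "all" ] && return 0
    case "$ip." in "$spec".*) return 0 ;; esac
    return 1
}

# True if IP matches any spec in a space-separated list.
any_match() {
    ip=$1; shift
    for s in $1; do spec_matches "$ip" "$s" && return 0; done
    return 1
}

# Prints "allow" or "deny".
#   allow,deny: must match an Allow and no Deny (default is deny)
#   deny,allow: refused only if it matches a Deny and no Allow (default is allow)
decide() {
    order=$1 client=$2 allow=$3 deny=$4
    case "$order" in
        allow,deny)
            if any_match "$client" "$allow" && ! any_match "$client" "$deny"
            then echo allow; else echo deny; fi ;;
        deny,allow)
            if any_match "$client" "$deny" && ! any_match "$client" "$allow"
            then echo deny; else echo allow; fi ;;
        *) echo "unknown order: $order" >&2; return 2 ;;
    esac
}

# Post #14: order allow,deny / deny from 123.45.6.7 and 012.34.5. / allow from all
decide allow,deny 123.45.6.7  "all" "123.45.6.7 012.34.5."   # deny
decide allow,deny 123.45.6.70 "all" "123.45.6.7 012.34.5."   # allow
# Post #17: Order deny,allow / Deny from all / Allow from 88.77.
decide deny,allow 88.77.10.4 "88.77." "all"                  # allow
decide deny,allow 88.7.10.4  "88.77." "all"                  # deny
```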
Old 12-15-04, 08:58 AM   #18
B&T
Just tryin' to help
 
Join Date: Jan 2003
Location: along the journey
Posts: 8,036
Reputation: 125
Quote:
Originally Posted by nmctwx
I use php-nuke and it is one of the more attacked CMS's out there. I made a small script that renames the admin.php file to something that isn't easily guessed. When I need to admin, I just name it back to admin.php.

Also I have this in my .htaccess file

Code:
<Files admin.php>
Order deny,allow
Deny from all
Allow from 88.77.
</Files>
This makes it so only users with ip addresses that begin with 88.77 will be able to access the admin.php. Not a total solution, but another piece to help with security.
Both very good techniques. I do the IP restriction on my admin scripts as well, but I use all four IP numbers. It only changes when my cable modem gets a reset (which never happens).
B&T is offline  
Old 12-17-04, 09:21 AM   #19
blueprins
Guest
 
Posts: n/a
Hi,

I am under attack right now. It is a DDoS attack, and their IP is 85.96.95.3

I have changed my .htaccess file like so:


Quote:
IndexIgnore *
order allow,deny
deny from 85.96.95.3
allow from all
AddType application/x-httpd-php .htm
AddType application/x-httpd-php .html

But the attack is still going on now.

I still get this error, on a white page:

Quote:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@askmasali.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
 
Old 12-18-04, 02:38 AM   #20
blueprins
Guest
 
Posts: n/a
Why can't I get any help from the moderators and admin? Isn't it a big problem? I have 4000 hits daily and my site has been closed for two days.
 
Old 12-18-04, 04:50 AM   #21
blueprins
Guest
 
Posts: n/a
I found something today:

When I delete my .htaccess file in htdocs, my index.html and the other links work, except the forum and my PHP files. And when I re-upload my .htaccess, the whole site, including index.html, gives the 500 error page:

Quote:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@askmasali.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

And my .htaccess is normal, and it doesn't contain any errors. It is as below:

Quote:
IndexIgnore *
AddType application/x-httpd-php .htm
AddType application/x-httpd-php .html
So I think that the attackers have done something to the .htaccess file? If I delete my .htaccess file, I can reach my index and the other HTML links, BUT I can't reach my FORUM and the other PHP files.

Please help me immediately.
 
Old 12-19-04, 04:33 PM   #22
blueprins
Guest
 
Posts: n/a
The first duty of a host is to protect its websites from all attacks. I looked into this event and I have talked with the attackers, and I have done nothing wrong. This happened because of a safety problem at PowWeb.

Please solve your safety problems and prevent these attacks in the future. Please help me to reactivate my site.

I have 9000 members in my forum, but my forum doesn't work. This is the third day. I'm still waiting for this from PowWeb.
 
Old 12-19-04, 04:46 PM   #23
tbonekkt
 
Join Date: Dec 2002
Location: TX
Posts: 12,382
Reputation: 248
Quote:
Originally Posted by blueprins
IndexIgnore *
AddType application/x-httpd-php .htm
AddType application/x-httpd-php .html
That's incorrect. Use the following instead:
Code:
IndexIgnore *
AddHandler application/x-httpd-php .htm .html
tbonekkt is offline  
Old 12-19-04, 05:37 PM   #24
stevel
XPW
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
PowWeb does all it can to prevent attacks on its servers, but if site owners install software with security holes, it is not PowWeb's responsibility to fix them. Simply saying that it is PowWeb's fault doesn't make it so.
__________________
Steve
stevel is offline  
Old 12-20-04, 03:50 AM   #25
blueprins
Guest
 
Posts: n/a
I am not a hacker; I can't know how they did it. But I have some friends who are hackers, and they also say that these last attacks were because of a hole in my hosting. I have also talked with the attackers, and they also said that it was because of a hole in the hosting. They have stopped the attacks, but I have no way to reactivate my site. You can reactivate it.

Please review my account, review the servers and reactivate it. I want this immediately please; today is the fourth day.
 
Old 12-20-04, 04:01 AM   #26
(jj)
 
Join Date: Feb 2002
Location: n/a
Posts: 7,294
Reputation: 224
The users and moderators on this forum cannot help you; you will need to contact abuse@powweb.com to get this straightened out. This is something that needs to be handled by the employees of Powweb (moderators are not employees).
(jj) is offline  

All times are GMT -4. The time now is 08:54 AM.


Contents ©PowWeb, Inc. ~ vBulletin, Copyright © 2000-2007 Jelsoft Enterprises Limited.