PDA

View Full Version : Website hacked


RDSdaEAGLE
27-02-2006, 12:30 PM
Our football clubs website has been hacked by some nice geeks called SilentlyX and BeLa. They've manipulated our forum so that it is covered by a CSS script which covers the whole screen in black and loads up two images (hosted on imageshack.us).

We've contacted our hosts but they're notoriously bad for getting back to us, so I'm wondering whether anyone knows how we could either get rid of the hacked CSS code or what else we could do.

Its very frustrating, because the forum is pretty essential to us, we use it to publish line-ups and to discuss tactics.

If you want to see what I mean, check

www.oxted-orient.co.uk/forum

Brett
27-02-2006, 12:51 PM
If they're not in the mosque, they're just destroying things. C*nts.

brighton_eagle
27-02-2006, 12:58 PM
Originally posted by RDSdaEAGLE
Our football clubs website has been hacked by some nice geeks called SilentlyX and BeLa. They've manipulated our forum so that it is covered by a CSS script which covers the whole screen in black and loads up two images (hosted on imageshack.us).

We've contacted our hosts but they're notoriously bad for getting back to us, so I'm wondering whether anyone knows how we could either get rid of the hacked CSS code or what else we could do.

Its very frustrating, because the forum is pretty essential to us, we use it to publish line-ups and to discuss tactics.

If you want to see what I mean, check

www.oxted-orient.co.uk/forum

Have you got FTP access to your webspace? If so, you can just remove their hacked code. It looks like they've just added some code over your forum code to obscure the page.

Your hosts really need to respond quickly to this though. Security is their responsibility. Is it paid for hosting?

brighton_eagle
27-02-2006, 01:00 PM
The fact it's the forum only indicates that the forum software you are using has big security holes that let them in.

davematt
27-02-2006, 01:02 PM
Twats. :veryangry

RickyB
27-02-2006, 01:04 PM
Could be an unpatched Apache vuln TBF. If it's on a shared server, it's yoru hosts responsibility to keep it patched. There's a good chance they've deleted everything else in your home directory so if you haven't backed up it and neither has your host, you may well be fscked.

BIG DAVE
27-02-2006, 01:06 PM
Originally posted by Brett
If they're not in the mosque, they're just destroying things. C*nts.

lol

brighton_eagle
27-02-2006, 01:08 PM
Originally posted by RickyB
Could be an unpatched Apache vuln TBF. If it's on a shared server, it's yoru hosts responsibility to keep it patched. There's a good chance they've deleted everything else in your home directory so if you haven't backed up it and neither has your host, you may well be fscked.

The rest of the site looks like it's still there and untouched. The forum homepage is still there. They've just inserted some code on the page with a div that is lying over the forum code and obscuring it. Looks easy enough from what I can see to fix.

Why on earth did they pick your site though?

Neil the Eagle
27-02-2006, 01:14 PM
Originally posted by RDSdaEAGLE


Its very frustrating, because the forum is pretty essential to us, we use it to publish line-ups and to discuss tactics.



You discuss your tactics on an open forum?? Bet your opponents love that - I think the Turks may have done you a favour!

RDSdaEAGLE
27-02-2006, 01:24 PM
Its not open. We've got certain forums which are hidden from visitors and those who are not Orient members.

RDSdaEAGLE
27-02-2006, 01:25 PM
Originally posted by brighton_eagle
The rest of the site looks like it's still there and untouched. The forum homepage is still there. They've just inserted some code on the page with a div that is lying over the forum code and obscuring it. Looks easy enough from what I can see to fix.

Why on earth did they pick your site though?

I would guess that our forum software hasn't been updated for a long time, its given them an easy target. That seems to be the consensus on the phpbb website.

brighton_eagle
27-02-2006, 01:27 PM
Well, the good news is it looks like it's just the front page of the forums which you provided the link to that has been hacked. I can still get to threads etc..

RickyB
27-02-2006, 01:28 PM
Originally posted by brighton_eagle
The rest of the site looks like it's still there and untouched. The forum homepage is still there. They've just inserted some code on the page with a div that is lying over the forum code and obscuring it. Looks easy enough from what I can see to fix.

Why on earth did they pick your site though? Prolly just a script, surely?

brighton_eagle
27-02-2006, 01:30 PM
Originally posted by RickyB
Prolly just a script, surely?

Looking for this vulnerability in the bulletin board code? Yeah, looks like you might be right.

RDSdaEAGLE
27-02-2006, 01:33 PM
Originally posted by brighton_eagle
Have you got FTP access to your webspace? If so, you can just remove their hacked code. It looks like they've just added some code over your forum code to obscure the page.

I think we do. Not sure how to access it though. Trilby does all the admin side of the main website.

How would I go about removing the code?

Your hosts really need to respond quickly to this though. Security is their responsibility. Is it paid for hosting?

It is, yeah. Not too impressed with them though, their live support team don't seem to have a clue, advising us to e-mail the support desk, only for the support desk not to reply for hours!

brighton_eagle
27-02-2006, 01:35 PM
Originally posted by RDSdaEAGLE


I think we do. Not sure how to access it though. Trilby does all the admin side of the main website.

How would I go about removing the code?



It is, yeah. Not too impressed with them though, their live support team don't seem to have a clue, advising us to e-mail the support desk, only for the support desk not to reply for hours!

Just edit out their code. If you PM me the FTP details I'll do it for you if you want. I'm out of the office now for a couple of hours though.

However, you might want to leave it so your hosts can see it and fix it for you.

brighton_eagle
27-02-2006, 03:24 PM
Dude, I've fixed this. See PMs.

RDSdaEAGLE
27-02-2006, 09:21 PM
A big thanks to b_e for sorting it out.

We've now updated the forum software, but its taken pretty much all day.

It looks good though!

www.oxted-orient.co.uk/phpBB/index.php

The Omen
01-03-2006, 02:22 AM
Count yourself lucky - mine got hacked by someone posing as Ebay. FBI got onto it and have banned ME from hosting with quite a few companies!

My website was only a personal php bbs as well... :(

Dave
01-03-2006, 07:20 AM
phpBB keeps having big security holes, if you are going to tun it you need to update it all the time

The Omen
01-03-2006, 11:11 AM
Originally posted by Dave
phpBB keeps having big security holes, if you are going to tun it you need to update it all the time

Which is what I didn't do stupidly.

A Wooden Fish On Wheels
01-03-2006, 10:49 PM
I remember when people used to deface websites of people like Microsoft, Sun, Bank of America, USAF, etc.

Now they do Oxted Orient's message board? Goes to show how far we have come in terms of internet and computer security really.

RDSdaEAGLE
01-03-2006, 11:35 PM
Originally posted by Dave
phpBB keeps having big security holes, if you are going to tun it you need to update it all the time

Indeedy, we've noticed that.

It seems quite a pain to upgrade the forum though, it was a bit of a challenge doing so with the current forum.

However, I think we can update it automatically through the website control panel.

Either way, its been a bit of a lesson.

A Wooden Fish On Wheels
03-03-2006, 04:00 PM
http://www.kb.cert.org/vuls/id/497400
http://www.kb.cert.org/vuls/id/113196
http://www.kb.cert.org/vuls/id/774686
http://www.kb.cert.org/vuls/id/920931
http://www.kb.cert.org/vuls/id/314347