#1
Hacked
Our website has been hacked twice, both times maliciously. We're not entirely sure, but we think the IP addresses were from Germany, though they posted the Brazilian flag the first time. Does anyone have any suggestions how to secure our website?
#2
Re: Hacked
What kind of server? Who is hosting it? We'll need more info if you want us to help.
EDIT: I did a whois lookup on punahourobotics.org, and it appears that your site is hosted by BlueHost.com. Assuming you haven't been playing with DNS settings so you can self host your site, I doubt there is much you can do. Other than change hosting companies.
EDIT: I took too long to edit my post.
Last edited by EHaskins : 23-10-2007 at 23:44.
#3
Re: Hacked
Are you talking about punahourobotics.org (69.89.25.188)?
I see that you are using bluehost as your web hosting company. They kindly kept your personal info safe from the WHOIS database, but unfortunately left a slew of information about themselves instead of paying to have it show up as anonymous. It looks like they have ports 23 and 53 buttoned up well, which is good for you. Ports 80 and 21 are open, which are expected (perhaps you can request secure FTP instead?). I also see 110 open, which is pop3 (do you have an email server?). I also ran a custom scan on 3389, which is closed (another big relief).
You really need to talk to bluehost and find out exactly how the intruder got in (which port, service, and hacking method). You are running off a server called box188 on their system. Ask them to send you a report on all secure traffic on this box. If the problem persists, change hosting companies. There is obviously a problem with the security of their hosting.
Jacob
#4
Re: Hacked
Is there anyone hosting anything who is stupid enough to leave RDP exposed?!?!
#5
Re: Hacked
Has this been a consistent problem with blue host? If so, we might have to think about changing web hosts...
#6
Re: Hacked
ummmmmmmmmmmmmmmmmm
In my early days of webhosting, I left my RDP open so I could access my webserver from anywhere (hey! give me a break... I was 8...)
Now-a-days, I actually DO have RDP open on my domain (which is run out of my datacenter), but my gateway (that I built, it's a P4 w/ 2.5 GB RAM fyi) forwards the RDP port to a specific Terminal Server, that is set up solely for that purpose. Once logged into the Terminal Server, you can access a secure area of my network (using encryption) which allows you to Remote Desktop any of the servers on my network (I run 7 servers 24/7 on my domain).
So in short, I guess the answer is ME!!! But I think I have the security measures to compensate. My domain has been running over 2 years without a problem (not referring to uhsserobotics.com, I'm referring to my personal domain that I use for remote services... FYI uhsserobotics.com is run from a separate couple of servers in my datacenter).
Jacob
#7
Re: Hacked
Ok, I should have said who would be stupid enough to do that without some insane amount of security.
EDIT: Just curious, what's the power consumption of a setup like that? And what's it take to keep them cool?
EDIT: Your gateway is a P4 with 2.5gb of ram?!?! My server is only a p4 with 1gb!
Last edited by EHaskins : 24-10-2007 at 00:08.
#8
Re: Hacked
I wish I had the resources to run such a system.
#9
Re: Hacked
#10
Re: Hacked
But all in all, my entire setup hasn't actually cost me that much. Except for the additional $125 a month on the electric bill (oops). But I have a job, plus I rent out server space to my friends for backups and immediate access to their files and such, so it isn't a huge deal.
I just find it super convenient to open my laptop on the road, hit the BT-DUN connect button (Verizon EVDO with hacked BT-DUN on my Q... I LOVE IT), hit WinLogo-R, type mstsc, put in my domain, hit the enter button, and BAM.... I'm right at home. I can access my email, leave my instant messengers open 24/7, control music at home, check security (both physical in the house and web security), check on some of the hosting servers I have for friends (I actually host a couple of MUDs for a few MUD fanatic friends of mine). If I'm on a high speed connection somewhere, I can remote desktop into my terminal server and secure remote desktop to one of my main rigs and feel right at home. I can watch movies, play music, organize pictures, post on chief delphi, or whatever! I also have a VPN set up so that I can locally mount disk images on any computer and play video games on any computer (public kiosks, lab computers, etc).
I have a love for servers. I'm always looking to expand my domain (no pun intended)
Jacob
EDIT: BTW, this is completely off topic.
#11
Re: Hacked
Waiting for payment on the domain name to clear..... For some reason I thought it would be good to send the bill to the team as opposed to me (it's only 10 bux a year... I should have just done it). Now I have to wait for the bill to go through the team's process for paying for it (which, I hope to god it doesn't require a purchase order or some other bureaucratic thing like that....). I was told it should be cleared by Friday *crosses fingers*
But the servers are up and running exactly like they should be!
Jacob
#12
Re: Hacked
I'm surprised that so far people have missed the obvious step of first looking at what you've got that you control before assuming that the problem is with the host (which it may well be, but, that shouldn't be the first thing to check for).
Questions you should ask yourself include:
What software do you have installed in your webspace? (check and make sure there aren't little temporary things installed just for testing that were never removed and never properly secured, this happens often)
Is it up to date? (this can especially be a problem if your team is using a CMS or old versions of phpBB2 or other forum software)
If what you've got is custom written, has it been checked over by someone knowledgeable other than just the person who wrote it? If not, maybe it's time to audit it.
Assuming you have access to the web server access logs and error logs, read them carefully for the period of time before the last time you had problems. If the exploit is attacking something your team has control over, it's likely to appear strange and show up there. Be especially vigilant for things like phpShell and such which you don't recognize as being part of a normal type of request.
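The log review suggested in the post above, as an added example that is not part of the original thread: it parses combined-format access log lines, keeps only the window before the incident, and reports requests for PHP scripts that are not on the team's own inventory. The inventory, the incident time and the log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Common/combined access-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: scripts the team knowingly deployed (hypothetical inventory).
KNOWN_SCRIPTS = {"/index.php", "/forum/index.php"}

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2007:14:02:11 -0600] "GET /forum/index.php?topic=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Oct/2007:03:15:40 -0600] "GET /test/upload_tmp.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Oct/2007:03:16:02 -0600] "POST /test/upload_tmp.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Oct/2007:03:17:30 -0600] "POST /images/phpshell.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2007:09:00:00 -0600] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Oct/2007:10:11:12 -0600] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def triage(log_text, incident, days_before=2):
    """List requests for unrecognized PHP scripts shortly before the incident."""
    start = incident - timedelta(days=days_before)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["target"].split("?", 1)[0]  # drop the query string
        if not start <= ts <= incident:
            continue
        if not path.lower().endswith(".php") or path in KNOWN_SCRIPTS:
            continue
        status = int(m["status"])
        if status >= 400:
            reason = "probe for unknown script"
        elif m["method"] == "POST":
            reason = "POST accepted by unknown script"
        else:
            reason = "unknown script served"
        findings.append((reason, m["ip"], m["method"], path, status))
    return findings

if __name__ == "__main__":
    when = datetime(2007, 10, 23, tzinfo=timezone(timedelta(hours=-6)))
    for finding in triage(SAMPLE_LOG, when):
        print(finding)
```

Successful responses from scripts outside the inventory are the entries to investigate first; failed probes mostly show what was being looked for.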
#13
Re: Hacked
I have been using bravehost.com for close to 5 years now, and I have NEVER run into something like this. It may cost a little more (I pay $4.99/mo with 30gig of space and 600gig of bandwidth) but I have had absolutely no problems with their service. If you ask me, their setup is the cleanest, easiest to work with, and most secure setup that is out there. Check it out, I would definitely say that they are my favorite, because I also have a godaddy.com and hostmonster.com hosting account, but I am definitely gonna switch them over, because I really was not impressed with their service. But seriously, that is ridiculous.
#14
Re: Hacked
Another site that I admin was hacked in the same way fairly recently. They replaced my site with some stupid splash screen, with the fool's handle, a Turkish flag and a scrolling banner stating how "uber" this guy/gal was.
After some digging, we found that this person was exploiting a weakness in phpbb we were using. After updating the software, we haven't had a problem. No matter what you do you will always have a problem with security if you use a popular piece of software.
#15
Re: Hacked
It appears that this site is very clean-cut and is lacking 3rd party apps (less the Google Gadget app, but I doubt there is a security problem in that). I looked at the source code, and everything looks HTML and Javascript.
Then I found forum.punahourobotics.org
It appears that they have the latest version of Simple Machines. But I got to thinking, doesn't Simple Machines use MySQL, and PHP? That must mean that there is a MySQL server running on box188.bluehost.com, and perhaps this is the security hole. Check your MySQL version and patches, make sure it's all up to date.
What's odd is that a hacker would put this much effort into splashing a robotics team's website. Seems like it would be a fairly low-target kind of domain to hit.
Jacob