Author Topic: Site Hacked

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Site Hacked
« on: June 11, 2019, 02:17:21 PM »
Hello all

I use Hostgator as my web hosting site for my weather page:   DeputyDawgWX.com

Recently they have sent me several different emails about security issues with my site.   One instance a phishing PHP file was placed on my site.  Hostgator shut me down until I removed it.

I got another email last night (note at the bottom they mention a file).

QUESTION: Is this happening to anyone else?  Is there anything I can do to prevent this?  Thanks


During a scan of our servers we identified malicious content in accounts under your control. We have quarantined the files listed below to prevent abuse. Please note that no services have been disabled and no legitimate content has been affected by this action. However, it is possible that other malicious activity may have disrupted your services.
 
The most important things you can do to ensure the security of your account are to make sure your software (e.g WordPress) is up-to-date, and that your passwords are strong. We strongly encourage you to change all of your account passwords and update all software as soon as possible to prevent any further compromises or abuse.
 
We understand that any risk to our network reputation is a risk to our customers' reputation and so we take third-party reports of network abuse seriously. In order to protect our shared reputation we may disable account services in the event of a third-party report of network abuse until we are confident that the account has been properly cleaned and secured. This email is to inform you of content found by our proactive scans, and is not the result of a third-party abuse report. No services have been disabled as a result of this discovery.
 
Additional information on HostGator's policies, and what activity is damaging to a network's reputation in general, is available in our knowledge base:
 
Acceptable Use Policy
My Account was Hacked

 
If you would like help in securing your account we recommend SiteLock, a security service and partner of ours. They can be contacted at 844-631-8637.
 
HostGator Security Department
 
Quarantined files:
http://spam.hgfix.net/1525907_quarantined_files.txt


Offline Banyarola

  • Posts: 104
  • Big indian, New York
  • OS/Browser:
  • Win 7/Srvr 2008R2
  • Chrome 75.0.3770.80
Re: Site Hacked
« Reply #1 on: June 11, 2019, 02:23:44 PM »
Looks more like SPAM to me...I would contact the site from their contact info and ask them about it..
You can also check your privacy settings on that site and see if you can opt out of any ads they may send out.. Also check their EULA and see if they give out your email to 3rd parties..

Of course, this is just my opinion others may say something else..
If You're Reading This In English, Thank A Vet..

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Re: Site Hacked
« Reply #2 on: June 11, 2019, 02:33:35 PM »
Quote from: Banyarola on June 11, 2019, 02:23:44 PM
Looks more like SPAM to me...I would contact the site from their contact info and ask them about it..
You can also check your privacy settings on that site and see if you can opt out of any ads they may send out.. Also check their EULA and see if they give out your email to 3rd parties..

Of course, this is just my opinion others may say something else..

Thanks, do you mean spam from the host site?   How are these files (the one mentioned here as quarantined or the one not long ago which was a phishing PHP placed onto my site) getting on my weather site?   How does anyone have access to put files into my site?  The phishing PHP was in the public_html directory.

I hope this makes sense

Offline Banyarola

  • Posts: 104
  • Big indian, New York
  • OS/Browser:
  • Win 7/Srvr 2008R2
  • Chrome 75.0.3770.80
Re: Site Hacked
« Reply #3 on: June 11, 2019, 02:39:14 PM »
Quote from: DeputyDawg on June 11, 2019, 02:33:35 PM
Thanks, do you mean spam from the host site?   How are these files (the one mentioned here as quarantined or the one not long ago which was a phishing PHP placed onto my site) getting on my weather site?   How does anyone have access to put files into my site?  The phishing PHP was in the public_html directory.

I hope this makes sense

I have no idea what happened...I would change passwords...I'm sorry I can't help more....
If You're Reading This In English, Thank A Vet..

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Re: Site Hacked
« Reply #4 on: June 11, 2019, 02:41:56 PM »
No worries. I greatly appreciate you responding

Offline niko

  • syzygy
  • Global Moderator
  • Posts: 28,041
  • Crystal Ball broken! Please post the URL.
  • Northern California, U.S.A.
  • OS/Browser:
  • Win 7/Srvr 2008R2
  • Chrome 74.0.3729.169
Re: Site Hacked
« Reply #5 on: June 11, 2019, 03:32:48 PM »
Is that '/home4/paul/public_html/pay' directory something you installed? Those files look very suspicious to me...

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Re: Site Hacked
« Reply #6 on: June 11, 2019, 03:58:33 PM »
Quote from: niko on June 11, 2019, 03:32:48 PM
Is that '/home4/paul/public_html/pay' directory something you installed? Those files look very suspicious to me...

Niko, thanks.  I put nothing there - trust me.  I'm not skillful enough :)   I had someone set this up years ago for me.

I can't access my cPanel from here, but can at home.

Btw how are you able to see this?

Offline niko

  • syzygy
  • Global Moderator
  • Posts: 28,041
  • Crystal Ball broken! Please post the URL.
  • Northern California, U.S.A.
  • OS/Browser:
  • Win 7/Srvr 2008R2
  • Chrome 74.0.3729.169
Re: Site Hacked
« Reply #7 on: June 11, 2019, 04:01:01 PM »
I'm looking in the listing of quarantined files linked in your first post.

Offline saratogaWX

  • Global Moderator
  • Posts: 5,918
  • Ken True
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Win NT 10.0
  • Firefox 67.0
    • Saratoga Weather
Re: Site Hacked
« Reply #8 on: June 11, 2019, 04:22:58 PM »
Yes, all the files in /home4/paul/public_html/pay/ are VERY SUSPICIOUS and should be deleted if you didn't install them.

Also, all the haccess.php files should be deleted too.  It looks like your site was compromised and a spammer installed unwanted software on your site.

Delete these on your site:
'/home4/paul/public_html/pay'
'/home4/paul/public_html/haccess.php'
'/home4/paul/public_html/unzip.php'
'/home4/paul/public_html/.well-known/haccess.php'
'/home4/paul/public_html/SEWN-images/haccess.php'
'/home4/paul/public_html/ac/haccess.php'
'/home4/paul/public_html/ajax-images/haccess.php'
'/home4/paul/public_html/alert-images/haccess.php'
'/home4/paul/public_html/alfacgiapi/haccess.php'
'/home4/paul/public_html/arrows/haccess.php'
'/home4/paul/public_html/bot/antibots1.php'
'/home4/paul/public_html/bot/haccess.php'
'/home4/paul/public_html/cache/haccess.php'
'/home4/paul/public_html/cgi-bin/haccess.php'
'/home4/paul/public_html/css/haccess.php'
'/home4/paul/public_html/davcon/haccess.php'
'/home4/paul/public_html/forecast/haccess.php'
'/home4/paul/public_html/home/haccess.php'
'/home4/paul/public_html/home/index.php'
'/home4/paul/public_html/home/myaccount.php'
'/home4/paul/public_html/home/signin.php'
'/home4/paul/public_html/home/system/blocker.php'
'/home4/paul/public_html/home4/haccess.php'
'/home4/paul/public_html/images/haccess.php'
'/home4/paul/public_html/jpgraph/haccess.php'
'/home4/paul/public_html/uploads/haccess.php'
'/home4/paul/public_html/walid/Checkers/PayPalDCP_Valid/index.php'
'/home4/paul/public_html/walid/Checkers/PayPalDCT_Valid/index.php'
'/home4/paul/public_html/walid/Checkers/PayPal_Valid/index.php'
'/home4/paul/public_html/wuicons/haccess.php'
'/home4/paul/public_html/wxreports/haccess.php'
'/home4/paul/public_html/wxwugraphs/haccess.php'

This setup on your site is probably a PayPal phishing site to steal PayPal credentials.  Delete it NOW (and all those haccess.php files).
Ken True
Saratoga Weather
CWOP: CW1792
WeatherUnderground: KCASARAT1
Free weather website PHP scripts and WD website AJAX templates

Offline Banyarola

  • Posts: 104
  • Big indian, New York
  • OS/Browser:
  • Win 7/Srvr 2008R2
  • Chrome 75.0.3770.80
Re: Site Hacked
« Reply #9 on: June 11, 2019, 05:00:37 PM »
Ahhhhh,,,Ha!
I was partly right....

Thanks for jumping in guys...
If You're Reading This In English, Thank A Vet..

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Re: Site Hacked
« Reply #10 on: June 11, 2019, 07:26:08 PM »
Quote from: saratogaWX on June 11, 2019, 04:22:58 PM
Yes, all the files in /home4/paul/public_html/pay/ are VERY SUSPICIOUS and should be deleted if you didn't install them.

Also, all the haccess.php files should be deleted too.  It looks like your site was compromised and a spammer installed unwanted software on your site.

Delete these on your site:
'/home4/paul/public_html/pay'
'/home4/paul/public_html/haccess.php'
'/home4/paul/public_html/unzip.php'
'/home4/paul/public_html/.well-known/haccess.php'
'/home4/paul/public_html/SEWN-images/haccess.php'
'/home4/paul/public_html/ac/haccess.php'
'/home4/paul/public_html/ajax-images/haccess.php'
'/home4/paul/public_html/alert-images/haccess.php'
'/home4/paul/public_html/alfacgiapi/haccess.php'
'/home4/paul/public_html/arrows/haccess.php'
'/home4/paul/public_html/bot/antibots1.php'
'/home4/paul/public_html/bot/haccess.php'
'/home4/paul/public_html/cache/haccess.php'
'/home4/paul/public_html/cgi-bin/haccess.php'
'/home4/paul/public_html/css/haccess.php'
'/home4/paul/public_html/davcon/haccess.php'
'/home4/paul/public_html/forecast/haccess.php'
'/home4/paul/public_html/home/haccess.php'
'/home4/paul/public_html/home/index.php'
'/home4/paul/public_html/home/myaccount.php'
'/home4/paul/public_html/home/signin.php'
'/home4/paul/public_html/home/system/blocker.php'
'/home4/paul/public_html/home4/haccess.php'
'/home4/paul/public_html/images/haccess.php'
'/home4/paul/public_html/jpgraph/haccess.php'
'/home4/paul/public_html/uploads/haccess.php'
'/home4/paul/public_html/walid/Checkers/PayPalDCP_Valid/index.php'
'/home4/paul/public_html/walid/Checkers/PayPalDCT_Valid/index.php'
'/home4/paul/public_html/walid/Checkers/PayPal_Valid/index.php'
'/home4/paul/public_html/wuicons/haccess.php'
'/home4/paul/public_html/wxreports/haccess.php'
'/home4/paul/public_html/wxwugraphs/haccess.php'

This setup on your site is probably a PayPal phishing site to steal PayPal credentials.  Delete it NOW (and all those haccess.php files).

Ken, THANKS!!!!!!!!!!!!!!!!!!!!!

I just did a remote session and think I got them all.   How were you able to determine these files, so I can check to ensure they are gone?
How did someone get access to put them there?
Anything else I should look for?

Thanks a million

Offline saratogaWX

  • Global Moderator
  • Posts: 5,918
  • Ken True
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Win NT 10.0
  • Firefox 67.0
    • Saratoga Weather
Re: Site Hacked
« Reply #11 on: June 11, 2019, 11:34:43 PM »
Those files were in the validation exception link you posted in the top entry to this thread.

I did a bit of snooping around before those files were removed, and found that some of the stuff had been running since October, 2018 --

I've sent you a PM with further info...
Ken True
Saratoga Weather
CWOP: CW1792
WeatherUnderground: KCASARAT1
Free weather website PHP scripts and WD website AJAX templates

Offline saratogaWX

  • Global Moderator
  • Posts: 5,918
  • Ken True
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Win NT 10.0
  • Firefox 67.0
    • Saratoga Weather
Re: Site Hacked
« Reply #12 on: June 12, 2019, 07:38:02 PM »
We've finished disinfecting his site.. Original hack sometime early October, 2018.  Several species of malware included on the site since then by miscreants.  Latest malware was a banking/phishing set to capture bank/PayPal signins from the unwary.  Directory-by-directory search showed a few more lurking back-doors (now removed), and the main site is now clean.

The original hack was unlikely to come from an external HTTP access (no evidence of that in the logs) -- my guess is that either
1) another site on the same server was compromised and loose permissions allowed files to be saved in his document root, or
2) a vulnerability in cPanel allowed upload access to unauthenticated users or
3) the webserver was root-kitted back then and not detected for long enough for the miscreants to plant malware seeds on many sites on the webserver

We'll never know just how the initial compromise happened as no available logs point to a cause.

I was pleased to help debug the malware infection issues.. exercised my old 'defense-against-the-dark-arts' skills :)

Best regards,
Ken
Ken True
Saratoga Weather
CWOP: CW1792
WeatherUnderground: KCASARAT1
Free weather website PHP scripts and WD website AJAX templates
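As an added illustration of the clean-up Ken describes in replies #8 and #12 (the haccess.php droppers scattered through every directory, PHP planted in asset folders like images/ and uploads/, and the directory-by-directory hunt for remaining back-doors), here is a small sweep script. It is not code from the thread or from Ken's site tools; it assumes a POSIX shell with find, grep, xargs and sort on the host, and the fixture files it builds are constructed from the thread's listing, not real samples.

```shell
# Added example, not from the thread: sweep a document root for the indicators
# seen above. Flags (1) any file named haccess.php, (2) PHP files in directories
# that should hold only static assets, and (3) PHP files carrying common
# obfuscation markers. Prints one suspicious path per line, deduplicated.

scan_docroot() {
    root=$1
    {
        # 1. known-bad filename anywhere under the root
        find "$root" -type f -name 'haccess.php'
        # 2. PHP where only images/CSS/cache/uploads belong (directory names
        #    taken from the thread's listing; adjust for your own site)
        for d in images css cache uploads .well-known jpgraph wuicons; do
            if [ -d "$root/$d" ]; then
                find "$root/$d" -type f -name '*.php'
            fi
        done
        # 3. obfuscation markers in any PHP file (case-insensitive match);
        #    /dev/null keeps grep from reading stdin when no files are found
        find "$root" -type f -name '*.php' -print0 |
            xargs -0 grep -liE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' /dev/null || true
    } | sort -u
}

# Constructed fixture so the sweep runs offline; paths mirror the thread's list.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/images" "$tree/home/system" "$tree/wxreports"
    # legitimate weather page: must NOT be flagged
    printf '<?php echo "Weather report";\n' > "$tree/wxreports/index.php"
    # planted file using the thread's dropper filename
    printf '<?php echo 1;\n' > "$tree/images/haccess.php"
    # PHP sitting in a static-asset directory
    printf '<?php phpinfo();\n' > "$tree/images/thumb.php"
    # inert marker: carries an obfuscation signature as a string, does nothing
    printf '<?php /* marker */ $x = "eval(base64_decode(";\n' > "$tree/home/system/blocker.php"
    echo "$tree"
}

# count_hits returns how many suspicious files the sweep found under $1
count_hits() {
    scan_docroot "$1" | grep -c .
}

sample=$(make_sample_tree)
scan_docroot "$sample"   # images/haccess.php, images/thumb.php, home/system/blocker.php
rm -rf "$sample"
```

Run it against a copy of public_html (or over SSH on the host) and review every hit by hand before deleting, since legitimate templates can also contain base64_decode.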

Offline DeputyDawg

  • Posts: 970
  • Atlanta, GA
  • OS/Browser:
  • Win NT 10.0
  • Chrome 75.0.3770.80
    • Paul's Weather in Atlanta
Re: Site Hacked
« Reply #13 on: June 12, 2019, 07:54:00 PM »
Quote from: saratogaWX on June 12, 2019, 07:38:02 PM
We've finished disinfecting his site.. Original hack sometime early October, 2018.  Several species of malware included on the site since then by miscreants.  Latest malware was a banking/phishing set to capture bank/PayPal signins from the unwary.  Directory-by-directory search showed a few more lurking back-doors (now removed), and the main site is now clean.

The original hack was unlikely to come from an external HTTP access (no evidence of that in the logs) -- my guess is that either
1) another site on the same server was compromised and loose permissions allowed files to be saved in his document root, or
2) a vulnerability in cPanel allowed upload access to unauthenticated users or
3) the webserver was root-kitted back then and not detected for long enough for the miscreants to plant malware seeds on many sites on the webserver

We'll never know just how the initial compromise happened as no available logs point to a cause.

I was pleased to help debug the malware infection issues.. exercised my old 'defense-against-the-dark-arts' skills :)

Best regards,
Ken

Thanks Ken.... I cannot thank you enough for your help !!!!!!!!!   Much appreciated
