redbrad0
Advanced Member
    
USA
3725 Posts |
Posted - 03 October 2003 : 15:18:14
|
One of my customer's sites just got hacked and they changed the default.asp page so the only thing that is displayed is...
quote: Fatal Error ownz you BY: Elemento_pcx - #Ferror irc.objetivonet.com.br Fatal Error we are Elemento_PCX :: the_danz :: MAXMEX :: Ka0t1c -Sl4cK_r0oT- Elemento_pcx@yahoo.com.br não sabe como funciona entao aprende :P Cgi-bin%$ of iis5-webdav nc.exe ON :D
What does this message say at the bottom? Has anyone else had this problem? I am guessing they got on the FTP and changed the file, but I would think they would have deleted files also. |
Brad Oklahoma City Online Entertainment Guide Oklahoma Event Tickets |
|
Roland
Advanced Member
    
Netherlands
9335 Posts |
Posted - 03 October 2003 : 15:23:13
|
According to intertran "não sabe como funciona entao aprende" means "into the knows how does it work entao she learns", assuming they wrote that in Brazilian Portuguese. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 03 October 2003 : 16:37:37
|
Sorry Roland, that is ... ahem... a translation that can be improved...  
I would translate it as: "if you don't know how it works, you'd better learn it". |
Snitz 3.4 Readme | Like the support? Support Snitz too |
Edited by - ruirib on 03 October 2003 16:38:17 |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 03 October 2003 : 17:11:40
|
How were they able to get in via FTP? Do you have anonymous FTP enabled? |
 |
|
redbrad0
Advanced Member
    
USA
3725 Posts |
Posted - 03 October 2003 : 17:31:47
|
It's not a hosting customer of mine. I told her to make sure to change the password on her FTP but wasn't really sure what to tell her on anything else.
Oh, when I looked into it a little more, they inserted 4 files: index.html, index.htm, default.htm, default.asp |
Edited by - redbrad0 on 03 October 2003 17:32:32 |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 03 October 2003 : 17:50:44
|
May be worth checking if they have FTP logs, or in the IIS logs in case they were uploaded via HTTP. |
 |
|
redbrad0
Advanced Member
    
USA
3725 Posts |
|
bethabernathy
Starting Member
10 Posts |
Posted - 03 October 2003 : 20:20:14
|
Hi - I think what happened is that I had read, write, execute and delete set on the snitz folder. Do you think that was it? -Beth |
 |
|
redbrad0
Advanced Member
    
USA
3725 Posts |
|
bethabernathy
Starting Member
10 Posts |
Posted - 04 October 2003 : 13:41:33
|
Hi - I ran an analysis on the log files and they also hit the cgi-bin folder and the FrontPage extension folders. So, it must be some sort of program where they can publish.
Very strange? -Beth
|
 |
|
bethabernathy
Starting Member
10 Posts |
Posted - 04 October 2003 : 14:15:58
|
More info:
Link removed by admin. Sorry, but we don't really want links to sites telling people how to hack into other people's machines.
-Beth |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 04 October 2003 : 14:53:06
|
If someone was able to upload files to your server then it has a serious security problem. You should ensure all current patches are installed and tie down the security on the server. If this is with a host, then move immediately. |
 |
|
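One way to carry out the IIS log check suggested in the thread, as an added example that is not part of any poster's message: it scans W3C extended log lines for successful write-style requests and flags those that touch the four default documents named above. It assumes the log carries a `#Fields:` line; the method list, the watched folders and the sample log are constructed for illustration.

```python
# Added example: find HTTP requests in an IIS W3C extended log that could have
# written the default documents named in the thread. Lists are assumptions.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE"}
DEFAULT_DOCS = {"index.html", "index.htm", "default.htm", "default.asp"}
WATCH_PATHS = ("/_vti_bin/", "/cgi-bin/")  # FrontPage extensions and cgi-bin

# Constructed sample log (documentation IP ranges, not data from the incident).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-10-03 14:01:10 192.0.2.10 GET /forum/default.asp 200
2003-10-03 14:02:31 198.51.100.7 OPTIONS / 200
2003-10-03 14:02:40 198.51.100.7 PUT /default.asp 201
2003-10-03 14:02:44 198.51.100.7 PUT /index.html 201
2003-10-03 14:03:02 198.51.100.7 POST /_vti_bin/_vti_aut/author.dll 200
2003-10-03 14:05:00 192.0.2.10 PUT /upload/test.txt 403
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for columns."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def suspicious_writes(text):
    """Return (when, client, method, path, reason) for likely HTTP uploads."""
    hits = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        path = row.get("cs-uri-stem", "").lower()
        if not row.get("sc-status", "").startswith("2"):
            continue                        # only requests the server accepted
        if method in WRITE_METHODS:
            doc = path.rsplit("/", 1)[-1]
            reason = "default document written" if doc in DEFAULT_DOCS else "write method"
        elif method == "POST" and any(p in path for p in WATCH_PATHS):
            reason = "POST to watched folder"
        else:
            continue
        when = (row.get("date", "") + " " + row.get("time", "")).strip()
        hits.append((when, row.get("c-ip", ""), method, path, reason))
    return hits

if __name__ == "__main__":
    for hit in suspicious_writes(SAMPLE_LOG):
        print(*hit, sep="  ")
```

If this reports nothing for the time the files changed, the FTP log is the next place to look, as the thread suggests.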