MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 21 March 2008 : 02:14:36
|
Grmbl...little over two hours ago oxle was brutally defaced by a (group of) ****er(s) calling him/themselves Sinaritx....
I was lucky enough to check my site when I woke up, cause I wanted to fix the last thing of the SkyDrive mod, and then I saw it...
Method of defacement: probably not through the forum, but through IIS. (IIS W3-logfiles do not show ANY information....) 6 new files existed in my root since last night 23:54 (server time): default.htm, default.html, index.htm and index.html (all being the same file), isko.html and sina.html. These last two files had this info:
quote: Command Tribulation was here - www.commandt.org - Jesus Loves you
I've undone the defacement, by removing those files, but still, this has me worried....how did they come in, is it an IIS leak, when will it happen again? I've contacted my provider (Wiktel) and informed them of the defacement. Well, I've got to go to work now...let's hope the site doesn't get defaced again in the meantime. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 21 March 2008 02:15:26 |
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 21 March 2008 : 03:34:28
|
is the server yours or is it a shared hosting account ?
if it is not yours you should contact the host immediately as that looks like a server compromise, if there is nothing in the IIS logs then it probably wasn't done through IIS but possibly via an uploaded ftp client |
|
|
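The check discussed above (new files in the web root, nothing in the IIS logs), as an added example that is not part of the original thread: it lists files changed since a cutoff and pairs each with logged write-type requests near its timestamp. The function names, the 10-minute window and `SAMPLE_LOG` are assumptions constructed for illustration; the log is assumed to record the `date`, `time` and `cs-method` fields.

```python
import os
from datetime import datetime, timedelta, timezone

# Verbs that can create or change content through the web server (WebDAV, uploads).
WRITE_METHODS = {"PUT", "POST", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
NEEDED = {"date", "time", "cs-method"}

# Constructed sample log, not taken from the thread.
# IIS W3C extended logs record UTC by default, not local server time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem sc-status
2008-03-21 04:10:00 POST /upload.asp 200
2008-03-21 04:53:40 PUT /sina.html 201
2008-03-21 04:54:05 GET /index.html 200
""".splitlines()

def new_files(root, since):
    """Map relative path -> UTC mtime for files under root changed at or after
    `since` (a timezone-aware datetime). mtime can be forged, so treat as a lead."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if mtime >= since:
                found[os.path.relpath(path, root).replace(os.sep, "/")] = mtime
    return found

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and NEEDED <= set(fields):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                entry = dict(zip(fields, values))
                stamp = entry["date"] + " " + entry["time"]
                entry["ts"] = datetime.strptime(
                    stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
                yield entry

def correlate(root, since, log_lines, window=timedelta(minutes=10)):
    """For each new file, list the logged write requests within `window` of its mtime."""
    writes = [e for e in parse_w3c(log_lines) if e["cs-method"].upper() in WRITE_METHODS]
    return {rel: [e for e in writes if abs(e["ts"] - mtime) <= window]
            for rel, mtime in new_files(root, since).items()}
```

An empty list for a new file means no logged web write landed near its timestamp, which points away from HTTP and toward FTP or a server-level compromise.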
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 21 March 2008 : 03:51:05
|
I have seen similar hacks before and it looks like a server hack rather than a site hack, however if you allow file uploads you should ensure that the directories you can upload to do not have any execute permissions under IIS or windows |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 21 March 2008 : 05:33:44
|
Indeed this is usually a server hack. One of the common entry points is corrupted FrontPage extensions. If you do have them installed and do not use them, remove them. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
|
golfmann
Junior Member
United States
450 Posts |
Posted - 21 March 2008 : 10:33:43
|
More than a bit disturbing to hit you in the morning, Marcel! (and not the prettiest picture I have seen today, either!) I'm glad you got it straightened out. |
|
|
|