
Archived

This topic is now archived and is closed to further replies.

Stormgaard

Hacked by K@lem?

I run a WoW/Gaming guild website and woke up to find we'd been hacked by [b]"Turkish Hacker K@lem"[/b] (whoever the f*ck that is).  Anyways, I did a quick Google search on "K@lem" and found that he's hit other fantasy/gaming sites before - there are a lot of cached pages out there with examples of his work.

Anyone know how to fix the damage he causes?

Here's our site: http://www.se7ensamurai.com

I don't know how your site is supposed to look. But I think it's just the title that has been changed, and a news item has been posted on the front page.

[b]Edit:[/b] I found this in the source code:
[code]<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/">[/code] three times after each other. Remove it in the skin and it will be fixed.

No, it's a redirect exploit. Look in your php-nuke, near the footer of the whole site, you will see 3 lines.

[code]<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>[/code]

That right there is what redirects you. I'm guessing he got access to an admin account and posted a custom footer with that info.


He's basically a script kiddie, because any real "hacker" would just totally delete the php-nuke install and upload his own index.html/php ;D

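
The injected `<meta http-equiv="refresh">` lines quoted in the posts above can be located mechanically in a saved page or skin file. This is an added example, not part of the original thread: the names `RefreshFinder` and `find_suspicious`, the sample page and the list of the site's own hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: one legitimate same-site refresh in <head>, the injected
# line quoted in the thread, and a constructed variant with different quoting.
SAMPLE = '''<html><head>
<meta http-equiv="refresh" content="300;URL=/index.php">
</head><body>news
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="Refresh" content="10; url='http://serseri_2784.sitemynet.com/hacked/'"> </head><br>
</body></html>'''

class RefreshFinder(HTMLParser):
    """Collects (line, target_url, in_body) for every meta refresh tag."""
    def __init__(self):
        super().__init__()
        self.in_body = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        if tag != "meta":
            return
        a = dict(attrs)  # attribute names arrive lowercased, values unquoted
        if (a.get("http-equiv") or "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
        if m:
            self.hits.append((self.getpos()[0], m.group(1), self.in_body))

def find_suspicious(html, own_hosts):
    """Return refresh tags that point off-site or sit outside <head>."""
    finder = RefreshFinder()
    finder.feed(html)
    findings = []
    for line, url, in_body in finder.hits:
        host = (urlparse(url).hostname or "").lower()  # empty for relative URLs
        offsite = bool(host) and host not in own_hosts
        if offsite or in_body:
            findings.append({"line": line, "url": url, "offsite": offsite, "in_body": in_body})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE, {"www.se7ensamurai.com", "se7ensamurai.com"}):
        print(f)
```

The reported line numbers point at the tags to remove from the skin or footer; the same-site refresh in `<head>` is left alone.
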
I was thinking I could just delete the news item, but he's somehow made it that I can't access the admin module.  I type in my username and password and once I hit enter it just refreshes all over again, asking for my username and password again.

He must have had access to the Admin account (though I'm not sure how) - I think he changed my Admin username and Password.

Change it again in the database. You just need to know how it's encrypted (most likely MD5 or SHA1).

This may sound like a dumb question - but how do I do that?  Via FTP?  Via my Hosting Controller?

I would contact my host if I were you. They might possibly be able to tell when your site was last accessed via FTP, then cross-reference that with any web statistics software that you may have, like Webalizer or Urchin. If so, you can get their IP address and report them to their ISP.

[quote author=Stormgaard link=topic=99872.msg393553#msg393553 date=1152369061]
This may sound like a dumb question - but how do I do that?  Via FTP?  Via my Hosting Controller?
[/quote]

phpMyAdmin if that is installed.
