Hacked by K@lem?


9 replies to this topic

#1 Stormgaard

Stormgaard
  • New Members
  • Newbie
  • 4 posts

Posted 08 July 2006 - 02:00 PM

I run a WoW/Gaming guild website and woke up to find we'd been hacked by "Turkish Hacker K@lem" (whoever the f*ck that is).  Anyways, I did a quick Google search on "K@lem" and found that he's hit other fantasy/gaming sites before - there are a lot of cached pages out there with examples of his work.

Anyone know how to fix the damage he causes?

Here's our site: http://www.se7ensamurai.com

#2 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 08 July 2006 - 02:06 PM

Looks like a redirect exploit rather than a hack...

#3 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 08 July 2006 - 02:08 PM

I don't know how your site is supposed to look. But I think it's just the title that has been changed, and a news item has been posted on the front page.

Edit: I found this in the source code:
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/">
three times after each other. Remove it in the skin and it will be fixed.

#4 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 08 July 2006 - 02:10 PM

No it's a redirect exploit.. Look in your php-nuke, near the footer of the whole site, you will see 3 lines.

<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>

That right there is what redirects you. I'm guessing he got access to an admin account and posted a custom footer with that info.


He's basically a script kiddy, because any real "hacker" would just totally delete the php-nuke install and upload his own index.html/php  ;D
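A defender-side check for the injected tags quoted in posts #3 and #4, as an added example that is not part of the original thread: it scans a rendered page for `meta refresh` tags that point off-site or that sit inside the body, where a legitimate theme would not put them. The function names, the sample page and the choice of `se7ensamurai.com` as the site's own host are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the page in the thread: one harmless
# refresh in <head>, then injected tags in the footer area of the body.
SAMPLE_PAGE = """<html><head><title>Guild</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="refresh" content="300">
</head><body><p>News</p>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
<meta http-equiv="refresh" content="10;URL=http://serseri_2784.sitemynet.com/hacked/"> </head><br>
</body></html>"""

def parse_refresh(content):
    """Split a refresh value such as '10;URL=http://x/' into (delay, url)."""
    parts = re.split(r"[;,]", content, maxsplit=1)
    rest = parts[1].strip() if len(parts) > 1 else ""
    rest = re.sub(r"^url\s*=\s*", "", rest, flags=re.I)
    return parts[0].strip(), rest.strip("'\" ")

class RefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> with position and target."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.in_body = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        _delay, url = parse_refresh(a.get("content", ""))
        host = (urlparse(url).hostname or "").lower()
        off_site = bool(host) and host != self.own_host \
            and not host.endswith("." + self.own_host)
        self.findings.append({"line": self.getpos()[0], "url": url,
                              "off_site": off_site, "in_body": self.in_body})

def scan(html, own_host):
    """Return refresh tags that redirect off-site or appear inside <body>."""
    finder = RefreshFinder(own_host)
    finder.feed(html)
    finder.close()
    return [f for f in finder.findings if f["off_site"] or f["in_body"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PAGE, "se7ensamurai.com"):
        print(hit)
```

Run against the saved HTML of each public page after cleaning the skin; an empty result means no suspicious refresh tags remain in that output.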

#5 Stormgaard

Stormgaard
  • New Members
  • Newbie
  • 4 posts

Posted 08 July 2006 - 02:20 PM

I was thinking I could just delete the news item, but he's somehow made it that I can't access the admin module.  I type in my username and password and once I hit enter it just refreshes all over again, asking for my username and password again.

#6 Stormgaard

Stormgaard
  • New Members
  • Newbie
  • 4 posts

Posted 08 July 2006 - 02:24 PM

He must have had access to the Admin account (though I'm not sure how) - I think he changed my Admin username and Password.

#7 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 08 July 2006 - 02:26 PM

Change it again in the database. You just need to know how it's encrypted (most likely MD5 or SHA1).

#8 Stormgaard

Stormgaard
  • New Members
  • Newbie
  • 4 posts

Posted 08 July 2006 - 02:31 PM

This may sound like a dumb question - but how do I do that?  Via FTP?  Via my Hosting Controller?

#9 tomfmason

tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 08 July 2006 - 02:34 PM

I would contact my host if I were you. They might possibly be able to tell when the last time your site was accessed via ftp then cross reference that with any web static software that you may have like webalizer or urchin. If so you can get their IP address and report them to their ISP.

Traveling East in search of instruction, and West to propagate the knowledge I have had gained.



#10 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 08 July 2006 - 02:45 PM

> This may sound like a dumb question - but how do I do that?  Via FTP?  Via my Hosting Controller?


phpMyAdmin if that is installed.



