Navigator Internet Solutions, Inc | Community  

#1
Old 08-11-2006, 08:23 AM
k89mmk
Junior Member
 
Join Date: Sep 2005
Posts: 5
My sites were hacked ... can't log in to cpanel

Both of my sites were hacked since last night. They are
www.ontherock.ca and
www.freedomdesign.ca

All index.htm and index.php files were replaced with a page with the title "_|_Owned!! By nEt^DeViL_|_ For Lebanon !", and it contains pictures with captions like "What CNN never shows you" and "Israeli girls write messages on a shell at a heavy
artillery position firing into civilians inside Lebanon" and a pop up "For Lebanon ! ... T4ck3 7h3 M4x1MuM 53CUR17Y N3X7 71M3 ... Okay !!" (Click the maximum security next time .... okay).

I can still access the files through ftp and it seems that only the index.* files have been replaced ... So I fixed those, but when I try to load any other page or subdirectory (including cpanel) I get an Internal Server Error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@baby.ontherock.ca and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


Help!?!?!
#2
Old 08-11-2006, 09:51 AM
Angel
Member
 
Join Date: Feb 2005
Location: Spain
Posts: 58

Mine also they have been hacked, Cpanel too.


Last edited by Angel : 08-11-2006 at 09:55 AM.
#3
Old 08-11-2006, 10:24 AM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

We're getting this checked by our security team as we speak. We will update you guys.

Francisco
__________________
Best Regards,
Francisco Mazzeo
Navigator Internet Solutions, Inc
Resource-Shack
#4
Old 08-11-2006, 10:39 AM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

Our security team has logged into the affected server and is investigating the binary file or executable that allowed the hacker to gain administrator access.

The hacker has replaced all the index.php files; no MySQL, e-mails or anything else appears to have been affected.

We will update you shortly, thank you for your patience.

Francisco
#5
Old 08-11-2006, 11:03 AM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

Update from Security Team

Quote:
root@mainstream [~]# uname -r
2.6.9-39.ELsmp
root@mainstream [~]#

It's vulnerable to a root exploit.

I am not sure if this is the entry point yet, but it very well could be.

boule 32298 0.0 0.0 1408 192 ? Ss Aug10 0:00 ./65500
root@mainstream [/proc/32298]# ls -l
total 0
dr-xr-xr-x 3 boule boule 0 Aug 10 12:35 ./
dr-xr-xr-x 141 root root 0 Aug 6 16:13 ../
dr-xr-xr-x 2 boule boule 0 Aug 11 09:41 attr/
-r-------- 1 boule boule 0 Aug 11 09:41 auxv
-r--r--r-- 1 boule boule 0 Aug 11 08:25 cmdline
lrwxrwxrwx 1 boule boule 0 Aug 11 09:41 cwd -> //
-r-------- 1 boule boule 0 Aug 11 09:41 environ
lrwxrwxrwx 1 boule boule 0 Aug 11 08:25 exe -> /home2/boule/public_html/boule/pm/add_ons/mail_this_entry/port/65500*
dr-x------ 2 boule boule 0 Aug 10 12:40 fd/
-rw-r--r-- 1 boule boule 0 Aug 11 09:41 loginuid
-r-------- 1 boule boule 0 Aug 11 09:41 maps
-rw------- 1 boule boule 0 Aug 11 09:41 mem
-r--r--r-- 1 boule boule 0 Aug 11 09:41 mounts
lrwxrwxrwx 1 boule boule 0 Aug 11 09:41 root -> //
-r--r--r-- 1 boule boule 0 Aug 11 08:25 stat
-r--r--r-- 1 boule boule 0 Aug 11 08:30 statm
-r--r--r-- 1 boule boule 0 Aug 11 08:25 status
dr-xr-xr-x 3 boule boule 0 Aug 11 09:41 task/
-r--r--r-- 1 boule boule 0 Aug 11 09:41 wchan
root@mainstream [/proc/32298]#


root@mainstream [/home2/boule/public_html/boule/pm/add_ons/mail_this_entry/port]# ls -l
total 116
drwxr-xr-x 2 boule boule 4096 Feb 8 2004 ./
drwxr-xr-x 3 boule boule 4096 Aug 10 12:35 ../
-rw-r--r-- 1 boule boule 23472 Aug 10 12:35 14568
-rwxr-xr-x 1 boule boule 24680 Aug 10 12:35 35651*
-rwxr-xr-x 1 boule boule 27666 Aug 10 12:35 4000*
-rwxr-xr-x 1 boule boule 28336 Feb 3 2003 65500*
root@mainstream [/home2/boule/public_html/boule/pm/add_ons/mail_this_entry/port]#


It is running on this port:

tcp 0 0 0.0.0.0:65500 0.0.0.0:* LISTEN 32171 14060252 32298/65500



I am still looking into it.



_______________________
Steven Ciaburri
Level 3 Administrator
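The triage Steven posted (an unknown process whose `exe` link resolves into a customer's public_html and which listens on a high port) can be turned into a repeatable check. This is an added example, not code from the thread or from NIS: it parses the `ls -l /proc/PID` and netstat lines quoted above and also walks a live /proc; the list of directories treated as suspicious (WEB_DIRS) is an assumption.

```python
"""Flag processes whose executable lives under a web-writable directory (added example)."""
import os
import re
from typing import List, Optional, Tuple

# Parent directories from which no legitimate daemon should be executing (assumption).
WEB_DIRS = ("/public_html/", "/www/", "/tmp/", "/dev/shm/")


def is_webroot_exe(path: str) -> bool:
    """True if an executable path sits under one of WEB_DIRS."""
    return any(d in path for d in WEB_DIRS)


def exe_from_ls(line: str) -> Optional[str]:
    """Target of the 'exe -> /path*' symlink in an `ls -l /proc/PID` line."""
    m = re.search(r"\sexe -> (\S+)", line)
    if not m:
        return None
    return m.group(1).rstrip("*")   # ls -F appends '*' to executables


def listen_pid(netstat_line: str) -> Optional[int]:
    """PID from the trailing 'PID/Program' field of a netstat LISTEN line."""
    fields = netstat_line.split()
    if len(fields) < 7 or fields[5] != "LISTEN":
        return None
    pid = fields[-1].split("/", 1)[0]
    return int(pid) if pid.isdigit() else None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Live scan: (pid, exe) for each process whose exe resolves into WEB_DIRS."""
    hits: List[Tuple[int, str]] = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:            # kernel thread, already exited, or not readable
            continue
        if is_webroot_exe(exe):
            hits.append((int(entry), exe))
    return hits


if __name__ == "__main__":
    for pid, exe in scan_proc():
        print(f"suspicious: pid {pid} runs {exe}")
```

Run it as root on the host so every /proc/PID/exe link is readable; a process that was started from a web root and has since been deleted on disk still shows up, because the link target survives the unlink.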
#6
Old 08-11-2006, 11:36 AM
Angel
Member
 
Join Date: Feb 2005
Location: Spain
Posts: 58
Mail

Quote:
X-Gmail-Received: 1588ffb6ce416dfc9b21ba7ed87664385419fe13
Delivered-To: giatica @ gmail.com
Received: by 10.70.51.1 with SMTP id y1cs166975wxy;
Thu, 10 Aug 2006 22:59:12 -0700 (PDT)
Received: by 10.70.44.5 with SMTP id r5mr4400276wxr;
Thu, 10 Aug 2006 22:59:12 -0700 (PDT)
Return-Path: <angel @ mainstream.navigatoris.us>
Received: from mainstream.navigatoris.us ([65.254.49.203])
by mx.gmail.com with ESMTP id h13si2222974wxd.2006.08.10.22.59.12;
Thu, 10 Aug 2006 22:59:12 -0700 (PDT)
Received-SPF: neutral (gmail.com: 65.254.49.203 is neither permitted nor denied by best guess record for domain of angelr@mainstream.navigatoris.us)
Received: from angelr by mainstream.navigatoris.us with local (Exim 4.52)
id 1GBQ34-0005mC-IU
for 431 @ giatica.info; Fri, 11 Aug 2006 01:59:10 -0400
To: 431 @ giatica.info
From: webmaster@mainstream.navigatoris.us
Subject: Content-Transfer-Encoding: 7bitContent-Type: text/plainSubject: bcc: buletmann@aol.com36774cc4e8b574a42c7ed83d88494694
Message-Id: <E1GBQ34-0005mC-IU@mainstream.navigatoris.us>
Date: Fri, 11 Aug 2006 01:59:10 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mainstream.navigatoris.us
X-AntiAbuse: Original Domain - giatica.info
X-AntiAbuse: Originator/Caller UID/GID - [32008 501] / [47 12]
X-AntiAbuse: Sender Address Domain - mainstream.navigatoris.us
X-Source: /usr/local/cpanel/cgi-sys/formmail.pl
X-Source-Args: formmail.pl
X-Source-Dir: giatica.info:/cgi-sys

referrer: 431@giatica.info

uri: 431@giatica.info

useragent: 431@giatica.info

b1: 431@giatica.info

431@giatica.info:
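The mail Angel posted shows the classic formmail.pl pattern: form fields are copied straight into mail headers, so a Subject containing line breaks smuggles extra Content-Type and bcc headers into the message. This is an added example, not formmail.pl or any NIS code: a form-to-mail handler that refuses such values and any recipient outside an operator allow-list. The field names, the allow-list and the reconstructed injected subject (with a placeholder bcc address) are assumptions.

```python
"""Form-to-mail handler that refuses CR/LF header injection (added example)."""
import re
from email.message import EmailMessage
from typing import Dict, Iterable, Optional

# A raw or URL-encoded line break lets a value terminate the header it is in and
# start new ones; an embedded "bcc:" or "Content-Type:" is the same trick once the
# breaks are removed (compare the Subject of the quoted mail).
_HEADER_BREAK = re.compile(r"[\r\n]|%0[aAdD]")
_SMUGGLED_HEADER = re.compile(
    r"\b(bcc|cc|content-type|content-transfer-encoding|mime-version)\s*:", re.I)
# Form fields that end up in headers and therefore need the strict check (assumed names).
HEADER_FIELDS = ("subject", "email", "realname")


def has_header_injection(value: str) -> bool:
    """True if a form value carries a line break or an embedded mail header."""
    return bool(_HEADER_BREAK.search(value) or _SMUGGLED_HEADER.search(value))


def rejection_reason(fields: Dict[str, str], allowed_recipients: Iterable[str]) -> Optional[str]:
    """Why the submission must be refused, or None if it is acceptable."""
    allowed = {a.strip().lower() for a in allowed_recipients}
    recipient = fields.get("recipient", "").strip().lower()
    if recipient not in allowed:        # recipient must be an operator-configured address
        return "recipient not in allow-list"
    for name in HEADER_FIELDS:
        if has_header_injection(fields.get(name, "")):
            return f"header injection in field {name!r}"
    return None


def build_message(fields: Dict[str, str], allowed_recipients: Iterable[str]) -> EmailMessage:
    """Build the outgoing mail or raise ValueError with the rejection reason."""
    reason = rejection_reason(fields, allowed_recipients)
    if reason:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["To"] = fields["recipient"]
    msg["From"] = "webmaster@example.invalid"   # assumption: fixed, never user-supplied
    msg["Subject"] = fields.get("subject", "(no subject)")
    # Everything else is body text only; it never reaches a header.
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields.items() if k != "recipient"))
    return msg


# Constructed: the Subject from the quoted mail with its line breaks restored and the
# bcc target replaced by a placeholder address.
INJECTED_SUBJECT = ("\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain\n"
                    "Subject: \nbcc: attacker@example.invalid\n36774cc4e8b574a42c7ed83d88494694")
```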
#7
Old 08-11-2006, 11:49 AM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

Two Exploits have been found.

We're contacting the website owners to let them know that the Joomla! board and PM_addons have been the cause of this incident.

Due to our privacy policy, we cannot disclose the URLs of the websites that were hacked, unless the website owner posts it.

We are still working on this issue, you're not in the dark.
#8
Old 08-11-2006, 12:12 PM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

We are proceeding to upgrade the system's kernel and secure the system.

The Permissions of the folders of the hacked websites have been changed, so the hacker will not be able to RE-RUN the application or hack us back again.

As I said, we contacted the owners of the websites (our customers) to immediately fix this problem. The change in permissions will prevent them from running the PHP scripts that caused this problem in the first place. (Today)

All the compromises by this guy are listed on Zone-H.org - a quick link: http://old.zone-h.org/en/defacements...today/page=28/

This is to provide you with a link to the hacker's activity of TODAY - we were not the only web-host / server / provider that was hacked.

My personal opinion is that fixing it quickly, determining what caused the problem and resolving everything promptly and in a timely manner is Priority #1 for us.

I have received a personal e-mail from a customer (to my email @navigatoris.us) - that they are moving to a more "professional" web-host.

I am not here to debate the decision, but I want to let you guys know that we are an INTERNET web-host; nothing is 100% secure in this industry. It's not like real life, where you can put hundreds and hundreds of armed guards in front of your house to feel secure.

Hackers nowadays are smarter, and they mostly use FREE software that is commonly used - in this case JOOMLA was used, along with a plugin called PM Addons. Since the source code of free software is always "Open Source", they can "read" the code and see if it's viable to run any hacking attempts.

With that said - I would like to add that if any customer feels like we haven't corrected this issue in a timely manner or that we are not worthy of this month's payment from them - to contact me personally or send a ticket to me - I will get them credit for this issue.

Thank you for your business,
Francisco
#9
Old 08-11-2006, 12:56 PM
NIS-Francisco
Administrator
 
Join Date: Dec 2003
Posts: 528

Server is currently power cycling - booting new kernel.
#10
Old 08-11-2006, 12:58 PM
Angel
Member
 
Join Date: Feb 2005
Location: Spain
Posts: 58

Dear Mr. Francisco:

I at least, am very happy with this hosting service.

Maybe there exist other bigger and more important servers or solutions, but you have demonstrated your professionalism and knowledge to me on many occasions, offering customized excellent support even for software that I use, which you are not obliged to do.

We are with you!