Site Hacked!!!!

Discussion in 'Troubleshooting' started by slohand, Jan 14, 2008.

  1. slohand

    slohand New Member

    Joined:
    Jul 10, 2007
    Messages:
    6
    site hacked logfile pics attached

    So someone hacked my website last night from IP 208.53.170.15. I took pics of just one of my logs so you guys can see what they did and maybe prevent this in the future. My site was up to date with the last security patch and they still beat it.

    They exported my member list and then deleted it, and then changed the admin password so I could not access the site for a while. Now I have to inform all my members their information has been compromised. Sigh. I have gotten with my ISP, got a copy of all the log files, notified the police and the credit card merchants, and am in the process now of notifying customers. Thought I would let you guys know there is a loophole that needs to be fixed.

    I won't post pics here because of file sizes but will include links to them for you to see.

    Pic1
  2. Sergei

    Sergei aMember Pro Customer

    Joined:
    Mar 6, 2006
    Messages:
    96
    Hmm, what version of PHP and MySQL are you using? Register globals on or off?
  3. slohand

    slohand New Member

    Joined:
    Jul 10, 2007
    Messages:
    6
    PHP 4.4.4
    MySQL 4.1.22

    Globals are off, and even have a .htaccess making them off
  4. stevedj68

    stevedj68 New Member

    Joined:
    Mar 19, 2007
    Messages:
    2
    I was up to date with securities and someone hacked my system through Amember. Sounds like this is a recurring theme!!! They set up a Phishing site in my Amember files... a French bank!!! I am in the process of having Amember investigate but still waiting to hear... meanwhile, I am losing business... I am not happy about this... I hope amember does something immediately.
  5. slohand

    slohand New Member

    Joined:
    Jul 10, 2007
    Messages:
    6
    site suspended because of amember

    Yesterday I reported my site was hacked on the forum. Today my site was shut off and an email sent saying that my server was used for phishing some Italian bank. Access was gained through Amember, including an IRCBOT that was put in a tmp folder and activated. I am afraid to use this script any longer.
  6. booforum

    booforum Member

    Joined:
    May 20, 2005
    Messages:
    186
    Is anyone going to answer this?
  7. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,279
    Merged threads into one because of the same issue.
    In both situations the security fix was not implemented right.

    Master value in your php.ini is set to ON.
    The .htaccess that you have in the aMember folder (from http://www.amember.com/p/Main/SecurityNote04) was created on Jan 14.
    You can see this in the log: before Jan 14 all requests to secpay.inc.php generate a 200 response code; after Jan 14, 403 (forbidden).

    P.S. If you need any further info or help in this, please contact me via helpdesk.
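
The log check described in the staff reply above (direct requests to secpay.inc.php answered with 200 before the .htaccess existed, 403 afterwards) can be run against your own access log. This is an added example, not part of the original thread and not aMember's own code; it assumes Apache common/combined log format, and the sample lines, IP addresses and the PLACEHOLDER path segment are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix of an Apache common/combined log line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET = "secpay.inc.php"  # file named in the staff reply

# Constructed sample lines; the real directory of the file is not given
# on the page, so PLACEHOLDER stands in for it.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2008:23:41:02 -0500] "GET /amember/PLACEHOLDER/secpay.inc.php?x=1 HTTP/1.1" 200 512
203.0.113.7 - - [13/Jan/2008:23:41:09 -0500] "POST /amember/PLACEHOLDER/secpay.inc.php HTTP/1.1" 200 733
198.51.100.4 - - [14/Jan/2008:08:02:11 -0500] "GET /amember/login.php HTTP/1.1" 200 2048
203.0.113.7 - - [15/Jan/2008:01:12:40 -0500] "GET /amember/PLACEHOLDER/secpay.inc.php HTTP/1.1" 403 289
this line is not a log entry and is skipped
"""

def direct_hits(log_text, target=TARGET):
    """Return {ISO date: {status: count}} for direct requests to target."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        path = m.group("url").split("?", 1)[0]  # ignore the query string
        if not path.endswith("/" + target):
            continue
        stamp = m.group("ts").split()[0]  # drop the timezone offset
        day = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").date().isoformat()
        hits[day][int(m.group("status"))] += 1
    return {day: dict(codes) for day, codes in hits.items()}

def exposed_days(hits):
    """Days on which a direct request was served (2xx) instead of refused."""
    return sorted(d for d, codes in hits.items()
                  if any(200 <= c < 300 for c in codes))

if __name__ == "__main__":
    summary = direct_hits(SAMPLE_LOG)
    for day in sorted(summary):
        print(day, summary[day])
    print("served directly on:", exposed_days(summary))
```

Any day listed by `exposed_days` is a day the include file was still reachable from the web, and the requests on those days are the ones to review.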
  8. abgcompu

    abgcompu New Member

    Joined:
    Jan 1, 2008
    Messages:
    8
    I am very concerned about that.

    How do I check to make sure this is correct on my site?
    Not all of us here know all the technical aspects of setting up the script right.
    It was set up for me by amember tech support; hopefully they make sure everything is in the right place.
  9. itstrish

    itstrish New Member

    Joined:
    Mar 3, 2008
    Messages:
    10
    hi everyone

    In addition to the security notes page that Alex referenced above, you need to consider the most common (and most overlooked) way that sites are hacked. No, it's not sql injection attacks. It is spyware on your PC.

    Spyware "keyloggers" are very very common. (that's a double-very) These programs record your keystrokes, including credit card numbers, and passwords, saving the info to a hidden datafile on your pc. Then later your datafile is transmitted to a rogue site. These rogue sites (hackers) have a HUGE daily supply of fresh credit card numbers, passwords, paypal passwords, etc, in fact so much that they have time to abuse just a small percentage of what is collected.

    Front door access....
    Thru the use of keyloggers, it's really easy for any hacker to get front door password access to your amember admin, and to your hosting account admin, gmail, pop account, paypal, and just about any account for which you have a password. My friend is an attorney and he kept getting hit by spammers who were using his email account to send out mass spam. He had thought he was protected by Norton. I told him to buy Spysweeper which he did, and this uncovered some spyware including two nasty keyloggers. Then he got very interested and on my advice he installed SpybotSD which found yet more spyware. Bottom line: Your server-side security may be rock solid and tight, but there's a better than average chance you have keyloggers on your pc.

    trish : - )
  10. itstrish

    itstrish New Member

    Joined:
    Mar 3, 2008
    Messages:
    10
    ps...

    My suggestion is to run SpybotSD plus at least one other (e.g. Spysweeper) and if you also have a version of Norton Security with spyware protection, great. In most cases, when one spyware is found on my PC, the other two spyware sweepers missed it. So double-up or triple-up on your protection.

    Worth mentioning...The thing about spyware is that it's really hard to get rid of, here's why: If your PC is infected with say 4 spywares, and your software identifies and removes just 3, then the remaining spyware may act as a gateway to let dozens of other spywares onto your PC. Yes, your software may find and remove most of those, but if there's even one remaining, it will let more spywares onto your pc, and you're dinked.
