Hackers

nwheat

New Member
Messages
2,690
Location
Central California
AAARRRGHHHH!!!
My website has been hacked into AGAIN!!! I've received 4 emails from people like this (the others did assume that the email didn't really have anything to do with my site):

I received this email saying that I have been billed for a subscription (SEE
COPIED EMAIL BELOW) that I know nothing about. Could you please contact me
immediately regarding this matter,

Thank you,
(name removed)

Dear (name removed).

Thank you for your subscription to
http://tangerinegecko.com/scken4183.html

You have been billed as KRBILL LLC for the amount of:
3.95(USD) for 3 days (trial) then 34.95(USD) recurring every 30 days .

Your new subscription identification number is:505,

Your membership access information is:
Username for your subscription: Simona
Password for your subscription: Yho56nD
E-mail: (name removed)

Membership website: http://tangerinegecko.com/scken4183.html

Thank you for choosing KRBill as the eMerchant for your subscription!
Customer Support/Cancel Your Subscription 12/09/2006 07:16



Obviously, if you by any chance receive one of these, ignore it! They added a page and a few other things onto my website and then sent out these awful scam emails. I have deleted the files, and changed my password, but what else can I do? At least it seems so completely outrageous that hopefully most people will realize it is a scam.
 

MDBalderas

Guest
Nancy,

Looks like you are hosting on startlogic.com? Based on the fact that the only server they have that runs vDeck, which appears to be what your site is running on, is a Windows server. The package appears to have ASP, .NET, Access DB with ODBC support, MySQL support, and FrontPage Server Extensions. All the aforementioned have easy-to-exploit security flaws readily available on the internet, and unless they are properly secured and constantly updated can allow someone to compromise a site and add/remove files at will without even knowing your password. The one with the most issues is FrontPage Server Extensions; I don't install it or even offer it to my hosting customers. I haven't found anything online about compromises for vDeck yet, but it wouldn't surprise me if there isn't a flaw or two in it, be it bad coding or just real easy to misconfigure from a standpoint of security, just given the scope of the number of things it allows you to control.

That all being said, in a world where *everything* is available online, hackers tend to be one step ahead of security and server administrators and not the other way around.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
MDBalderas said:
Nancy,

Looks like you are hosting on startlogic.com? Based on the fact that the only server they have that runs vDeck, which appears to be what your site is running on, is a Windows server. The package appears to have ASP, .NET, Access DB with ODBC support, MySQL support, and FrontPage Server Extensions. All the aforementioned have easy-to-exploit security flaws readily available on the internet, and unless they are properly secured and constantly updated can allow someone to compromise a site and add/remove files at will without even knowing your password. The one with the most issues is FrontPage Server Extensions; I don't install it or even offer it to my hosting customers. I haven't found anything online about compromises for vDeck yet, but it wouldn't surprise me if there isn't a flaw or two in it, be it bad coding or just real easy to misconfigure from a standpoint of security, just given the scope of the number of things it allows you to control.

That all being said, in a world where *everything* is available online, hackers tend to be one step ahead of security and server administrators and not the other way around.

I am using startlogic as well and it is not a Windows box (granted, maybe the OP is on a Windows box). Having vDeck does not immediately mean that it is a Windows box (for example, my machine is st78.startlogic.com - running 4.11-STABLE FreeBSD 4.11-STABLE #0: Wed Apr i386). I've never had a problem (granted, I use pretty secure passwords, use separate e-mail and FTP passwords, and would never attempt to use any MS product in a server environment).

It's possible the whole box was compromised (in which case you should be complaining to them), or even a simple dictionary attack against your FTP could do it. Hell, you might even have a virus on your local computer that sends them your e-mail password that it gets by scanning network traffic... could be damn near anything.
 

nwheat

New Member
Messages
2,690
Location
Central California
I'm just mortified that these emails are being sent to people from my website. I really don't know that much about computers, but I'll be doing my best to try to keep people out. This is the second time they've messed with me. This one is worse, though, because I don't know how many people received these emails, or if they are even still being sent. At least the page is gone. Does it help to check the box that only allows changes from my IP address?

edit: I don't use any of the programs available. I made my site in Dreamweaver and upload it directly to the server since my "put" button doesn't work.

How do I know if the box was compromised? What is the box? I suppose I'll try to figure out how to complain to startlogic. Sometimes computers are not my friend.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
nwheat said:
I'm just mortified that these emails are being sent to people from my website. I really don't know that much about computers, but I'll be doing my best to try to keep people out. This is the second time they've messed with me. This one is worse, though, because I don't know how many people received these emails, or if they are even still being sent. At least the page is gone. Does it help to check the box that only allows changes from my IP address?

edit: I don't use any of the programs available. I made my site in Dreamweaver and upload it directly to the server since my "put" button doesn't work.

How do I know if the box was compromised? What is the box? I suppose I'll try to figure out how to complain to startlogic. Sometimes computers are not my friend.
By the box, I mean the physical server that is hosting your site (as well as other people's sites if you're on a shared hosting plan). There's not really any way for you to know, but you should still report the incident to startlogic so they can check their logs and close up any potential security problems on the server. I would also recommend changing every password you have for startlogic, including e-mail and FTP (use different passwords for each). Make sure they can't be found in a dictionary and use letters and numbers (and maybe a few symbols). If you're not already, you should also be sure that you're using a firewall and anti-virus product (something like Norton Internet Security has both), to cover the off chance that your computer was hacked and that's how they got your password.

I'd recommend against checking the "only from this IP" box simply because if you're on dial-up, cable, or some DSL systems, your IP likely changes every so often.

I would probably submit a ticket to startlogic's technical support (if for no other reason than to allow them to check their logs and see if they can prevent it from happening again):
http://support.startlogic.com/index.php?_m=tickets&_a=submit
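One concrete thing a site owner in this situation can do beyond changing passwords, as an added example that is not any poster's code: hash the local Dreamweaver copy of the site and compare it against a fresh download of the server's web root, so any file someone else added or altered stands out instead of having to be spotted by eye. The directory layout, file names and contents below are constructed sample data; `manifest` and `diff_manifests` are hypothetical helper names.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Return {relative_path: sha256 hex digest} for every file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                entries[rel] = hashlib.sha256(fh.read()).hexdigest()
    return entries

def diff_manifests(baseline, current):
    """Compare the trusted local copy (baseline) with what is on the server (current).

    'added' is the list to look at first: files on the server that the owner never uploaded.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def write_files(root, files):
    """Constructed sample data: create files under root from a {path: content} dict."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

def demo():
    """Build a constructed local copy and a constructed server copy, then diff them."""
    with tempfile.TemporaryDirectory() as local, tempfile.TemporaryDirectory() as server:
        site = {"index.html": "<h1>Geckos</h1>", "care/leopard.html": "<p>Care sheet</p>"}
        write_files(local, site)
        tampered = dict(site)
        tampered["index.html"] = "<h1>Geckos</h1><!-- altered -->"  # changed on the server
        tampered["unexpected.html"] = "<p>not ours</p>"              # added by someone else
        del tampered["care/leopard.html"]                            # missing from the server
        write_files(server, tampered)
        return diff_manifests(manifest(local), manifest(server))

if __name__ == "__main__":
    print(demo())
```

In real use, point `manifest` at the local Dreamweaver site folder and at a directory you downloaded from the server over FTP, and keep the local manifest as a baseline to re-run the comparison after each upload.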
 
