Mike Posted August 22, 2007 Check this out.. http://www.snowskool.co.uk/ It's kind of a friend of a friend who it happened to; he was setting up a web site selling gap year holidays for students.. launched yesterday and hacked today. I'm not sure who he used to build and host the site, but it looks to me like PHP/MySQL and they've not changed any default passwords, hidden any error messages or denied root access.... nice! So basically he has access to the pages via a CMS system, and he can't get into it because they've changed the password... classic stuff. His web developer and hoster is in the US at the minute, so he won't be able to get anything done for a bit... Am I right in thinking there is nothing I can do for the bloke? Can anyone see anything on the page? Cheers
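The post above lists three of the classic PHP/MySQL failings (string-built queries that allow SQL injection, database errors shown to the visitor, and the web app connecting as root). The following is an added example, not code from the thread or from Joomla: it models the injectable login and search queries in Python on an in-memory SQLite table, because the real schema and PHP source are not on the page. The table layout, the user names and passwords, and the `display_errors` switch are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a CMS user table and an article table.
    The real Joomla schema is not on the page; this is illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
                     [("admin", "s3cret", 1), ("editor", "letmein", 0)])
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles (title) VALUES (?)",
                     [("Gap year in Chamonix",), ("Ski season jobs",)])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the pattern behind classic PHP
    SQL injection. Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: user input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Injectable article search. A UNION payload in `term` reads any table the
    DB account can see; with the app connected as root, that is every table."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, term):
    """Parameterised search; the LIKE wildcards are added to the bound value."""
    rows = conn.execute("SELECT title FROM articles WHERE title LIKE ?",
                        ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]


def run_search(conn, term, display_errors):
    """Models the PHP display_errors setting the post mentions: with it on, the
    raw database error (which confirms the injection point and often leaks the
    query) reaches the visitor; with it off, only a generic message does."""
    try:
        return search_vulnerable(conn, term)
    except sqlite3.Error as exc:
        return "DB error: %s" % exc if display_errors else "Search failed"


if __name__ == "__main__":
    db = make_db()
    # Auth bypass: password field closes the quote and adds OR '1'='1'.
    print(login_vulnerable(db, "admin", "x' OR '1'='1"))      # admin
    print(login_safe(db, "admin", "x' OR '1'='1"))            # None
    # Data extraction: UNION pulls the users table through the search box.
    print(search_vulnerable(db, "zzz' UNION SELECT username || ':' || password FROM users --"))
    print(run_search(db, "'", True))                          # error text leaks
    print(run_search(db, "'", False))                         # generic message
```

The two fixes are independent: binding parameters closes the injection regardless of what the error page shows, and turning `display_errors` off hides the confirmation an attacker uses to find the hole but does not close it. A third, which the post also hints at, is a dedicated MySQL account granted only the CMS's own tables, so a successful injection cannot read other sites' databases on the same server.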
Lewis Posted August 22, 2007 SQL injection. It's my bag if you want me to look at it for your mate.
Mike (Author) Posted August 22, 2007 Quoting Lewis: "SQL injection. It's my bag if you want me to look at it for your mate." I can't give you *anything* (in terms of passwords etc.), but if there is something you can do with the web layer, or something you can tell me to pass on, I would be very grateful.
Mike (Author) Posted August 22, 2007 Lewis - the guy is (obviously) looking for a new partner to work with; he has content and designs, but is obviously lacking a secure hosting solution.... would you mind if I pass on your details?
Lewis Posted August 22, 2007 Quoting Mike: "I can't give you *anything* (in terms of passwords etc.), but if there is something you can do with the web layer, or something you can tell me to pass on, I would be very grateful." TBH, without even an FTP password it's pretty much impossible without a lot of luck and knowing the exact CMS version (which I might then be able to use to exploit the same hole(s) the attacker did). Feel free to pass my details on; I tend to only deal with business accounts including development now, but at the very least I can advise him.
Mike (Author) Posted August 22, 2007 That would be great, thanks mate - I'll pass them on. It's actually good to hear that there isn't a lot I can do!
Lewis Posted August 22, 2007 OK, I can see he was using Joomla on a Windows box. I would need the exact version; does he have a DB backup I can use?
Lewis Posted August 22, 2007 It looks like they have actually removed (or moved) files, which is possible under Joomla itself, but it also means they may have actually accessed his account by control panel or FTP. Is he SURE they have changed his FTP passwords? If they have, then he will need root access (admin on Windows) or another account with access to his root directory to remove them. Does he know of other sites hosted on that box? They may be compromised too now.
Lewis Posted August 22, 2007 I'm pretty sure it was SQL injection and that therefore other sites on that box are fine: http://www.google.co.uk/search?client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&channel=s&hl=en&q=site%3Awww.snowskool.co.uk&meta=&btnG=Google+Search All DB entries have been pre-populated using standard text, so long as he has a backup it shouldn't be hard to rectify. I would therefore suggest it is just his Joomla password which won't work anymore - FTP should be fine!
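The two posts above turn on one question: did the attacker only write to the database (injection, so the other sites on the box are probably untouched), or did they get at the filesystem through FTP or the control panel (files removed or moved, other accounts suspect)? The quickest way to settle it is to hash the live webroot and compare it with the backup. The following is an added example, not code from the thread: it builds a SHA-256 manifest of a directory tree and diffs it against a known-good one. The webroot layout, file contents and the "after intrusion" changes in `demo()` are constructed for illustration and stand in for a real Joomla install and its backup.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separated)
    to its SHA-256 hex digest. Reads in chunks so large uploads are fine."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_manifests(baseline, current):
    """Compare a known-good manifest (the backup) with the live one.
    Any entry in 'added' or 'modified' that is a script means the attacker
    could write to disk, i.e. more than a database-only injection."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "removed": sorted(base_keys - cur_keys),
        "added": sorted(cur_keys - base_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def filesystem_access_suspected(diff, script_suffixes=(".php", ".asp", ".aspx")):
    """Heuristic used in the thread's reasoning: an added or changed server-side
    script cannot come from a DB-only compromise of a stock CMS."""
    return any(p.lower().endswith(script_suffixes)
               for p in diff["added"] + diff["modified"])


def write_files(root, files):
    """Helper to lay out a constructed tree on disk."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario (not the real site): a backup of a small webroot
    and the live copy after an intrusion that altered a template, dropped a
    PHP shell into the uploads directory and deleted an image."""
    backup = {
        "index.php": b"<?php echo 'home'; ?>",
        "templates/main/index.php": b"<?php echo 'template'; ?>",
        "images/logo.png": b"\x89PNG\r\n\x1a\nconstructed",
    }
    live = dict(backup)
    live["templates/main/index.php"] = b"<?php echo 'defaced'; ?>"
    live["uploads/shell.php"] = b"<?php eval($_POST['x']); ?>"
    del live["images/logo.png"]
    with tempfile.TemporaryDirectory() as bdir, tempfile.TemporaryDirectory() as ldir:
        write_files(bdir, backup)
        write_files(ldir, live)
        return diff_manifests(hash_tree(bdir), hash_tree(ldir))


if __name__ == "__main__":
    d = demo()
    for kind in ("removed", "added", "modified"):
        print(kind, d[kind])
    print("filesystem access suspected:", filesystem_access_suspected(d))
```

An empty diff with a defaced database is consistent with Lewis's reading (injection only, restore the DB from backup and change the Joomla password). Anything in `added` or `modified` ending in `.php` means the attacker wrote to disk, so the FTP and panel credentials should be treated as burned and the other accounts on that box checked the same way. Either way, restoring from backup puts the site back but does not close the hole that let them in.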
michael Posted August 22, 2007 Turkish people continue to annoy me.
Havard Posted August 22, 2007 Quoting michael: "Turkish people continue to annoy me." How have they annoyed you in the past Michael?? H.
Lewis Posted August 22, 2007 Quoting Havard: "How have they annoyed you in the past Michael?? H." Everyone annoys him, he just made the comment apt to this situation.... it doesn't mean he is no longer annoyed by everyone else!
DamanC Posted August 22, 2007 Quoting Havard: "How have they annoyed you in the past Michael?? H." Kebab standards are dropping
Konrad Posted August 22, 2007 Quoting Havard: "How have they annoyed you in the past Michael?? H." Visit Berlin, you will know
Mike (Author) Posted August 22, 2007 Quoting Lewis: "It looks like they have actually removed (or moved) files, which is possible under Joomla itself, but it also means they may have actually accessed his account by control panel or FTP. Is he SURE they have changed his FTP passwords? If they have, then he will need root access (admin on Windows) or another account with access to his root directory to remove them. Does he know of other sites hosted on that box? They may be compromised too now." He's not the most technical of guys, and he's not even sure what CMS he's using....!? I think he's put a lot of trust in this US based developer/hosting guy, which is a shame.. hopefully the guy will surface and sort it out. As to how many other sites are on that box, I have no clue - he didn't even know which ISP it's with?! It's probably hosted out of the developer's bedroom for all I know!
michael Posted August 22, 2007 Quoting Havard: "How have they annoyed you in the past Michael??" Armenia, Northern Cyprus, friend driven mad in relationship with Turkish news reporter, football violence, terrorism... they just seem like an angry bunch. Shame really as the country looks quite worthy of a visit.
Lewis Posted August 22, 2007 Quoting Mike: "He's not the most technical of guys, and he's not even sure what CMS he's using....!? I think he's put a lot of trust in this US based developer/hosting guy, which is a shame.. hopefully the guy will surface and sort it out. As to how many other sites are on that box, I have no clue - he didn't even know which ISP it's with?! It's probably hosted out of the developer's bedroom for all I know!" No probs:
CMS: Joomla http://www.joomla.org/
Domain purchased through: Pipex (Nominet registry)
DNS provided by: realnameservers.com
IP: 83.245.63.97
Hostname: krypton.lon.periodicnetwork.com
Either hosted by or services provided by: https://www.redfoxuk.com/
Could easily be a reseller though. Does he have any contact details for the guy you can provide me with? Worth knowing exactly who is hosting it.
Mike (Author) Posted August 22, 2007 That's really useful, thanks for that. I will find out who the hosting was with... I'd be interested to know, so I don't use them in the future!