I just found that my website www.247nigeria.com has been hacked!

What can I do to get rid of this hacker?

Contact your web host.

This is very funny. Contact you host right and before it is too late.

I have contacted my host Smartweb, but I am yet to get a reply.
But my webmaster said he is investigating it.

What investigation will take 8 hours to go through before getting the site back to normal?

Download all site content to a local drive and do any analysis you want.

Delete all site content (except the cgi_bin folder and .httaccess file), remove any suspicious line in the httaccess file and check the cgi_bin folder for any suspicious files.

Check database for any suspicios database and database users

Change all logins.

Reupload a fresh copy of your site.

So your visitors can see your site when they visit while you and others concerned do any investigation.

This is how to do damage control, not to sit back and investigate while your gateway to the entire cyber community is welcoming them with a hackers page.

For your investigations, ask your host to check their apache logs for your account to see what files were created or modified in recent times.

No one should register with smartwebng. They are only to collect money and not fix problems for customers when need be.

Forget about getting replies maybe you will get one 3 days later.


FYI. When you are working with web applications. You should have a setup like this.

1. Setup subversion system on your computer
2. Develop on your computer locally. wampserver easy to setup.
3. Upload finished product.
4. If your database gets regular updates your can setup a cron job to be backing up your db
5. Use google analytics it will definitely help if you know how to read the stats.


So if your site gets hacked you can delete, upload a new copy, review your last backup for anything suspicious, upload if satisfied and everyone is happy like nothing happened.

But of course you dont have direct access to mysql db with smartweb, you cant do remote connections and phpmy admin is not working except you run php scripts to dump your database into mysql.

I do not plan to do any database stuff with smartwebng. I will be moving my content off. My main goal of getting a service with them immediately was because myname.com was available and I had to get it fast. So now I can go back to my former host company when I wish and setup a proper system.

Smartwebng will tell you not to email that you already have an opened ticket. you try to use their ticketing system but it doesnt work it is broken so you send an email and they reply saying stop opening new tickets. lol

I understand the type of structure smartwebng has so thats their wahala.

Well to be quite frank i think the person who manages the website will be more concerned about virus than the host after all smartwebng is just a reseller.but i find it odd about hackers gaining access to your site, i was under the impression that sensitive files the Apache directives .htaccess should be given only a read permission and also enabling URL Rewrite engine on your server. any way your host should also treat the issue as soon as possible it can happen to anyone it happened to PUNCH before when we were managing their site, it's nothing new

pc guru:

Well to be quite frank i think the person who manages the website will be more concerned about virus than the host after all smartwebng is just a reseller.but i find it odd about hackers gaining access to your site, i was under the impression that sensitive files the Apache directives .htaccess should be given only a read permission and also enabling URL Rewrite engine on your server. any way your host should also treat the issue as soon as possible it can happen to anyone it happened to PUNCH before when we were managing their site, it's nothing new

You say you find it odd hackers gaining access to their site and yet in another line, you concede that it can happen to anyone even Punch.

So what gives?

Well i said anyone could get Hacked but its rare if Much Security measures are made as for Punch, it was a simple SQL Injection nothing major

Thank you for your help.

The webmaster and Smartweb responded over the weekend and the site is back online.

I've restored the site from backups taken on September 8th. I've checked and it seem to be online at this time. Unfortunately, the logs for the time of the compromise appear to have rotated off of the server already. It appears that these sites is been compromised via vulnerabilities in the scripts however. I've enabled extended logging on these sites, if there is any recurrence we should have better evidence as to what exactly happened. I apologize for the inconvenience.
Best regards,
Murtala M
Level 2 support administrator
SmartWeb Nig Ltd
smartwebng.com

But I will forward your solutions to them.

glad to know your site is back online. Logs 'rotating off of the server' beats my comprehension. I thought logs were there to serve as logs for history purposes, how then can a log with a unique timestamp be overwritten or 'rotated'? Well what do i know?

OMG, and this people call themselves "Competent".
This is the DUMBEST thing I have heard in years. Yea there is no guarantee of avoiding "hackers", but servers would at least have a way of preserving logs, and maybe it was an insider job.

Come to think of it, if someone can gain access to their server logs, that means they are not worth being resellers or hosts, Naija for Life. Funny things happen in funny places.

Now they've lost over 100 people here, and on Fb, as its going 2 go on status updates. Lol Social networking in action.

Probably a Wordpress Vulnerability.

Dual Core:

glad to know your site is back online. Logs 'rotating off of the server' beats my comprehension. I thought logs were there to serve as logs for history purposes, how then can a log with a unique timestamp be overwritten or 'rotated'? Well what do i know?

What if they have a way of discarding log files after a certain period? Some log files can grow quite large especially news sites and cms based sites.

Though 'rotating off the server' may sound outlandish but there is some rotating done.

Instead of rotating off the server, he should have just said, the log files were deleted or moved. But its not entirely strange for people to periodically delete log files to conserve space and memory.

brother we are taliking about a matter of days here not even up to a week. it makes no sense in my opinion.

Dual Core:

brother we are taliking about a matter of days here not even up to a week. it makes no sense in my opinion.

+1.

Logs are meant to be kept over time esp. if the need for forensics arise but what if the log was actually cleaned lets say by the hac.ker?

Slyr0x:

but what if the log was actually cleaned lets say by the hac.ker?

Then they should say so in plain English and stop churning up technical terms into a professional lie that the client wont even bother arguing over cuz he/she doesnt understand a thing.

Dual Core:

Then they should say so in plain English and stop churning up technical terms into a professional lie that the client wont even bother arguing over cuz he/she doesnt understand a thing.

U sure aint expecting a Web Hosting Company telling her clients 'Our Security Sucks plus our logs got rm -rfed' now dyu?. The 'professional lie' is what keeps 'em in business.

Hello Guys,
My name is Murtala M my nick name is ibtihaj, i work with smartwebng.com and i am a Linux Certified Network Administrator which i know much about sever and hacking issues.
I am the one that handle the hacking Issue of www.247nigeria.com which i reply him with the quote he posted in this forum, i saw the comments that some members posted in this forum which i decided to post this knowledge on hacking and how to prevent it.

I talk about (the logs for the time of the compromise appear to have rotated off of the server already) what i mean with this is that the hacker clean up the logs after he has uploaded his index since he has access to the site, 90% of hackers clean up the logs after they finish what they wan to do.

I want you to understand that any website in the world can be hacked but that does not mean you will not put all the necessary security in your server.

Some of popular websites that we know are being hacked eg:

Google.com is hacked you can read the article here: http://www.nydailynews.com/news/world/2010/01/14/2010-01-14_security_experts_china_hacked_google_to_steal_us_defense_secrets.html

Facebook.com is hacked the link is here: http://thecurrentaffairs.com/facebook-hacked-by-turkishbbc-facebook-lossfacebook-page-hacked-by-turkish-muslimfacebook-drawn-muhammad-s-w-a-day.html

FBI is been Hacked the link is here: http://www.infoworld.com/d/security-central/fbi-gets-hacked-video-blogger-sacked-411

My main reason of posting this is to tell the public how they can prevent their website from Hacking.

How can I prevent hacking?

1. The most important thing to do is keep your passwords a secret. If you must give a password to someone, be sure to change it when they are done using the access. Don't write your passwords down or share them with too many people. Periodically change your passwords. You can find more by searching "How can I make a stronger password?"

2. Along the same idea, you need to make sure your personal computer does not have viruses, trojans, keyloggers, etc.

3. Keep your scripts and downloaded programs updated. Always upgrade to the latest version of your blog, forum, shopping cart, etc.

4. Do not have writable file permissions. The correct permissions are normally 755 or 644, and you can check these in your File Manager. Most users know to avoid 777 permissions, but you really want to avoid any permission settings which allow Group and World writing. (That's anything ending in 7, 6, 3, or 2. The first number can be one of these, but not either of the last two numbers.)

That's all for now
Thank you all for contributing in this topic
Murtala M
Level 2 support administrator
SmartWeb Nig Ltd
smartwebng.com

Interesting.

ibtihaj:

I talk about (the logs for the time of the compromise appear to have rotated off of the server already) what i mean with this is that the hacker clean up the logs after he has uploaded his index since he has access to the site, 90% of hackers clean up the logs after they finish what they wan to do.

iGuessed as much. Dyu mean access to the site or r00t[at]your server?

If nairaland was full of post as this, we all will be better after one hour in nairaland. That is a good move smartweb. I hope Murtala you had company permission to submit this post you did. You are doing the right thing but could get in company trouble for doing it. That said, i am impressed.

Nice move by SmartWeb,

ibtihaj:

Hello Guys,
My name is Murtala M my nick name is ibtihaj, i work with smartwebng.com and i am a Linux Certified Network Administrator which i know much about sever and hacking issues.
I am the one that handle the hacking Issue of www.247nigeria.com which i reply him with the quote he posted in this forum, i saw the comments that some members posted in this forum which i decided to post this knowledge on hacking and how to prevent it.

I talk about (the logs for the time of the compromise appear to have rotated off of the server already) what i mean with this is that the hacker clean up the logs after he has uploaded his index since he has access to the site, 90% of hackers clean up the logs after they finish what they wan to do.

I want you to understand that any website in the world can be hacked but that does not mean you will not put all the necessary security in your server.

Some of popular websites that we know are being hacked eg:

Google.com is hacked you can read the article here: http://www.nydailynews.com/news/world/2010/01/14/2010-01-14_security_experts_china_hacked_google_to_steal_us_defense_secrets.html

Facebook.com is hacked the link is here: http://thecurrentaffairs.com/facebook-hacked-by-turkishbbc-facebook-lossfacebook-page-hacked-by-turkish-muslimfacebook-drawn-muhammad-s-w-a-day.html

FBI is been Hacked the link is here: http://www.infoworld.com/d/security-central/fbi-gets-hacked-video-blogger-sacked-411

My main reason of posting this is to tell the public how they can prevent their website from Hacking.

How can I prevent hacking?

1. The most important thing to do is keep your passwords a secret. If you must give a password to someone, be sure to change it when they are done using the access. Don't write your passwords down or share them with too many people. Periodically change your passwords. You can find more by searching "How can I make a stronger password?"

2. Along the same idea, you need to make sure your personal computer does not have viruses, trojans, keyloggers, etc.

3. Keep your scripts and downloaded programs updated. Always upgrade to the latest version of your blog, forum, shopping cart, etc.

4. Do not have writable file permissions. The correct permissions are normally 755 or 644, and you can check these in your File Manager. Most users know to avoid 777 permissions, but you really want to avoid any permission settings which allow Group and World writing. (That's anything ending in 7, 6, 3, or 2. The first number can be one of these, but not either of the last two numbers.)

That's all for now
Thank you all for contributing in this topic
Murtala M
Level 2 support administrator
SmartWeb Nig Ltd
smartwebng.com

LEVEL 2 SUPPORT ADMIN MY FOOT! WHY SHOULD YOU PEOPLE WHO CALL YOURSELVES WEB HOSTING ALLOW SOMEONE'S SITE TO BE HACKED? YOUR HOSTING SERVICES ARE POOR AND WHEN SOMEONE HOSTS A SITE WITH YOU PEOPLE, IT DOES NOT SHOW ON THE WEB. YOU AND ALL OF YOU WHO WORK IN SMARTWEB SHOULD BE ASHAMED OF YOURSELVES FOR CRYING OUT LOUD. I PAID FOR TWO DOMAINS AND ALL I EXPERIENCE AFTER THAT IS PROBLEMS HERE AND THERE. ALL YOU DO IS COLLECT 2K FROM PEOPLE, POCKET IT AND SIT YOUR STUPID AR$ES IN THAT YOUR BAUCHI ROAD OFFICE IN JOS DOING NOTHING TO HELP YOUR CLIENTS, AND YOU COME HERE TO CALL URSELF LEVEL 2 ADMINISTRATOR! NONSENSE! SHAME! SHAME!! SHAMEEEEEEEEEEEEEEEEEEEEEE ON SMARTWEB!!!!!!!!!!!!!

Decryptor:

[b]LEVEL 2 SUPPORT ADMIN MY FOOT! WHY SHOULD YOU PEOPLE WHO CALL YOURSELVES WEB HOSTING ALLOW SOMEONE'S SITE TO BE HACKED? YOUR HOSTING SERVICES ARE POOR AND WHEN SOMEONE HOSTS A SITE WITH YOU PEOPLE, IT DOES NOT SHOW ON THE WEB. YOU AND ALL OF YOU WHO WORK IN SMARTWEB SHOULD BE ASHAMED OF YOURSELVES FOR CRYING OUT LOUD.I PAID FOR TWO DOMAINS AND ALL I EXPERIENCE AFTER THAT IS PROBLEMS HERE AND THERE. ALL YOU DO IS COLLECT 2K FROM PEOPLE, POCKET IT AND SIT YOUR silly AR$ES IN THAT YOUR BAUCHI ROAD OFFICE IN JOS DOING NOTHING TO HELP YOUR CLIENTS, AND YOU COME HERE TO CALL URSELF LEVEL 2 ADMINISTRATOR! NONSENSE! SHAME! SHAME!! SHAMEEEEEEEEEEEEEEEEEEEEEE ON SMARTWEB!!!!!!!!!!!!![/b]

First off,To address your first line, Big sites get hacked. Facebook, Twitter, websites of top government agencies in the western world etc. Yes, web hosts should do all they can to protect clients sites but these things happen and some times, its due to a clients own insecure usage.

On the other hand, you said they just collect 2k from people and pocket it and dont offer commensurate service. If thats the amount you pay for your web hosting per annum, then maybe you get what you pay for really.

The Red flag for me was how long it took their site to load