Hack Question

New Member Joined: Jul 20, 2006 Posts: 7

Here again asking more questions... Embarassed

We now have an issue with the site we were dev'ing (btw, this is a volunteer job on our part, not something we are currently being paid to do). Any time anyone tries to access the site, be it the PHP portion or the current Splash page, a window pops up with "Enter username and password for 'backup' at 'http://our site url.com'" and has a place to enter a username or password. The site went down late last night. My husband did say before this happened there was a flooding attempt in requests for login accounts.

My question is, is this log-in and password for the back up an automated response from our server with the hosting company we go through, or does this mean somebody completely hi-jacked the account to the site? My husband upon logging into the FTP can see all the files are still there, nothing has been deleted. How do we go about rectifying this? Shocked

registered · Posted: Sat Jul 29, 2006 1:59 pm

I would ask your host if this is somehow their doing and I would also check to make sure someone has not hacked any of the files / directories that you are accessing. Sounds "fishy" to me, but I am not a hack expert.

Is it possible that one of you or your other teammates password protected the directory?

Posted: Sat Jul 29, 2006 2:32 pm

we seem to have figured out what happened. My husband said they flooded and crashed the database, then flooded and crashed the actual site, then brute forced their way into the FTP login and inserted an XML file (might be mistaken on the type of file there, I'm going off of memory of what he told me, and I'm not the best at knowing the difference between script and file types). Unfortunately the FTP log-in was also our hosting account log-in, so they did gain access to that as well. We've gotten the site back though, passwords are being changed across the board, and we'll be stepping up security. The hosting company that we re-sell for have the IP of the person that did it, and will be investigating, but because of liability issues can not release the information to us Mad

So i guess we'll see. Meanwhile I've asked him to check which version of Sentinel we have, and the group we are doing this for has said whatever software needs to be acquired or bought to secure this thing, just to do it. So, I'll also be looking through this site to see what's up for sale. If anyone has suggestions they would be most welcome, and thank you for taking the time to respond.

Square1

Posted: Sat Jul 29, 2006 2:35 pm

Well, nothing really for sale here on this site. This site is strictly kept "alive" through voluntary contributions of the community. There is no product to buy. This is all Open Source.

Hope you find what you are looking for.

Posted: Sat Jul 29, 2006 8:41 pm

If I may, I have never seen where an ip cannot be released due to liability, otherwise Sentinel couldnt list the ips of people who visit your site.

As for the brute force.

There are measures that can be taken from the server level to stop those, being able to brute force a sites ftp is about the same difficulty in being able to brute force the roots ftp.

I'd really sudjest that you find a more complete host with the correct security setup. Once dealing with floods(more likely ddos attacks), brute forcing and cpanel issues, You'll see how well a server CAN be setup to stop those but at the site level you are virtually helpless(to a point).