Author |
Message |
phiberoptik
New Member


Joined: Oct 10, 2004
Posts: 17
|
Posted:
Sun Oct 10, 2004 12:52 pm |
|
My site http://www.digitalnowhere.com was hacked... how I am not sure.
Yes I was using the same password on my GOD account as my cPanel hosting account.
Yes I contacted the hosting provider and had them change it to something totally different.
I then changed ALL of my passwords on all of my e-mail accounts, instant message, cPanel, etc etc.. All to something different, not all the same password.. but each one a different password with letters and numbers, 8+ characters long.
I woke up this morning, he got into my cPanel again, changed my e-mail passwords, messed with my database etc.
At this moment, I have downloaded the newest ChatServ 7.4 Nuke Patched... Overwrote all the files on my site with those.. and activated the newest Sentinel, I am trying to tweak the sentinel quite a bit, I have the site in offline mode for now, it seems to be safe.. I have enabled the Http Auth on the admin side..
I am trying to fix some of the damage to the site now...
I have some questions if anyone knows.
How could he possibly get my cPanel password after it was changed to something I have NEVER used and not used on anything else?
I also ran some custom modifications in my News Module, I basically custom hacked the WYSG Editor and made it do macros into the news, but in my config.php I had to allow a lot of the HTML tags, would this have anything to do with it?
The guy is using a proxy, and attacking me from 217.172.149.4 which I have blocked at cPanel and Sentinel and their website is http://hvaonline.net/
Also I am looking for a good list of proxy IPs to block, along with some suggestions for Sentinel.
Thanks guys
Phiber0ptik |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sun Oct 10, 2004 12:55 pm |
|
Once he had access to your cPanel then he had either root and/or ftp access. He no doubt has planted a backdoor program into your account. He probably has added his own id/pass possibly. Scour your ftp site for any programs (possibly cgi) that you did not install. |
|
|
|
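One way to carry out the "scour your ftp site" check Raven describes, as an added example that is not part of the original thread: compare the live web root against a clean unpack of the same release and list files that were added or changed. The directory names, file names and the SCRIPT_EXTS list are assumptions, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile

# Extensions a web server may execute (an assumption; adjust to the host's handlers).
SCRIPT_EXTS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}

def fingerprint(path):
    """SHA-256 of a file's contents; symlinks are recorded by target, not followed."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map every file under root (relative path) to its fingerprint."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return found

def audit(clean_root, live_root):
    """Compare the live web root against a clean unpack of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    scripts = [p for p in added if os.path.splitext(p)[1].lower() in SCRIPT_EXTS]
    return {"added": added, "modified": modified, "added_scripts": scripts}

def demo():
    """Constructed sample: two small trees built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            os.makedirs(os.path.join(root, "images"))
            with open(os.path.join(root, "index.php"), "w") as f:
                f.write("<?php /* core file */ ?>")
        with open(os.path.join(live, "index.php"), "a") as f:   # edited core file
            f.write("<!-- changed -->")
        with open(os.path.join(live, "images", "x.cgi"), "w") as f:  # unknown script
            f.write("#!/bin/sh\n")
        return audit(clean, live)

if __name__ == "__main__":
    print(demo())
```

Site-specific files such as config.php and uploaded content will show up as modified or added and need to be reviewed by hand rather than treated as malicious.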
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 12:58 pm |
|
Did that, seems to be totally clean now... Do you happen to know some good settings for all of the filters in Sentinel to add as a default, like the Strings, Request Method, and maybe a good proxy IP list? |
|
|
|
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 12:59 pm |
|
BTW, every time I turn "Block Proxies" ON in the configuration, it turns right off... Any ideas? |
|
|
|
 |
Raven

|
Posted:
Sun Oct 10, 2004 1:08 pm |
|
Can you save any settings at all? Normally that only happens if you haven't got all the tables installed correctly. |
|
|
|
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 1:10 pm |
|
Yep, I can change the other settings and they stick. |
|
|
|
 |
BobMarion
Former Admin in Good Standing

Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
|
Posted:
Sun Oct 10, 2004 1:12 pm |
|
Check your nuke_nsnst_config table for the following two items. In one of the releases of NukeSentinel(tm) one or both were missing, don't remember which it was.
Code:
INSERT INTO nuke_nsnst_config VALUES ('proxy_reason', 'admin_proxy_reason.tpl');
INSERT INTO nuke_nsnst_config VALUES ('proxy_switch', '0');
|
|
_________________ Bob Marion
Codito Ergo Sum
|
|
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 1:14 pm |
|
Getting an error, I even deleted those 2 entries first..
MySQL said:
#1136 - Column count doesn't match value count at row 1 |
|
|
|
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 1:18 pm |
|
Got it working.. I had to kill the config SQL tables, and re-insert them
Do you happen to know some good settings for all of the filters in Sentinel to add as a default, like the Strings, Request Method, and maybe a good proxy IP list? |
|
|
|
 |
BobMarion

|
Posted:
Sun Oct 10, 2004 1:24 pm |
|
|
|
 |
phiberoptik

|
Posted:
Sun Oct 10, 2004 1:26 pm |
|
Ok thanks Bob, 1 last question if anyone knows..
EVERY time I try to turn the Harvester blocking on, I get a 403 Error... Any ideas? |
|
|
|
 |
|