[vox-tech] my site was hacked

Gandalf Parker gandalf at any1can.net
Mon Jan 25 21:32:12 PST 2010


I've worked as admin for ISPs. And one of those was owned by a law firm.
I will take a stab at this.

On Mon, 25 Jan 2010, Hai Yi wrote:
> The website hasn't been restored yet, even though I wrote an urgent email to
> the support of my ISP, lunarpages.com, no response after 24 hours
> except for an automatic email. This host used to be a good one,
> responding to the requests in time and to the point; however it's
> becoming a disappointment in recent years, I think it's time for me to
> move my business elsewhere.

Hacks happen. The defenses for hacks are developed and distributed after 
hacks occur. One event by itself is not a good reason to move. In fact, 
it's rather like a lightning strike. The fact that they got a wakeup call 
means that moving to one that is still asleep could be a bad move.

On the other hand, this is a simple attack with a simple fix. From the 
sound of it I would expect that every index.htm, index.html, main.html, 
home.html and a long list of other main pages were simply overwritten with 
the signature webpage for bragging rights. A simple script should be able 
to go to the backups and restore every modified page. Any ISP that is slow 
on this might be worth moving away from.
I'd recommend Sonic.net

> Anyway, I hope someone here can help me with a few questions: does the
> ISP bear responsibility for such a security breach?

Yes and no. You copied your pages to their server. Your alternative was 
doing your own. They would only have to show reasonable effort. But they 
can be sued for loss of business if you can show the amount prior and 
after.

> My homepage is replaced by the hacker's page of some crap, is that the
> best he can do? What kind of attack is it? Are they able to access my
> data? I checked that my files are still there, but not sure if the
> hacker has made a copy.

They got into someone's account. That account could be highly compromised 
but it's unlikely they bothered looking through everyone's stuff on the server. 
Once they plant their flag (the replaced index pages) they usually delete 
every trace they can behind them and leave. The account they got into 
might have lost everything in their directories in the cleanup/escape.

Do you have a copy of the webpage on your machine? You really should no 
matter what ISP you go to. Just upload the page back to your account.

DISCLAIMER: these are of course my own opinions of what I would do if this 
was me. The "safe and appropriate" instructions would be much harsher. 
Usually something like delete everything, reformat, start over.

Gandalf Parker
-- 
Saying your system is secure should be considered the same as saying
your food is too hot. It's a temporary condition which is going away even
as you speak.
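The "simple script" the reply above describes, written out as an added example that is not part of the original thread and not anything the ISP or list members posted: it walks a known-good backup of the site tree, restores every page that no longer matches the backup, keeps the defaced copies for the incident record, and lists live files that have no backup counterpart so they can be reviewed rather than silently left in place. The directory layout and sample pages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Restores every web page that
# differs from its backup copy, preserves the modified versions as *.defaced,
# and reports files that exist only in the live tree. BACKUP/LIVE paths and
# the sample files further down are constructed for this demo.

# restore_modified BACKUP LIVE RESTORED_LOG EXTRA_LOG
restore_modified() {
  backup="$1"; live="$2"; restored="$3"; extra="$4"
  : > "$restored"; : > "$extra"

  # Every file in the backup tree is the authoritative version.
  find "$backup" -type f | while read -r src; do
    rel="${src#"$backup"/}"
    dst="$live/$rel"
    if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
      # Keep the modified copy before overwriting it.
      [ -f "$dst" ] && cp -p "$dst" "$dst.defaced"
      mkdir -p "$(dirname "$dst")"
      cp -p "$src" "$dst"
      echo "$rel" >> "$restored"
    fi
  done

  # Files present only in the live tree were not put there by the owner;
  # list them for review instead of deleting them blindly.
  find "$live" -type f ! -name '*.defaced' | while read -r f; do
    rel="${f#"$live"/}"
    [ -f "$backup/$rel" ] || echo "$rel" >> "$extra"
  done
}

# --- constructed demo fixture: a backup tree and a defaced document root ---
work=$(mktemp -d)
BACKUP="$work/backup"; LIVE="$work/htdocs"
mkdir -p "$BACKUP/about" "$LIVE/about" "$LIVE/uploads"
printf 'Welcome\n'      > "$BACKUP/index.html"
printf 'Front page\n'   > "$BACKUP/main.html"
printf 'About us\n'     > "$BACKUP/about/index.html"
printf 'Owned by xyz\n' > "$LIVE/index.html"        # overwritten by the defacer
printf 'About us\n'     > "$LIVE/about/index.html"  # untouched
printf 'dropped file\n' > "$LIVE/uploads/x.php"     # not in backup: review it
# main.html is missing from the live tree entirely

restore_modified "$BACKUP" "$LIVE" "$work/restored.txt" "$work/extra.txt"
echo "restored:"; cat "$work/restored.txt"
echo "only in live tree:"; cat "$work/extra.txt"
```

Run it as root or as the account owner on the host; the only requirement beyond POSIX sh is `cmp`. Keeping the `.defaced` copies matters because they are the evidence of what was changed, and the extra-files list is where an attacker's own additions (if any) would show up.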