[vox-tech] my site was hacked

Hai Yi yihai2004 at gmail.com
Tue Jan 26 04:31:15 PST 2010


Gandalf: Thank you for the detailed explanation, I'll read it again.
I checked my pages; only index.html was replaced. What really upset me
is that now it's 48 hours after I sent the request to the ISP, still
no response; I can understand now hacking does happen and I can fix
the problem myself, but their services disappoint me.

On Tue, Jan 26, 2010 at 12:32 AM, Gandalf  Parker <gandalf at any1can.net> wrote:
>
> I've worked as admin for ISPs. And one of those was owned by a law firm.
> I will take a stab at this.
>
> On Mon, 25 Jan 2010, Hai Yi wrote:
>> The website hasn't been restored yet, even though I wrote an urgent email to
>> the support of my ISP, lunarpages.com, no response after 24 hours
>> except for an automatic email. This host used to be a good one,
>> responding to the requests in time and to the point; however it's
>> becoming a disappointment in recent years, I think it's time for me to
>> move my business elsewhere.
>
> Hacks happen. The defenses for hacks are developed and distributed after
> hacks occur. One event by itself is not a good reason to move. In fact,
> it's rather like a lightning strike. The fact that they got a wake-up call
> means that moving to one that is still asleep could be a bad move.
>
> On the other hand, this is a simple attack with a simple fix. From the
> sound of it I would expect that every index.htm, index.html, main.html,
> home.html and a long list of other main pages were simply overwritten with
> the signature webpage for bragging rights. A simple script should be able
> to go to the backups and restore every modified page. Any ISP that is slow
> on this might be worth moving away from.
> I'd recommend Sonic.net
>
>> Anyway, I hope someone here can help me with a few questions: does the
>> ISP bear responsibility for such a security breach?
>
> Yes and no. You copied your pages to their server. Your alternative was
> doing your own. They would only have to show reasonable effort. But they
> can be sued for loss of business if you can show the amount prior and
> after.
>
>> My homepage is replaced by the hacker's page of some crap, is that the
>> best he can do? What kind of attack is it? Are they able to access my
>> data? I checked that my files are still there, but not sure if the
>> hacker has made a copy.
>
> They got into someone's account. That account could be highly compromised
> but it's unlikely they bothered looking through everyone's stuff on the server.
> Once they plant their flag (the replaced index pages) they usually delete
> every trace they can behind them and leave. The account they got into
> might have lost everything in their directories in the cleanup/escape.
>
> Do you have a copy of the webpage on your machine? You really should no
> matter what ISP you go to. Just upload the page back to your account.
>
> DISCLAIMER: these are of course my own opinions of what I would do if this
> was me. The "safe and appropriate" instructions would be much harsher.
> Usually something like delete everything, reformat, start over.
>
> Gandalf  Parker
> --
> Saying your system is secure should be considered the same as saying
> your food is too hot. It's a temporary condition which is going away even
> as you speak.
>

