[vox-tech] hacked site

David Spencer, Internet Handyman spencer at pageweavers.com
Tue Jun 21 09:45:43 PDT 2011


Jim, at this point I would consider your website compromised. Just because
you've changed the cPanel password doesn't mean that you've closed the hole
that the intruder used to gain access to your website. I would, at the
earliest possible moment, make a backup of everything and get it offsite
just in case the worst happens.

Next, I would perform an exhaustive survey of your website and determine
what new files have been placed there and if anything has been changed.
Finally, look at your website logs for that IP address (114.79.43.146)
to see what they've been doing. Somewhere in there is the clue as to how
they got into your website.

If it's just a weak FTP password, change it to a stronger one. If it's a
MySQL injection (I don't see evidence of a database on your website but
that doesn't mean there isn't one there) then you'll need to have your
programs fixed.

Regardless, you need to take action immediately to ensure that the intruder
isn't going to get access again. Next time they could be less kind and just
take your website down and/or erase all your content. Hackers coming in
from Asia are an unfortunate reality in the wild west we call the Internet...


-- Dave Spencer, PageWeavers
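The survey Dave describes (what the suspect address did in the access logs, then which files appeared or changed in that window), as an added example that is not from this thread or from either poster: a small Python script over Apache combined-format logs, the format cPanel's raw logs use. The sample log and the addresses in it are constructed; `modified_since` walks a web root and lists files whose modification time falls after the intruder's first request, which is a starting list to compare against a clean backup.

```python
import os
import re
from datetime import datetime

# Apache "combined" access-log format; only the fields the survey needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample (placeholder addresses): one visitor probes the cart, POSTs to it, then fetches a new page.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2011:09:01:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2011:02:13:55 -0700] "GET /cart/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2011:02:14:20 -0700] "POST /cart/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2011:02:15:01 -0700] "GET /images/chase/verify.php HTTP/1.1" 200 9431 "-" "Mozilla/5.0"
""".splitlines()

def parse_log(lines):
    """Parse log lines into dicts with a timezone-aware datetime; unparseable lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            out.append(rec)
    return out

def requests_by_ip(entries, ip):
    """Every (method, path, status) the given address requested, in log order; POSTs are the writes to look at."""
    return [(e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]

def first_contact(entries, ip):
    """Epoch seconds of the address's earliest request, or None if it never appears."""
    times = [e["when"].timestamp() for e in entries if e["ip"] == ip]
    return min(times) if times else None

def modified_since(root, since_epoch):
    """Relative paths under root whose mtime is at or after since_epoch (e.g. the first_contact value)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime >= since_epoch:
                found.append(os.path.relpath(full, root))
    return sorted(found)
```

Run `modified_since("/home/user/public_html", first_contact(parse_log(open(path)), ip))` against the site's raw log to get the candidate file list; mtimes can be reset by an intruder, so a diff against the offsite backup is the authoritative check.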


--- Original Message ---

Some company ( internetidentity.com ) that is contracted by Chase banking 
sent me email saying that my web site was hacked.  I also received a notice 
from Google for a possible phishing web page.  I confirmed this and found 
someone hacked into my web site and placed a phony Chase credit card form 
with all the bells and whistles. I contacted internetidentity via phone and 
was told that they might have used a vulnerability in a shopping cart.  I 
talked to my hosting company and told them what had happened but they 
couldn't tell me when or where the attack came from.

I decided to look at my recent logs using CPanel.  It showed me the latest 
users and who has accessed my web site the most.  I found a url of 
114.79.43.146  that has frequented my web site the most. I usually am the 
one that visits my site the most but not now. I searched for it online and 
found that it is from Jakarta Indonesia.  Could this be because Chase is 
outsourcing some of their work over there?  I know that they do that with 
the Philippines.  Could it also be a possibility that the person(s) that 
hacked my site are in that country?

I also noticed that someone tried to access CPanel from 172.190.126.235 at 
11:40 pm on 6/20/2011, shortly after I changed the password.  Internet 
search shows that this person is using a server ACBE7EEB.ipt.aol.com in 
Kansas.

This intrigues me.  I want to know more.  Has anybody ever had this happen 
to them?  Are these two tied together somehow?  I mean Kansas and Indonesia?

Hope all is well,

Jim George
http://evesautomotive.com 

