Thursday, 24 March 2011

Hacked From 213.5.68.141

So, one of my less important sites got hacked the other day from 213.5.68.141, possibly via an FTP hack. Having looked into this further, it appears I am not alone, as per the following sites' comments:




And there are probably more! I was lucky enough to spot the hack less than 24 hours after it happened. So you may be asking what the hack was and what they did to my site (or, if you're reading this, what they have done to your site). Well, for a start, my .htaccess had been modified with redirects, and in the root of my public_html were two directories, one called "wetsuits" and the other called "kawaski".


Wetsuits – this directory had 530 pages in total, about 20Mb; each link took you to some suspect site that said you had a virus, you know the type I mean. There was also a bravia.php in this folder, similar to the file below.

Kawaski – this had two files, error_log and merge.php, which seems to be some form of script they used to do it, possibly. Each of the files in here contains site content that the script has imported.


According to my server logs they got in via FTP with my master password; my host says they got in via a PHP hack on the site. Strange either way, but my host has now blocked this IP from all its servers.
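The changes described above (a modified .htaccess plus two new directories full of PHP and HTML) are exactly what a baseline-and-compare check of the web root surfaces. The following is an added example and not code from this post: it records a SHA-256 manifest of the web root while it is known-good, diffs a later manifest against it, and raises alerts for new top-level directories, new PHP files and any change to .htaccess. The demo() function simulates the tampering in a throwaway directory using the names from the post (wetsuits/, kawaski/, bravia.php, merge.php); the file contents are constructed placeholders, and the redirect target example.invalid is an assumption.

```python
"""Baseline-and-compare integrity check for a web root (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    os.walk is used rather than glob so that dotfiles such as .htaccess are
    never skipped.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def triage(baseline, diff):
    """Turn a raw diff into the alerts that most often mark a web-root compromise."""
    alerts = []
    baseline_dirs = {p.split("/", 1)[0] for p in baseline if "/" in p}
    new_dirs = sorted({p.split("/", 1)[0] for p in diff["added"] if "/" in p}
                      - baseline_dirs)
    for d in new_dirs:
        count = sum(1 for p in diff["added"] if p.startswith(d + "/"))
        alerts.append(f"new top-level directory {d}/ with {count} file(s)")
    for p in diff["added"]:
        if p.endswith(".php"):
            alerts.append(f"new PHP file {p}")
    for p in diff["modified"] + diff["added"]:
        if p.rsplit("/", 1)[-1] == ".htaccess":
            alerts.append(f".htaccess changed: {p}")
    return alerts


def demo():
    """Build a tiny constructed web root, record a baseline, then simulate the
    tampering described in the post and return (diff, alerts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        baseline = build_manifest(root)

        # Simulated tampering modelled on the post: .htaccess gains a redirect,
        # and two new directories appear with PHP inside. Contents are placeholders.
        (root / ".htaccess").write_text(
            "RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R=302,L]\n")
        (root / "wetsuits").mkdir()
        (root / "wetsuits" / "page1.html").write_text("<html>constructed</html>\n")
        (root / "wetsuits" / "bravia.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "kawaski").mkdir()
        (root / "kawaski" / "merge.php").write_text("<?php /* constructed placeholder */ ?>\n")

        current = build_manifest(root)
        diff = compare_manifests(baseline, current)
        return diff, triage(baseline, diff)


if __name__ == "__main__":
    found_diff, found_alerts = demo()
    for line in found_alerts:
        print(line)
```

In practice the baseline manifest is stored off the server (an attacker with FTP access could otherwise overwrite it alongside the site), and the comparison is run on a schedule so a change is noticed in hours rather than by accident.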


See the images shown; click them to view full screen. Let me know if you have been hacked in this way too.


6 comments:

Anonymous said...

My website (hosted with Cirtex) was also hacked from this IP address very recently. These are the logs - similar to yours, a PHP file was uploaded & something was done to the .htaccess - not sure exactly what they mean though.

Mon Mar 21 05:17:28 2011 0 213.5.68.141 1906 /home/myusername/public_html/coops/bittorent.php a _ i r myusername ftp 1 * c
Mon Mar 21 05:17:32 2011 0 213.5.68.141 17895 /home/myusername/public_html/coops/bittorent.php a _ i r myusername ftp 1 * c
Mon Mar 21 05:17:32 2011 0 213.5.68.141 0 /home/myusername/public_html/.htaccess a _ o r myusername ftp 1 * c
Mon Mar 21 05:17:33 2011 0 213.5.68.141 21277 /home/myusername/public_html/.htaccess a _ i r myusername ftp 1 * c

Is there any point in reporting this to the abuse for their IP?
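The four records quoted in the comment above are in the standard xferlog format that wu-ftpd, ProFTPD and Pure-FTPd write: timestamp, transfer time in seconds, remote host, byte count, path, and then nine fixed flags, of which the direction flag is the one that matters here ("i" is an incoming transfer, i.e. an upload to the server; "o" is a download from it). Read that way, the records show bittorent.php being uploaded twice, the existing .htaccess being downloaded (0 bytes, so it was empty or absent) and a 21277-byte .htaccess being uploaded in its place, all by the account's real username from 213.5.68.141. The parser below is an added example, not code from the post or its commenters; it splits records into fields and flags uploads of PHP files or .htaccess from hosts outside an allow-list. The sample records are the ones from the comment (with its "myusername" placeholder), and the allow-list 192.0.2.0/24 and the analyse() wrapper are assumptions for the demonstration.

```python
"""Parse xferlog FTP transfer records and flag suspicious uploads (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# The four records from the comment above; "myusername" is the commenter's placeholder.
SAMPLE_XFERLOG = """\
Mon Mar 21 05:17:28 2011 0 213.5.68.141 1906 /home/myusername/public_html/coops/bittorent.php a _ i r myusername ftp 1 * c
Mon Mar 21 05:17:32 2011 0 213.5.68.141 17895 /home/myusername/public_html/coops/bittorent.php a _ i r myusername ftp 1 * c
Mon Mar 21 05:17:32 2011 0 213.5.68.141 0 /home/myusername/public_html/.htaccess a _ o r myusername ftp 1 * c
Mon Mar 21 05:17:33 2011 0 213.5.68.141 21277 /home/myusername/public_html/.htaccess a _ i r myusername ftp 1 * c
"""

# xferlog direction flag: i = incoming (upload), o = outgoing (download), d = delete
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}


@dataclass
class Transfer:
    when: datetime
    seconds: int          # wall-clock seconds the transfer took
    remote_host: str      # client address or resolved hostname
    size: int             # bytes transferred
    path: str             # absolute path on the server
    transfer_type: str    # a = ASCII, b = binary
    direction: str        # upload / download / delete
    access_mode: str      # a = anonymous, g = guest, r = real user
    user: str
    service: str
    completed: bool       # completion status c = complete, i = incomplete


def parse_xferlog_line(line):
    """Split one xferlog record into a Transfer.

    The five leading date tokens, the next three numeric/host tokens and the nine
    trailing flags are fixed; the path is everything in between, which keeps a
    path containing spaces intact.
    """
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"not an xferlog record: {line!r}")
    when = datetime.strptime(" ".join(tokens[0:5]), "%a %b %d %H:%M:%S %Y")
    seconds, host, size = int(tokens[5]), tokens[6], int(tokens[7])
    ttype, _flag, direction, mode, user, service, _auth, _authid, status = tokens[-9:]
    path = " ".join(tokens[8:-9])
    return Transfer(when, seconds, host, size, path, ttype,
                    DIRECTION.get(direction, direction), mode, user, service,
                    status == "c")


def is_trusted(host, trusted_networks):
    """True only if host is an IP address inside one of the allow-listed networks.

    A hostname (the FTP daemon may log a reverse-resolved name) is never trusted
    by name, because reverse DNS is under the remote party's control.
    """
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in ip_network(n) for n in trusted_networks)


def flag_suspicious(transfers, trusted_networks=(),
                    watched_suffixes=(".php", ".htaccess")):
    """Return (transfer, reason) pairs for uploads of web-executable or
    configuration files from hosts outside the allow-list."""
    findings = []
    for t in transfers:
        if t.direction != "upload" or is_trusted(t.remote_host, trusted_networks):
            continue
        name = t.path.rsplit("/", 1)[-1]
        if any(name.endswith(s) for s in watched_suffixes):
            findings.append((t, f"{t.user} uploaded {name} ({t.size} bytes) "
                                f"from untrusted host {t.remote_host}"))
    return findings


def analyse(log_text, trusted_networks=("192.0.2.0/24",)):
    """Parse a whole log and return (all transfers, suspicious findings).

    The default allow-list is a constructed placeholder (RFC 5737 range)."""
    transfers = [parse_xferlog_line(l) for l in log_text.splitlines() if l.strip()]
    return transfers, flag_suspicious(transfers, trusted_networks)


if __name__ == "__main__":
    for _transfer, reason in analyse(SAMPLE_XFERLOG)[1]:
        print(reason)
```

Run against the sample, the three uploads are reported and the zero-byte download of .htaccess is not. With a tighter watch-list (for example the site's administrative IP only) and a daily run over the transfer log, an upload like this would trip an alert the same day rather than waiting to be noticed by eye.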

Unknown said...

Hi, thanks for the reply. Each time I read about the hacks from this IP it seems to be different stuff that is done to the site, but in the same way. Are you running cPanel by any chance? Or a PHP website? It's either a cPanel flaw or PHP, I think, from what I read. Not sure about reporting the IP; my host has blocked that IP totally on their firewalls now, and I have also blocked it on another hosted server I have.

anna said...

This just happened to me, too -- files were uploaded on March 28th -- and the strange thing is that there is very little on my site, period. Two images and a homepage with one image (as well as two subdomains with entirely static content, except for some redirect rules). Absolutely no WordPress or Joomla installations, and my control panel is DirectAdmin, not cPanel.

I'm on a shared environment, so perhaps that's why. The PHP version is fairly up to date (5.2.15, I believe)... maybe that's not good enough.

The subfolder was named "orgasmic". Charming.

Unknown said...

From other posts I read, it could be a PHP issue or something to do with the FTP client they are using on the servers, even maybe a bug in that. However it has been done, it is really good; I have a really, really complex password and they got in with that, so who knows! Might as well have a password of "password" for what it's worth on some systems.

tomo said...

I just noticed this attack on one of my sites. Annoyingly, Google had already flagged that site as "compromised", without actually emailing me.

Nonetheless, the attack changed .htaccess, uploaded a bunch of stuff to the directory "sinai/orchard", and modified my main Joomla template index.php to grab a bunch of spam links from "safebotslogs.net", that would *only* show up when the Googlebot hit my site.

I am working with my hosting provider to figure out where they came in. It seems incredible to me that they could brute force my FTP password without triggering any alarms.

Anonymous said...

My site hosted by supergreen was also hacked, similar story, and yes, running cPanel. They are suggesting it might be me, but the email was weird... how did they know these files weren't mine, etc.? I think there is more to be found about this issue.
