I joined here today because I don't know who to tell about what has happened, and what I feel is a catastrophic occurrence. I logged into my site this morning and there was a scrolling banner on my site's content: you have been hacked by (xxx). I forgot the name of it. At any rate, I searched my logs and was shocked to see who had been in my admin on that morning. I am pasting the log:
/admin.php?op=deletemsg&mid=5 Http Code: 200 Date: Jan 18 05:00:43 Http Version: HTTP/1.1 Size in Bytes: 28334 Referer: - Agent: Mediapartners-Google/2.1
I contacted my server admin, who did the upgrade on PHP-Nuke for me, as you need SSH and I am on a shared server. I then sent an email to Google to let them know this had occurred, and as of yet, they have not even acknowledged receipt of the notice. There is no mention of this type of activity on the net, as I have searched the big 3 SEs. If somebody in here knows or can help me get the word spread about this, that Google needs to take a look at what is going on with that IP and the media bot.
It's also possible that your hacker used an ad-version of Opera to hack your site, and that's usually directly followed by the Media bot. Did you see any other visitor right before the Media bot?
> It's also possible that your hacker used an ad-version of Opera to
> hack your site, and that's usually directly followed by the Media bot.
> Did you see any other visitor right before the Media bot?
Hmm.. - I notice one more thing: all the different URLs come back with exactly 28334 bytes. I'm thinking this Media bot didn't come further than the admin.php page. I've just tried it myself - whatever I fill out after admin.php, I get the login screen. That's most likely what the Mediabot saw too, and whoever got in there before might be your hacker - not Mediabot.
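The size comparison made in the reply above can be automated. This is an added example, not code from anyone in the thread: it parses the log layout quoted in the first post and, per user agent, separates admin.php hits whose body size equals the login page from those that differ. Only the first sample line comes from the post; the other lines, the `op=sample_*` values and `ExampleBrowser/1.0` are constructed, and an equal size is a triage hint, not proof.

```python
import re
from collections import defaultdict

# Matches the log layout quoted in the original post.
LINE_RE = re.compile(
    r"^(?P<url>\S+) Http Code: (?P<code>\d{3}) Date: (?P<date>.+?) "
    r"Http Version: (?P<ver>\S+) Size in Bytes: (?P<size>\d+) "
    r"Referer: (?P<ref>\S+) Agent: (?P<agent>.+)$"
)

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"], rec["size"] = int(rec["code"]), int(rec["size"])
    return rec

def admin_hits_by_agent(lines, login_page_size):
    """Per agent, split admin.php hits into responses the size of the login
    page (probably never got past it) and everything else (review these)."""
    out = defaultdict(lambda: {"login_page": [], "other": []})
    for rec in filter(None, map(parse, lines)):
        if not rec["url"].startswith("/admin.php"):
            continue
        key = "login_page" if rec["size"] == login_page_size else "other"
        out[rec["agent"]][key].append(rec["url"])
    return dict(out)

# First line is from the post; the remaining lines are constructed samples.
SAMPLE = [
    "/admin.php?op=deletemsg&mid=5 Http Code: 200 Date: Jan 18 05:00:43 "
    "Http Version: HTTP/1.1 Size in Bytes: 28334 Referer: - Agent: Mediapartners-Google/2.1",
    "/admin.php?op=sample_a Http Code: 200 Date: Jan 18 05:00:51 "
    "Http Version: HTTP/1.1 Size in Bytes: 28334 Referer: - Agent: Mediapartners-Google/2.1",
    "/admin.php?op=sample_b Http Code: 200 Date: Jan 18 04:58:02 "
    "Http Version: HTTP/1.1 Size in Bytes: 41207 Referer: - Agent: ExampleBrowser/1.0",
    "/index.php Http Code: 200 Date: Jan 18 04:57:40 "
    "Http Version: HTTP/1.1 Size in Bytes: 19850 Referer: - Agent: ExampleBrowser/1.0",
]

if __name__ == "__main__":
    for agent, hits in admin_hits_by_agent(SAMPLE, login_page_size=28334).items():
        print(agent, hits)
```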
Depends on how you got "hacked", if the cracker got file system access he might have been able to change the log as well.
User agent can be forged easily, no idea about host.
With spoofing you can supply a different IP address. The problem is, the reply goes to that address, and there is no program expecting that reply.
Either the log has been cleaned up to remove traces, or the OP is looking at the wrong info. I doubt you can hijack the google bot (I mean, then the hacker would probably deface Google).
and so on. That's terra incognita for me, however what I have found in Apache manual is that logged information is IP taken from headers, but it can be also translated to hostname before logging (HostnameLookups On). Host name is taken from DNS, so if you have your own DNS server you may be able to forge this information too.
>> User agent can be forged easily, no idea about host.
>>
>> With spoofing you can supply a different IP address. The problem is,
>> the reply goes to that address, and there is no program expecting
>> that reply.
>
> What is logged by Apache (and other servers) as host?
>
> and so on. That's terra incognita for me, however what I have
> found in Apache manual is that logged information is IP taken
> from headers, but it can be also translated to hostname before
> logging (HostnameLookups On). Host name is taken from DNS, so
> if you have your own DNS server you may be able to forge this
> information too.
Yup, Apache does use DNS to translate IP to names. Quite some hosters turn this feature off. The only way someone can fake this is by hijacking the DNS that Apache uses. I guess this can be done, but I doubt someone defacing a page would go that far or has the abilities to do such a thing.
Defacing is mostly done via a weak spot in a script AFAIK.
On Fri, 20 Jan 2006 20:55:19 +0100, John Bokma <john@castleamber.com> wrote:
> Yup, Apache does use DNS to translate IP to names. Quite some hosters turn
> this feature off. The only way someone can fake this is by hijacking the
> DNS that Apache uses. I guess this can be done, but I doubt someone
> defacing a page would go that far or has the abilities to do such a thing.
Isn't it that DNS server serves - apart from other stuff - also some expiration information? I believe that's how Google selects its datacenters. If you have your own DNS server for your own domain and you set the expiration to - say - 5 minutes - you are effectively forcing every Apache trying to log the information to ask _your_ DNS server about domain name. Thus you can change it in almost real time and there is no need to hijack DNS used by the local Apache.
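A hostname in a log that came from a reverse lookup alone is only as trustworthy as whoever runs the reverse zone for that address, which is the concern raised in the posts above. The usual defensive check is a forward-confirmed reverse lookup, shown here as an added example that is not code from the thread: the PTR name must fall under a suffix you trust and must resolve back to the same IP. The `bot.example` suffix, the documentation-range addresses and the fake resolver tables are constructed so the block runs offline; in real use, take the suffix list from the crawler operator's published guidance.

```python
import socket

def system_ptr(ip):
    """Reverse lookup via the system resolver; [] when there is no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(host):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def forward_confirmed(ip, allowed_suffixes, ptr=system_ptr, addrs=system_addrs):
    """Return the confirmed hostname, or None.
    The PTR name must sit under an allowed suffix AND resolve back to ip."""
    for name in ptr(ip):
        host = name.rstrip(".").lower()
        if not any(host.endswith("." + s) for s in allowed_suffixes):
            continue  # name is outside the domains we trust
        if ip in addrs(host):
            return host  # forward lookup agrees with the reverse lookup
    return None

# Constructed DNS data (RFC 5737 documentation addresses).
FAKE_PTR = {
    "192.0.2.10": ["crawl-10.bot.example."],        # genuine: forward matches
    "198.51.100.7": ["crawl-7.bot.example."],       # PTR set by the IP's owner
    "203.0.113.5": ["bot.example.attacker.test."],  # look-alike name
}
FAKE_A = {
    "crawl-10.bot.example": {"192.0.2.10"},
    "crawl-7.bot.example": {"192.0.2.77"},  # real zone does not list .7
}

def check(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return forward_confirmed(ip, ["bot.example"],
                             ptr=lambda i: FAKE_PTR.get(i, []),
                             addrs=lambda h: FAKE_A.get(h, set()))

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, check(ip))
```

Apache can do the same double lookup at log time with `HostnameLookups Double`, at the cost of two DNS queries per logged client.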
I joined up as well to tell you what happened to me. Someone placed Google ad service ads on my website and was collecting money for them. They changed my account passwords into my domain at GoDaddy. My website is now down because of this hack job because they not only added Google ad service ads into my website, they changed some of my files as well, so when I tried to do an upgrade on the site, half of my files wouldn't transfer and the site went down. Luckily it will be up in a couple days.
My main concern is Google will not respond to me about this in any way. I have emailed them several times. I know that Google, per se, is not directly responsible for the hack job, as they are not directly responsible for your robot hack job, but I would like to know who was collecting money off of hacking my website. They hid these Google ad service files behind other files so it took me weeks to find them. I realize this is a human doing this, not Google. I just wish Google was a little more caring about what people are doing with these bots, etc... There are enough problems on the internet as it is and Google is supposed to be a reputable company, well, I no longer think so. I feel the same way about all of these websites that offer free anonymizers so people can shield their IPs and hack sites. What is the purpose of that?? At least charge the hackers, what are they stupid?? They give them instruments to hack for free. Just stupid.
What is really, really bad is they got into my domain through GoDaddy. The money was being routed to a GoDaddy email, and GoDaddy just hedges me and keeps putting me on hold every time I try to discuss this with them. It was obviously one of their employees who did it. Just a sick bunch of stuff we deal with here. These companies that are supposed to be reputable are nothing better than the hackers themselves. Just garbage.