| Chit Chat Public Talk about any thing you want! This forum is public. |
#1
Account Hacked or just index page?
Hi, one of my clients' sites was hacked and his index page was replaced with this:

[Collaps3 CREW] H4ck you! What´s up admin? seens not well right? No data lost but next time if you see me lauphing you better have a nice backup! We are Observing Vini4p cannabis DD3str0y3r if you wanna contact us use a mirc script and go to /server -m irc.chatbr.org #Collaps3 mirc r0x msn sux! .::by observing::.

Any ideas how they did this? It is a Windows server with PHP enabled, fixed IP and anon FTP active. Did they use a script, or did they really hack the account password?
__________________
Francisco
#2
What software was powering the site? If you had anything like Joomla, phpBB or another common package that was not patched and up to date, then that's probably how. Just check the logs; that's all you'll really need to do to work out how, probably.
#3
No package at all, just plain htm files and a PHP script for a speed test.
__________________
Francisco
#4
There had to be some way in, have you checked the logs thoroughly? It could have been brute force; there is that Apache bot going around currently which uses brute force, I believe, but you've stated this was Windows so I very much doubt that was it.
I would highly suggest the owner of the site checks their computer for malware and spyware etc. because that's another way they could have gotten the password.
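
The log check suggested in the replies above can be partly automated. This is an added example, not part of any post in this thread: it scans an FTP log for successful logins that follow repeated failures and for uploads that overwrite an index page, including by an anonymous user. The W3C-style field layout, the sample lines, and the names `parse` and `review` are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log. The field layout is an assumption: read the real one
# from the "#Fields:" line of your own server's FTP log.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-01-10 03:11:01 203.0.113.7 client1 [7]PASS - 530
2006-01-10 03:11:03 203.0.113.7 client1 [7]PASS - 530
2006-01-10 03:11:05 203.0.113.7 client1 [7]PASS - 530
2006-01-10 03:11:09 203.0.113.7 client1 [7]PASS - 230
2006-01-10 03:11:15 203.0.113.7 client1 [7]created /index.htm 226
2006-01-10 04:02:40 198.51.100.9 anonymous [8]PASS - 230
2006-01-10 04:02:51 198.51.100.9 anonymous [8]created /pub/index.php 226
2006-01-10 09:30:12 192.0.2.10 client1 [9]sent /speedtest.php 226
"""

INDEX_RE = re.compile(r"(^|/)(index|default)\.[a-z0-9]+$", re.I)
WRITE_METHODS = {"STOR", "APPE", "RNTO", "CREATED"}  # upload/rename verbs

def parse(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed lines
                row = dict(zip(fields, parts))
                # Drop a "[n]" prefix on the verb, as in the constructed sample.
                row["cs-method"] = re.sub(r"^\[\d+\]", "", row["cs-method"]).upper()
                yield row

def review(text, fail_threshold=3):
    """Return (kind, client_ip, detail) findings in log order."""
    failed, findings = Counter(), []
    for r in parse(text):
        ip, user, method, status = r["c-ip"], r["cs-username"], r["cs-method"], r["sc-status"]
        if method == "PASS" and status == "530":      # failed login
            failed[ip] += 1
        elif method == "PASS" and status == "230":    # successful login
            if failed[ip] >= fail_threshold:
                findings.append(("login-after-failures", ip, user))
        elif method in WRITE_METHODS and status.startswith("2"):
            if INDEX_RE.search(r["cs-uri-stem"]):
                anon = user.lower() in ("anonymous", "ftp")
                findings.append(("anon-index-write" if anon else "index-write", ip, r["cs-uri-stem"]))
    return findings
```

A `login-after-failures` finding points toward password guessing, while an `anon-index-write` finding means the anonymous FTP account has write access to the web root and no password was needed at all.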
#5
Thanks, let's check that.
__________________
Francisco
#6
Also a good practice to cycle out your Hsphere/FTP passwords often. How often depends on you - but I had several sites hacked, always on the same server, several years ago. Got on a 2-week password rotation and has been fine ever since.
Also, make sure your passwords are strong. My rule? Minimum 12 characters, alpha-num, plus dash or underscore. Given time, any jackass can crack your password if you keep it the same for long enough.