OMG, I've been hacked

Status
Not open for further replies.

Danielx386

Member
I just got a PM from a forum member, saying that my website got "Hacked" on it, and asking if it looks right. Anyway, I did check just then, and I saw that I've been hacked. Can someone please explain how I read the log files in cPanel?

Thanks
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
First, I'd alert a staff member, which I am currently doing.

Second, I'd await instructions from a staff member.
 

Alejandro

Staff
Staff member
Community Support
Hello,

If you had an easy-to-guess password, they could have gotten in by guessing it. There is no access log you can check; the only thing I can advise you to do is to change your cPanel password and make it secure: use symbols (^%@!*&), capitalize, etc.

Regards,
 

Smith6612

I ate all of the x10Pizza
Community Support
Looks like a typical script kiddie hit your WordPress installation, if this was in fact a hacking attempt. If WordPress has remained updated (there was an update for WP ~2 weeks ago), then a staff member will need to take a look at this, which is what they'll need to do nonetheless.

EDIT: Alejandro beat me to it, but his help is the first thing anyone should do after a hacking attempt.
 

Danielx386

Member
Hello all,

1: the access log. I'm talking about the raw access log, and I found it.

2: At one point I recalled deleting the wp-config.php to do a clean install of WordPress, since I got a messy database, and it seems that I forgot to do the clean install before logging off (so that part is my fault, I haven't been well lately. I've been in a large forum fight not long ago)

3: I got the IP address of the person who did the reinstall. Is it possible to do an IP search on this forum?

4: Can you see the IP address of every PM that is being sent?

I do understand that it's partly my fault, because anyone was able to do a clean install, but isn't it illegal? Wouldn't I be in trouble if this idiot posted some porn or sex images?

Thanks
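
The log check described in the post above, as an added example that is not part of the original thread: it scans a raw access log for requests to the WordPress installer pages, which become usable by any visitor once wp-config.php is missing. It assumes the Apache combined log format; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed format of the raw access log).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress installer endpoints, reachable when wp-config.php is missing.
INSTALLER_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")

# Constructed sample lines (documentation-range IPs), not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2010:03:14:01 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2010:03:14:02 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2010:03:15:40 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2010:03:16:05 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Jan/2010:09:00:11 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Jan/2010:09:00:12 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def installer_hits(log_text):
    """Return {ip: [(timestamp, method, path, status), ...]} for installer requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or non-combined-format lines
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if path.lower().endswith(INSTALLER_PATHS):  # also matches /blog/wp-admin/...
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

def completed_installs(hits):
    """IPs that sent a successful POST to an installer page, i.e. submitted the form."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(method == "POST" and 200 <= status < 400 for _, method, _, status in reqs)
    )

if __name__ == "__main__":
    found = installer_hits(SAMPLE_LOG)
    for ip in completed_installs(found):
        print(ip)
        for ts, method, path, status in found[ip]:
            print(f"  [{ts}] {method} {path} -> {status}")
```

A GET alone only shows that someone loaded the installer page; the successful POST requests are the ones that mark a submitted setup form.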
 

adamparkzer

On Extended Leave
You can't really do much with the IP address to identify who did it. Even if you did, the damages you suffered are minimal. The most you could get out of the hacker is money for lost ad revenue (if you get money through advertisements) and potential earnings from publicizing your content.

And yes, you would be responsible if any pornographic images were posted while you were hacked. You are responsible for selecting a complex password, and you are responsible for keeping your computer free of viruses and keyloggers that may allow other people to access your account.
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
PM me the IP address, I will have an administrator match it.

Or give it to Chris, who will probably post right after me.
 

Smith6612

I ate all of the x10Pizza
Community Support
2: Might want to be more careful next time. The developers of the scripts always warn against not finishing an install.

3: Only admins who have access to the forum ACP or any other log can perform an IP look-up.

4: Everything on the forum is tied to an IP address. This post for example will have an IP attached to it. Any PMs I send out will have an IP attached to it, which is useful should someone report something.
 

garrettroyce

Community Support
Community Support
I wouldn't rely on IP address information. It could be a college or university. The user could even read this post and have their IP address changed (I know how to do it on Comcast, it's not a secret and it takes 2 seconds to do). Even if the staff were willing to let you have this information, which I don't think they would because they have to keep people's privacy, I don't think you could do anything. It sounds like you accidentally left the door open and someone walked in.

I'm sorry your site got messed up though, that sucks :(
 

Danielx386

Member
Yeah, either way, I'm thinking of adding this address to the black list that I got, so this person will never be able to see my site again. Is that going to be the biggest mistake that I would ever make?
 

Smith6612

I ate all of the x10Pizza
Community Support
I wouldn't say it's a mistake, but if it's a dynamic IP address it would at least prevent someone from viewing your site until their IP changes. If this "hacker" is in fact really a hacker who is devoted to trying to take your site down, they will eventually get back in. This case looks to be something as simple as a 14-year-old script kiddie that just goes around "pwning" severely unsecured websites in their free time. Quite obvious judging by the note they left.
 

garrettroyce

Community Support
Community Support
I would add them to the block list, but there are still proxies and many many other means of defying your block. There's really no harm in trying, unless you somehow block yourself or 127.0.0.1 (which could be very interesting to see what that does :D).
 

Smith6612

I ate all of the x10Pizza
Community Support
You just reminded me of a very funny IRC chat I've come across on other forums. 127.0.0.1 is the perfect trap for them script kiddies who don't know a thing or two about networking (half of them don't I'm sure).
 

xav0989

Community Public Relation
Community Support
Who hasn't heard of that one! :lol:
Anyway, I think we are getting a bit far from the real issue here. So is the issue resolved, Daniel?
 

Danielx386

Member
Good question. Chris and I are working together to find out if it's a member of this forum. I sent copies of the PM that I got, along with the user name of the person who sent the PM. I gave him the IP address of where the reinstall took place. It looks like it's under control for now.

At this point, am I free to clean up my blog and start again? Or should I wait?
 

xav0989

Community Public Relation
Community Support
Maybe lock it (change admin password and such)
 

adamparkzer

On Extended Leave
Remember to always keep backup copies of your blog. That way, even if you are hacked, you won't be losing anything that you write.
 

garrettroyce

Community Support
Community Support
This may be too obvious, but nonetheless, if you used that password elsewhere, make sure you change it there as well.
 

Danielx386

Member
Good call, I'm not one of those who use the same password for everything, thank god :)
 