Hacked

Talk about musical instrument construction, setup and repair.

Moderators: kiwigeo, Jeremy D

peter.coombe
Blackwood
Posts: 723
Joined: Fri Oct 15, 2010 2:52 pm
Location: Bega, NSW

Hacked

Post by peter.coombe » Sat Nov 02, 2019 4:21 pm

I discovered some weird files on my web site today and deleted them, and then changed all passwords. Just a few minutes after deleting them I got an email from the host provider saying my site had been hacked with a phishing file (now deleted) and my account had been suspended. Now I can't do anything, can't log in, can't ftp, just have to wait for them to restore access so I can find out what the heck has been going on and fix it. GGGGRRRR. They are not fast responding to support. In the meantime 2 web sites are now cactus, even though the threat has been removed. Last time I was hacked was a time consuming major pain, so I guess this is likely to be the same or worse since the technology has moved on a bit from then. Twice in 20 years I guess is not too bad, but I hate these thieving scumbags with a passion.
Peter Coombe - mandolin, mandola and guitar maker
http://www.petercoombe.com

Mark McLean
Blackwood
Posts: 1084
Joined: Thu Apr 10, 2008 2:03 pm
Location: Sydney

Re: Hacked

Post by Mark McLean » Sat Nov 02, 2019 7:17 pm

Peter, I am sorry for your pain and inconvenience.
This seems to be a major scourge of the web economy. I don’t make my living this way but I can see what a huge PITA it must be to deal with this - from individuals who are basically just vandals or extortionists. They should be the first against the wall come the revolution.

simonm
Blackwood
Posts: 176
Joined: Mon Sep 07, 2009 7:09 am

Re: Hacked

Post by simonm » Sat Nov 02, 2019 10:09 pm

My old website (devoid of content at the time) was banned by my service provider which meant that I had to move my email address to a 3rd party provider. The reason? Someone was attacking my empty site for a denial of service attack on some other site on the shared server it was hosted on. Attacking my site crippled the server which killed all the other sites on the same server - I assume one of them was being blackmailed. Easiest solution for provider was remove my site.

Back in the old days I remember finding a very basic scam site (for harvesting bank passwords) which was hosted on the town council website of a small Portuguese town. I let them know.

Good luck with getting your site back up and running.

TallDad71
Blackwood
Posts: 191
Joined: Thu Jan 19, 2017 6:20 am

Re: Hacked

Post by TallDad71 » Mon Nov 04, 2019 10:45 pm

There are literally thousands of websites that run on the same name servers as yours Peter, ns-1.ezyreg.com.

https://securitytrails.com/list/ns/ns-1.ezyreg.com

I guess they have locked yours down to protect the integrity of the other websites that sit on the same hard drives whilst they investigate the causes of the security breach. I have no advice on how to speed Netregistry up, but hopefully you'll see that whilst they are dumping on you, they are trying to protect their customers from potential harm.

Best of luck.
Alan
Peregrine Guitars

peter.coombe
Blackwood
Posts: 723
Joined: Fri Oct 15, 2010 2:52 pm
Location: Bega, NSW

Re: Hacked

Post by peter.coombe » Tue Nov 05, 2019 9:29 am

I don't have any beef about the sledge hammer approach. As you say, they are protecting their other users. My beef is that they advertise a 24hr support turnaround, but in practice that is some sort of a joke. Netregistry is now owned by MelbourneIT and they outsourced their call centres overseas. In the case of Netregistry it is in the Philippines, and I have difficulty understanding some of their support people. MelbourneIT sounds like it is probably India. When MelbourneIT was smaller, I could call or email them and get an answer almost straight away from someone based in Australia, and the problem was fixed pronto. Last problem I had I waited for an hour mostly on hold, and in the end the problem is still there. I need to re-visit that problem later. They got too big for their boots. Their transfer of web customers from UberGlobal was an utter shambles. Many web sites down (mine was one of them, down for nearly 2 weeks), help desk in meltdown. The upside is their infrastructure seems to be very good. My web site was much faster and has had zero down time (after the shambles) until now. My other host providers always had random unscheduled down times.
Peter Coombe - mandolin, mandola and guitar maker
http://www.petercoombe.com

peter.coombe
Blackwood
Posts: 723
Joined: Fri Oct 15, 2010 2:52 pm
Location: Bega, NSW

Re: Hacked

Post by peter.coombe » Thu Nov 07, 2019 10:53 am

Progress. I have access back and a maintenance page is up. Now the real work starts. I have been trawling through the logs and it is interesting to see the hacking probes and what they are looking for, but it is a needle in a haystack to pick up the actual exploit.
Peter Coombe - mandolin, mandola and guitar maker
http://www.petercoombe.com

peter.coombe
Blackwood
Posts: 723
Joined: Fri Oct 15, 2010 2:52 pm
Location: Bega, NSW

Re: Hacked

Post by peter.coombe » Sat Nov 23, 2019 11:51 am

Website is back again, with security scanning every 24hrs implemented. I never found the needle in the haystack, but I am fairly certain I know what happened. The website template uses the Bootstrap framework, a very popular utility that makes website development much easier. However, some versions of Bootstrap have cross site scripting vulnerabilities. This is when input from an untrusted source is not scanned properly and the untrusted source (i.e. the hacker) can fool the server to run scripts. Once you can run a script with the permissions of the website owner then you can do just about anything. I fished around the template code and sure enough the version of Bootstrap used is vulnerable. Phishing software was installed into my account and the hacker sent out thousands of emails with a link to the phishing software installed in my account. It probably mirrored an internet banking website or some other sensitive site designed to capture your password and fleece you of your money. Anyway, I deleted everything on the site, then did a major clean up of the web site, deleting everything in the template that I was not using. This was very time consuming, but since I don't capture any input it should not be vulnerable. However, the template is fully featured and a lot of stuff that does take input was still there, just not being used. I did download the latest version of the template, but as far as I can tell it is exactly the same, so the vendor has not upgraded the template to the latest version of Bootstrap. There are probably thousands of templates and Wordpress themes out there with security vulnerabilities. All this does not guarantee it won't happen again, the logs have shown me that hacking probes are happening all day every day, but at least I will be notified next time by the scanning package.
The Netregistry tech said it is not a matter of if you get hacked, but when you get hacked, so everyone with a web site needs to be aware it will probably happen to you eventually. The security scan of the re-built website showed no vulnerabilities, so hopefully I am safe for a while, but this episode has made me a little paranoid. No website means no sales.

The other problem I had was the site was black listed by Nortons. Took a few weeks after requesting it be removed, but looks like the black listing has now finally been removed. Phew!
Peter Coombe - mandolin, mandola and guitar maker
http://www.petercoombe.com
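The thread turns on two things: unexpected files appearing in the web root, and a daily scan that would raise the alarm next time. Below is an added example (not the forum's, Peter's or Netregistry's scanning package) of the simplest useful version of that check: hash every file under a site's document root, store the result as a baseline, and on each later run report files that were added, modified or removed, flagging any new server-side script on a site that is supposed to be purely static. Paths, file names and the sample site are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# A static template site (as described in the thread) has no reason to gain
# server-side scripts overnight; a new or altered file with one of these
# extensions is reported separately so it stands out in a daily report.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".cgi", ".pl", ".sh"}

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def diff_manifests(baseline, current):
    """Compare a stored baseline with a fresh scan of the same tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTENSIONS]
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}

def save_baseline(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed scenario: baseline a tiny site, then simulate a dropped file."""
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "css").mkdir()
        (root / "index.html").write_text("<html>constructed sample site</html>")
        (root / "css" / "bootstrap.min.css").write_text("/* constructed stub */")
        baseline = hash_tree(root)
        # Simulated compromise: an unknown PHP file appears and a page is edited.
        (root / "css" / "unknown-upload.php").write_text("<?php /* constructed stand-in */ ?>")
        (root / "index.html").write_text("<html>constructed sample site (edited)</html>")
        return diff_manifests(baseline, hash_tree(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is written with `save_baseline` once the site is known-clean and kept outside the document root, and a daily cron job loads it, rescans, and mails any non-empty report.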
