Re: [vox-tech] hacked site
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] hacked site
Jim, at this point I would consider your website compromised. Just because
you've changed the cPanel password doesn't mean that you've closed the hole
that the intruder used to gain access to your website. I would, at the
earliest possible moment, make a backup of everything and get it offsite
just in case the worst happens.
Next, I would perform an exhaustive survey of your website and determine
what new files have been placed there and if anything has been changed.
Finally, look at your website logs for that IP address (220.127.116.11)
to see what they've been doing. Somewhere in there is the clue as to how
they got into your website.
If it's just a weak ftp password, change it to stronger one. If it's a
MySQL injection (I don't see evidence of a database on your website but
that doesn't mean there isn't one there) then you'll need to have your
Regardless, you need to take action immediately to ensure that the intruder
isn't going to get access again. Next time they could be less kind and just
take your website down and/or erase all your content. Hackers coming in
from Asia are an unfortunate reality in the wild west we call the Internet...
-- Dave Spencer, PageWeavers
--- Original Message ---
Some company ( internetidentity.com ) that is contracted by Chase banking
sent me email saying that my web site was hacked. I also received a notice
from Google for a possible phishing web page. I confirmed this and found
someone hacked into my web site and placed a phony Chase credit card form
with all the bells and whistles. I contacted internetidentity via phone and
was told that they might have used a vulnerability in a shopping cart. I
talked to my hosting company and told them what had happened but they
couldn't tell me when or from where the attack came from.
I decided to look at my recent logs using CPanel. It showed me the latest
users and who has accessed my web site the most. I found a url of
18.104.22.168 that has frequented my web site the most. I usually am the
one that visits my site the most but not now. I searched for it online and
found that it is from Jakarta Indonesia. Could this be because Chase is
outsourcing some of their work over there? I know that they do that with
the Philippines. Could it alse be a possibility that the person(s) that
hacked my site are in that country?
I also noticed that some tried to access CPanel from 22.214.171.124 at
11:40 pm on 6/20/2011, shortly after I changed the password. Internet
search shows that this person is using a server ACBE7EEB.ipt.aol.com in
This intrigues me. I want to know more. Has anybody ever had this happen
to them? Are these two tied together somehow? I mean Kansas and Indonesia?
Hope all is well,
vox-tech mailing list