Whole Web Server Hacked!
Posted: Wed Aug 23, 2006 8:15 am
Just woke up (1:30pm) to a text from a client saying his website has been hacked and replaced with some anti-war stuff. So I'm thinking, sh*t, I've got some extra work to do today...
I log on to check it out, it won't load... neither will my website, or anyone else's on my web server, but I'm logged into FTP, and the files are the same...
I download index.php from the website in question:
LOL. They've swapped every index.php in my web space for this.
Code:
<html>
<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Mavideniz</title>
</head>
<body bgcolor="#000000" text="#808080">
<meta http-equiv="refresh"content="160;URL=http://www.scubaconsult.at/user">
<p align="center">
<embed src="http://www.mmavideniz.org/01.mp3" loop="1" autostart="true" hidden "true" width="128" height="128" align="left"></p>
<p align="center">
<font color="#FFFFFF">
<img src="http://www.mavideniz.org/atam.gif" width="152" height="108"></font></p>
<p align="center" style="margin: 0 1"><b>
<font size="7" face="Courier" color="#FFFFFF">HACKED BY METLAK</font></b></p>
<p align="center" style="margin: 0 1"><b>
<font face="Courier" size="7" color="#FFFFFF">NO WAR </font></b></p>
<p align="center" style="margin: 0 1"><b>
<font size="65" face="Courier" color="#ffffff">!!!!!!!!STOP WAR!!!!!!!!</font></b></p>
<p align="center"><font color="#FFFFFF">
<OBJECT ID="MediaPlayer" WIDTH=468 HEIGHT=374 classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112"
standby="Loading Microsoft Windows Media Player components..."
type="application/x-oleobject">
<PARAM NAME="FileName" VALUE="http://video.haber7.com/81.wmv">
<PARAM NAME="ShowControls" VALUE="0">
<PARAM NAME="ShowDisplay" VALUE="0">
<PARAM NAME="ShowStatusBar" VALUE="0">
<PARAM NAME="AutoSize" VALUE="1">
<Embed type="application/x-mplayer2"
pluginspage="http://www.microsoft.com/windows/windowsmedia/download/"
filename="http://video.haber7.com/81.wmv"
src="http://video.haber7.com/81.wmv"
Name=MediaPlayer
ShowControls=0
ShowDisplay=0
ShowStatusBar=0
width=468
height=351>
</embed></OBJECT></font></p>
<p align="center"><font face="Courier New, Courier, mono" color="#ffffff">
<img src="http://www.thememoryhole.org/war/gulfwar2/22march-ap.jpg" width="348" height="512"></font></p>
<body onUnLoad="xopentr('http://www.mavideniz.org/forum')">
<Script Language=JavaScript Type="Text/JavaScript">
function xopentr(url_pop)
{
var PopWidth=400;
var PopHeight=300;
var PopLeft = (window.screen.width-PopWidth)/2;
var PopTop = (window.screen.height-PopHeight)/2;
xopenvar=window.open(url_pop,'xopenvar','toolbar=yes,status=yes,menubar=yes,location=yes,
directories=yes,resizable=yes,scrollbars=yes,width='+PopWidth+',
height='+PopHeight+',top='+PopTop+',left='+PopLeft);
}
</Script>
<p align="center"><font color="#00FF00">mavideniz.org/forum açılmıştır.</font></p>
I contact the admin, I told him I can't even view anything on my webspace, he says we got hacked last night, I *think* oops, that's probably my fault, he says, they replaced every index.php file on the whole webserver with a bogus one!
I didn't actually get to see the page, and I can't be bothered wasting my time in loading it myself, but I'm told it had dead kids on it and stuff, sick b*stards.
Is this a common page that hackers are using now? Seems a lot of them refer to war and stuff...
Edit: Put some line breaks in so it doesn't break the forum...
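Added example, not part of the original post: when one file has been dropped over every index.php on a shared server, the copies are byte-identical, so hashing each index.php and grouping by digest shows how far the replacement reached. The marker patterns are taken from traits of the page posted above; the function names, the "no_php_tag" heuristic and the sample tree are constructed for illustration.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

# Traits of the index.php posted above; a heuristic, adjust per incident.
MARKERS = {
    "hacked_by": re.compile(rb"hacked\s+by", re.I),
    "meta_refresh": re.compile(rb"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    "remote_media": re.compile(rb"<(?:embed|param)\b[^>]*https?://", re.I),
}

def scan(webroot, name="index.php"):
    """Walk webroot; return (clusters, hits).
    clusters: sha256 -> paths, for content shared by 2+ index files.
    hits: path -> names of the markers found in that file."""
    by_hash, hits = defaultdict(list), {}
    for dirpath, _dirs, files in os.walk(webroot):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        with open(path, "rb") as fh:
            data = fh.read()
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
        found = [k for k, rx in MARKERS.items() if rx.search(data)]
        if b"<?" not in data:          # an index.php with no PHP in it
            found.append("no_php_tag")
        if found:
            hits[path] = found
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return clusters, hits

def demo():
    """Constructed sample tree: two sites share one defaced page, one is clean."""
    defaced = (b'<html><meta http-equiv="refresh"content="160;URL=http://example.invalid/">'
               b'<embed src="http://example.invalid/a.mp3"><b>HACKED BY EXAMPLE</b></html>')
    clean = b"<?php require 'app/bootstrap.php'; ?>"
    root = tempfile.mkdtemp()
    for site, body in (("site_a", defaced), ("site_b", defaced), ("site_c", clean)):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "index.php"), "wb") as fh:
            fh.write(body)
    return root, scan(root)

if __name__ == "__main__":
    root, (clusters, hits) = demo()
    for digest, paths in clusters.items():
        print(f"{len(paths)} identical files, sha256 {digest[:16]}...")
    for path, found in sorted(hits.items()):
        print(os.path.relpath(path, root), found)
```

Run against a copy of the web space pulled down over FTP, the cluster list doubles as the restore list; identical index files that trip no marker (framework stubs, for instance) are expected and can be ignored.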