l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2011 Jun 21 14:55

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] hacked site
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] hacked site

Jim, at this point I would consider your website compromised. Just because
you've changed the cPanel password doesn't mean that you've closed the hole
that the intruder used to gain access to your website. I would, at the
earliest possible moment, make a backup of everything and get it offsite
just in case the worst happens.

Next, I would perform an exhaustive survey of your website and determine
what new files have been placed there and if anything has been changed.
Finally, look at your website logs for that IP address (
to see what they've been doing. Somewhere in there is the clue as to how
they got into your website.

If it's just a weak ftp password, change it to stronger one. If it's a
MySQL injection (I don't see evidence of a database on your website but
that doesn't mean there isn't one there) then you'll need to have your
programs fixed.

Regardless, you need to take action immediately to ensure that the intruder
isn't going to get access again. Next time they could be less kind and just
take your website down and/or erase all your content. Hackers coming in
from Asia are an unfortunate reality in the wild west we call the Internet...

-- Dave Spencer, PageWeavers

--- Original Message ---

Some company ( internetidentity.com ) that is contracted by Chase banking 
sent me email saying that my web site was hacked.  I also received a notice 
from Google for a possible phishing web page.  I confirmed this and found 
someone hacked into my web site and placed a phony Chase credit card form 
with all the bells and whistles. I contacted internetidentity via phone and 
was told that they might have used a vulnerability in a shopping cart.  I 
talked to my hosting company and told them what had happened but they 
couldn't tell me when or from where the attack came from.

I decided to look at my recent logs using CPanel.  It showed me the latest 
users and who has accessed my web site the most.  I found a url of  that has frequented my web site the most. I usually am the 
one that visits my site the most but not now. I searched for it online and 
found that it is from Jakarta Indonesia.  Could this be because Chase is 
outsourcing some of their work over there?  I know that they do that with 
the Philippines.  Could it alse be a possibility that the person(s) that 
hacked my site are in that country?

I also noticed that some tried to access CPanel from at 
11:40 pm on 6/20/2011, shortly after I changed the password.  Internet 
search shows that this person is using a server ACBE7EEB.ipt.aol.com in 

This intrigues me.  I want to know more.  Has anybody ever had this happen 
to them?  Are these two tied together somehow?  I mean Kansas and Indonesia?

Hope all is well,

Jim George
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.