Joomla! Discussion Forums

Hi all,

I have a question for the community, especially for those in the SECURITY know.

I was recently notified by my hosting provider about a hack to one of my sites and while reviewing the logs, I found a URL to a site where the hackers scripts are stored.

I'm not sure if this hacker is "using" this site to store/access his bag of tricks or if the site owner is the hacker.

Advice please?

TIA!
Roger

Could be both.  I found links similar to what you found.  The website linked to looked legitimate, but when I did more research I found out that it was not a real company and a cover for hacker attacks.

If it is the hackers site, then what can be done about shutting it down? I've done a whois search for the domain and that didn't turn up any usefull info.

I don't want to notify the site owner that the site is being used for hacking, just in case it is the hackers site. Don't want to tip him/her/themo off.

You may be able to notify the ISP or Hosting provider, but you will at least need to find that information from a whois or traceroute to the domain.

Roger,

You need to get the IP address of the server.  This can be done a variety of ways, for example, open a dos prompt on Windows and do "ping http://www.site.com" and it will say something to the effect of pinging 10.10.1.184 or something like that.  Copy that sequence of numbers then go to www.arin.net.  On the right of that page there is an input box to "Search Whois".  This is different than a regular domain whois as it is a whois for IP addresses.  Paste the IP address into that box then click search.  Hopefully it isn't on a major network and it will just take you to a page that shows who is responsible for the IP block, usually an ISP or hosting company and it will show an Abuse contact.  Shoot them an email with all the info you have and the log files and hope they do their job.  If the IP is part of a big network it will say to search some other sites whois registry, go there, enter the IP again in their search box and then you should get the correct information for the abuse contacts.  Then do as before. 

Good luck.  Also, don't expect anything besides an automated reply.  They, including the company I work for, almost never respond as it is generally unnecessary once the problem has been rectified or violated their privacy policies. 

You need to be aware too that the host can only take action if the site is breaking their terms of contract. Cracking is not illegal in many parts of the world and even where it is there are often caveats (like, cracking a site is ok as long as there is no resultant financial damage over $xxxx), so many of these blackhats are able to operate perfectly legitimately.

Some of the sites operate in the "public interest" and have the explots documented "for information" with disclaimers that they are not responsible if the exploit code it taken and used maliciously.

Just thought I would point this out as some get very upset when a host/ISP does not appear to take action.  Many don't even send an automated responder to abuse reports, but that does not mean they do not check them out. There are hundreds of blackhat sites around and many of the crackers defacing Joomla sites are part of "security teams" whose sites provide public information to assist people in tightening up code.  For me, I just accept that cracking happens but I find it quite useful to be able to find exactly what was run to break in. Those that leave links to the exploit, or who give email addresses so they can be contacted, are often quite willing to help close the holes they found.

In my experiece, nobody cares about the facts and proves you have against hackers, crackers or script kiddies (raw access files, error logs, jaddah), unless your very big and can afford to sue. Reports  to official bureaus, agencies or abuse adresses will make you see that fighting them it totally useless.

Just backup the raw log files. They might come in handy some day.

I have to disagree.  Sure, there are some providers that don't care and probably do nothing but working at a service provider has taught me just how seriously some companies take these reports.  The company I work for actively fights hackers, scammers, spammers, etc. on a daily basis and we are glad to do it because we know that we are making the internet a little bit better for all of us.  However, if you know of a provider that does not work to stop these jokers I highly suggest you refuse to do business with them.  There are better companies out there that could use your support.