Tyreus Community: [Discuss] Another Hacking Alert - Tyreus Community


[Discuss] Another Hacking Alert

#1 User is offline   TyreusBot

  • Tyreus Robot
  • Icon
  • Group: Forum Executives
  • Posts: 89
  • Joined: August 09, 2008
  • Location:127.0.0.1

Posted July 26 2009 - 09:19 AM

Well there was another hacking by a Mr. Sh3ll. You can see the Support topic here: http://forums.tyreus...age-taken-down/

We'd just like to take this time to let you know that we advise you to change your passwords to something with 100% security (you know that little password strength checker in cPanel?)

Your best bet at a good password is using the generator with all characters set to 15+ characters, DaReaper told me he has set his to over 20 characters.

Be Safe! View the original post...
Join the IRC, or I will heat up.
http://tyreus.com/irc.php
0

#2 User is offline   dbershevits

  • Full Member
  • Icon
  • Group: Members
  • Posts: 132
  • Joined: May 16, 2009

Posted July 26 2009 - 10:04 AM

I've set mine to 100% percent, and set to 20 characters as well. Let's hope that no-one else gets hacked.
0

#3 User is offline   DaReaper

  • Aigh !! ??
  • Icon
  • Group: +Senior Members
  • Posts: 619
  • Joined: December 28, 2008
  • Gender:Male
  • Location:India

Posted July 26 2009 - 10:24 AM

By the way, nothing's wrong now with my site, nothing was lost or deleted or edited... Just a small hacking attempt
0

#4 User is offline   Kevin M

  • Powered by Caffeine
  • Icon
  • Group: Chief Executives
  • Posts: 4,156
  • Joined: July 09, 2008
  • Gender:Male
  • Location:~/public_html

Posted July 26 2009 - 03:56 PM

I highly doubt he cracked your password. It was more than likely an exploit in either cPanel or a CMS which you were running. Make sure that you are using the latest updates on all your web software! ^_^
Regards,
Kevin M - Tyreus.com Chief Executive
kevin@tyreus.com
-----
Visit my Blog at: http://blog.stupidpoodles.com/
0

#5 User is offline   xiofire

  • Senior Member
  • Icon
  • Group: +Supporters
  • Posts: 664
  • Joined: February 06, 2009
  • Gender:Male
  • Location:New Brunswick, Canada.

Posted July 26 2009 - 07:10 PM

View PostKevin M, on July 26 2009 - 05:56 PM, said:

I highly doubt he cracked your password. It was more than likely an exploit in either cPanel or a CMS which you were running.

Can't hurt to reset to a stronger password.
Tyreus Forum Executive Member...
Coming Soon: LimeCore | My Portfolio: xiofire.com | Society MTB
0

#6 User is offline   Kevin M

  • Powered by Caffeine
  • Icon
  • Group: Chief Executives
  • Posts: 4,156
  • Joined: July 09, 2008
  • Gender:Male
  • Location:~/public_html

Posted July 26 2009 - 07:59 PM

View PostTrinity, on July 26 2009 - 08:10 PM, said:

Can't hurt to reset to a stronger password.


How would you draw that conclusion from my statement?

It is true, though, that you should change your password at regular intervals.
Regards,
Kevin M - Tyreus.com Chief Executive
kevin@tyreus.com
-----
Visit my Blog at: http://blog.stupidpoodles.com/
0

#7 User is offline   DaReaper

  • Aigh !! ??
  • Icon
  • Group: +Senior Members
  • Posts: 619
  • Joined: December 28, 2008
  • Gender:Male
  • Location:India

Posted July 27 2009 - 03:44 AM

I change my passwords every month, all of them, my email, cPanel etc... and yes he didn't find out my password, not he used an exploit, he defaced my website... I dunno how but now I have reset all my folders' permissions and taken backups of my whole website. According to Milw0rm there are no exploits yet found for the latest version of WordPress 2.8.2 < I'm using that. All my software is up to date.
0

#8 User is offline   leegao

  • Full Member
  • Icon
  • Group: Forum Executives
  • Posts: 321
  • Joined: September 24, 2008
  • Gender:Male

Posted July 27 2009 - 01:10 PM

View PostDaReaper, on July 27 2009 - 03:44 AM, said:

I change my passwords every month, all of them, my email, cPanel etc... and yes he didn't find out my password, not he used an exploit, he defaced my website... I dunno how but now I have reset all my folders' permissions and taken backups of my whole website. According to Milw0rm there are no exploits yet found for the latest version of WordPress 2.8.2 < I'm using that. All my software is up to date.


Well here's a little trick that some people use. Novice hackers usually try every port on a machine to see whether there's a bind behind it. The most easily targeted is either the httpd/web interface on 80 or the MySQL interface. A lot of people actually tend to forget to reset their root password for MySQL, and the default installation doesn't delegate authority back to the mysql user if you run it as a service. On top of that, the remote mysql-admin interface provides an environment execution method meaning they can pretty much do whatever they want on your node. Of course, this isn't likely either.
0

#9 User is offline   osshm

  • Senior Member
  • Icon
  • Group: Members
  • Posts: 252
  • Joined: July 21, 2008

Posted July 27 2009 - 02:53 PM

View Postleegao, on July 27 2009 - 07:10 PM, said:

Well here's a little trick that some people use. Novice hackers usually try every port on a machine to see whether there's a bind behind it. The most easily targeted is either the httpd/web interface on 80 or the MySQL interface. A lot of people actually tend to forget to reset their root password for MySQL, and the default installation doesn't delegate authority back to the mysql user if you run it as a service. On top of that, the remote mysql-admin interface provides an environment execution method meaning they can pretty much do whatever they want on your node. Of course, this isn't likely either.


You're right, but how can you change files on an FTP with a MySQL exploit?
0

#10 User is offline   Kevin M

  • Powered by Caffeine
  • Icon
  • Group: Chief Executives
  • Posts: 4,156
  • Joined: July 09, 2008
  • Gender:Male
  • Location:~/public_html

Posted July 27 2009 - 03:33 PM

View Postleegao, on July 27 2009 - 02:10 PM, said:

Well here's a little trick that some people use. Novice hackers usually try every port on a machine to see whether there's a bind behind it. The most easily targeted is either the httpd/web interface on 80 or the MySQL interface. A lot of people actually tend to forget to reset their root password for MySQL, and the default installation doesn't delegate authority back to the mysql user if you run it as a service. On top of that, the remote mysql-admin interface provides an environment execution method meaning they can pretty much do whatever they want on your node. Of course, this isn't likely either.

With a MySQL exploit you could do some damage, but you can't (generally) just edit files.
Regards,
Kevin M - Tyreus.com Chief Executive
kevin@tyreus.com
-----
Visit my Blog at: http://blog.stupidpoodles.com/
0

#11 User is offline   DaReaper

  • Aigh !! ??
  • Icon
  • Group: +Senior Members
  • Posts: 619
  • Joined: December 28, 2008
  • Gender:Male
  • Location:India

Posted July 28 2009 - 05:29 AM

By the way, this is not a MySQL exploit!!!!! It's defacement. I'll show you something: http://www.arabic-m....ites&h=Mr.Sh3ll << That link takes you to a site where all those people take over other people's websites by DEFACEMENT! My website is top on the list, 'cause he defaced my website the latest.

See this if you want to know more about what website defacement is: http://en.wikipedia....site_defacement

Well, he must have used an exploit to get into the Web server / HTTP protocol at port 80, since firewalls usually do not block this port for malicious content, since it is left open. Well, I probably can tell that he must have been using an IIS hack which is not detected by the firewall.
He must have found a vulnerability in WordPress which I was using, even though it's the latest version. Probably I'll have to wait till the next version comes out.

I guess Tyreus should build a multi-layer protection system for the server.

1) The attack should be identified at the service request level, probably at the system call or API call invocation. At this stage, the request hasn't executed yet. This is the perfect time since changes to the page have not yet been made. An effective technique is to use system call and API call interception.

2) Administrator (root) resistant—Most hackers first gain privileged rights and then try to deface the site. Therefore, it's good practice to restrict the privileges of the Administrator account on a Web server machine. Instead of the 'Administrator' account, only a specific predefined user (the Web master) should be allowed to modify the Web site content and configuration. The system should enforce this rule and fail malicious use of the Administrator privileges.

3) Application access control—It makes no sense for an arbitrary application such as a text editor to modify a Web page (even if the user has the adequate privileges).
0
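
Added example, not part of any post in this thread: posts #7 and #11 lean on folder permissions and on a single designated account being the only one able to modify site content. The shell function below checks a document root for both conditions; the name `audit_webroot` and the path and owner passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web document root for content
# that accounts other than the designated web master could modify.
# The function name, the root path and the owner are assumptions.

# audit_webroot ROOT OWNER
#   ROOT   directory to scan, e.g. a site's public_html
#   OWNER  user name or numeric uid expected to own every entry
# Prints one "<reason><TAB><path>" line per finding.
# Returns 0 when nothing is found, 1 otherwise.
audit_webroot() {
    root=$1
    owner=$2
    findings=$(
        # Anything any local account can write to. Symlinks are skipped:
        # their own mode bits always read 777 and grant nothing.
        find "$root" ! -type l -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;
        # Anything not owned by the designated account, for example files
        # created by the web server user through an upload or an injected script.
        find "$root" ! -type l ! -user "$owner" \
            -exec printf 'wrong-owner\t%s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/public_html webmaster
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Running it from cron and comparing the output with the previous run shows when an upload directory or a dropped file has changed the picture.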

#12 User is offline   Brad R

  • It's Magic. And Unicorns, The Purple Ones.
  • Icon
  • Group: Chief Executives
  • Posts: 2,620
  • Joined: July 12, 2008
  • Gender:Male
  • Location:Detroit, MI

Posted July 28 2009 - 05:57 AM

Like you said, it is most likely a vulnerability in WordPress, there is nothing WE can do about it.
You seem to be the only one that has had an issue with defacement on WordPress.

1) 2) and 3) -> Things known as Password Authorization, Access Privileges, Firewalls, IP Deny, Brute Force Lockout and much much more are the equivalent of what you said.

How's that for multi-layered protection system?

Again, there is nothing WE can do.
Regards,
Brad R



[CO.CC] [freenode] [twitter] [Scour]

Do NOT PM me for help, I prefer you joining the IRC chatroom located here.

0
