[ubuntu-uk] Website Hacked.....

Lucy lucybridges at gmail.com
Sat Jun 27 19:32:01 BST 2009


2009/6/27 Harry Rickards <hrickards at l33tmyst.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lucy wrote:
> <snip>
>> What I did:
>>
>> $ ping furrycritters.co.uk
>>
>> This revealed both the IP address and the reverse lookup, in this case
>> victorious.eukhost.com (213.175.194.16).
>>
>> This was confirmed by doing:
>>
>> $ dig -x 213.175.194.16
>>
>> I also confirmed that it was running FTP, rather than SFTP, by
>> telnetting to port 21. Finally, going to the furrycritters.co.uk domain
>> in a web browser shows that hosting has been set up, but that no index
>> page has been uploaded. It also shows that the server is running
>> Apache and cPanel.
>>
>> I don't know how to look up what other domains are using that IP
>> address though. Anyone else?
>>
>
> http://www.ip-adress.com/reverse_ip/213.175.194.16
>
> 412 sites on one IP. I just hope they've got load balancing.
>
[snipped list]

Thanks for that! Most of those sites appear to be working okay, and as
they are all going to be low traffic I'd guess that one decent server
could just about cope.

But I've just gone to furrycritters.co.uk in a browser (was telnetting
to port 80 before, which gives a different response for some reason)
and it appears that it's been hacked by a group called CiH_H@CkErZ.

A quick Google gave this website:
http://www.zone-h.org/archive/defacer=CiH_H@CkErZ

Which lists a number of sites that have been reported as having been
hacked by this group. Importantly, it lists a mass defacement of sites
on the same IP address: 213.175.194.16. So, I'd guess that one of
those 412 sites had a vulnerability, or that someone sniffed the FTP
connections (or someone had a weak password or ...), and managed to
infect a number of/all sites.


