Serious hacker problem.
I posted this message in the Joomla forums, but perhaps I can get more help here.
A page of mine got hacked a year ago.
In the last few months, I have noticed that around 6 AM Eastern time, the message "Hacked by Sarbot" shows up, and that's all I see on the page.
Here is the thing: the page is fine after 8 AM Eastern time. This problem appears from time to time, so the page seems hacked for at least two hours, and during that time the domain's IP changes to another IP, probably the hacker's. We have blocked that IP using a Joomla module, and the problem continues. We have completely re-installed Joomla. We thought the problem was in the cache, but there's nothing there. It seems to be running on a timer, but the thing is, we changed our provider as well.
The hacker is Sarbot511, and he goes after Joomla pages from time to time. He did this to us about a year ago.
A theory of mine is that GoDaddy is the problem somehow, since we registered the domain with them, but how can a domain change IPs from time to time? Can Joomla be redirecting it on a cron?
Can you provide a link to the page and, even better, also post the source? I'm also curious about what leads you to believe the IP is changing, and how you figured this out (usually two hours isn't enough time to see DNS changes for a site).
If the IP of the server is actually changing, then it is more than likely the DNS server for the domain that's the issue (even if the server itself were hacked, its IP as seen from the client side can't be changed without updating the DNS records).
I typed this in my Linux shell:
And when the site is hacked, another domain shows up. When the site returns to normal, the IP is different.
If it's changing back and forth that fast, I'd guess it may be a DNS cache poisoning attack. When it happens and you see the IP changed on your machine with nslookup, then try doing it here:
And see if you get the same results. Assuming it's not a DNS server high up in the chain, if it's a DNS cache attack then you should see a different result from centralops. If you get a different result from the two, then you should use nslookup to further drill down and identify which DNS server is providing the poisoned cache.
The good news is that if it is a DNS cache attack, then it is more than likely a local issue and not a global one. Actually, if you're in an organization (at work) while this happens, it could be as simple as your main local DNS server (most mid to large companies have a local one) being attacked.
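The comparison described in the reply above (ask your local resolver, an outside resolver and the domain's own authoritative servers, then see who disagrees) as an added example; this is not code from the thread or from any of the participants. It assumes `dig` is installed for live use; the resolver addresses, `example.com`, and the `ns1.example.net` name are placeholders, and the sample `dig +short` output is constructed so the parsing and comparison can be checked offline.

```python
"""Spot a resolver that answers differently from the authoritative servers.

Added example, not from the thread. The pure functions (parse_dig_short,
parse_soa_serial, find_disagreeing) run offline on constructed output; the
query() helper shells out to `dig` when you want a live check.
"""
import subprocess
from typing import Dict, List, Set


def parse_dig_short(output: str) -> Set[str]:
    """Turn `dig +short NAME A` output into the set of addresses returned.

    dig prints one answer per line; intermediate CNAME targets end with a
    dot and are skipped so only the final IPs get compared.
    """
    ips = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.endswith("."):
            ips.add(line)
    return ips


def parse_soa_serial(output: str) -> int:
    """Extract the serial from `dig +short NAME SOA` output.

    The +short SOA form is: mname rname serial refresh retry expire minimum.
    Two authoritative servers for one zone should agree on the serial.
    """
    fields = output.split()
    if len(fields) < 3:
        raise ValueError("not a +short SOA answer: %r" % output)
    return int(fields[2])


def query(name: str, resolver: str, rtype: str = "A", timeout: int = 5) -> str:
    """Live network call: ask one resolver for `name` via dig and return raw output."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           "@" + resolver, name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def find_disagreeing(answers: Dict[str, Set[str]], reference: Set[str]) -> List[str]:
    """Return the resolvers whose answer set differs from `reference`.

    `reference` is what the zone's own authoritative servers hand back.
    A resolver returning anything else is serving a stale or poisoned
    cache, or is not the resolver you thought you were talking to.
    """
    return sorted(r for r, ips in answers.items() if ips != reference)


# Constructed sample output (not captured from any real resolver): the
# office resolver hands back a different address from the two public ones.
SAMPLE_OUTPUT = {
    "192.0.2.53": "198.51.100.77\n",   # hypothetical local/office resolver
    "8.8.8.8": "203.0.113.10\n",
    "1.1.1.1": "203.0.113.10\n",
}
SAMPLE_AUTHORITATIVE = "203.0.113.10\n"   # what ns1.example.net would say


def sample_report() -> List[str]:
    """Run the comparison on the constructed sample; returns ['192.0.2.53']."""
    answers = {r: parse_dig_short(out) for r, out in SAMPLE_OUTPUT.items()}
    return find_disagreeing(answers, parse_dig_short(SAMPLE_AUTHORITATIVE))


if __name__ == "__main__":
    # Live use: compare the resolvers your clients use against the zone's
    # authoritative server (names/addresses here are placeholders).
    name = "example.com"
    resolvers = ["192.0.2.53", "8.8.8.8", "1.1.1.1"]
    reference = parse_dig_short(query(name, "ns1.example.net"))
    answers = {r: parse_dig_short(query(name, r)) for r in resolvers}
    for r in find_disagreeing(answers, reference):
        print("resolver %s disagrees: %s (authoritative: %s)"
              % (r, sorted(answers[r]), sorted(reference)))
```

Run it when the page is in its "hacked" window, not afterwards: a resolver that disagrees only with its cached record will look clean once that record expires. If the authoritative servers themselves disagree with each other on the A record or on the SOA serial, the problem is at the registrar or DNS host rather than a poisoned cache downstream.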
Hello, my name is Mike and I'm the owner of this site, working with rpcarnell to solve this. I recently did the nslookup and the site is reflecting another server. Our site is being served on JustHost and not Infrenion, so what do you think it may be? Here is the info I retrieved. As far as I know, JustHost and Infrenion are not associated. Could it be a GoDaddy issue, where our domain comes from?
mydvdtrader.com IN SOA
server: ns18.infrenion.com
email:
serial: 2010031600
minimum ttl: 86400
Edit by admin: no contact info permitted on the forum, thank you