www.webdeveloper.com

Thread: Serious hacker problem.

  1. #1
    Join Date
    Feb 2005
    Location
    Florida
    Posts
    219

    Serious hacker problem.

    I posted this message in the Joomla forums, but perhaps I can get more help here.

    A page of mine got hacked a year ago.

    In the last few months, I have noticed that around 6 AM Eastern time, the message "Hacked by Sarbot" shows up, and that's all I see on the page.

    Here is the thing: the page is fine after 8 AM Eastern time. This problem appears from time to time. So the page seems hacked for at least two hours, and during that time, the domain's IP changes to another IP, probably the hacker's. We have blocked that IP using a Joomla module and the problem continues. We have completely re-installed Joomla. We thought the problem was in the cache, but there's nothing there. It seems to be running on a timer, but the thing is we changed our provider as well.

    The hacker is Sarbot511, and he goes after Joomla pages from time to time. He did this to us like a year ago.

    A theory of mine is that GoDaddy is the problem somehow, since we registered the domain with them, but how can a domain change IPs from time to time? Can Joomla be re-directing it on a cron?

  2. #2
    Join Date
    Mar 2010
    Posts
    672
    Can you provide a link to the page and, even better, also post the source? I'm also curious what leads you to believe the IP is changing. And how did you figure this out (usually 2 hours isn't enough time to see DNS changes for a site)?
    If the IP of the server is actually changing, then it is more than likely the DNS server for the domain that's the issue (as even if the server itself was hacked, its IP seen from the client side can't be changed without updating the DNS records).

  3. #3
    Join Date
    Feb 2005
    Location
    Florida
    Posts
    219
    I typed this in my Linux shell:

    nslookup mydvdtrader.com

    And when the site is hacked, another domain shows up. When the site returns to normal, the IP is different.

  4. #4
    Join Date
    Mar 2010
    Posts
    672
    If it's changing back and forth that fast, I'd guess it may be a DNS cache poisoning attack. When it happens and you see the IP changed on your machine with nslookup, then try doing it here:
    http://centralops.net/co/

    And see if you get the same results. Assuming it's not a DNS server high up in the chain, if it's a DNS cache attack then you should see a different result from centralops. If you get a different result from the two, then you should use nslookup to further drill down and identify which DNS server is providing the poisoned cache.
    The good news is that if it is a DNS cache attack, then it is more than likely a local issue and not a global one. Actually, if you're in an organization (at work) while this happens, it could be as simple as your main local DNS server (most mid to large companies have a local one) being attacked.

  5. #5
    Join Date
    Dec 2010
    Posts
    1
    Hello, my name is Mike and I'm the owner of this site, working with rpcarnell to solve this. I recently looked up the nslookup and the site is reflecting another server. Our site is being served on justhost and not infrenion, so what do you think it may be? Here is the info I retrieved. As far as I know, justhost and infrenion are not associated. Could it be a GoDaddy issue, where our domain comes from?

    mydvdtrader.com IN SOA
    server: ns18.infrenion.com
    email:
    serial: 2010031600
    refresh: 86400
    retry: 7200
    expire: 3600000
    minimum ttl: 86400
    Edit by admin: no contact info permitted on the forum, thank you
