[liberationtech] Help- Website hacked

Sky (Jim Schuyler) sky at cyberspark.net
Tue Jul 19 15:38:05 PDT 2011


Clearly you are watching the site carefully, but if you would like us to scan it in real time and alert you about problems, we can do so. I just need your permission and need to know where to send alerts. See http://cyberspark.net/ for more information about this. We only do this for people exercising free speech and promoting human rights.

Until you are back up and running the alerts won't tell you much.

A couple of very important things - you should try to figure out something about the hack and be in a position to prevent attacks or slow down attackers in the future. Shared hosting can sometimes be a factor in these attacks and your ISP may be able to track that for you. You should try to recover your logs before you restore everything! Meaning not only web logs but syslog and any other underlying system logs, if they are available. Web logs will help you (or someone else) analyze what might have happened if it was a web-based attack (such as a SQL-injection). You should also save everything that is left on the server before you restore things, because you may find remote shells and other clues that would tell you something about the attack vector.

[Sky]
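
The evidence-first steps described above (save the logs and whatever is left on the server before restoring, then review web logs and leftover files), as an added shell example that is not part of the original message. Function names, paths and the grep patterns are assumptions, the demo data is constructed, and `sha256sum` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, names and patterns are assumptions.

# preserve_evidence DEST SRC...: archive each source (tar keeps mtimes and
# modes) and write a SHA-256 manifest so later changes to the copies show.
preserve_evidence() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for src in "$@"; do
        if [ ! -e "$src" ]; then
            echo "missing, skipped: $src" >&2
            continue
        fi
        name=$(printf '%s' "$src" | tr '/' '_')
        tar -czf "$dest/$name.tgz" "$src" 2>/dev/null ||
            echo "tar reported a problem with: $src" >&2
    done
    ( cd "$dest" && sha256sum ./*.tgz > MANIFEST.sha256 )
}

# verify_evidence DEST: succeed only if every archive still matches.
verify_evidence() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# recent_files WEBROOT DAYS: files modified in the last DAYS days, a first
# place to look for dropped remote shells.
recent_files() {
    find "$1" -type f -mtime -"$2" -print
}

# count_sqli_hits LOG: request lines with common SQL-injection markers
# (a heuristic, not proof of compromise).
count_sqli_hits() {
    grep -Eic "union([ +]|%20)+select|information_schema|(%27|')([ +]|%20)*or([ +]|%20)" "$1" || true
}

# Constructed demo data: a tiny webroot and access log in a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/www" "$demo/log"
echo '<?php /* normal page */' > "$demo/www/index.php"
touch -t 201001010000 "$demo/www/index.php"
echo '<?php /* unexpected file */' > "$demo/www/x.php"
printf '%s\n' \
  '203.0.113.5 - - [19/Jul/2011:10:01:02 -0700] "GET /index.php?id=1 HTTP/1.1" 200 512' \
  '203.0.113.9 - - [19/Jul/2011:10:05:40 -0700] "GET /index.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 734' \
  > "$demo/log/access.log"
preserve_evidence "$demo/evidence" "$demo/www" "$demo/log"
```

Copy the evidence directory off the server before restoring, and point the functions at the real webroot and log paths in place of the demo tree.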

On Jul 19, 2011, at 2:07 PM, Yemen Revolution wrote:

> Great thank you for your help.
> 
> They are working on the suggestions provided and hopefully everything will be back and running soon.
> 
> From: danielo at cs.stanford.edu
> Date: Tue, 19 Jul 2011 16:36:27 -0400
> Subject: Re: [liberationtech] Help- Website hacked
> To: sina at anarchy.cx
> CC: peter.thoenen at yahoo.com; yemenrev at live.com; liberationtech at lists.stanford.edu
> 
> And, if that fails, Google Cache to the rescue as well (gotta just take what you can get)
> 
> http://webcache.googleusercontent.com/search?q=cache:KDq83_lyiEAJ:www.yemen4all.com/+yemen4all&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com
> 
> D
> 
> On Tue, Jul 19, 2011 at 4:30 PM, SiNA <sina at anarchy.cx> wrote:
> 
> ~$ nslookup yemen4all.com
> Server:        8.8.8.8
> Address:    8.8.8.8#53
> 
> Non-authoritative answer:
> Name:    yemen4all.com
> Address: 69.167.136.126
> 
> 
> 
> Seems like it could have been a Joomla site, on shared hosting:
> http://yemen4all.com/administrator/
> 
> ~$ whois 69.167.136.126
> Liquid Web, Inc. LIQUIDWEB-9 (NET-69-167-128-0-1) 69.167.128.0 -
> 69.167.191.255
> 
> http://www.liquidweb.com/ They should still have backups!
> 
> - --
> SiNA
> pgp 0x0B47D56D
> 
> 
> 
> 
> On 07/19/2011 11:23 AM, Peter Thoenen wrote:
> >> The Yemeni Revolution website, www.yemen4all.com was hacked by
> >> unknowns about two hours ago. Is there a way to get the website
> >> back without losing its content?
> >
> > Restore from tape
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> >
> > Should you need to change your subscription options, please go to:
> >
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> >
> > You will need the user name and password you receive from the list moderator in monthly reminders.
> >
> > Should you need immediate assistance, please contact the list moderator.
> >
> > Please don't forget to follow us on http://twitter.com/#!/Liberationtech
