This happened this morning, I believe. I saw a post about it early when I logged on today.
Here's the question: Is the site self-hosted or is it hosted by another company? I have two sites that are hosted by a hosting company. I called them today and asked what they could do if my site was hacked like this one was. The Tech Support guy told me that I could call them on the phone and they'd confirm who I was, based on the information they have there. They'd then put a placeholder page on the site, after removing the data. I could then re-upload my site at my convenience, once they changed the passwords for me.
If it were on my own server, it would have been even easier. The hacked site would no longer be visible, because I'd just unplug the connection to the net until I had the site restored.
I guess I don't get why this hacked version is still up and available. Anyone have any idea?
Nope. As a webmaster of several sites and general web-geek, I can't fathom why they couldn't at least replace it with a stupid little "Website Temporarily Down" page or something.
I guess they have a very unresponsive hosting company, or nobody on staff who really understands the most basic workings of internet technologies.
MensNewsDaily.com is virtually hosted on a multi-host system run by hostway.com.
sasumata$ nslookup www.mensnewsdaily.com
Server:  localhost
Address: 127.0.0.1

Name:    www.mensnewsdaily.com
Address: 64.41.127.150

sasumata$ whois -h whois.arin.net 64.41.127.150
OrgName:    Hostway Corporation
OrgID:      HSWY
Address:    1 N. State St.
City:       Chicago
StateProv:  IL
PostalCode: 60602
Country:    US

NetRange:   64.41.64.0 - 64.41.127.255
CIDR:       64.41.64.0/18
NetName:    HOSTWAY-05
NetHandle:  NET-64-41-64-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.SITEPROTECT.COM
NameServer: NS2.SITEPROTECT.COM
Comment:
RegDate:    2001-02-15
Updated:    2001-05-14

TechHandle: AN94-ARIN
TechName:   Administrator Network
TechPhone:  +1-312-994-7690
TechEmail:  noc@hostway.com

OrgTechHandle: AN94-ARIN
OrgTechName:   Administrator Network
OrgTechPhone:  +1-312-994-7690
OrgTechEmail:  noc@hostway.com
my guess?
they used FrontPage extensions to hack and overflow the memory buffer, and used the open privileges to change the ownership, password and access parameters to RWX --- ---.
the server people cannot even READ the raw files.
and since they are on a virtual host, there is no way to do anything but kill the server AFTER they transfer all of the other sites to another one.
and that takes time especially if they are running 'enterprise' systems for businesses on the same server... the security pipelines will all have to be rewritten, and the real danger is that root has been sacrificed on the altar of multiple virtual hosting... and that they may not even be able to run a backup tape on the machine before pulling the plug.
and the hackers may be using that to compromise the other sites on that server.
just my guess, and probably WRONG.
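The nslookup/whois lookup posted earlier in the thread was done by hand. As an added example (not code from anyone in the thread), the script below does the same attribution step offline: it parses an ARIN-style "Key: value" whois record, collapses repeated keys such as NameServer into lists, and checks that the A record returned by nslookup (64.41.127.150) actually falls inside the CIDR block the record claims, cross-checking CIDR against NetRange. The record text is the one quoted in the post, embedded here as constructed sample input; the function names and the consistency check are my own, not anything the thread describes.

```python
import ipaddress
import re

# Constructed sample input: the ARIN record quoted in the thread for
# 64.41.127.150, embedded here so the script runs without network access.
SAMPLE_WHOIS = """\
OrgName:    Hostway Corporation
OrgID:      HSWY
Address:    1 N. State St.
City:       Chicago
StateProv:  IL
PostalCode: 60602
Country:    US

NetRange:   64.41.64.0 - 64.41.127.255
CIDR:       64.41.64.0/18
NetName:    HOSTWAY-05
NetHandle:  NET-64-41-64-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.SITEPROTECT.COM
NameServer: NS2.SITEPROTECT.COM
Comment:
RegDate:    2001-02-15
Updated:    2001-05-14
TechHandle: AN94-ARIN
TechEmail:  noc@hostway.com
"""

# One "Key: value" field per line; value may be empty (e.g. "Comment:").
FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_whois(text):
    """Parse whois output into a dict. Keys that repeat (NameServer, CIDR)
    become lists so no value is silently overwritten."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines, banners, legal boilerplate
        key, value = m.group(1), m.group(2).strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def allocation_for(ip, record):
    """Return (OrgName, matching CIDR, range_consistent) when ip lies inside
    one of the record's CIDR blocks, else None.

    range_consistent is True when that CIDR sits entirely within the
    record's NetRange; a mismatch means the record is malformed or the
    query hit a different object than expected."""
    addr = ipaddress.ip_address(ip)
    cidrs = record.get("CIDR", [])
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    lo_s, hi_s = [p.strip() for p in record["NetRange"].split("-")]
    lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    for c in cidrs:
        net = ipaddress.ip_network(c.strip(), strict=False)
        if addr in net:
            consistent = net[0] >= lo and net[-1] <= hi
            return record.get("OrgName"), str(net), consistent
    return None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(allocation_for("64.41.127.150", rec))
    print(allocation_for("64.41.128.1", rec))
```

Run it against real output by piping `whois -h whois.arin.net <ip>` into `parse_whois`; the same parser works for the other RIRs' "Key: value" format, although their field names (inetnum, route) differ from ARIN's NetRange/CIDR.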