

How did he hack it? PayPal phishing site




Posted by pueblosnet, 10-06-2010, 05:12 AM
Hello! Today another website has been hacked, but this time without any CMS, form, permission problems or insecure password, so how did they do it? The website was at this URL: http://paypal.com.secure.login.cmd.p....com/index.php So I think they gained access to the cPanel account to create subdomains. Any idea about where to start from?

Posted by sysadm2, 10-06-2010, 06:44 AM
Could you give a bit more explanation regarding the issue? Is it that your cPanel account got hacked and a new subdomain was created?

Posted by pueblosnet, 10-06-2010, 06:53 AM
Thanks for your reply. They first added a subdomain named paypal > customerdomain.com, then added another subdomain to the paypal one, so paypal > .com.secure.login.cmd.path1.login.cmd.path2.login.cmd.path1.cmd.path2.login.cmd.path1.cmd.path5.login.cmd.path3.customerdomain.com It's as if they have complete access to cPanel/FTP/etc., not just a defacement.

Posted by sysadm2, 10-06-2010, 07:03 AM
Oh, OK. They must be doing this after hacking the server password, I mean without accessing the cPanel. Also, I have seen issues in which the hacker has access to our personal system, probably the machine from which you are accessing and storing the passwords and other details. So, for now, remove the subdomains and other stuff which has been added. Also make sure that there aren't any unusual files; do a complete check on the server. Then also change the passwords associated with your personal machine.

Posted by pueblosnet, 10-06-2010, 07:23 AM
Yes, I was thinking about a trojan perhaps, but the customer connects using a Mac, so that would be difficult too. I'm asking the customer now if anyone else has access to the FTP or if he connects using any Windows system.

Posted by jphilipson, 10-06-2010, 09:24 AM
Yeah, sounds like they had the account password. Most likely a trojan on the client's system or a password sniffer; or just a really weak password.

Posted by YoVPS, 10-06-2010, 10:18 AM
Yeah, maybe a really weak password; you should change it.

Posted by pueblosnet, 10-07-2010, 01:15 AM
The password was Rfffk2LRzDbp, secure enough. The customer always connects from his Mac, so no virus is possible then.

Posted by Techbrace, 10-07-2010, 08:32 AM
There are many possibilities for how an account got compromised. For one, your customer might be using the same password for any applications/DB users on their website. It needs a thorough investigation. Contact your DC or server management team.

Posted by xeonfan, 10-07-2010, 05:18 PM
That's only a 61-bit password; I checked it using KeePass. Also, having no special characters makes it look weak. Why not ac+5u1m<]t+{FSu36[(4!?^8.9./x1}iKoz">DgC,IU+a(.-}Sd instead? When you are saving it in a file or a piece of software, it will not hurt to save a few extra characters. Most customers whose password is compromised will always say they don't have any virus on their machine and that their password was very secure.
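
The thread describes brand-named subdomains stacked in front of the customer's own domain, and the advice to review what was added to the account. The following is an added example, not part of the original thread, of one way to flag such names in a list of an account's hostnames. The brand list, lure-label list, depth threshold and sample hostnames are assumptions constructed for illustration.

```python
# Added example: flag lookalike subdomains on a hosting account.
# Assumptions (not from the thread): the brand list, the lure-label list and
# the depth threshold below are illustrative and should be tuned per server.
WATCHED_BRANDS = ("paypal.com", "ebay.com")
LURE_LABELS = {"secure", "login", "cmd", "signin", "account", "update"}
MAX_NORMAL_DEPTH = 3  # labels in front of the customer domain


def inspect_hostname(hostname, customer_domain):
    """Return the reasons a hostname under customer_domain looks like a lure."""
    host = hostname.lower().rstrip(".")
    base = customer_domain.lower().rstrip(".")
    if not host.endswith("." + base):
        return []  # the bare domain or a name outside this account
    prefix = host[: -(len(base) + 1)]
    labels = prefix.split(".")
    reasons = []
    for brand in WATCHED_BRANDS:
        if prefix == brand or prefix.startswith(brand + "."):
            reasons.append("leading labels spell " + brand)
        elif labels[0] == brand.split(".")[0]:
            reasons.append("leftmost label is brand name " + labels[0])
    lures = sorted(set(labels) & LURE_LABELS)
    if lures:
        reasons.append("lure labels: " + ", ".join(lures))
    if len(labels) > MAX_NORMAL_DEPTH:
        reasons.append(str(len(labels)) + " labels deep")
    return reasons


def audit(hostnames, customer_domain):
    """Map each suspicious hostname to the reasons it was flagged."""
    hits = ((h, inspect_hostname(h, customer_domain)) for h in hostnames)
    return {h: why for h, why in hits if why}


# Constructed sample: names as they might be listed for one account.
SAMPLE = [
    "customerdomain.com",
    "www.customerdomain.com",
    "mail.customerdomain.com",
    "paypal.customerdomain.com",
    "paypal.com.secure.login.cmd.path1.customerdomain.com",
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE, "customerdomain.com").items():
        print(name, "->", "; ".join(why))
```

Run against the subdomain or virtual-host list of each account, this surfaces both the first-stage `paypal` subdomain and the deeper name built on top of it, while ordinary names such as `www` and `mail` pass.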


