Post by theone » Mon Mar 13, 2017 7:05 pm

Hello,
Today I found my site has been hacked by DeadlyCrew.İNFO/Deadly-Warrior.
Just the front end has been hacked, I guess. So what should I do now? Should I just restore my backup, or is there any way to find out where the weak point is?

My site: www.unlocksolution.com

Waiting for your advice.

Thank you


Posts

Joined
Sat Oct 30, 2010 9:09 am

Post by theone » Mon Mar 13, 2017 7:20 pm

I'm hosting with a2hosting.com on their shared hosting. I already asked them about this hack and am waiting for their reply.



Post by theone » Mon Mar 13, 2017 8:59 pm

From a2hosting I got this reply:
"Hello,
Thank you for contacting A2 Hosting!

It was not due to the server. There are any number of ways a site can be hacked. A2 hosting cannot provide forensic details on every site that is hacked unfortunately. We can provide you with methods to clean the hack however. "



Post by theone » Mon Mar 13, 2017 10:04 pm

I think it was done through the Google Analytics module. I found this code in the Google Analytics module:

Code:

<html>
<head>
<link rel=”icon” type=”image/png” href=”http://img.webme.com/pic/i/iconvar/turk-b-2.png” />
<title>DeadlyCrew.İNFO/Deadly-Warrior</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<body bgcolor="black">
<center><img src="http://i.hizliresim.com/W09o88.png" width="700" height="400" alt="Hacked!" /></center>
<h2><center><font face="arial" size="5" color="white">Biz Ancak<font color="red"> rükuda eğiliriz</font></center></h2>
<br>
<center><font face="arial" size="3" color="white">DeadlyCrew dont forget 18 March!<br>We dont forget anyone!<br> We are Turk!
<br>We are celebrating 18th March Canakkale Victory
<br>Canakkale is impassable<font color="red"></font></center><br><center><font face="arial" size="3" color="white">DeadlyCrew.İNFO | <font face="arial" size="3" color="RED">  DELİLER TİM</FONT></center>
<embed src="https://www.youtube.com/v/eltPkGySVYQ&autoplay=1" type="application/x-shockwave-flash" height="0" width="0"></embed>
</body>
</html>



Post by ADD Creative » Fri Mar 17, 2017 10:56 pm

I would check your server logs for access to anything under /admin/. Look for IP addresses that aren't yours.

Also check your FTP logs.

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters



Posts

Joined
Sat Jan 14, 2012 1:02 am

Post by theone » Mon Mar 20, 2017 9:53 pm

Well, if I search "DeadlyCrew dont forget 18 March" on Google, I can see many other websites powered by OpenCart were hacked, including mine. And I already confirmed with my hosting, which is a2hosting; they confirmed it was not due to shared hosting.

However, I have disabled the Google Analytics module for now, just to be on the safe side.



Post by ADD Creative » Tue Mar 21, 2017 11:23 pm

I can't see that disabling the Google Analytics extension will prevent further attacks. If they could modify its contents then they can re-enable it.

If you want to check for any weak points, look for access to admin/index.php?route=extension/analytics/google_analytics (or any other suspicious activity) in your server logs. Look at the IP address and then see what the first entry point from that IP address was.

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters


