  1. #1
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default Website Hacked

    Hi guys, first post here.....let me start by saying I know nothing about website stuff but today, Friday 13th, I find my website has been hacked. I can't log in to cpanel or email.
    My website is:
    www.takingthepic.com
    I'd really appreciate any help or advice please.
    I did a search for hacked sites in this forum but being honest I don't understand any of the terminology.
    I have emailed and sent support request to Darken host (my provider) but as yet have had no response.
    Please help.
    TIA.
    Ken.

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Default

    Contact me by private message and I will give you a hand with this issue ...

    The DNS server for your domain does resolve but is very poorly configured
    http://www.dnsreport.com/tools/dnsre...kingthepic.com

    If I direct connect to the assigned IP of your shared hosting account,
    http://69.72.144.50/, I get the default Cpanel page which tells me
    the Apache server where your account is located is in fact working.

    The following is the raw connection info for your web site ...
    Code:
    Trying 69.72.144.50...
    Connected to takingthepic.com (69.72.144.50).
    Escape character is '^]'.
    GET http://www.takingthepic.com/
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>302 Found</TITLE>
    </HEAD><BODY>
    <H1>Found</H1>
    The document has moved <A HREF="http://server227.server-center.net/suspended.page/">here</A>.<P>
    <HR>
    <ADDRESS>Apache/1.3.37 Server at www.takingthepic.com Port 80</ADDRESS>
    </BODY></HTML>
    Connection closed by foreign host.
    As you can see, it's attempting to redirect you to some suspended page that doesn't exist
    whenever you connect to your website which explains why your cpanel login doesn't work ...

    YOUR ACCOUNT HAS BEEN SUSPENDED

    The question is whether the suspension was for you or for your provider. If your provider
    is just a reseller, their provider above them may have suspended their entire reseller
    account including all accounts beneath them (including yours).
    Last edited by Spiral; 07-13-2007 at 06:27 AM.

  3. #3
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by KenCo View Post
    Hi guys, first post here.....let me start by saying I know nothing about website stuff but today, Friday 13th, I find my website has been hacked. I can't log in to cpanel or email.
    My website is:
    www.takingthepic.com
    I'd really appreciate any help or advice please.
    I did a search for hacked sites in this forum but being honest I don't understand any of the terminology.
    I have emailed and sent support request to Darken host (my provider) but as yet have had no response.
    Please help.
    TIA.
    Ken.
    The most important thing here is to determine if your account was hacked OR the whole server was hacked. If it's just you then it would likely be an exploitable script like a forum or PHP code, but if it's the whole server then it could be the host had an exploitable kernel or some server task. I would keep trying to reach your host first so they can determine at what level this attack took place.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  4. #4
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Quote Originally Posted by nyjimbo View Post
    The most important thing here is to determine if your account was hacked OR the whole server was hacked. If it's just you then it would likely be an exploitable script like a forum or PHP code, but if it's the whole server then it could be the host had an exploitable kernel or some server task. I would keep trying to reach your host first so they can determine at what level this attack took place.
    Thanks mate.....I still have had no response from support slips or emails as yet. I do know someone else who uses them and his website is working fine. Sorry if that doesn't mean anything, like I say I know nothing.
    Ken.

  5. #5
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Default

    I have done some digging and have confirmed that your host is actually a reseller
    and not a real hosting provider and it would appear that their own reseller
    account has also been suspended as well.

    That said, it also looks like they have multiple reseller accounts with different
    providers and probably split their hosted accounts between those accounts.

    While some of their sites are up, the one located where you are hosted
    is down just the same as your own account which tells me their provider
    at that location has shut them down either for abuse or non-payment.
    Last edited by Spiral; 07-13-2007 at 07:20 AM.

  6. #6
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Quote Originally Posted by Spiral View Post
    I have done some digging and have confirmed that your host is actually a reseller
    and not a real hosting provider and it would appear that their own reseller
    account has also been suspended as well.
    Well that would account for no response from them as yet BUT not for the porn stuff on my site now.

  7. #7
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Default

    Quote Originally Posted by KenCo View Post
    Well that would account for no response from them as yet BUT not for the porn stuff on my site now.
    What do you mean "porn stuff"?

    I have not been able to duplicate any of that and all I get is just
    the attempt to redirect to the non-existent suspended page
    from their upstream provider

    Do you have a full backup of your site?

  8. #8
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by KenCo View Post
    Thanks mate.....I still have had no response from support slips or emails as yet. I do know someone else who uses them and his website is working fine. Sorry if that doesn't mean anything, like I say I know nothing.
    Ken.
    Seems an old thread on webhostingtalk.com got revived and there is some bad press about this host as recently as last week:

    http://www.webhostingtalk.com/showthread.php?t=582651
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  9. #9
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Quote Originally Posted by Spiral View Post
    What do you mean "porn stuff"?

    I have not been able to duplicate any of that and all I get is just
    the attempt to redirect to the non-existent suspended page
    from their upstream provider

    Do you have a full backup of your site?
    I have all the stuff needed to replace my site but can't get into my site....If you force refresh (CTRL and F5) it sometimes takes you to some porn promotion thing.....

  10. #10
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Default

    Quote Originally Posted by KenCo View Post
    I have all the stuff needed to replace my site but can't get into my site....If you force refresh (CTRL and F5) it sometimes takes you to some porn promotion thing.....
    I think that one is actually coming from your own computer
    and is a separate unrelated item ...

    You might want to do a complete spyware / trojan scan.

  11. #11
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Quote Originally Posted by Spiral View Post
    I think that one is actually coming from your own computer
    and is a separate unrelated item ...

    You might want to do a complete spyware / trojan scan.
    I have already taken those steps just in case, using AVG and Trend Micro online scan.....I don't get any reports of infection.

  12. #12
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Another photographer is also using Darken host, www.dreederuk.com/, and his website is still working. Does that make any sense?

  13. #13
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Default

    Quote Originally Posted by KenCo View Post
    Another photographer is also using Darken host, www.dreederuk.com/, and his website is still working. Does that make any sense?
    He's off of a different reseller account.

    It looks like for each reseller account, Darken Host set up
    corresponding DNS server addresses with the same base
    name but a different TLD.

    You are hosted out of their reseller account associated
    with the .ORG domain extension

    Dreederuk.com is hosted out of the reseller account associated
    with the .NET domain extension

    (Traces to 2 different sources)

    I have already taken those steps just in case, using AVG and Trend Micro online scan.....I don't get any reports of infection.
    That is virus scanning. I said trojan and spyware!

    The best scanner for that is "PC Doctor" which catches many that others
    won't come close to detecting but is a commercial product.

    The next best choice is "SpyBot:Search and Destroy" which runs circles
    around all the spyware scanners out there except "PC Doctor" and
    is conveniently a free downloadable program.

  14. #14
    Member koolcards's Avatar
    Join Date
    Oct 2003
    Location
    Tampa, Fl
    Posts
    146

    Default

    https://takingthepic.com:2083/ shows a proper cPanel login page but it won't allow you to login? Any error message or is it attempting to send you to that "server227.server-center.net" suspended page?

    http://server227.server-center.net/suspended.page is there because the dopes never changed or set up the server name "server227.server-center.net" (in the fortressitx.com data center in New Jersey) with proper DNS records. cPanel is attempting to send you to a 'suspended' page for which there's no DNS so you end up at a search engine landing page somewhere, which is where your occasional porn page is probably coming from.


    btw, the correct name of your server is "ns1.darkenhosting.org" but they didn't set that up correctly
    Last edited by koolcards; 07-13-2007 at 08:48 AM. Reason: spelling
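
The triage worked out in posts #2 and #14, as an added example that is not part of the original thread: it pulls the redirect target out of a raw reply (including a body-only reply like the one in post #2), then reports whether it points off-site at a "suspended" page and whether that host resolves. The names `redirect_target`, `triage` and `no_dns` are hypothetical, and the failing resolver models koolcards' statement that the suspended-page host has no DNS.

```python
import re
import socket
from urllib.parse import urlparse

# Body-only reply as shown in post #2 (the request carried no HTTP version,
# so the server answered without a status line or headers).
SAMPLE = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://server227.server-center.net/suspended.page/">here</A>.<P>
</BODY></HTML>
"""

def redirect_target(raw):
    """Redirect URL from a Location header or, failing that, from the
    anchor of an Apache-style 3xx body. None when there is no redirect."""
    m = re.search(r"^Location:\s*(\S+)", raw, re.I | re.M)
    if m:
        return m.group(1)
    if re.search(r"<title>\s*30[1237]\b", raw, re.I):
        m = re.search(r'<a\s+href="([^"]+)"', raw, re.I)
        if m:
            return m.group(1)
    return None

def triage(raw, site_host, resolve=socket.gethostbyname):
    target = redirect_target(raw)
    if target is None:
        return {"verdict": "no redirect: inspect the served content itself"}
    u = urlparse(target)
    host = u.hostname or site_host.lower()   # relative URL stays on-site
    base = site_host.lower()
    base = base[4:] if base.startswith("www.") else base
    off_site = not (host == base or host.endswith("." + base))
    suspended = "suspend" in u.path.lower()
    try:
        resolve(host)
        resolves = True
    except OSError:                          # socket.gaierror subclasses OSError
        resolves = False
    if suspended and off_site:
        verdict = "provider suspension redirect"
        if not resolves:
            verdict += "; target has no DNS, so browsers may land elsewhere"
    elif off_site:
        verdict = "unexpected off-site redirect: investigate"
    else:
        verdict = "on-site redirect"
    return {"target": target, "host": host, "off_site": off_site,
            "suspended_marker": suspended, "target_resolves": resolves,
            "verdict": verdict}

if __name__ == "__main__":
    def no_dns(host):                        # constructed resolver: always fails
        raise socket.gaierror("no such host")
    print(triage(SAMPLE, "www.takingthepic.com", resolve=no_dns))
```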

  15. #15
    Member
    Join Date
    Jul 2006
    Posts
    10

    Default

    Quote Originally Posted by koolcards View Post
    https://takingthepic.com:2083/ shows a proper cPanel login page but it won't allow you to login? Any error message or is it attempting to send you to that "server227.server-center.net" suspended page?

    http://server227.server-center.net/suspended.page is there because the dopes never changed or set up the server name "server227.server-center.net" (in the fortressitx.com data center in New Jersey) with proper DNS records. cPanel is attempting to send you to a 'suspended' page for which there's no DNS so you end up at a search engine landing page somewhere, which is where your occasional porn page is probably coming from.


    btw, the correct name of your server is "ns1.darkenhosting.org" but they didn't set that up correctly
    When I try to log in it just gives me the login pop-up again...which is why I thought it had been hacked and someone had changed the password. I did try clicking the change password and it tells me that the new password has been sent to the email address on file but I don't receive anything.
    I really appreciate your help here guys. Many thanks.

    I'm not all that happy with the service from darken host but they are cheap.....I'm a photographer and just spent a fortune on promoting my website at local events etc. I have also emailed a load of clients with samples of their portrait work and now this happens. Does anyone know of a place equally as cheap to host my site?
    Thanks again.
    Ken.
