ilbuconero
Guppy
My sites have been hacked. It looks like the hacker replaced all the index and default pages with his own. I've noticed that a few JodoHost customers have experienced the same type of security breach. Though I can't say for sure how it happened, I have some information that might be helpful.
One of the sites that I have hosted was just recently created before the attack. I didn't have time to add any of my own files to the site, so there was nothing in the site folders except the initial set-up files from JodoHost. I did enable the web statistics on the site and after I noticed the hacking, I checked the stat logs. Even though I didn't have anything on the site, I noticed that it was visited many times in a short period on one day. I also noticed that some of the pages that were visited were not the typical pages you would expect to see. For instance - /cp/scripts/Perl/scripts.html and /cp/scripts/PHP. Essentially, someone had been fishing through the Jodo-provided scripts pages. I did a little checking on Google and found that some of the scripts that Jodo provides have known exploits.
As I said, I can't say for sure how the hacker got in, but the scripts folder might be a possibility. Since I don't use any of the provided scripts, I plan on removing them from my sites.
I also plan on removing any of the Jodo-provided index.html/login.html files. This is another possibility for hackers which would provide access to the control panel.
One final note - I have one MS Access database on one of my sites. The database is used to store user input and is not used as a security device, so there is no username/password control.
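The log review described in the post above, as an added example that is not part of the original post or any JodoHost tooling: it scans access-log lines for a burst of requests from one client under /cp/scripts/. The Common Log Format layout, the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path prefix of the host-provided scripts named in the post (lowercase for matching).
WATCHED_PREFIX = "/cp/scripts/"
# Assumed thresholds: 3 or more hits from one client within 10 minutes.
MIN_HITS = 3
WINDOW = timedelta(minutes=10)

# Assumed Common Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})'
)

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:04:10:01 +0000] "GET /cp/scripts/Perl/scripts.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2005:04:10:09 +0000] "GET /cp/scripts/PHP HTTP/1.1" 301 240
203.0.113.7 - - [12/Mar/2005:04:11:30 +0000] "GET /cp/scripts/PHP/ HTTP/1.1" 200 2210
198.51.100.20 - - [12/Mar/2005:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 900
198.51.100.20 - - [12/Mar/2005:18:30:00 +0000] "GET /cp/scripts/Perl/scripts.html HTTP/1.1" 200 5120
"""

def find_script_probing(log_text):
    """Return {client: [paths]} for clients with a burst of hits under WATCHED_PREFIX."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, path, _status = m.groups()
        # Case-insensitive match, since Windows hosting ignores path case.
        if path.lower().startswith(WATCHED_PREFIX):
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            hits[client].append((when, path))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        # Slide over the sorted hits, looking for MIN_HITS inside WINDOW.
        for i in range(len(events) - MIN_HITS + 1):
            if events[i + MIN_HITS - 1][0] - events[i][0] <= WINDOW:
                flagged[client] = [p for _, p in events]
                break
    return flagged

if __name__ == "__main__":
    for client, paths in find_script_probing(SAMPLE_LOG).items():
        print(client, len(paths), "requests:", ", ".join(paths))
```

A single visit to a watched path, like the second client's in the sample, is not flagged; only the clustered requests are.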