  1. #1

    What happened with KApuT!!

    This morning I browsed to my site to find all requests redirecting to a modified version of my 404 page. The title had been changed to include KApuT!!, suggesting someone was leaving their mark. I checked the files and DB and all seemed to be fine, so it pointed to a hack of either the htaccess file or the system config.

    After speaking with an agent, who resolved the immediate issue, I was told it was a problem with memory allocation on the server, and it was now fixed.

    I'm not so sure.

    Can someone please shed some light on why an out-of-memory exception would result in a hacker-esque message being added to my 404 page? I'm also noticing that some functionality on the site is still not 100% normal; slashes on new posts seem to be getting treated differently. Has someone changed the security or PHP config?

    Irrespective, I think I need a little more info than the agent gave me earlier.

  2. #2

    Hi,

    I apologise that our technician didn't provide you with enough information regarding what appears to be a very serious issue that may have occurred earlier.

    That said, I will forward this thread on to our senior management to ensure a senior technician is delegated to handle this as soon as possible, as I definitely think an explanation at the very least is required to ensure you are fully aware of what exactly happened and to ensure everything is fine from a security perspective.

    Regards,
    Ben.
    Last edited by Ben Stones; 28-01-2012 at 00:43. Reason: Update to let you know I have forwarded this thread to a senior technician

  3. #3

    Quote: Originally posted by jodieorourke
        This morning I browsed to my site to find all requests redirecting to a modified version of my 404 page. The title had been changed to include KApuT!!, suggesting someone was leaving their mark. I checked the files and DB and all seemed to be fine, so it pointed to a hack of either the htaccess file or the system config.

        After speaking with an agent, who resolved the immediate issue, I was told it was a problem with memory allocation on the server, and it was now fixed.

        I'm not so sure.

        Can someone please shed some light on why an out-of-memory exception would result in a hacker-esque message being added to my 404 page? I'm also noticing that some functionality on the site is still not 100% normal; slashes on new posts seem to be getting treated differently. Has someone changed the security or PHP config?

        Irrespective, I think I need a little more info than the agent gave me earlier.

    Hi Jodie, I'm investigating this issue, which primarily appears to be a hacking incident. We'll provide you with the complete details soon.

    Rock _a.k.a._ Jack

  4. #4

    Hi Jodie,

    The error page you were getting on your website between "01-27 08:00" and "01-27 09:00" was due to the maximum RAM limit being exceeded by your website.

    I have attached a snapshot to this thread which shows the sudden spike in the stats. Your website was showing the 500.shtml error page, which was in your public_html directory, and this page was last modified on 6th Jan 2012.

  5. #5

    It looks as though CPU and MEM spiked over the same period, so are you suggesting this is a DoS?

    Can you help me understand where the KApuT!! string that appeared in the title of this error page came from?

    Many thanks,

  6. #6

    Further, I need some help understanding the PHP config settings you've changed on this account as a result of Friday's changes. Quote marks are being escaped, even though I'm handling this myself... the result is they're being double-escaped. I may have to go in now and write code to undo this... even though that's bad practice on my part. Before I do this, I'd like to know what was changed and the extent of the change.

    Thanks.

  7. #7

    Site's down again...

  8. #8
    Dear Jodie,

    There was a sudden spike in traffic on your website and, looking at the requests received on that particular day, I don't think it is a DDoS.

    A memory limit of 1.5GB is assigned to your account and, as your website is hitting this limit, it's resulting in an "Internal Server Error".
    You can verify it from your cPanel --> Resource Usage section.

    The custom error document page, i.e. 500.shtml, was modified on 6th Jan 2012 and it has now been moved to 500.shtml1, in which you will find the reference to the word "KApuT", which is added in the title section of the page.
    Unfortunately, we do not have FTP logs for 6th Jan. The oldest logs available with us are from the last 7 days.

  9. #9
    The last time I had something similar to this happen to me (a few years ago) was an SQL injection attack - they redirected all my pages to a new page that had been created on my server gloating about it. My site is actually still listed on a "victory" list for this particular hacker.

    He was called "Turk123" or something. I'll have to dig out the original page to confirm....

    Have you got a recent backup that you could restore, Jodie? Or have things changed since your last backup? If you have a recent backup it may be easier to restore that than search for a needle in a haystack if they've just changed things here and there.
    David Smith

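The comparison against a backup raised in the last post, and the search for where the "KApuT" string sits, can be done mechanically. The following is an added example, not part of the original thread and not eUKhost tooling: it hashes a live web root and a backup copy, reports files added, changed or removed, and lists live files containing a marker string. The directory layout, file contents and function names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(live_root, backup_root, marker=b"KApuT"):
    """Diff the live tree against the backup and flag files holding the marker."""
    live, backup = manifest(live_root), manifest(backup_root)
    report = {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "changed": sorted(f for f in live.keys() & backup.keys()
                          if live[f] != backup[f]),
    }
    report["marker"] = sorted(
        f for f in live if marker in (Path(live_root) / f).read_bytes()
    )
    return report


def build_demo(base):
    """Constructed sample trees: a clean backup and a live copy with two changes."""
    base = Path(base)
    files = {"index.php": "<?php echo 'home';",
             "500.shtml": "<title>Error</title>",
             ".htaccess": "ErrorDocument 500 /500.shtml\n"}
    for tree in ("backup", "live"):
        for name, body in files.items():
            path = base / tree / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Simulated tampering: an edited error page and an unexpected new file.
    (base / "live" / "500.shtml").write_text("<title>KApuT!! Error</title>")
    (base / "live" / "img").mkdir()
    (base / "live" / "img" / "x.php").write_text("<?php /* unexpected file */")
    return base / "live", base / "backup"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, names in compare(*build_demo(tmp)).items():
            print(f"{kind}: {names}")
```

Content hashes are used rather than modification times because timestamps can be reset by whoever altered the file; dotfiles such as .htaccess are included in the walk.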