UnderGround Forums
 

ITGround >> Website Hack: Who/what is/are RBH-CREW?


6/1/10 11:56 AM
Johnny Ringo

Member Since: 1/1/01
Posts: 3743
 
My website has recently been hacked and I sent an email to my website management company but I really want to know what this group is and what this means for my website and myself?

Does anyone have any information on this? I did a Google search and admittedly I am in over my head on this one.

Any help would be greatly appreciated!

Thank you

webpage: http://www.nextgenerationmma.com
hacked page: http://www.nextgenerationmma.com/ssp/gym_information

The hacked page had information on it but it is all gone now and just black, at least blank in appearance.

Thanks again

Zack Brennan
6/1/10 1:19 PM
gsx_r

Member Since: 9/17/09
Posts: 422
Means you'll need to figure out what hole was used to deface your site and FIX IT. If you're running a CMS or some other sort of pre-made website software you'll need to upgrade it.

You'll also need to reinstall your OS and apps.

RBH crew are a group of people that probably wrote the script/bot that hacked your site. Other work they've done: http://www.zone-h.org/archive/notifier=RBH-Crew

It wasn't personal, just some bored kids doing what they do.
6/1/10 5:06 PM
Johnny Ringo

Member Since: 1/1/01
Posts: 3744
But other than the one page being deleted the rest of the site looks and is functioning fine. Is there something hidden I should be looking for? Like could my site be sending out viruses or other malicious programs or something?

And it was a custom made website. And when you say I may need to reinstall my OS and APPS are you talking about my computer or the site?

Sorry for my lack of knowledge :-/
6/2/10 9:30 AM
gsx_r

Member Since: 9/17/09
Posts: 425
It may look like everything is fine, but you don't know what is hidden. And without reinstalling you can't be sure. It may be sending out a virus now, or could be backdoored so whoever hacked it can come along in the future and do whatever.

Reinstall the site and server from known good media, no need to worry about your pc.

If you know the day you got hacked you should be able to look through your access.log and error.log. Look for unusual requests that contain things like "%20%20%20%20" or "\x72\x28". That should tell you what script on your site is vuln.

Not sure you have your logging configured (you're running IIS 6 I see). If they're in W3C format it's easier to deal with.
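
The log review described in the post above, as an added example that is not part of the original thread: it reads an IIS log in W3C extended format, flags requests whose URL contains runs of "%20" or "\xNN" escapes, and groups them by script so the targeted one stands out. The function name, field layout, script names, addresses and sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# The two indicators named in the post: runs of encoded spaces and \xNN escapes.
SUSPICIOUS = {
    "encoded-space run": re.compile(r"(?:%20){4,}"),
    "hex byte escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){2,}"),
}

def scan_w3c_log(lines):
    """Group flagged requests by script: {cs-uri-stem: [(date, time, c-ip, reason)]}."""
    fields, hits = [], defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # W3C logs declare their column order; it can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "-")
        target = stem + "?" + rec.get("cs-uri-query", "-")
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(target):
                hits[stem].append((rec.get("date"), rec.get("time"), rec.get("c-ip"), reason))
    return dict(hits)

# Constructed sample entries (hypothetical scripts, documentation-range addresses).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-30 10:01:12 192.0.2.10 GET /index.asp - 200
2010-05-30 10:02:40 198.51.100.7 GET /page.asp id=1%20%20%20%20%20x 500
2010-05-30 10:02:44 198.51.100.7 POST /upload.asp name=\x72\x28 200
2010-05-30 10:05:00 192.0.2.10 GET /about.asp tab=2 200
""".splitlines()

if __name__ == "__main__":
    for script, entries in scan_w3c_log(SAMPLE_LOG).items():
        print(script, entries)
```
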
6/2/10 2:00 PM
Johnny Ringo

Member Since: 1/1/01
Posts: 3752
Thank you so much, I really appreciate your help! Hopefully all is well and I will be able to recover and reinstall with no problems :-)
6/2/10 4:22 PM
bartos

Member Since: 1/1/01
Posts: 5821
Do you have a screen shot of the hack? I find it funny that it is some page buried in the submenus, rather than the front page or something more visible.

Did the hacker leave a message for anyone specific?

Also, who are you hosted with, godaddy? Do you just have a basic hosting account?
6/3/10 4:54 AM
Johnny Ringo

Member Since: 1/1/01
Posts: 3753
I was originally hosted with Go Daddy but then I transferred everything over to my current design and management company called Athlete Web Services. Past that I'm not sure who has what on where etc etc.

Here are three screen shots that may answer some or all of your questions.

FRONT PAGE: Notice Dynamic Menu drop down under ABOUT Tab- Second Tab from left side


ABOUT US: Title used to be "GYM INFORMATION"


ADMIN PAGE:

6/3/10 2:36 PM
gsx_r

Member Since: 9/17/09
Posts: 436
Call your hosting company. They have access to the logs and can help you out with what happened.
