# Marksman Pens site Hacked



## Ulises Victoria (Nov 3, 2013)

Hello. Has anyone tried to log into marksmanpens.com lately?

It's been hacked. I'm not sure if the owner of that site lurks here, but if someone can get in touch with them, it would be nice.

What actions can be taken to prevent this, or once it's happened, against this scum?


----------



## healeydays (Nov 3, 2013)

Wow, that's scary.  Folks, if you go there like I did, don't press anything as it could be boobytrapped and could send a virus down to your machine affecting your PC and, if you have a website, possibly that.  I'm not saying it will, but I have seen hackers that are that talented...

Mike B
IT Professional as a day job


----------



## Justturnin (Nov 3, 2013)

well at least they gave a nice warning before destroying it........


----------



## Dan Hintz (Nov 3, 2013)

Script kiddies... low man on the totem pole of the hacking world :-/


----------



## healeydays (Nov 3, 2013)

Agreed, not that exciting a hack, but...

Folks,

If you do have a website, change all access passwords on a regular basis and make sure you don't leave default passwords on the site.  Also, make your passwords something nonstandard.  Did you know there are hacker programs that will run thru your site/email using every word out of the dictionary to figure out what you use?  I always use a misspelled word for that very reason.

I know that I sound a little paranoid, but I have been in Information Technology for a long time.  One company that I was the Director of Information Technology at was a specialist software company that wrote software for computer communication and we'd have hackers trying to break in all the time.  One time we found an outfit using one of our test machines (which shouldn't have been connected to the Internet) that someone was running a porn site on and had collected from what we saw over 1/2 million dollars in fees from "clients".  To them, they used it till they got caught and went somewhere else.


----------



## brownsfn2 (Nov 3, 2013)

It's things like this that make it difficult and expensive to do business on the web.  If the guy was being nice he could have sent an email to the website owner to let him know his site has weak security.  Instead he wanted to show his friends that he could do it.

There are so many more valuable places where this hacker's talents could be used.  They just do not think of that.

Also remember that if you include a non-standard character like an "@" sign or something similar that it greatly increases the length of time for a password cracker.  Also it is best practice not to use a real word found in the dictionary or a phrase.


----------



## edstreet (Nov 3, 2013)

This is not a script kiddie by any stretch.

https://twitter.com/Lckn48 this is the referencing account for the hacker.

Shows hack was done 11 hours ago.


https://twitter.com/Lckn48/status/396856723534663680


----------



## edstreet (Nov 3, 2013)

Ironic enough for a trace back check.

So far I noted sql injects, ssh exploits, admin attacks against control panels, gmail hacking.  I found 6x hacked sites in the past few days by this group.

Question is, does anyone have a phone number for Mark?


----------



## marksman (Nov 3, 2013)

edstreet said:


> Question is, does anyone have a phone number for Mark?



Ed,

I got your email. Thanks! Had no idea the site was hacked. This really sucks! Clean up of something like this is very difficult and time consuming. Working on it now.

Mark


----------



## marksman (Nov 3, 2013)

Thankfully the shopping site didn't get hacked which is where customer info is located. The main site is just a front end on the shopping site.


----------



## edstreet (Nov 3, 2013)

There is a tool called geodns. You can set it up to block/deny all traffic from select countries.  This will limit select foreign commerce but allow some protection.  The only workaround to this is chain vpn/proxy.  This is not a replacement for security.

I am not sure what logging you have enabled but from what I gathered so far sql injection, control panel and email hacks are commonplace with this group.  Stored email containing username/passwords to sites is a cardinal sin and a big no-no.

Log files dating back for several days to a month or 2 should be checked. Error reports especially are helpful as they will often nail your attacker in stage 1.  SQL logging, at least on failures and connects, is another good area.


As far as the shopping cart goes, PCI standards FTW!  Having dealt with too many hacked carts, hacked credit reporting stations and financial PCs I can tell you some horror stories.


----------



## OKLAHOMAN (Nov 3, 2013)

Glad to see Mark was informed, I was going to call him. These A holes do it simply because they can when with their knowledge they could be doing so much good, kinda like congress.


----------



## edstreet (Nov 3, 2013)

OKLAHOMAN said:


> Glad to see Mark was informed, I was going to call him. These A holes do it simply because they can when with their knowledge they could be doing so much good, kinda like congress.



knowledge and congress is a contradiction in terms 

Websites which are hosted and you do not have shell access means you will have to put in a support ticket for the hosting company to fix. 

If you have shell access then you need to find out if that was accessed and what type of attack it was.  Many attacks will compromise the system and can install software which has a great potential to do serious damage.  Fortunately those type attacks are few and far between and I have only seen a select few of them.  One site was hacked and all equipment was locked out and that AM the client got a call from Romania demanding $150,000 to release control back to them and tell them how he was able to get in.

Some key rules to live by.  

*) Always do updates for the OS and apps used, i.e. Windows updates, Java updates, browser updates, plugins, Adobe updates and the like.  This grants you fewer problems with hacks of this nature as most of the updates deal with security problems.

*) Never store username/passwords where they can be easily obtained.  This particular hacker has a file on his desktop called passwords.txt which he harvests from all over.  iPhone has apps like mSecure which keep those things under protection and can shred the data after x failed attempts.

*) Watch log files.  This is your first and best line of defense.  Log files telling you about failed connections, access denied, wrong account names and the like are major red flags.  Some of the best setups are like fail2ban on *nix systems; they monitor log files and after x failed attempts that site is blocked for a set time limit.

*) Sensitive data, i.e. social security numbers, payment information, passwords and the like, should not be used unless possible.  When they are used the data should be session limited, meaning only good for a very short period of time, i.e. 5 minutes.  Never stored and kept out in the open.  There are a ton of websites still using non-SSL payment processing which is a big cardinal sin.  One site I worked with had some extreme debug level logging turned on and that was adding credit card numbers to the log files.  After about 8 months or so the server was broken into and all those numbers were stolen.  Oftentimes cart setups will allow some degree of customizing from very insecure to painfully secure to appears to be secure but very insecure.

*) Check the services frequently and often.  Never know what you will find.  I had one client that was putting a tape into the drive for over 2 years (before I was working with them) and the backup was running but nothing was being put on the tape, thus going thru the motions of backing up.

*) Clean, sanitized archived copies of websites.  Essentially backup copies that are non-molested which can be restored.  Several people I have known had hacked boxes (PCs) where a root kit was installed (hidden software that monitors everything and allows full access to someone else).  These incidents need to be destroyed, reformatted and everything reinstalled to guarantee 100% recovery.  Even the BIOS needs to be looked at (it used to be possible to install hooks into the BIOS that activate root kits before the OS loads, and even survive formatting).
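The two posts above by edstreet both come back to the same defensive habit: read the web server logs for failed control-panel logins, SQL errors and injection-looking requests, and let something like fail2ban block a source after repeated failures. The script below is an added example written for this page (it is not code from the thread, from fail2ban, or from Joomla). Every log line, IP address, URL path, signature regex and threshold in it is constructed for illustration and should be tuned for a real site.

```python
"""Scan constructed web server log lines for the red flags the posts call out
(failed admin logins, injection-looking query strings, server errors) and apply
a fail2ban-style per-IP ban after MAX_FAILS flagged requests inside WINDOW.

Added example; all sample data, patterns and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed Apache combined-format lines: documentation-range IPs, fictional requests.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2013:02:10:01 +0000] "GET /administrator/index.php HTTP/1.1" 200 4512
203.0.113.7 - - [03/Nov/2013:02:10:05 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
203.0.113.7 - - [03/Nov/2013:02:10:09 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
203.0.113.7 - - [03/Nov/2013:02:10:12 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
203.0.113.7 - - [03/Nov/2013:02:10:15 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
203.0.113.7 - - [03/Nov/2013:02:10:18 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
198.51.100.22 - - [03/Nov/2013:02:11:40 +0000] "GET /index.php?id=1'%20OR%20'1'='1 HTTP/1.1" 500 0
198.51.100.22 - - [03/Nov/2013:02:11:44 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 0
192.0.2.10 - - [03/Nov/2013:02:12:00 +0000] "GET /index.php HTTP/1.1" 200 8192
192.0.2.10 - - [03/Nov/2013:02:30:00 +0000] "POST /administrator/index.php HTTP/1.1" 403 211
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Crude injection signatures checked against the URL-decoded path (assumption: tune per app).
SQLI_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'|\bor\b\s+1\s*=\s*1)")
ADMIN_PREFIX = "/administrator"          # Joomla-style control panel path (assumption)

MAX_FAILS = 5                            # fail2ban-style threshold (assumption)
WINDOW = timedelta(minutes=10)           # sliding window the failures must fall inside


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])   # decode %20 etc. so signatures see the real text
    return rec


def classify(rec):
    """Return the indicator tags that apply to one parsed request (empty list if clean)."""
    tags = []
    if SQLI_RE.search(rec["path"]):
        tags.append("sqli")
    if rec["path"].startswith(ADMIN_PREFIX) and rec["method"] == "POST" and rec["status"] in (401, 403):
        tags.append("admin_login_failed")
    if rec["status"] >= 500:
        tags.append("server_error")      # the "error reports" the post says to read first
    return tags


def scan(log_text):
    """Walk the log in order. Returns (indicator counts per IP, {ip: time it was banned})."""
    counts = defaultdict(lambda: defaultdict(int))
    recent = defaultdict(list)           # ip -> timestamps of flagged lines still inside WINDOW
    bans = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # malformed or truncated line: skip, never crash the scanner
        tags = classify(rec)
        for tag in tags:
            counts[rec["ip"]][tag] += 1
        if not tags or rec["ip"] in bans:
            continue
        now = rec["ts"]
        recent[rec["ip"]] = [t for t in recent[rec["ip"]] if now - t <= WINDOW] + [now]
        if len(recent[rec["ip"]]) >= MAX_FAILS:
            bans[rec["ip"]] = now        # real deployment: add a firewall rule for a set time
    return {ip: dict(c) for ip, c in counts.items()}, bans


if __name__ == "__main__":
    counts, bans = scan(SAMPLE_LOG)
    for ip, c in counts.items():
        status = "BANNED at " + bans[ip].isoformat() if ip in bans else "watch"
        print(ip, c, status)
```

Run as-is, the first address trips the ban on its fifth failed control-panel POST inside the window, the second is reported for injection-looking requests that also produced server errors but stays under the threshold, and the third has a single failure and is only listed. The point the posts make is that all of this is visible in logs the site was already writing; the only missing piece is something reading them.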


----------



## Adillo303 (Nov 3, 2013)

Just my two cents on passwords,

Upper and lower case characters, numbers and a few special characters are a must.

Also use a pass phrase instead of a pass word.

IE: iLik3sunn&dAz3 (I like sunny days).

Easy to remember, hard to crack.


----------



## terryf (Nov 3, 2013)

if the site was running vbulletin or similar then the install directory must be removed as it is a known exploit.


----------



## edstreet (Nov 3, 2013)

terryf said:


> if the site was running vbulletin or similar then the install directory must be removed as it is a known exploit.



I pulled up the cached copy from 10/31/13 and looking at the source I see joomla 1.7.

I also saw several screenshots of a joomla admin login on the hackers site.


----------



## PR_Princess (Nov 3, 2013)

Joomla 1.++ is no longer supported by Joomla. Hasn't been for over a year. That could be one of the reasons that contributed to the hack. It was one of the major reasons why we chose to migrate. FWIW..Joomla is now on 3.++


----------



## Akula (Nov 3, 2013)

Joomla enough said.  I guess you could do the mod_secure with custom rules.  Anytime there are the plugins/templates, it's just a matter of time (the time being for them to find you, not to ever think you're safe)

do the checklist
Security Checklist/You have been hacked or defaced - Joomla! Documentation

#1 rule online, always always get the patches and updates for whatever you decide to use

Hope you get it offline, repaired/restored and back up soon.


----------



## Yorkie UK (Nov 3, 2013)

I feel for you Mark, i know just how annoying this is ... Good luck with it!!

Jim


----------



## Ulises Victoria (Nov 3, 2013)

I am happy to know Mark knows about this.


----------



## marksman (Nov 4, 2013)

Thanks to all for your comments and advice. I am switching to WordPress. Since my site basically consists of a front page that links to the shopping site, it will be easier to wipe it clean and start over.


----------



## hard hat (Nov 4, 2013)

I'm glad that the members of IAP were able to help with this before it got really bad.


----------



## healeydays (Nov 4, 2013)

marksman said:


> Thanks to all for your comments and advice. I am switching to WordPress. Since my site basically consists of a front page that links to the shopping site, it will be easier to wipe it clean and start over.




Definitely your easiest and safest way to go.  Can't wait to see you back up.


----------



## Ulises Victoria (Nov 4, 2013)

The address marksmanpens.com does not show the hacked page now, but sends this message:

> Forbidden
>
> You don't have permission to access / on this server.
>
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Is there a new address we should use?


----------



## edstreet (Nov 4, 2013)

Ulises Victoria said:


> The address marksmanpens.com does not show now the hacked page, but sends this message: Forbidden  You don't have permission to access / on this server.  Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.  Is there a new address we should use?


That message means they are working on the site currently. So ignore it now.


----------



## Katsin (Nov 4, 2013)

Some of the very common cgi based scripts that folks use to generate a web form that lets customers e-mail them are very insecure. Hosting companies even offer them frequently despite their vulnerable nature. If you are running a cgi e-mail form look at that carefully.

Most importantly, back up your web site regularly. It is the Wild West out there. Corporations who hire staff to monitor and secure their sites get hacked so our sites are likely to get hacked too even when you take many steps to reduce risk.


----------



## marksman (Nov 4, 2013)

I turned on forwarding so that the www.marksmanpens.com address forwards to the Marksman Pens site. I will post when we get the new front page up and running. Thanks again for all of the help!


----------



## Ulises Victoria (Nov 5, 2013)

Alright! Seems to be working and back in business again. 
I feel good for you, Mark.


----------



## Dan Hintz (Nov 5, 2013)

Katsin said:


> Some of the very common cgi based scripts that folks use to generate a web form that lets customers e-mail them are very insecure. Hosting companies even offer them frequently despite their vulnerable nature. If you are running a cgi e-mail form look at that carefully.


The known hacks are bundled into nice packages that take no understanding of what's involved, just press a button and you're in.  I don't expect people to be using Metasploit on all of their pages, but if you're going to run it yourself, understanding the possible attack vectors would go a long way to help keeping it secure (if by way of nothing more than keeping patches up to date, or moving to a package that's currently supported).

Bugs are good for someone in my line of work, but man, running a business is a bear and a half when nitwits like this kid start screwing around for nothing other than notoriety with their friends.


----------



## LagniappeRob (Nov 5, 2013)

I just got one of the Kim Komando emails and saw this: 



> When Adobe was attacked last month, more than 38 million users had private data stolen, including credit cards and Social Security numbers. *Adobe has since revealed that out of those 38 million people, 1.9 million used the password "123456" to protect their account.*



Really?   5% of people use something as simple as that when CC and SSN are involved?  What the hell is wrong with you people?!

Edit:  here's the source for the story: http://www.bbc.co.uk/news/technology-2482152

And I love this: 



> Top 20 passwords
> 
> 123456
> 123456789
> ...
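
Several posts in this thread converge on the same password advice: healeydays warns about dictionary-driven guessing, brownsfn2 notes that a non-standard character like "@" greatly lengthens a cracker's job, Adillo303 recommends a mixed-class passphrase such as iLik3sunn&dAz3, and the Adobe figures above show 1.9 million people choosing "123456". The check below is an added example written for this page, not code from the thread or from any of the products named in it. Its DICTIONARY is a constructed stand-in for a real word list, COMMON_PASSWORDS holds only the two entries quoted from the top-20 list above, and the leetspeak mapping is an assumption about the substitutions people commonly make.

```python
"""Password-policy check encoding the thread's advice: several character classes,
length, no dictionary words (even behind digit/symbol swaps), no leaked top passwords,
plus a rough search-space estimate showing why the extra classes matter.

Added example; DICTIONARY, COMMON_PASSWORDS and LEET are constructed assumptions.
"""
import math
import re

DICTIONARY = {"password", "sunny", "days", "welcome", "letmein", "dragon", "monkey"}  # constructed
COMMON_PASSWORDS = {"123456", "123456789"}   # only the two entries quoted on the page

# Undo the usual digit/symbol-for-letter swaps before the dictionary lookup (assumption).
LEET = str.maketrans("01345@$!", "oieasasi")

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
CLASS_RE = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def present_classes(pw):
    """Names of the character classes that actually appear in pw."""
    return [name for name, rx in CLASS_RE.items() if rx.search(pw)]


def search_space_bits(pw):
    """log2 of the brute-force search space implied by pw's length and classes.
    This is an upper bound on strength: it ignores dictionary structure entirely."""
    pool = sum(CLASS_SIZES[c] for c in present_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_hits(pw):
    """Dictionary words embedded in pw after lower-casing and undoing leetspeak."""
    norm = pw.lower().translate(LEET)
    return sorted(w for w in DICTIONARY if len(w) >= 4 and w in norm)


def check_password(pw, min_length=12, min_classes=3):
    """Return a list of policy violations; an empty list means pw passes."""
    problems = []
    if pw in COMMON_PASSWORDS:
        problems.append("on the leaked-password blocklist")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = present_classes(pw)
    if len(classes) < min_classes:
        problems.append(f"uses only {len(classes)} character class(es); need {min_classes}")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "P@ssw0rd", "iLik3sunn&dAz3"):
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate)}")
```

The numbers make brownsfn2's point concrete: "123456" sits in a space of roughly 20 bits, while the 14-character four-class passphrase is above 90 bits before any dictionary structure is considered. The leetspeak normalisation is what catches "P@ssw0rd" as the word "password"; healeydays's deliberately misspelled words are the one thing a lookup like this cannot flag, which is precisely why they work against a dictionary run.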


----------



## walshjp17 (Nov 5, 2013)

marksman said:


> I am switching to WordPress.



Mark,

Make sure you keep WordPress updated and at the current patch level.  WP has become pretty much the Microsoft of blogging platforms and as such is hacked more than any others.  It is still a good platform but it is only as secure as the last patch/revision.


----------



## Dan Hintz (Nov 6, 2013)

walshjp17 said:


> Make sure you keep WordPress updated and at the current patch level.  WP has become pretty much the Microsoft of blogging platforms and as such is hacked more than any others.  It is still a good platform but it is only as secure as the last patch/revision.




^^^ All of this ^^^


----------

