server hack?
 

My friend just had a bunch of his index pages replaced with
"SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "


Anybody know who's behind this stuff and how they tend to get in?

They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

good advice :1orglaugh

Why not ask the people on the irc channel #spykids on the server irc.chatplus.com.br.

server spec's?

And you've got better?

how do you know this to be the case?

Just a wild guess but maybe these guys:

SPYKIDS .. irc.chatplus.com.br

I did some research.

How else would they get in? Did they login via ftp with his u/p? I hight doubt it. And its showing an IRC page and IRC is know for its carding, hacking kiddies.

If they have the ftp u/p it's not an exploit.

On the other hand, if their local workstation is owned by a trojan/keylogger that would be an exploit.

Only point Im trying to make is that having this guy jump to conclusions isn't going to give him the info he needs.

It looks like someone got root access to the server.

There are many exploits to get root access.

Here are some tools to check for and fix rootkits

http://www.chkrootkit.org


My advice: :2 cents:
Eliminate any backdoors (rootkit)
Restore the domains
Change all user and root passwords
Verify linux and apache are up to date.

Yes, but the chances are greater that they got in via an exploit.

It sounds like a run of the mill defacement, your friend probably didn't patch something they should have.

The hackers likely went to a database like Packetstorm and found something to break into the server.

Have your friend drop these guys, http://www.ibouncer.com a line, to lock things down :thumbsup

What domains were effected?