|smells so good|
Have you looked at your server logs? Have you notified your host? If you are on a shared host, everyone could be compromised if the server has been hacked.
Check your DNS records to make sure you haven't been redirected. Make sure your domain registration is locked, by you.
I doubt that your ftp session is the culprit, unless you stepped away for a smoke and someone used your computer.
This would be a good time to change passwords.
Already changed passwords, and there is no way anyone grabbed my keyboard while I walked away...(I work from home)
I do see one strange IP in my server logs, but I still can't figure out how he replaced my index file.
I've had this done twice, once by some pro-Iranian thing and once by some "anti" hacking site.
On both occasions they hit, they uploaded an 'htm' file and it made no difference to the site at all, as it runs with 'html' as the index page.
I don't even know what 'htm' is, seeing as how I use a WYSIWYG editor :o)
I noticed the first one while uploading something by FTP, just looked at it and thought "Eh?" I have index.html and "index_nn4" or something, for Netscape, but I don't upload any 'htm'. Opened the file and it was along the lines of "This site hacked by" stuff, but like I say, I never even noticed, nor did my members.
Second time I was just doing a "Who links to my site?" type search and noticed my domain name mentioned on some hacking site as a 'report' of a hack. Again an htm file and I didn't notice it before then.
Both occasions deleted it without problem.
So I'd be interested to know, is there some difference in security between html and htm?
This is always a very serious problem. It always needs the route of attack discovering.
First notify your host. Absolutely essential.
Second look at the log file (raw) and check the size of your index page requests.
An example of a line in the raw log file is:
18.104.22.168 - - [20/Aug/2006:09:24:35 +0000] "GET / HTTP/1.0" 200 5700 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
The index page request is just shown as GET / (the root), and the size is 5700 (the bit after the 200). If it's not a 200 then don't bother to look at it.
You need to find where the index page size changed. Then look for the log file lines immediately before that. They almost always tell you what happened and how.
Top culprits are software packages, particularly anything using PHP or ASP. Look for scripts which are quite common (i.e. major forum software) especially free scripts. Check if you have the latest version.
It will happen again. And probably with more damage next time.
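The log check described in the post above, as an added example that is not part of the thread: a small parser for Apache "combined" log lines (the format of the sample line quoted above; IIS W3C logs are laid out differently and would need a different regex) that walks the log, keeps only 200 responses for the index request, and reports every point where the byte count changes. It goes one step further than "look at the lines immediately before": it returns every line between the last request that returned the old size and the first that returned the new one, which is the window in which the file was replaced. The log lines, IP addresses and the forum upload script in the sample are constructed for the example, not taken from anyone's server.

```python
import re
from typing import Dict, List, Optional, Sequence

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic). Only the first line is the one quoted
# in the post; the rest are invented. The index ("GET /") is 5700 bytes twice, then
# after a POST to a hypothetical forum upload script it comes back as 412 bytes.
SAMPLE_LOG = """\
18.104.22.168 - - [20/Aug/2006:09:24:35 +0000] "GET / HTTP/1.0" 200 5700 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
192.0.2.10 - - [20/Aug/2006:09:30:01 +0000] "GET / HTTP/1.1" 200 5700 "-" "Mozilla/4.0"
192.0.2.10 - - [20/Aug/2006:09:30:02 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.org/" "Mozilla/4.0"
203.0.113.7 - - [20/Aug/2006:11:02:40 +0000] "GET /forum/index.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2006:11:02:55 +0000] "POST /forum/upload.php HTTP/1.1" 200 230 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2006:11:03:10 +0000] "GET /index.htm HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Aug/2006:11:15:00 +0000] "GET / HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Aug/2006:11:15:01 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def find_index_size_changes(lines: Sequence[str], index_paths=("/",)) -> List[Dict]:
    """Return one record per change in the byte count of a 200 response for the index.

    Each record carries the line number of the first request that served the new
    size and the 'window': every log line between the last request that served
    the old size and that one. The replacement happened somewhere in that window.
    """
    changes: List[Dict] = []
    last_size: Optional[int] = None
    last_idx: Optional[int] = None
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] not in index_paths:
            continue
        if rec["status"] != 200 or rec["size"] is None:
            continue  # 304/404/etc. carry no useful size, skip them as the post advises
        if last_size is not None and rec["size"] != last_size:
            changes.append({
                "line_no": i + 1,
                "when": rec["time"],
                "old_size": last_size,
                "new_size": rec["size"],
                "window": list(lines[last_idx + 1:i]),
            })
        last_size = rec["size"]
        last_idx = i
    return changes


def report(lines: Sequence[str]) -> str:
    """Human-readable summary of every index size change and its window."""
    out = []
    for c in find_index_size_changes(lines):
        out.append(f"line {c['line_no']} ({c['when']}): index went from "
                   f"{c['old_size']} to {c['new_size']} bytes; requests in between:")
        out.extend("    " + w for w in c["window"])
    return "\n".join(out) if out else "no change in index size found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against your own access log with `find_index_size_changes(open("access.log").read().splitlines())`; if your index is reached as `/index.asp` or `/index.php` as well as `/`, pass those in `index_paths`. A change in size is not proof of a hack by itself (you may have uploaded a new page), so check the dates against your own uploads before blaming a window of requests.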
This just happened to me on a shared account. The host acted like it was only my account. I looked up the other sites on the same IP - they were all hacked. All index.html and index.php files had been replaced. Luckily I rewrite most urls and never use the name 'index'. Only a couple of pages had the problem.
I couldn't find anything in my logs. It must come through someone else's site on the server or somewhere else.
I am changing hosts...again.
|I looked up the other sites on the same IP - they were all hacked. |
A clear sign that the attack was coming from the inside from one of the other users of that shared hosting, rather than from the outside. My advice is to move hosts. Your host probably uses a security setup where one user can write in the directory tree of other users and this will happen again.
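One thing you can check from your own account, as an added example that is not part of the thread: whether anything under your document root is writable by group or other. On a badly set up shared host that is the usual way one customer's account can drop a file into another customer's tree. The sample document root below is constructed in a temporary directory so the script runs anywhere; point `writable_by_others` at your real web root instead.

```python
import os
import stat
import tempfile
from typing import List


def writable_by_others(root: str) -> List[str]:
    """Return paths under `root` (relative to it) whose mode grants write to
    group or other. Symlinks are skipped, since their own mode is meaningless."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself; then each regular entry in it
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample document root (not anyone's real site):
    index.html is 0644 and forum/ is 0755 (fine); uploads/ is 0777 and
    forum/config.php is 0666 (both writable by anyone on the box)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "forum"))
    for rel, mode in [
        ("index.html", 0o644),
        ("forum", 0o755),
        ("forum/config.php", 0o666),
        ("uploads", 0o777),
    ]:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            with open(path, "w") as fh:
                fh.write("placeholder\n")
        os.chmod(path, mode)  # explicit chmod so the umask cannot change the demo
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel in writable_by_others(demo):
        print("writable by others:", rel)
```

A clean result does not prove you are safe: if the host runs every customer's PHP or ASP under the same system account, another customer's script can write to your files whatever the permission bits say, and nothing you can see from your account will show that. But a 0777 upload directory or a 0666 config file is something you can fix yourself, and it is the first thing to look for.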
I am definitely thinking about changing hosts. When I informed my host of the issue, they simply stated:
"We're sorry to hear about this issue. We've checked your site and it comes up fine for us. It appears that you have already replaced your index.asp file. If you have any more questions or need further...." (blah, blah, blah)
Not enough action, in my opinion.
But the hack also stated something similar to: "This site hacked by" (some Iranian name) I simply deleted the file he uploaded and reuploaded my index file.
This particular website is on a Windows Server (IIS), so raw log files are not as clean as Linux/Apache system files. I'll check other log files to see if I can pinpoint anything.
It's obviously serious but if it's any help for peace of mind, or at least to reduce panic, it only happened once from the Iranian thing and never happened again.
Nothing else occurred, just a black screen with 'this site hacked by' and that was it.
I did a search regarding that Iranian thing and apparently they hit a large number of sites including major names, so if they could bypass their security I wouldn't slam your host for not being better than various huge budget mega-corporations.
Bottom line if the public can see your site it's vulnerable.