|My website was hacked|
| 8:58 am on Jan 17, 2011 (gmt 0)|
Hi there, I am completely new to this forum so not sure if I am posting this in the correct place.
One of my websites got hacked on Friday 14th Jan 2011 by a group based in Latvia. On Saturday morning I was notified by a customer that he had visited a URL connected with me and his PC had been compromised. Subsequently I have found dozens of URLs with my name listed that are pointing to malware/badware sites. Obviously I have removed the content from the site and I am taking steps to prevent further damage etc.
Just wondered if anyone had any info on hackers who are based in Lattelekom, Riga, Latvia. I have more details on them (IP addresses, Names, telephone numbers, postal addresses) if I am allowed to post in this manner.
| 2:50 pm on Jan 17, 2011 (gmt 0)|
I don't think knowing who they are is as important as how they got in and fixing that security hole.
Make sure this can't happen again, then if you want to go after them do it. Though depending on the damage I might recommend not wasting your time b
| 3:29 pm on Jan 17, 2011 (gmt 0)|
Thanks for your reply.
Problem now is that I have come across 1000s of sites that have been hacked in a similar manner and many of those carry "Stan Redman" in the search results. Given that the hack would normally go unnoticed and just produce additional URLs (that lead to a ransomware attack) I wonder just how big this problem is.
| 9:39 am on Jan 20, 2011 (gmt 0)|
|I wonder just how big this problem is. |
I have client sites hacked every so often. If the problem doesn't lie with vulnerabilities by the hosting company, there are really three things that you can do.
1. Change passwords frequently, and come up with passwords that are difficult to crack.
2. If anything on your site uses a database (message board, photo gallery), visit the site of whomever developed the software, and make sure that you have all the latest patches updated.
3. Keep frequent backups of the site, especially databases.
A number of script kiddies simply hear about an easy exploit, and will often Google that version of the software. Once they find it, they attempt to exploit it (MySQL injection, etc.).
Otherwise, I just try to keep a close eye on client sites, or check the files in the root folder of their server to see if anything has been modified recently.
| 11:06 am on Jan 20, 2011 (gmt 0)|
Script sites, as opposed to static ones, are more prone to these attacks. Seal down all scripts (CMS, Database, Code) and run daily comparisons of file/date against known intent. Can be automated with an alert to let you know when injections occur. Static sites suffer fewer hacks (significantly) but can be hacked if the server/host has not done due diligence.
If you allow any user interaction, make sure all input is sanitized for what is ALLOWED and reject everything else. This is the most common point of attack.
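The daily comparison that the two posts above recommend (checking the root folder for recently modified files, comparing against known intent, and alerting on injections), as an added example that is not from this thread. It builds a manifest of a web root, and on the next run reports added, changed and removed files; the four-page site and the changes made to it are constructed inline, and in real use the baseline would be persisted between runs.

```python
import hashlib
import json
import os
import tempfile

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest and mtime."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = {
                "sha256": digest.hexdigest(),
                "mtime": int(os.path.getmtime(full)),
            }
    return manifest

def compare(baseline, current):
    """Diff two manifests. Compares content hashes, not only dates: a file's
    modification time can be set to any value, so a date-only check can be fooled."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline
                      and current[p]["sha256"] != baseline[p]["sha256"])
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed sample: a four-page static site, a baseline, then one page
    altered and one unexpected file appearing, as the thread describes."""
    site = tempfile.mkdtemp()
    for page in ("index.html", "about.html", "contact.html", "links.html"):
        with open(os.path.join(site, page), "w") as f:
            f.write("<html><body>%s</body></html>" % page)
    baseline = build_manifest(site)   # run 1; persist this (e.g. json.dump) between daily runs
    with open(os.path.join(site, "index.html"), "a") as f:
        f.write("<!-- constructed: unexpected change -->")
    with open(os.path.join(site, "unexpected.php"), "w") as f:
        f.write("constructed placeholder, not a real payload")
    return compare(baseline, build_manifest(site))   # run 2

if __name__ == "__main__":
    # Any non-empty list is the condition on which an alert would be sent
    print(json.dumps(demo(), indent=1))
```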
| 5:25 pm on Jan 20, 2011 (gmt 0)|
<bit of a rant, as this just came up yesterday, and is not directed at the OP>
Every single CMS, blog software, ecommerce site, or other open source software will have a statement similar to this in the install instructions:
"The default login name for your first login is 'admin.' Please change this name on your first login to avoid attempted attacks."
I used to think they were insecure by nature, but the more I work with these things, the more I realize one of the weakest points of open source software is the user. PEBCAC. How many have I encountered that did not adhere to this recommendation?
100%. Not 99, not "most," - ALL. Accompanied with a weak password (at least 50%, things like "sitename123") it's got "hack me" written all over it. And I'm only looking at the tip of the iceberg.
Last week I encountered a client using a third party interface that holds thousands of customer records with personal information. This is a company involved in the medical field (NOT medical data, skirting HIPAA requirements.) What was their password?
password123. I nearly fainted.
There are always security recommendations for every install, they are rarely followed.
75-80% of the WordPress installs I have encountered still have the install directory and wp-config.php is still mode 777; 100% of the modX installs still have the setup directory and config.php is also writable. I find phpinfo.php at the root of at least 50% of all sites I work on. I don't even bother expressing my concerns, the reaction is always "me no computer geeK lyke U, doo whatchu hafta doo and goe awaaaay." I just fix it, one less hacked site to deal with.
The more I learn the more I grow defensive of this open source software. They give us the tools, most of them just aren't used.
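An audit for the three leftovers the post above says it finds on most installs (a still-present install/setup directory, a config file writable by group or others such as a 777 wp-config.php, and phpinfo.php at the web root), as an added example rather than anything from this thread. The directory and file names are assumed from the post, the sample web root is constructed inline, and tighten_mode shows the fix the post applies: clearing the group/other write bits.

```python
import os
import stat
import tempfile

# Names taken from the post; adjust for the software actually in use
LEFTOVER_DIRS = {"install", "setup"}
CONFIG_FILES = {"wp-config.php", "config.php"}
INFO_LEAK_FILES = {"phpinfo.php"}
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_webroot(root):
    """Walk a web root and return sorted (issue, relative_path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in LEFTOVER_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(("leftover-install-dir", rel, "remove after setup"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if name in CONFIG_FILES and mode & OTHERS_WRITE:
                findings.append(("config-writable", rel, oct(mode)))
            if name in INFO_LEAK_FILES:
                findings.append(("phpinfo-exposed", rel, "delete or move outside web root"))
    return sorted(findings)

def tighten_mode(path):
    """Clear group/other write bits (e.g. 0o777 -> 0o755) and return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~OTHERS_WRITE
    os.chmod(path, mode)
    return mode

def demo():
    """Constructed web root reproducing the conditions the post describes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "setup"))
    for name, mode in (("wp-config.php", 0o777), ("config.php", 0o640), ("phpinfo.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    before = audit_webroot(root)
    fixed = tighten_mode(os.path.join(root, "wp-config.php"))
    return before, fixed, audit_webroot(root)

if __name__ == "__main__":
    for finding in demo()[0]:
        print(*finding)
```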
| 12:09 pm on Jan 22, 2011 (gmt 0)|
Thanks to everyone who has posted so far. Obviously I have a lot to learn.
My site was static code, four pages of html, nothing else. Now I'm not a webmaster/guru like a lot of you people but I'm willing to learn and to take the good advice you are giving. I'm not young in years but I regularly suffer from bouts of common sense and can see what you are getting at here.
I had built this little site up to see if there was any mileage in developing a skill set that might fill up my time and earn me a bit of dinero. The site eventually had a Google page rank of four. Now my page rank has dropped to 2, and is attracting attention for all the wrong reasons. Looking at webmaster tools I have noticed that between 14th Jan and 17th Jan site impressions went up from 100 to 86,500 and clicks went up from 14 to 2,700. Worrying thing is that there must be a lot of people out there who have caught a bad dose of something through clicking on the links. I cleaned the site out and locked it down on the 17th. I noticed that at first the links appeared to be harmless but they then changed and became malicious, directing to a Russian site (vrotpyluem.ru). I have not entered this as a URL because it is not a really good idea visiting this site (but I guess you guys know that so apologies).
I know that this hack was pretty damn big as I have found dozens and dozens of sites throughout my local area that have been kippered. This then led to me finding hundreds more sites across the world (well France, Australia and the USA actually). So far I have contacted over 100 site owners. All the people who have replied so far (and I include IT security companies!, newspapers, church groups etc) all confirmed that after a check, they too had been hacked at around the same time. So far, all have confirmed their hosting company to be the same as mine. Now I may have been swimming in the shallow end of the gene pool for too long but I think that this could possibly be an attack on a webserver rather than an isolated problem down to me.
I would be grateful for an opinion.
| 7:13 pm on Jan 25, 2011 (gmt 0)|
Your FTP methods are a possible entry point, but with a strong password you change often, it's a lot less likely. The thing with regular FTP (not SFTP) is that with every file you transfer, the user name and password are transferred in clear text. If someone is sniffing the data in transit, it's a possibility.
Given the conditions you describe, I'd be more inclined to think it's some condition out of your control (strictly, 100%, unverified *conjecture.*) I'd close shop and move your site to a different hosting service. A new start always helps give benchmarks against security issues.