My Website was just hacked!

Forum Moderators: phranque

Message Too Old, No Replies

My Website was just hacked!

what should I do?

janny93

9:32 pm on Jul 29, 2004 (gmt 0)

My e-commerce website was just hacked. It was hacked asecond time. First time, there was only change at the index file, now there is a message in the index file and all other files are deleted! How is this posible? How come, that unauthorized person have access to my folder and they can it modify? Who is responsible for the failure? Me or my webhoster who let the hackers in?
What should I do now?

[edited by: oilman at 9:46 pm (utc) on July 29, 2004]
[edit reason] no specifics please [/edit]

jo1ene

9:41 pm on Jul 29, 2004 (gmt 0)

My guess is that it's the hosts fault. Unless you were running some script that could be exploited. What to do now? Get another host and start over. As long as your domain name is OK, you can switch everything to a new host in about 24 hours. Sometimes, cheap hosts are no bargain.

bhartzer

9:43 pm on Jul 29, 2004 (gmt 0)

What should I do now?

Go get another host. Unfortunately, you get what you pay for.

janny93

9:48 pm on Jul 29, 2004 (gmt 0)

It would be solution too, but Webhost is not that cheap host. I do pay there over 140 USD/year. Before I had "cheap" host and it was terrible.
Should they move my site to other server?

Bradley

9:53 pm on Jul 29, 2004 (gmt 0)

Less than $12/month for ecommerce hosting = cheap host.

AprilS

11:51 pm on Jul 29, 2004 (gmt 0)

Well, before looking into switching hosts - look at the code on your site.

Did you write any scripts on the site? If so, you probably overlooked something and left a security hole(s).

You mentioned it is an ecommerce site - are you using a ecommerce solution from another company (Miva Merchant , oscommerce, etc...)? If so, they are not hack-proof either. In fact, because they are so popular/well known - it is easier for security holes to be found in them!

It is possible for someone to write & delete files using port 80(http). I've seen it and experienced it - and is usually a security hole due to bad coding.

At $140/mo you probably are not behind a firewall. but even then, sites can still get hacked through common ports like 80, 443, etc.

In a nutshell - moving hosts may not be the issue. You should concentrate on finding out exactly how they did what they did. Look through your logs (web logs, messages logs, etc.) You need to find how they did it so you can fix the cause. If you move hosts and you didn't fix the problem, you may just get hacked again.

m_shroom

3:29 am on Jul 30, 2004 (gmt 0)

It may not be the hosts fault at all, your machine may have spyware on it. Restore your site then go to another machine and change your password and don't use new password on your machine.

janny93

5:10 am on Jul 31, 2004 (gmt 0)

Problem is hopefully solved now. We do have CC gateway installed and we had to disable some security attributes, because It did not work. I upload all files back and I will monitor all files, if there will be some changes.

Raymond

6:57 am on Jul 31, 2004 (gmt 0)

Are you hosted on IIS?

There is a method to take control over the filesystem of the server using the filesystem and ADSI object. The damage can be "somewhat" toned down if very strict permissions are set. You can view and change every single file on all drives that are mounted on the server. This exploit has been around for YEARS, from IIS4 to IIS6. Unfortunately Microsoft hasn't done anything about it yet.

I have been through many many host (shared environment), from cheap ones $12 bucks/mo to $49/mo, so far I have not seen 1 single host that has this problem resolved. Partially because setting the necessary permission to stop this exploit will also make many other software unuseable (most webcontrol panel) If you are serious in running a business online, get a dedicated and the problem will be solved.