
Site hacked with hidden links

     
12:09 am on Feb 28, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:May 23, 2003
posts:587
votes: 0


I think someone is constantly hacking my default.asp page which could be why it was thrown out of google for a few weeks a month or so ago (but is now back in). I was out of town for a few days and had not logged in my ftp when I noticed today that someone else has and re-uploaded my default.asp page. I looked all over the site and found nothing. Then I looked over the source file. The source file near the bottom of all the coding showed:

<div style="overflow:auto; visibility:hidden; height: 1px; "
which then showed <snip>adult</snip> links that pointed to a page at duke example.edu/images...

Zone H online says something about this being a "Defacer S4P0" but they say nothing about preventing it again...

I called my host and they are looking into it but it is a shared host so I am sure it is some security loophole on their side. This is also an .asp site so maybe it is my code. Does anyone have any ideas on what to do about this to prevent it from happening again?

[edited by: trillianjedi at 4:22 pm (utc) on Mar. 1, 2007]
[edit reason] We don't need specifics, thanks ;) [/edit]
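The tell-tale sign above is a container styled to be invisible that wraps outbound links. The following is an added example (not the poster's page or code) of how a site owner can scan their own HTML for that pattern with the Python standard library; the sample page, its hidden block and the link targets are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the pattern described in the post; the
# hidden block and its targets are invented, not the poster's real page.
SAMPLE_HTML = """<html><body>
<p>Welcome. <a href="/about.asp">About us</a></p>
<div style="overflow:auto; visibility:hidden; height: 1px; ">
<a href="http://example.edu/images/one.htm">injected one</a>
<a href="http://example.edu/images/two.htm">injected two</a>
</div>
</body></html>"""

# Inline-style tricks commonly used to keep injected content off-screen.
HIDING_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|height\s*:\s*[01]px"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)

class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> tags that sit inside a hidden container."""
    def __init__(self):
        super().__init__()
        self.hidden_tags = []   # names of currently open hidden elements
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if HIDING_STYLE.search(a.get("style") or ""):
            self.hidden_tags.append(tag)
        if tag == "a" and self.hidden_tags and a.get("href"):
            self.found.append(a["href"])

    def handle_endtag(self, tag):
        if self.hidden_tags and self.hidden_tags[-1] == tag:
            self.hidden_tags.pop()

def hidden_links(html):
    """Return hrefs found inside hidden containers, in document order."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.found

def scan_file(path):
    """Run the same check over a page downloaded from the server."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return hidden_links(f.read())

if __name__ == "__main__":
    for href in hidden_links(SAMPLE_HTML):
        print("hidden link:", href)
```

Run it over every page of a downloaded copy of the site; any hit on a page you did not write that way is a reason to treat the account as compromised.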

12:53 am on Feb 28, 2007 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:316
votes: 0


Hey tictoc:)

Well, my advice is find an FTP that provides more security. This means from what I've read that it should provide a pretty good level of encryption. I think I read that some are only lightly encrypted and passwords can be stolen easily. Also, it is a good idea to change your password to your site often. I personally change my password every time I finish using FTP.

Hope this helps:)
Good Luck tictoc:)

frenzy77

1:42 am on Feb 28, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:May 23, 2003
posts:587
votes: 0


I use WS FTP. I doubt that has anything to do with it though.

2:17 am on Feb 28, 2007 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15181
votes: 180


FTP isn't very secure at all. Supposedly it's not very difficult for the bad guys to sniff usernames and passwords from that protocol. It is recommended that you use something secure like SFTP (FTP over SSH) FTPS (FTP/SSL) or Secure Copy (SCP). WS_FTP will handle some of those protocols.

If your host's server can handle it I would suggest you begin connecting with a secure protocol. Then change all of your usernames and passwords for the account.

1:37 am on Mar 2, 2007 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts:650
votes: 0


I'm not sure if it would work in your case, but I've subscribed the home page of all my sites to one of the free change notification services. If the page changes, I get an email. If I know I changed it fine, if not, I take a closer look at the site.

I'm not sure if it would catch the type of hack you mentioned though.

Just a paranoid thought - I'd check the workstations you are using to make sure they aren't hacked or have some type of spyware/keystroke recorder.

cg

6:21 am on Mar 2, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 3, 2003
posts:785
votes: 0


Move to port 22 FTP... (secure)...
Harder to hack...

8:41 pm on Mar 3, 2007 (gmt 0)

Full Member

10+ Year Member

joined:Mar 21, 2003
posts:245
votes: 0


Why is everyone jumping to ftp conclusions?

Sounds more like xss hack to me. Obviously change your passwords to be sure, are you using any kind of php/perl etc?

I've had certain forum software be defaced via the admin panel after someone gained access through xss.

DXL

3:01 pm on Mar 6, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 9, 2002
posts:724
votes: 1


I've had the exact same thing happen to a number of my sites before. In some cases, sites established years ago had an easy-to-crack dictionary password. In other cases, iPowerweb servers were hacked and all of my sites on a particular server would have a snippet of code added to the homepage, which created an invisible frame that accessed a variety of trojans and pop-ups. It actually cost me business once when a site like that was in my portfolio and a prospective client visited it and had to reformat his PC because of the damage the malware did.

6:50 pm on Mar 7, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:May 23, 2003
posts:587
votes: 0


Why is everyone jumping to ftp conclusions?

I agree. I do not think that is the problem but maybe so.

7:04 pm on Mar 7, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 14, 2004
posts:602
votes: 0



Agreed. Could also be a damn rootkit or some application vulnerabilities.
We had similar issues not so long ago, and it's been terrible for us.

Fact is:
1. download all your files and check the code in it
2. check for rootkits and other disgusting worms or trojans
3. apply maximum security settings on all your files, tightened PHP (if PHP) capabilities.

Last resort: hire a Bruce Lee type of server administrator that will trace back the hack and make sure the kid who did this doesn't come back.

12:36 am on Mar 8, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts:460
votes: 0


This sounds like something that there have been reports about since at least last November. It's widespread, competent, automated, and is not likely a kid.

If they installed a back door for themselves, even changing your password isn't going to help until you've cleaned up your site.

Examine your entire site for files you didn't put there or pages that show modified dates more recent than they should be. If that's too much trouble, delete the site and republish it.

Once the site is clean, change your password. Use a strong one. It MUST NOT be a single word that is in any human language dictionary.

If you use third party scripts for anything, including bulletin boards and image galleries, check the versions and make sure you are using the latest one(s). This is critically important. These types of hacks (if the same as reported elsewhere) are not done by a person browsing the web. An automated crawler seeks exploitable pages and automatically installs the exploit. Your page is downloaded, edited, and re-uploaded seconds later. The point is, there is no safety margin of time. If you have exploitable pages, exploit crawlers will find them just as surely as Googlebot will eventually find your pages.

If you write your own scripts, it can be a serious security hole unless you know how to write with security in mind. Guard against injection attacks. All input that comes from users (or from anywhere outside your site's internal code), especially if it is to be used in a database query, must be cleaned and checked for potential exploit code before being used.

Someone intercepting your password while you publish with FTP or otherwise is one of the least likely scenarios. Sure it's possible; it's just unlikely.

If you're on a shared server, it's possible that someone got server-wide access by exploiting someone else's vulnerable site. There's not much you can do about that, except...

If your host has a user-to-user forum, report the hack there to find out if others have been hit. Compare details.

If it is widespread, maybe your hosting company can block the hacker IP address(es) using their firewall.

Even if they can't do that, enable your site access logs and review them. If you can identify accesses that look suspicious around the time of the hack (if you've been archiving your logs), you can ban their IP address(es) in your .htaccess file (if on Apache).

Anyway, hope some of this helps. It is important to find the security hole, wherever it is, and close it. Else they'll be back.

[edited by: SteveWh at 12:45 am (utc) on Mar. 8, 2007]
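The advice above (look for files you did not put there and for pages changed when they should not have been) is easiest to follow with a baseline you can diff against. This added example, not from the thread or any poster, hashes every file under a site root into a manifest and reports what was added, modified or removed since the last run; the directory and files in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_sha256(path):
    """Content hash; an intruder can reset a file's mtime but not its digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest

def compare_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current
                      and baseline[p] != current[p])
    return added, modified, removed

def demo():
    """Constructed scenario: a clean copy, then an unwanted edit and a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "default.asp"), "w") as f:
            f.write("<html><body>Home</body></html>\n")
        with open(os.path.join(root, "images", "logo.txt"), "w") as f:
            f.write("logo placeholder\n")
        baseline = build_manifest(root)   # store this copy OFF the server
        # simulate the re-uploaded home page and a foreign file being dropped
        with open(os.path.join(root, "default.asp"), "a") as f:
            f.write('<div style="visibility:hidden;height:1px">x</div>\n')
        with open(os.path.join(root, "images", "extra.asp"), "w") as f:
            f.write("constructed foreign file\n")
        return compare_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

Keep the baseline manifest on your own machine, not on the shared host, because anyone who can rewrite `default.asp` can rewrite a manifest stored next to it.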

10:59 pm on Mar 8, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 14, 2004
posts:602
votes: 0



Steve,

you seem to have a good understanding of this situation.
When I said a kid...it was a joke of course.

I faced the issue not so long ago and I admit that it drove me nuts, I could not find where the security hole was, neither did my hosting nor a security consultant.

The weirdest thing is that it attacks also static pages.

I am not sure how this whole thing works but if someone has more info about:

- which commonware is vulnerable to such things particularly
- how to detect these exploits
- how to detect the spam crawler

...would be great to spread the info and countermeasures.

...

2:33 am on Mar 9, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts:460
votes: 0


When I said a kid...it was a joke of course.

I wanted to emphasize that although "script kiddies" get the blame for making themselves a nuisance by defacing sites, site hacking is also a business. Especially in cases like this, where the goal was specifically not to deface the site but to remain undetected, the goal is to use vulnerable sites to make money. It takes brainpower and a significant investment of programming time and money to create the "machine" that finds vulnerable sites and exploits them.

I faced the issue not so long ago and I admit that it drove me nuts, I could not find where the security hole was, neither did my hosting nor a security consultant.

On a shared server, one possibility is that someone got server-wide access through someone else's vulnerable site. Another possibility I've speculated about, but don't know if it really happens, is that someone rents space on a shared server with the explicit goal of using that foothold to corrupt the server and infiltrate other accounts on it, or to create an intentionally weak site that outside parties can use to attack the server.

It could also be a disgruntled employee at the host, probably the least likely scenario. No, there is at least one more less likely!: an employee who went to work for the hosting company with the goal of stealing passwords and corrupting servers.

Another avenue into a site that is apparently very common is that people use incredibly bad passwords and their sites get hacked by dictionary attacks. So use strong passwords. If you don't know what one looks like, go here: [grc.com...]

The weirdest thing is that it attacks also static pages.

Once they have established cpanel access (or its equivalent) or ftp access, they can alter any pages they want. The "real" part of the attack is the part that grants them the initial access. Static pages aren't vulnerable to attack, but someone who uses other means to get access to the site files can then alter static pages.

- which commonware is vulnerable to such things particularly

Vulnerabilities are routinely found in virtually all scripts commonly used, including photo galleries, bulletin boards, blogs, and smaller utility scripts. The ones that hackers will find most attractive to attack are the ones that are hugely popular, so when a vulnerability in one of those is found, it is likely to be exploited soon by a lot of hackers.

Most developers of such scripts (at least the larger ones) promptly release updated versions to address security vulnerabilities that have been found. Anyone who uses popular third party scripts like Coppermine, Wordpress, SMF, vBulletin, phpBB, etc., should make sure that they're on a mailing list (if available) where updated versions are announced, or make frequent visits to forums where updates are announced and discussed. When a new version comes out, install it without delay.

There are also automated crawlers that probe sites for vulnerabilities to injection attacks via php, cgi, etc. If you develop your own scripts, it is important that you avoid using potentially insecure features of your chosen language until you have studied and understand how to code as securely as possible.

- how to detect these exploits

1. If you suddenly drop out of Google, an exploit that put porn links on your pages is one possible cause. Google has also recently been notifying webmasters when they think a site has been exploited.

2. You could use an automated procedure to check the time and date stamps on your site files once a month or so. Bit of a hassle, though, especially since you are unlikely ever to find any problem.

- how to detect the spam crawler

Go to cpanel and enable log archiving to make sure your logs accumulate. This will ensure that you have a record of your site accesses. The only downside is that every once in a while you will have to go delete the logs so they don't consume all your hard drive space.

I know of at least one case where the actual ftp attack was logged to the site FTP log(!), complete with the IP address of the party that did it.

[edited by: SteveWh at 2:37 am (utc) on Mar. 9, 2007]
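The two log-related points in this thread, reviewing accesses around the time of the hack and banning the addresses involved in `.htaccess`, can be scripted. This added example (not from the thread or any poster) parses Apache combined-format lines, keeps only requests within a window around the time the tampered file was written, flags the ones that look like probing, and renders an Apache 2.2-style deny block; the log lines, addresses and `HACK_TIME` are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-log lines using RFC 5737 test addresses;
# these are not logs from the poster's server.
SAMPLE_LOG = [
    '192.0.2.15 - - [27/Feb/2007:20:00:00 +0000] "POST /contact.asp HTTP/1.1" 200 120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [27/Feb/2007:23:58:40 +0000] "GET /gallery/index.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.22 - - [28/Feb/2007:00:03:01 +0000] "GET /default.asp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Feb/2007:00:04:55 +0000] "POST /gallery/admin/upload.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
]
# When the tampered file was written (from its mtime or the FTP log); constructed.
HACK_TIME = datetime(2007, 2, 28, 0, 5, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Request shapes worth a second look: remote URLs passed as parameters,
# directory traversal, null bytes, and hits on admin or upload scripts.
SUSPECT_PATH = re.compile(r"=(?:https?|ftp)://|\.\./|%00|/admin/|upload", re.I)

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def suspicious_in_window(lines, hack_time, minutes=30):
    """Group suspect requests made within +/- minutes of hack_time by client IP."""
    lo = hack_time - timedelta(minutes=minutes)
    hi = hack_time + timedelta(minutes=minutes)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue
        if rec["method"] == "POST" or SUSPECT_PATH.search(rec["path"]):
            hits.setdefault(rec["ip"], []).append(rec["path"])
    return hits

def htaccess_deny(ips):
    """Apache 2.2-style .htaccess block denying the given addresses."""
    lines = ["Order allow,deny"] + [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines + ["Allow from all"])

if __name__ == "__main__":
    hits = suspicious_in_window(SAMPLE_LOG, HACK_TIME)
    for ip, paths in hits.items():
        print(ip, paths)
    print(htaccess_deny(hits))
```

Review the flagged requests by hand before banning anything; a blocked address only buys time, and the vulnerable script those requests hit is what actually needs fixing.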
