Forum Moderators: phranque


My website keeps getting hacked

Please help

         

anon123

6:12 pm on Jan 17, 2008 (gmt 0)

10+ Year Member



For the 2nd time now, people have messed up my homepage.

The first time, they deleted my index file and replaced it with a "hacked by..." blank page.

Now this time, about 2 months from the last time, they replaced my logo with a different image. (Seems to be a different "hacker")

I've done a little research and I think I must be running some script that is exploitable, and they are doing "remote file injection". I don't think it's a case of bad passwords because I changed my password to something very difficult the last time around, and I'm virus free.

I find files they've uploaded to my server that show my entire root directory and all its files and folders and allow people to delete/upload/overwrite any file on my server that they want.

I've now backed up all pertinent and important files to my local hard drive until I can find out how they are doing this.

How can I find out how to fix this? Please help!

[edited by: anon123 at 6:20 pm (utc) on Jan. 17, 2008]

eelixduppy

6:16 pm on Jan 17, 2008 (gmt 0)



Welcome to WebmasterWorld!

>> How can I find out how to fix this?

What kind of scripts are you running that are exploitable? Do you have any upload scripts on your server at all? It doesn't necessarily have to be an exploited script, but my guess is that's what it is.

anon123

6:19 pm on Jan 17, 2008 (gmt 0)

10+ Year Member



The only scripts I'm running are cutenews (content management for changing news) and mybb (forum software).

(Not sure if I should post that ^?)

Everything else is html and images.

eelixduppy

7:37 pm on Jan 17, 2008 (gmt 0)



A quick Google search shows that both of those CMSs have security exploits for one thing or another. I would take a more in-depth look at these exploits and learn how to fix them. They may offer patches for them, who knows. Might want to consider changing passwords, too, just in case they were compromised somehow.

anon123

8:18 pm on Jan 17, 2008 (gmt 0)

10+ Year Member



Good advice, thanks.

stajer

11:45 pm on Jan 17, 2008 (gmt 0)

10+ Year Member



Check your logs - go over the individual URL entries looking for anything suspicious. Unless you are a high profile site, these exploits are usually done automatically by the "hacker" using a script that attempts to execute any number of exploits on your site. Your logs will have records of each URL used - look for the unusual ones.
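An added example (not part of stajer's post or the thread) of the log review described above: it scans access-log lines for query parameters whose value is a remote URL, the usual trace of the remote file inclusion the original poster suspects, and then lists later POSTs from the same client. It assumes Apache "combined" log format; the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" format (an assumption; the
# thread never says which web server is in use). Addresses and hosts are
# reserved documentation values and every path is hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jan/2008:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2008:03:14:22 +0000] "GET /app/page.php?inc=http%3A%2F%2Ffiles.example.net%2Fa.txt%3F HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
203.0.113.9 - - [17/Jan/2008:03:14:25 +0000] "POST /images/fm.php HTTP/1.1" 200 901 "-" "libwww-perl/5.805"
198.51.100.7 - - [17/Jan/2008:03:15:40 +0000] "GET /search.php?q=http+headers HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Jan/2008:03:16:02 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" \d{3} ')
# a parameter value that is itself a remote URL
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_suspicious(log_text):
    """Return (remote_param_hits, followup_posts) from access-log text."""
    hits, followups, flagged_ips = [], [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, target = m.groups()
        url = urlsplit(target)
        # POSTs from a client flagged earlier in the log deserve review:
        # they may be uploads to, or use of, a file planted on the server.
        if method == "POST" and ip in flagged_ips:
            followups.append((ip, when, url.path))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl decodes once; unquote again to catch double encoding.
            if REMOTE_VALUE_RE.match(unquote(value)):
                hits.append((ip, when, url.path, name))
                flagged_ips.add(ip)
    return hits, followups

if __name__ == "__main__":
    hits, followups = find_suspicious(SAMPLE_LOG)
    for ip, when, path, name in hits:
        print(f"remote URL in parameter {name!r}: {ip} {when} {path}")
    for ip, when, path in followups:
        print(f"later POST from flagged client: {ip} {when} {path}")
```

The script and parameter named in a hit show which file to patch or remove, and the paths in the follow-up list are candidates for files that were planted on the server.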

phranque

2:15 am on Jan 18, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld [webmasterworld.com], anon123!

what type of web server are you running?

CrustyAdmin

2:34 am on Jan 18, 2008 (gmt 0)

10+ Year Member



As stajer said, this probably isn't high level people. Simply getting the latest and greatest versions of your scripts and then changing their footprint a bit may help. Change the default directories, etc. of the installation. For instance, WordPress has a widget that will help you change the table prefixes to something other than the standard wp_; this helps in that the automated attack tools don't work. It at least ups the skill level required to do you harm. Why kick in your door when the house down the street has the garage door open?

Rosalind

2:05 pm on Jan 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Probably the most likely method is one of those scripts, especially if you're running an old version and crackers are aware of an exploit. Often all it takes is a simple search for the name and version of the software, and they will have access to thousands of exploitable websites.

Always keep your software updated to the latest version, and where possible invest in a version that allows you to remove the "powered by" footer, and any other typical footprints.

But also, be aware that there are many, many ways to compromise your website's security. Your host, your own computer, your ftp method, or your passwords could be at fault. It could even be social engineering.