
Help: Victim of IRS phish kit on my domain
devkinetic

3:46 pm on Feb 9, 2009 (gmt 0)

Hello,

A few weeks ago an IRS phish kit appeared under a folder of my site, and I was contacted by both the IRS and my datacenter to remove it. I did remove it, wiped anything I thought may have been a security hole, tightened up my permissions and wiped my hands clean. The other day, the attack happened AGAIN, this time right in the root of my site, and again I was contacted by the IRS and my datacenter. I removed everything I could find and let everyone know it was resolved.

It also seems like my logs were wiped after the attack, and coming into work this morning my datacenter has suspended my account, locking me out of email, HTTP and FTP after I had already fixed the issue. I asked them for detailed logs, which they are not providing, and they are really giving me the "crap" end of the stick.

I have since asked them to restore my account, as I need to get in to fix the issue. The only code on my site is straight HTML and the use of the PHP include() to make managing templates easier. I really don't know where to go from here and what my rights are.

jdMorgan

5:51 pm on Feb 9, 2009 (gmt 0)

What kind of hosting account do you have? I'm asking because if you don't have full administration permissions on this server, then you may not be able to fix all vulnerabilities. And as such, your "Datacenter" would share in the responsibility to secure your server.

If you are including script objects in your pages, be sure that you are using local file includes only, and that the paths are absolute from server root. This precludes loading remote code to install or implement the phishing attack; in other words, include script objects by fully-specified server filepaths, and do not include objects by using URLs or allow URLs to be included.

Since the phish kit was re-installed after you removed it, it's obvious that there is still a security hole in your server. You need to plug all the holes. If you're not confident that you can do so, then it may be time to hire a security expert (or pay your hosting company if this is a completely self-managed server) to do so.

Change all of your passwords, disable all unused scripting, configuration, control panel, upload/download, and command line functions, install all of the latest security patches, secure all your scripts and your database(s). That's a good start.

One more point: Many programmers code their security-related functions based on what they want to reject. This is a very common error, and leads to playing never-ending "whack-a-mole" games -- That is, always being reactive instead of pro-active. It is a far better method to code based on what you are willing to accept. So in general, you want to block any and all "methods of doing anything on your server" by default, and then allow overrides only for those methods that you actually use on your site.

These comments are general -- I'm not any kind of security expert myself, and I find your situation to be quite scary.

Best,
Jim
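As an added example, not code from Jim or anyone else in this thread: one way to apply the advice above (local includes only, absolute server paths, allow what you use rather than reject what you fear) in a small PHP template site like the one described. The assets/includes layout and the fragment names are assumptions.

```php
<?php
// Added example (not code from this thread): include page fragments only by
// name from a fixed allowlist, resolved to an absolute server path under the
// site root. URLs, '../' tricks and unknown names are refused and logged.
// Assumed layout: this file sits in the site root and the fragments live in
// assets/includes/; the fragment names below are assumptions.
declare(strict_types=1);
const INCLUDE_DIR = __DIR__ . '/assets/includes';

// Code what you are willing to accept: only these fragments can be included.
const ALLOWED_FRAGMENTS = [
    'navigation' => 'navigation.php',
    'header'     => 'header.php',
    'footer'     => 'footer.php',
];

// Returns the verified absolute path of an allowed fragment, or null.
function resolveFragment(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_FRAGMENTS)) {
        return null;                                  // reject by default
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . ALLOWED_FRAGMENTS[$name]);
    // realpath() returns false for missing files and for URL-like strings;
    // the prefix check is belt-and-braces against a file resolving elsewhere.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function includeFragment(string $name): void
{
    $path = resolveFragment($name);
    if ($path === null) {
        error_log('refused include of fragment ' . rawurlencode($name));
        return;                                       // nothing is loaded
    }
    include $path;                                    // local absolute path only
}
// Defence in depth: a URL include cannot work at all with this setting off.
if (ini_get('allow_url_include') === '1') {
    error_log('allow_url_include is On; set it to Off in php.ini');
}

includeFragment('navigation');                        // normal use
includeFragment('http://example.invalid/kit.txt');    // refused and logged
```

The refused-include log line doubles as a detection signal: on a site where every include name is fixed in the templates, any entry in that log means a page is being asked to load something it never should.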

devkinetic

6:39 pm on Feb 9, 2009 (gmt 0)

Thanks for your reply Jim.

The account is hosted with [an ISP] under one of their shared hosting packages. My includes are structured like this:

<?php include('assets/includes/navigation.php'); ?>

If I'm understanding you right, this is incorrect? For reference, "assets" is a folder in the root of my site. The only other script on my site is a PHP file used to manage downloads of my resume. If you google "Smart File Download" it's the first result. Other than that I can't think of anything.

I'm not so worried about the IRS since they seem to understand it's not me who is posting this thing, but it's my hosting company. I have 4 sites hosted with them and their support has been ignoring me about allowing me access to my account again.

As far as hiring a professional, I am not in any financial situation to do so (20, college student). If anything is going to be done, it has to be done by myself.

[edited by: phranque at 9:09 pm (utc) on Feb. 9, 2009]
[edit reason] hosting specifics [/edit]

kaled

6:58 pm on Feb 9, 2009 (gmt 0)

If the host won't listen, you'll have to change host.

By the sound of it, you could dump PHP and move to HTML with server-side includes. Alternatively, if the sites are not huge and you use an HTML editor that supports templates (e.g. Dreamweaver) you could use static HTML - but you would have to upload the whole site (all the HTML pages) each time a change is made to the navigation. On the plus side, it should run faster. However, if pages use the .php file extension, that's a problem with respect to inbound links.

Kaled.

devkinetic

5:44 pm on Feb 10, 2009 (gmt 0)

Kaled, my host restored FTP/SSH access, and I went in and wiped my site out, placing just a simple index.html file in the root. I also changed all my passwords to 15-character alphanumeric strings throughout my account with the host.

I'm hoping it doesn't crop up again, but if it does, what can I do? My host said they will boot me, and if I move hosts will it happen again?

Jane_Doe

6:40 pm on Feb 10, 2009 (gmt 0)

I'm hoping it doesn't crop up again, but if it does, what can I do?

I had a similar experience. They were getting in after we added a php module. Just like Kaled suggested now, we dropped the php and changed hosting companies to one of the more established hosting companies and have not had the problem return.

These days I stick with the major hosting companies that are more likely to have dedicated security experts on staff and have not had any more issues.