Two of my websites hacked on the same day

Forum Moderators: phranque

Message Too Old, No Replies

Two of my websites hacked on the same day

dunhill

7:45 am on Jul 11, 2009 (gmt 0)

2 of my websites were hacked on the same day, one is hosted by a very large hosting company and the other is my own server.

If it was just my server that got hacked I would have thought that I havent made my server secure enough.

On my own server I have root access, on the other server its just ftp access, passwords are different, one is Plesk the other is CPanel.

Most of the index.php and other php scripts were modified to include the following

I was first made aware when I got an email from Google advising me of the problem - "We recently discovered that some of your pages can cause users to be infected with malicious software."

The question is how did they hack me, when can I do to prevent it?

Thank you for your help

[edited by: encyclo at 11:40 am (utc) on July 11, 2009]
[edit reason] obfuscated link to hacker website [/edit]

janharders

8:09 am on Jul 11, 2009 (gmt 0)

Look through the error logs of your apache.
With the shared hosting it might have been a local attack, but on your own server (I guess you did have strong passwords?) that can be doubted. I was once asked to clean an infected site and I searched for the entry point and found the error log extremly helpful identifying the joomla module that was exploited. They need a way to load code from a remote machine and they'll usually try multiple times before it succeeds - and these tries can get logged.

Do you use some public cms on both sides? That's what you should look at first.
What you can do to prevent it: stay up to date with your non-inhouse scripts. Once an exploit is in the open, they'll use google to find exploitable sites and just run their bots to try it. Stay ahead. You might also want to look at mod_security, at least for your dedicated server.

dunhill

8:39 am on Jul 11, 2009 (gmt 0)

I don't use any CMS, there is no common software between the 2 sites.

I also have mod_security already running on my server

The passwords are secure, not based on names, it has both alpha and numeric characters

I will have a look at the apache logs.

encyclo

11:31 am on Jul 11, 2009 (gmt 0)

There are a few Windows virus variants around (such as "gumblar") which infect your local machine and steal FTP passwords from programs such as Filezilla. You should probably start by scanning your local machine for those viruses. Then you will need to change all your passwords.

Note that FTP is inherently insecure because the password is transmitted in plain-text - using ssh (secure FTP) is a much better option, most FTP clients support secure FTP out of the box, and your servers almost certainly will too.

janharders

1:10 pm on Jul 11, 2009 (gmt 0)

using ssh (secure FTP) is a much better option

just to add: ftp over ssl (ftps) is also much more secure than regular ftp and I've found it to be performing better than sftp in my setup.