
Help, somebody hacked my website...


jmverdugo
01-24-2011, 04:07 AM
Here is the thing: I work for a small company and I am (among other things) in charge of our websites. I made them, really simple stuff, as I am definitely not an expert. The first week of January we got a warning that a huge amount of emails was being sent from our domain. We were told by our host that there is a script causing problems, which is strange because - as far as I know - there are no scripts on our websites. Today I am checking all the files and I see in the main folder a couple of PHP files that were not there before and that I definitely did not upload; I do not even know what they are. The names are 1.php and css.include.php. Any idea if this could be the problem? How did they hack our website?

Thank you very much in advance for all the help you can provide.

JM.

jigar
01-24-2011, 06:38 AM
First of all, change all your web hosting passwords.
Reset passwords for FTP, database and email.
Call the web hosting company and ask them to restart your virtual machine.
Delete all the accounts you either don't need or didn't create, including FTP, email and database users and any others you have.

this forum might not be the best place to look for help.

JoelDali
01-24-2011, 07:44 AM
I could send email "from your domain" all day.

Get the headers of one of the emails, look at the originating IP.

Is it your virtual IP that the emails were physically sent from?

If yes, is anonymous relaying enabled on the server?

Just because 1000 emails end in my box from troll-master-tennis.com doesn't mean that they really came from troll-master-tennis.com.

Post the code from these files.

Who is your web hosting provider?

If they are worth anything, they should be able to tell you more about the issue than yourself or a mastermind high paid hacking genius such as myself or Tina, or even Tina's pet rabbit.
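To make the header check JoelDali describes concrete, here is an added Python example (not code from anyone in this thread). It walks the Received headers of a raw message from the bottom (first hop) upward, extracts the IP each relay saw the connection come from, and reports the first hop that is not a loopback or RFC1918 address, so you can compare it with your host's public IP. The two messages, the hostnames, the IP addresses (documentation ranges) and the server IP 203.0.113.10 are all constructed for the example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample messages (not taken from the original thread). Each relay
# prepends its own Received header, so the top one is the last hop before
# delivery and the bottom one is the first hop. Here the first hop is a local
# injection on the web host (what mail sent by a PHP script on the server
# looks like), and the web host's public IP is 203.0.113.10.
LOCALLY_INJECTED = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Mon, 24 Jan 2011 03:59:10 +0000
Received: from webhost.example.com (webhost.example.com [203.0.113.10])
\tby mx.example.net with ESMTP id abc123; Mon, 24 Jan 2011 03:59:08 +0000
Received: from localhost (localhost [127.0.0.1])
\tby webhost.example.com (Postfix) with ESMTP id 8F2A1; Mon, 24 Jan 2011 03:59:07 +0000
From: "Sales" <sales@troll-master-tennis.com>
To: victim@example.org
Subject: constructed sample

body
"""

# Same From: domain, but the first hop is an unrelated address: the sender
# only forged the From: header, nothing left the web host.
SPOOFED_FROM = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Mon, 24 Jan 2011 04:10:02 +0000
Received: from dsl-pool-44.example.isp ([192.0.2.44])
\tby mx.example.net with ESMTP id xyz789; Mon, 24 Jan 2011 04:10:01 +0000
From: "Sales" <sales@troll-master-tennis.com>
To: victim@example.org
Subject: constructed sample

body
"""

# First bracketed dotted-quad in a Received header: the address the relay saw
# the connection come from. The hostname before it is what the sender claimed
# in HELO and is not trustworthy.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops from these ranges are local or internal to a host, not the origin.
# (ipaddress.is_private is deliberately not used: it would also flag the
# documentation ranges used in the samples.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hop_ips(raw_message):
    """Sending IP of every Received hop, first hop first (None if unparsable)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = [str(h) for h in msg.get_all("Received", [])]
    ips = []
    for hop in reversed(hops):          # bottom header = earliest hop
        m = IP_RE.search(hop)
        ips.append(m.group(1) if m else None)
    return ips


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(raw_message):
    """Earliest hop whose sending address is not loopback/RFC1918.

    Only hops recorded by relays you trust (your own MTA and the receiving
    side's) are reliable; anything below them can be forged by the sender,
    so in practice read the chain from the top down to the first relay you
    do not control and stop there.
    """
    for ip in hop_ips(raw_message):
        if ip and not is_internal(ip):
            return ip
    return None


def sent_from_our_server(raw_message, server_ip):
    """Did the message physically leave the web host (the question above)?"""
    return originating_ip(raw_message) == server_ip


if __name__ == "__main__":
    for name, raw in (("locally injected", LOCALLY_INJECTED), ("spoofed From", SPOOFED_FROM)):
        print(name, hop_ips(raw), "origin:", originating_ip(raw),
              "from our server:", sent_from_our_server(raw, "203.0.113.10"))
```

If the origin is your server's IP, the mail really left your box and the dropped PHP files are the first place to look; if it is some unrelated address, the only thing "from your domain" was the forged From: line, and the fix is on the receiving side (SPF/DKIM records), not on your web host.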

SFrazeur
01-24-2011, 07:48 AM
Tina's pet rabbit IS a mastermind! Turned an old washing machine I had into an iPhone.

-SF

Wakenslam
01-24-2011, 10:00 AM
Next time don't use "password" as your password.

Eph
01-26-2011, 12:00 AM
What applications are you running? Are you using a shared host (I assume so)? Linux or Windows?

More information, the better.

Don't use ftp. Use sftp.

Update any software that has security holes ASAP (don't forget backups).

Set up at least two backup methods (the time interval depends on whether your site is static or dynamic and, if the latter, how often content changes). Rsync is good, and I use Amazon Web Services to keep off-site backups (encrypted, of course), and a copy goes to my home server.

Use secure passwords (something different for each password). Keep passwords in a master file. Do not email passwords to one another in plaintext.

Don't Post-it passwords to your monitor.

Type 'pwgen -sny 18' in a shell to get good, secure passwords. If you can't install pwgen, look around online for something that works on your OS.

Pay someone to scan your directories and remove malicious code.

Check logs (if you have access): /var/log in most *nix setups (check the READMEs in Windows setups).

Disable root login. Use sudo.

Set up proper ACLs.


Read this: http://library.linode.com/security/basics/


Hope that helps.
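Two of Eph's points, checking the logs and scanning the directories for malicious code, can be started without paying anyone. The following is an added Python example, not code from this thread or from any tool it mentions. It parses combined-format access log lines, reports every request to a PHP file that is not on a list of files you know you uploaded, and ranks PHP sources by the presence of constructs that dropped mailer scripts and backdoors commonly use. The log lines, the known-good list (/index.php and /contact.php), and both PHP sources are constructed for the example; the file names 1.php and css.include.php are the ones the original poster found, but the request pattern shown for them is made up.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client IP, ident, user, [time],
# "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP files the site owner knows they uploaded (an assumption for the example).
KNOWN_GOOD = {"/index.php", "/contact.php"}

# Constructed access-log lines (not from the original thread).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2011:02:14:33 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Jan/2011:02:15:01 +0000] "POST /css.include.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Jan/2011:02:15:02 +0000] "POST /css.include.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Jan/2011:02:16:40 +0000] "POST /1.php HTTP/1.1" 200 88 "-" "-"
203.0.113.5 - - [22/Jan/2011:02:17:10 +0000] "GET /contact.php HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"
192.0.2.77 - - [22/Jan/2011:02:18:55 +0000] "GET /1.php HTTP/1.1" 200 90 "-" "curl/7.21.0"
"""


def parse_log(text):
    """Records for every line in combined format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def suspicious_php_requests(text, known_good=KNOWN_GOOD):
    """Requests for .php paths not in known_good, grouped by path.

    Returns {path: {"hits": n, "posts": n, "clients": {ip, ...}}}. Repeated
    POSTs to a file you never uploaded, from a handful of clients with no
    referer, is the pattern a dropped mailer or backdoor leaves behind.
    """
    report = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set()})
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]
        if not path.endswith(".php") or path in known_good:
            continue
        entry = report[path]
        entry["hits"] += 1
        entry["clients"].add(rec["ip"])
        if rec["method"] == "POST":
            entry["posts"] += 1
    return dict(report)


# Source-level indicators worth a manual look. None of them proves a file is
# malicious (a contact form calls mail() too); they only rank what to read first.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "mail()": re.compile(r"\bmail\s*\("),
    "shell": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "request-named function": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
}

# Constructed PHP sources: a legitimate contact form and a hypothetical dropped
# mailer script (an illustration, not the contents of any real file).
SAMPLE_SOURCES = {
    "contact.php": "<?php\nif ($_POST['email']) { mail('sales@example.com', 'Contact', $_POST['msg']); }\n",
    "dropped.php": ("<?php\neval(base64_decode($_POST['d']));\n"
                    "foreach (explode(',', $_POST['to']) as $t) { mail($t, $_POST['s'], $_POST['b']); }\n"),
}


def scan_php_source(src):
    """Names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def rank_sources(sources):
    """(filename, indicators) pairs, most indicators first."""
    scored = [(name, scan_php_source(src)) for name, src in sources.items()]
    return sorted(scored, key=lambda pair: len(pair[1]), reverse=True)


if __name__ == "__main__":
    for path, entry in suspicious_php_requests(SAMPLE_LOG).items():
        print(path, entry["hits"], "hits,", entry["posts"], "POSTs from", sorted(entry["clients"]))
    for name, found in rank_sources(SAMPLE_SOURCES):
        print(name, found)
```

On a real host, feed suspicious_php_requests() the access log from /var/log (or wherever the hosting control panel exposes it) and scan_php_source() the output of something like find /path/to/docroot -name '*.php' -mtime -30, so recently changed files come first. A hit on an indicator is a reason to read the file, not a verdict; a clean scan is not a clean bill of health either, since obfuscated scripts can avoid every pattern here.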

albino smurf
01-26-2011, 03:37 AM
^^^nice link and good advice from eph.

Dave M
01-26-2011, 04:09 AM
Next time don't use "password" as your password.

I've always found "letmein" to be much safer.
Oh no, now you know................. :oops:

jmverdugo
01-26-2011, 04:53 AM
Thank you all for your help, it seems like we solved the problem. But yes, we will follow most of the advice here to stop this from happening again. A funny thing happened yesterday though: I noticed the site running slow and our email account not working, so I panicked thinking that everything was happening again and contacted the hosting provider. Their answer was:

"The server is currently under a DDOS attack. Our admins are currently working to block the attackers and clean out the server. "

Boy, I do not know what this is, but it sure sounds like trouble; it sounds like a line from Tron or another movie, War in the IT Room or something like it...

GetBetterer
01-26-2011, 01:38 PM
A DDoS attack can be done from any computer.

It's basically when one computer sends out various ping signals to a website. Most websites and servers can efficiently block DDoSing (your famous websites like Google, Microsoft.com, etc., or they can handle several signals at once).

Putting it in Tron form, imagine there are a bunch of programs going into Mastermind at once, and he's all like "ARRRRRRRGGGGGGGGGGGG TOO MANY PROGRAMS!" and then he shuts down. Some websites can't handle the traffic (YouTube obviously handles LOTS of traffic).