Help, somebody hack my website...

Discussion in 'Odds & Ends' started by jmverdugo, Jan 24, 2011.

  1. jmverdugo

    jmverdugo Hall of Fame

    Nov 22, 2006
    Houston, TX
Here is the thing: I work for a small company and I am (among other things) in charge of our websites. I made them, really simple stuff, as I am definitely not an expert. The first week of January we got a warning that a huge amount of emails were sent from our domain. We were told by our host that there is a script causing problems, which is strange because - as far as I know - there are no scripts on our websites. Today I am checking all the files and see in the main folder a couple of PHP files that were not there before and I definitely did not upload them. I do not even know what they are; the names are 1.php and css.include.php. Any idea if this could be the problem? How did they hack our website?

    Thank you very much in advance for all the help you can provide.

  2. jigar

    jigar Professional

    Sep 29, 2006
    NV, USA
First of all, change all your web hosting passwords.
    Reset passwords for FTP, database and email.
    Call the web hosting company and ask them to restart your virtual machine.
    Delete all the accounts you either don't need or didn't create yourself, including FTP, email and database users and any others you have.

This forum might not be the best place to look for help.
  3. JoelDali

    JoelDali G.O.A.T.

    Mar 30, 2009
    I could send email "from your domain" all day.

    Get the headers of one of the emails, look at the originating IP.

    Is it your virtual IP that the emails were physically sent from?

    If yes, is anonymous relaying enabled on the server?

Just because 1000 emails end up in my box from [your domain] doesn't mean that they really came from [your domain].

    Post the code from these files.

    Who is your web hosting provider?

If they are worth anything, they should be able to tell you more about the issue than you or a mastermind, highly paid hacking genius such as myself or Tina, or even Tina's pet rabbit.
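The header check described above, as an added example that is not part of the original thread: it walks the Received: hops of a bounced message back to the originating IP and compares it with your own server's address. The sample headers, domain names and IPs are constructed; real ones come from the bounce's raw source.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample (not from the thread): the From: line claims the company's
# domain, but the earliest Received: hop shows where the message really entered
# the mail system.
SAMPLE_HEADERS = """\
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 24 Jan 2011 10:00:00 -0600
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example-isp.net with SMTP id xyz789;
\tMon, 24 Jan 2011 09:59:58 -0600
From: sales@company.example
To: victim@example.org
Subject: Special offer
"""

# An IPv4 literal in square brackets, as relays write it in Received: lines.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_headers):
    """Received: headers oldest hop first (the wire order is newest first)."""
    msg = HeaderParser().parsestr(raw_headers)
    return list(reversed(msg.get_all("Received") or []))

def originating_ip(raw_headers):
    """IP that handed the message to the first relay, or None if there is none.
    Caveat: only hops added by relays you trust are reliable; a sender can
    forge Received: lines below the first trusted one."""
    hops = received_hops(raw_headers)
    match = IP_RE.search(hops[0]) if hops else None
    return match.group(1) if match else None

def from_domain(raw_headers):
    """Domain in the From: header (what the recipient sees), lowercased."""
    addr = parseaddr(HeaderParser().parsestr(raw_headers).get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None

def classify(raw_headers, our_domain, our_server_ips):
    """'sent-from-our-server' means our box really emitted it (look for a script
    or an open relay); 'spoofed-sender' means only the From: domain is ours."""
    if originating_ip(raw_headers) in our_server_ips:
        return "sent-from-our-server"
    if from_domain(raw_headers) == our_domain.lower():
        return "spoofed-sender"
    return "unrelated"
```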
  4. SFrazeur

    SFrazeur Legend

    Mar 26, 2006
    Tina's pet rabbit IS a mastermind! Turned an old washing machine I had into an iPhone.

  5. Wakenslam

    Wakenslam Rookie

    Jul 25, 2009
    Next time don't use "password" as your password.
  6. Eph

    Eph Professional

    Oct 7, 2007
    Cambridge, MA
    What applications are you running? Are you using a shared host (I assume so)? Linux or Windows?

The more information, the better.

    Don't use ftp. Use sftp.

    Update any software that has security holes ASAP (don't forget backups).

Set up at least two backup methods (the time interval depends on whether your site is static or dynamic and, if the latter, how often content changes). Rsync is good, and I use Amazon Web Services to keep off-site backups (encrypted, of course), and a copy goes to my home server.

    Use secure passwords (something different for each password). Keep passwords in a master file. Do not email passwords to one another in plaintext.

Don't Post-it passwords to your monitor.

Type 'pwgen -sny 18' in a shell to get good secure passwords. If you can't install pwgen, look around online for something that works on your OS.

    Pay someone to scan your directories and remove malicious code.

Check logs (if you have access): /var/log in most *nix setups (check READMEs in Windows setups).

    Disable root login. Use sudo.

Set up proper ACLs.

    Read this:

    Hope that helps.
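One way to do the directory scan Eph recommends, as an added example that is not code from the thread or its poster: hash every file in the web root after a known-clean deploy, diff later snapshots against that baseline, and grep anything new or changed for constructs typical of planted PHP. The site files, the two planted file names and their contents are constructed for the demo.

```python
import hashlib, os, re, tempfile

# Constructs seen in planted PHP; a hit is a reason to read the file, not proof.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "obfuscation": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\("),
    "mail": re.compile(r"\bmail\s*\("),
}

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; save it after a clean deploy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Files that appeared, changed or vanished since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def suspicious_markers(path):
    """Names of the SUSPICIOUS patterns found in one file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]

def demo():
    """Constructed site: clean baseline, then two planted files named as in the thread."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    write("index.html", "<html><body>Hello</body></html>\n")
    write("css/style.css", "body { color: black; }\n")
    baseline = build_manifest(root)  # taken while the site was known clean
    write("1.php", '<?php eval(base64_decode("PLACEHOLDER")); ?>\n')  # inert stand-in
    write("css.include.php", '<?php foreach ($list as $to) { mail($to, $subj, $body); } ?>\n')
    added, modified, removed = diff_manifests(baseline, build_manifest(root))
    flagged = {p: suspicious_markers(os.path.join(root, p)) for p in added + modified}
    return added, modified, removed, flagged
```

Keep the baseline manifest off the web server, since anyone who can plant files can also rewrite a manifest stored beside them.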
  7. albino smurf

    albino smurf Professional

    Mar 7, 2008
    In a cloud of yellow fuzz
^^^ Nice link and good advice from Eph.
  8. Dave M

    Dave M Hall of Fame

    Mar 23, 2007
I've always found "letmein" to be much safer.
    Oh no, now you know... :oops:
  9. jmverdugo

    jmverdugo Hall of Fame

    Nov 22, 2006
    Houston, TX
Thank you all for your help; it seems like we solved the problem. But yes, we will follow most of the advice here to stop this from happening again. A funny thing happened yesterday though: I noticed the site running slow and our email account not working, so I panicked thinking that everything was happening again and contacted the hosting provider. Their answer was:

    "The server is currently under a DDOS attack. Our admins are currently working to block the attackers and clean out the server. "

Boy, I do not know what this is, but it sure sounds like trouble. It sounds like a line from Tron or another movie, War in the IT Room or something like it...
  10. GetBetterer

    GetBetterer Hall of Fame

    Apr 19, 2010
    Mesa, AZ
    A DDoS attack can be done from any computer.

It's basically when one computer sends out various ping signals to a website. Most websites and servers can efficiently block DDoSing (famous websites like Google, etc., or they can handle several signals at once).

Putting it in Tron form, imagine there are a bunch of programs going into Mastermind at once, and he's all like "ARRRRRRRGGGGGGGGGGGG TOO MANY PROGRAMS!" and then he shuts down. Some websites can't handle the traffic (YouTube obviously handles LOTS of traffic).
