Talk Tennis > Miscellaneous > Odds & Ends
Old 01-24-2011, 04:07 AM   #1
jmverdugo
Hall Of Fame
 
Join Date: Nov 2006
Location: Houston, TX
Posts: 2,965
Help, somebody hack my website...

Here is the thing, I work for a small company and I am (among other things) in charge of our websites, I made them, really simple stuff as I am definitely not an expert. The first week of January we got a warning that a huge amount of emails were sent from our domain. We were told by our host that there is a script causing problems, which is strange because - as far as I know - there are no scripts on our websites. Today I am checking all the files and see in the main folder a couple of PHP files that were not there before and I definitely did not upload them, I do not even know what they are, the names are 1.php and css.include.php. Any idea if this could be the problem? How did they hack our website?

Thank you very much in advance for all the help you can provide.

JM.
Old 01-24-2011, 06:38 AM   #2
jigar
Professional
 
Join Date: Sep 2006
Location: NV, USA
Posts: 1,185

First of all, change all your web hosting passwords.
Reset passwords for FTP, database and email.
Call the web hosting company and ask them to restart your virtual machine.
Delete all the accounts either you don't need or created, including ftp, emails, database users and many others you have.

This forum might not be the best place to look for help.
Old 01-24-2011, 07:44 AM   #3
JoelDali
Legend
 
Join Date: Mar 2009
Posts: 9,013

I could send email "from your domain" all day.

Get the headers of one of the emails, look at the originating IP.

Is it your virtual IP that the emails were physically sent from?

If yes, is anonymous relaying enabled on the server?

Just because 1000 emails end in my box from troll-master-tennis.com doesn't mean that they really came from troll-master-tennis.com.

Post the code from these files.

Who is your web hosting provider?

If they are worth anything, they should be able to tell you more about the issue than yourself or a mastermind high paid hacking genius such as myself or Tina, or even Tina's pet rabbit.
__________________
There he goes. One of God's own prototypes. A mutant of some kind never even considered for mass production. Too weird to live and too rare to die.
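Added example, not part of the thread: one way to do the header check described in the post above, in Python. Only `Received` lines written by the recipient's own mail servers are trusted, because lines below them are supplied by the sender and can be forged. The sample message, host names and addresses are constructed, and `TRUSTED_MTAS` and `OUR_SERVER_IPS` are assumptions you would replace with your own values.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample (documentation addresses). The bottom Received line was
# written by the sending side and claims our web server, 198.51.100.10.
SAMPLE = """\
Received: from mx.recipient.example (localhost [127.0.0.1])
\tby mail.recipient.example with ESMTP id A1; Mon, 24 Jan 2011 04:00:02 -0800
Received: from unknown-host.example (unknown-host.example [203.0.113.45])
\tby mx.recipient.example with ESMTP id B2; Mon, 24 Jan 2011 04:00:01 -0800
Received: from web01.example.com ([198.51.100.10])
\tby unknown-host.example with SMTP id C3; Mon, 24 Jan 2011 04:00:00 -0800
From: sales@example.com
To: someone@recipient.example
Subject: constructed test message

body
"""
TRUSTED_MTAS = {"mail.recipient.example", "mx.recipient.example"}  # assumed: recipient's servers
OUR_SERVER_IPS = ["198.51.100.10"]                                 # assumed: the site's IP

BY_RE = re.compile(r"\bby\s+([^\s;]+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(raw_message, trusted_mtas):
    """Return the client IP recorded by the deepest contiguous trusted hop."""
    found = None
    for hop in message_from_string(raw_message).get_all("Received", []):  # newest first
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted_mtas:
            break  # written by a server we do not control: may be forged
        ip = IP_RE.search(hop)
        if ip:
            try:
                found = ip_address(ip.group(1))
            except ValueError:
                pass  # bracketed text that is not an IP address
    return found

def sent_from_our_server(raw_message, trusted_mtas, our_ips):
    """True only if a trusted server saw the mail arrive from one of our IPs."""
    ip = handoff_ip(raw_message, trusted_mtas)
    return ip is not None and ip in {ip_address(a) for a in our_ips}

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, TRUSTED_MTAS))
    print(sent_from_our_server(SAMPLE, TRUSTED_MTAS, OUR_SERVER_IPS))
```

For the sample, the trusted hand-off address is not the site's IP even though the bottom header names it, which is the "from your domain" case the post describes.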
Old 01-24-2011, 07:48 AM   #4
SFrazeur
Legend
 
Join Date: Mar 2006
Location: 1164 Morning Glory Circle
Posts: 5,703

Tina's pet rabbit IS a mastermind! Turned an old washing machine I had into an iPhone.

-SF
__________________
Babolat Pure Drive "Black" (1/4) w/ Skin Feel replacement grip.
Solinco Tour Bite 16 @ 55 and Tourna Grip XL
Old 01-24-2011, 10:00 AM   #5
Wakenslam
Rookie
 
Join Date: Jul 2009
Location: ATL
Posts: 200

Next time don't use "password" as your password.
Old 01-26-2011, 12:00 AM   #6
Eph
Professional
 
Join Date: Oct 2007
Location: Cambridge, MA
Posts: 850

What applications are you running? Are you using a shared host (I assume so)? Linux or Windows?

The more information, the better.

Don't use ftp. Use sftp.

Update any software that has security holes ASAP (don't forget backups).

Set up at least two backup methods (time interval depends on if your site is static or dynamic, if the latter, how often content changes). Rsync is good and I use Amazon Web Services to keep off-site backups (encrypted, of course), and a copy goes to my home server.

Use secure passwords (something different for each password). Keep passwords in a master file. Do not email passwords to one another in plaintext.

Don't post-it passwords to your monitor.

Type 'pwgen -sny 18' in a shell to retrieve good security passwords. If you can't install pwgen, look around online for something that works on your OS.

Pay someone to scan your directories and remove malicious code.

Check logs (if you have access). /var/log in most *nix setups (check READMEs in Windows setups).

Disable root login. Use sudo.

Set up proper ACLs.


Read this: http://library.linode.com/security/basics/


Hope that helps.
__________________
By all means marry. If you get a good wife, you'll be happy. If you get a bad one, you'll become a philosopher. - Socrates
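Added example, not part of the thread: a minimal Python check for the situation in the first post (files such as 1.php and css.include.php appearing on a site that should have no scripts), in the spirit of the directory scan suggested above. It compares the web root against a known-good snapshot; the extension list and the constructed demo site are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types the host will execute; adjust for your server.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".cgi", ".pl"}

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root, baseline):
    """Compare the live tree against a known-good baseline snapshot."""
    current = snapshot(root)
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(set(baseline) - set(current))
    scripts = [p for p in added + changed if Path(p).suffix.lower() in EXECUTABLE_EXT]
    return {"added": added, "changed": changed,
            "missing": missing, "unexpected_scripts": scripts}

def demo():
    """Constructed site: static pages are baselined, then two PHP files appear."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Home</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        baseline = snapshot(root)          # taken while the site is known to be clean
        (root / "1.php").write_text("<?php /* placeholder */ ?>")
        (root / "css.include.php").write_text("<?php /* placeholder */ ?>")
        (root / "index.html").write_text("<h1>Home</h1><!-- edited -->")
        return audit(root, baseline)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere the web server account cannot write to, otherwise whoever added the files can update it as well.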
Old 01-26-2011, 03:37 AM   #7
albino smurf
Professional
 
Join Date: Mar 2008
Location: In a cloud of yellow fuzz
Posts: 961

^^^nice link and good advice from eph.
__________________
Dude, where's my post?
Old 01-26-2011, 04:09 AM   #8
Dave M
Hall Of Fame
 
Join Date: Mar 2007
Location: England
Posts: 1,865

Quote:
Originally Posted by Wakenslam
Next time don't use "password" as your password.
I've always found "letmein" to be much safer.
Oh no, now you know.................
Old 01-26-2011, 04:53 AM   #9
jmverdugo
Hall Of Fame
 
Join Date: Nov 2006
Location: Houston, TX
Posts: 2,965

Thank you all for your help, it seems like we solved the problem. But yes we will follow most of the advice here to stop this from happening again. A funny thing happened yesterday though, I noticed the site running slow and our email account not working so I panicked thinking that everything was happening again and contacted the hosting provider, their answer was:

"The server is currently under a DDOS attack. Our admins are currently working to block the attackers and clean out the server. "

Boy I do not know what this is but for sure sounds like trouble, it sounds like a line of Tron or another movie, War in the IT room or something like it...
Old 01-26-2011, 01:38 PM   #10
GetBetterer
Hall Of Fame
 
Join Date: Apr 2010
Location: Mesa, AZ
Posts: 1,648

A DDoS attack can be done from any computer.

It's basically when one computer sends out various ping signals to a website. Most websites and servers can efficiently block DDoSing (your famous websites like Google, Microsoft.com, etc., or they can handle several signals at once).

Putting it in Tron form, imagine there are a bunch of programs going into Mastermind at once, and he's all like "ARRRRRRRGGGGGGGGGGGG TOO MANY PROGRAMS!" and then he shuts down. Some websites can't handle the traffic (YouTube obviously handles LOTS of traffic).
__________________
"You have to expect things of yourself before you can do them." -Michael Jordan
http://tt.tennis-warehouse.com/showthread.php?t=354979
All times are GMT -8.