Forum Moderators: phranque
The hacker replaced my index file with one of his own.
Is it possible that he was able to get to my file directory while I was connected via FTP?
Any other ideas how this may have happened?
Check your DNS records to make sure you haven't been redirected. Make sure your domain registration is locked, by you.
I doubt that your ftp session is the culprit, unless you stepped away for a smoke and someone used your computer.
This would be a good time to change passwords.
I do see one strange IP in my server logs, but I still can't figure out how he replaced my index file.
On both occassions they hit they uploaded an 'htm' file and it made no difference to the site at all, as it runs with 'html' as the index page.
I don't even know what 'htm' is, seeing as how I use a WYSIWYG editor :o)
I noticed the first one while uploading something by FTP, just looked at it and thought "Eh?" I have index.html and index_nn4" or something, for netscape but I don't upload any 'htm'. Opened the file and it was along the lines of "This site hacked by" stuff but like I say I never even noticed nor did my members.
Second time I was just doing a "Who links to my site?" type search and noticed my domain name mentioned on some hacking site as a 'report' of a hack. Again an htm file and I didn't notice it before then.
Both occasions deleted it without problem.
So I'd be interested to know, is there some difference in security between html and htm?
P.
First notify your host. Absolutely essential.
Second look at the log file (raw) and check the size of your index page requests.
An example of a line in the raw log file is:
72.30.177.16 - - [20/Aug/2006:09:24:35 +0000] "GET / HTTP/1.0" 200 5700 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"The index page request is just shown as GET / (the root), and the size is 5700 (the bit after the 200). If it's not a 200 then don't bother to look at it.
You need to find where the index page size changed. Then look for the log file lines immediately before that. They almost always tell you what happened and how.
Top culprits are software packages, particularly anything using PHP or ASP. Look for scripts which are quite common (i.e. major forum software) especially free scripts. Check if you have the latest version.
It will happen again. And probably with more damage next time.
I couldn't find anything in my logs. It must come through someone else's site on the server or somewhere else.
I am changing hosts...again.
I looked up the other sites on the same IP - they were all hacked.
A clear sign that the attack was comming from the inside from one of the other users of that shared hosting, rather than from the outside. My advice is to move hosts. Your host probably uses a security setup where one user can write in the directory tree of other users and this will happen again.
"We're sorry to hear about this issue. We've checked your site and it comes up fine for us. It appears that you have already replaced your index.asp file. If you have any more questions or need further...." (blah, blah, blah)
Not enough action, in my opinion.
But the hack also stated something similar to: "This site hacked by" (some Iranian name) I simply deleted the file he uploaded and reuploaded my index file.
This particular website is on a Windows Server (IIS), so raw log files are not as clean as Linux/Apache system files. I'll check other log files to see if I can pinpoint anything.
Nothing else occurred, just a black screen with 'this site hacked by' and that was it.
I did a search regarding that Iranian thing and apparantly they hit a large number of sites including major names, so if they could bypass their security I wouldn't slam your host for not being better than various huge budget mega-corporations.
Bottom line if the public can see your site it's vulnerable.
P
