Forum Moderators: phranque
How can I stop this happening again? On this particular site, there are no scripts running at all - it's totally flat html, with a reasonably strong password on the admin FTP and the control panel - but no doubt there are loopholes somewhere.
This must be a huge issue now, but since it didn't happen to me before, I never researched solutions. What's the answer?
1. Does someone have access to your logins? Do you use public computers? Do you login to your site over unsecured wifi connections? Did you lose a laptop or cell phone with the information? In any case - change your passwords.
2. Even though your site is only flat html, did your webhost set up your account with default installed scripts? Those scripts may have been compromised or exploited. Do you have a /cgi-bin folder? Why? This is more likely than the ones that follow because hackers can exploit these scripts en masse - they don't target your site in particular, they look for any sites with these scripts running.
3. Google the text that the hacker put on your homepage - sometimes that will reveal the exploit.
4. Check your logs - especially your ftp logs. Look for unusual activity from an IP - especially large amounts of traffic from one IP.
5. Are you sure all they did was change your homepage? Did they set up their own login? Did they install any scripts or pages in your directory? If you are running a dedicated server - did they install any software on your machine? Did they use the access on one machine to compromise another that is networked (i.e. db or file servers)?
6. Depending on the sensitivity of the information, you should consider the machine permanently compromised and move your site to another machine.
7. Good time to consider your backup - what would you have done if the hacker had deleted all your files? Do you have a full recent copy? How long would it take to recover?
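Steps 4 and 5 above amount to a triage pass over the web/ftp logs: count requests per source, pull out anything that exercised the cgi-bin scripts, and list server errors. This is an added example, not code from anyone in the thread; the log lines are constructed in Apache combined format, with one source written as "41.x.x.x" to mimic a host that only logs a partial address.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic): a normal visitor, then a
# source that lists /cgi-bin/ and POSTs to a mail script late at night.
SAMPLE_LOG = """\
81.2.69.142 - - [16/Sep/2006:09:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
81.2.69.142 - - [16/Sep/2006:09:01:12 +0000] "GET /engines.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
41.x.x.x - - [16/Sep/2006:23:40:01 +0000] "GET /cgi-bin/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
41.x.x.x - - [16/Sep/2006:23:40:03 +0000] "GET /cgi-bin/randhtml.cgi HTTP/1.1" 200 300 "-" "Mozilla/4.0"
41.x.x.x - - [16/Sep/2006:23:40:04 +0000] "POST /cgi-bin/cgiemail HTTP/1.1" 500 0 "-" "Mozilla/4.0"
41.x.x.x - - [16/Sep/2006:23:40:05 +0000] "POST /cgi-bin/cgiemail HTTP/1.1" 200 120 "-" "Mozilla/4.0"
41.x.x.x - - [16/Sep/2006:23:41:30 +0000] "GET /index.html HTTP/1.1" 200 640 "-" "Mozilla/4.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse(log_text):
    """Yield one dict per parseable line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, volume_threshold=4):
    """Return (busy_sources, script_hits, errors) for an 'abnormal activity' review.

    busy_sources: sources with more than volume_threshold requests (step 4)
    script_hits:  requests that listed /cgi-bin/ or used a non-GET method on a
                  script there (step 5: were the scripts exercised at all?)
    errors:       5xx responses, which often mark a script being poked at
    """
    per_ip = Counter()
    script_hits, errors = [], []
    for r in parse(log_text):
        per_ip[r["ip"]] += 1
        if r["path"].startswith("/cgi-bin/") and (r["method"] != "GET" or r["path"].endswith("/")):
            script_hits.append((r["ip"], r["ts"], r["method"], r["path"], r["status"]))
        if r["status"].startswith("5"):
            errors.append((r["ip"], r["ts"], r["path"]))
    busy = {ip: n for ip, n in per_ip.items() if n > volume_threshold}
    return busy, script_hits, errors

if __name__ == "__main__":
    for name, rows in zip(("busy sources", "cgi-bin hits", "server errors"), triage(SAMPLE_LOG)):
        print(name, rows)
```

Run it over the real access log for the 24 hours before the defacement; a partial address is still enough to group one visitor's requests together.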
Stajer: I don't think the login is compromised, but it's easy to change the password, so I've done that. There are none of my scripts running, but there are 4 in the cgi-bin - don't know what they are: cgiecho, cgiemail, entropybanner.cgi, and randhtml.cgi. I deleted the hacker's page, so I can't remember any text on it - it was a Moroccan hacker who put up an anti-George Bush page. My webhosting on this site is a cheap package and the logs don't have origin IPs, except for the first part of the octet to identify main referral countries etc. I don't know if any other changes were made, but I can't see any. My site is only a simple marine data source for trade and DIY boat engineering, so it's not financially important; I've got a full recent backup always ready, that only takes a couple of minutes to FTP up.
However, I look after several other people's sites, including an ecommerce site with 8,000 pages - so I'd really like to know more about the security aspect, and how people with major sites prevent hacking. On the other hand, this important site is hosted with people who do look after their customers.
Thanks for your help.
I moved the site to my reseller account with a different provider and changed nameservers at the registrar within 15 minutes of finding it.
I was chatting with the manager at my hosting company the site is now moved to, and he says it's most often a case of finding holes, and scripts that are running are often the weak spot - even just using PHP includes.
He suggests *never* running scripts with their usual name, but changing them to some unique name of your own invention. Also, protecting directories if there's no index page so they can't be accessed in a browser (like the includes, image and cgi-bin folders) - which can be done easily through cpanel, which is what I use.
Even if your logs don't show you the full IP, they will show you what pages/actions were taken on your site. Look at the logs for the 24 hours before you discovered the hack - look for any abnormal activity. You won't discover who did it, but you will see how it was done.
I've got a feeling the response would be the same from many - if not most - hosting companies.
Absolutely not!
You sound like you're hosting with some clowns that don't even know how to check a server for vulnerable scripts.
Who in their right mind would risk losing hundreds of customers hosting on a server over one customer making the server vulnerable?
A decent host would immediately examine all the scripts customers have installed and see where the vulnerability was and suspend the account until the customer corrected the error.
As someone else mentioned, another reason to have your own dedicated server.
the logs don't have origin IPs
That's not cheap hosting, that's stupid hosting.
This was either a vulnerability in windows IIS (according to the host) or an .asp mail script exploit (which seems more likely). Windows servers are not known for their security...
I do have a cgi form-mail script running on one site, but I use a more secure version than Matt Wright's original script.
Googling the Moroccan's exploit, I was quite amused to see a bank's site was down for 7 hours while they checked their site out. Mine was down 2 minutes while I put the front page back.
You can find mega sites with info on firewalls (like Bluetack), and more than you ever wanted to know about securing your own PC; now I'm looking for the same kind of info on securing a website. I don't think it's a great idea to leave it all to the host - inevitably they won't cover everything. Many people seem to be using custom security solutions on their sites - you can see this on some BBs, which are no doubt more vulnerable to the script kiddies.
More research is needed here...
[edited by: tedster at 3:15 am (utc) on Sep. 17, 2006]