
hacked - software ads inserted


henry2

3:56 pm on Sep 2, 2009 (gmt 0)

Hello,

Our site was hacked. Someone was able to insert links for purchasing a variety of software (Mac and PC; games, professional apps, OS's) into index.html. Text-only. Product descriptions on odd lines (1, 3, 5...) link to a (bogus?) s/w vendor site. Even-numbered lines are similar descriptions but are not linked. I think the ordering of the links shifts over time. If we remove the links, they reappear within a day, maybe even sooner. The position of the links was also recently updated from below our content to above. I think a folder named "gamesradar" is also uploaded. I found a variety of other sites similarly defaced.

I recently changed all the site passwords and deleted all but the most essential people from access.

I'm busy with content-development and am not very expert in security issues. My questions:

Q1: What is the technical term for this kind of attack in general?

Q2: Does my description sound like a known attack? If so, what is it called?

Q3: What should I look for to remove the vulnerability? (Or, where should I look for fixes?)

TIA,

Henry

bwnbwn

8:25 pm on Sep 2, 2009 (gmt 0)

It isn't your site, it is your server that is hacked, and it's not "was" but still is.
Is the server dedicated? VPS?

Your questions can't really be answered without more information, and, not being savvy in this area, I would do the below.

Bring in an expert to close the holes ASAP or you can forget the content and development of the site.

rocknbil

9:56 pm on Sep 2, 2009 (gmt 0)

I found a variety of other sites similarly defaced.

If you can find a connection between theirs and yours, you will begin to see it . . . it could be a vulnerability in a CMS, message board, or guestbook; it can be performed by MySQL injection; if you're on shared hosting (and these other sites use the same host) it could be another site on the same box that is actually the doorway; or a plain old hole in the server's security that they drove through.

No one can tell without more info, but the place to look might be in the server logs, hound your host for some answers. They might be able to throw you a few.
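As an added example of the log check rocknbil suggests (not code from the thread or from any poster), the script below takes the modification time of the defaced index.html and pulls out the requests logged around it, flagging POSTs and requests to server-side scripts outside the known CMS directories. The log lines, IPs, paths and the "/gamesradar/up.php" script name are constructed for the demonstration; on a real host you would feed it the access log your provider gives you and the mtime reported by `ls -l --time-style=full-iso index.html`.

```python
"""Correlate the mtime of a rewritten file with access-log entries around it.

Added example: the log lines, addresses and paths below are constructed.
Run against a real Apache/nginx combined-format log to see which script was
hit just before index.html changed, and what else that client did.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed combined-format log lines (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2009:04:10:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2009:04:11:45 +0000] "POST /gamesradar/up.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:04:11:47 +0000] "GET /index.html HTTP/1.1" 200 9870 "-" "Mozilla/4.0"
203.0.113.9 - - [03/Sep/2009:06:30:00 +0000] "GET /language1/ HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that are expected on this host: the three static pages of the root
# domain plus the two CMS subdirectories (names assumed from the thread).
STATIC_PAGES = {"/", "/index.html", "/about.html", "/contact.html"}
CMS_PREFIXES = ("/language1/", "/language2/")
SCRIPT_EXTS = (".php", ".cgi", ".pl", ".py")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def suspicious_requests(log_text, mtime, window=timedelta(minutes=10)):
    """Return requests within +/- window of mtime that could have rewritten the file.

    A request is flagged when it is a POST, or when it targets a server-side
    script that is neither a known static page nor inside a CMS directory.
    """
    hits = []
    for raw in log_text.splitlines():
        req = parse_line(raw)
        if req is None or abs(req["ts"] - mtime) > window:
            continue
        path = req["path"].split("?", 1)[0]
        in_cms = path.startswith(CMS_PREFIXES)
        if req["method"] == "POST":
            req["reason"] = "POST to server-side script"
        elif path.endswith(SCRIPT_EXTS) and path not in STATIC_PAGES and not in_cms:
            req["reason"] = "script outside the known CMS directories"
        else:
            continue
        hits.append(req)
    return sorted(hits, key=lambda r: r["ts"])


def requests_from(log_text, ip):
    """Every logged request from one client, so the whole session can be read."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ip]


if __name__ == "__main__":
    # Assumed mtime of the defaced index.html, in UTC.
    mtime = datetime(2009, 9, 3, 4, 12, 0, tzinfo=timezone.utc)
    for hit in suspicious_requests(SAMPLE_LOG, mtime):
        print(f'{hit["ts"]:%Y-%m-%d %H:%M:%S} {hit["ip"]} {hit["method"]} {hit["path"]}  <- {hit["reason"]}')
        for other in requests_from(SAMPLE_LOG, hit["ip"]):
            print(f'    {other["ts"]:%H:%M:%S} {other["method"]} {other["path"]} {other["status"]}')
```

The flagged script is the thing to look at first: if it is not part of your site, it is the upload/backdoor the links come back through, and deleting it (and the folder it lives in) matters more than cleaning index.html again. If nothing is flagged in the window, widen it, and check the FTP log for the same minutes, since a stolen FTP password leaves no trace in the HTTP log.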

henry2

11:02 pm on Sep 2, 2009 (gmt 0)

rocknbil:

Thanks for your reply.

It's shared hosting. The site architecture is a bit unusual: the base domain

www.example.org

contains essentially nothing: 3 very plain static html pages which give links to two subdomains:

language1.example.org
language2.example.org

(There's a very good reason for this scheme but it isn't relevant to this discussion.) The subdomains are parallel CMS implementations (using latest release s/w) in two languages. As far as we can detect, these are untouched.

My guess is that some automated process has been set loose to look for vulnerabilities in top-level domains. It found one in ours. I don't think it is sophisticated enough to dive down to the subdomains. I hope.

I also hope that there's no way a vulnerability in the subdomain implementations could affect the root site. The subdomains are in subdirectories of the root. I don't _think_ there's any way anything running in one of those can reach up to a higher directory. Am I confused or naive?

As for similarities to other hacked sites: I briefly looked at the source of two, and it seemed to me the inserted source I saw was very different -- creating very similar results. At first glance, it appears that the hacker detects the existing implementation and inserts code that fits. But it seems to me that a forensic examination of these sites will consume a lot of time and is unlikely to produce strong clues.

I checked the usual issues and found only one apparent deviation from what seem to be best practices: "display_errors = off" was not set in php.ini. Otherwise, permissions looked good.

I've replaced the hacked index page with unhacked markup. I expect these folks to be back any time. I'm checking regularly. Once I have that I'll try my hosting service tech support, though I don't have much hope. I expect they'll say, "your fault, your responsibility".

Henry
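Since Henry is checking the page by hand and waiting for the links to reappear, here is an added example (not from the thread) of the two checks that make that watch mechanical: a hash manifest of the web root that reports new, removed and modified files on each run, and a scan of a page's anchors for links that point off the site's own hosts. The host names and the sample HTML are assumptions; the vendor URL uses the reserved ".invalid" TLD so it resolves nowhere.

```python
"""Web-root integrity baseline plus external-link scan.

Added example, not code from the thread. Build a manifest once from a clean
copy of the site, then re-run the comparison (from cron, say) so the moment
of reinfection and the files it touched are recorded, including any new
directory dropped next to index.html.
"""
import hashlib
import json
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that are allowed as link targets (assumed from the thread's layout).
OWN_HOSTS = {"www.example.org", "language1.example.org", "language2.example.org"}


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests into sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def external_links(html, own_hosts=OWN_HOSTS):
    """Return anchor targets whose host is not one of ours (relative links are ours)."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if urlparse(h).hostname and urlparse(h).hostname not in own_hosts]


# Constructed page imitating the defacement: alternating linked / unlinked lines.
INJECTED_SAMPLE = """<html><body>
<a href="http://software-shop.invalid/buy/os">Operating System, full version</a>
Operating System, full version, low price
<a href="http://software-shop.invalid/buy/game">Racing Game 2009</a>
Racing Game 2009, download today
<p>Welcome. <a href="http://language1.example.org/">Language 1</a></p>
</body></html>"""


if __name__ == "__main__":
    # Self-contained demo in a temporary web root.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>clean</body></html>")
        baseline = build_manifest(root)
        json.dump(baseline, open(os.path.join(tempfile.gettempdir(), "baseline.json"), "w"))

        # Simulate the reinfection: page rewritten, new folder with a script.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write(INJECTED_SAMPLE)
        os.mkdir(os.path.join(root, "gamesradar"))
        open(os.path.join(root, "gamesradar", "up.php"), "w").write("<?php ?>")

        print(json.dumps(compare(baseline, build_manifest(root)), indent=2))
        print("external links:", external_links(INJECTED_SAMPLE))
```

Keep baseline.json outside the web root (and outside anything the web server's user can write), otherwise whoever is rewriting index.html can rewrite the baseline too. A file showing up under "added" with a .php extension, or a directory you did not create, is the thing to hand to the host along with the timestamp of that run.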

phranque

11:53 am on Sep 3, 2009 (gmt 0)

this WebmasterWorld thread describes several types of server hacks:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]