
Thread: Site got hacked...

  1. #1
    shonofear is offline New Bee

    Site got hacked...

    hey,
    me site was hijacked last week.
    I use a free website creator from www.lightneasy.org
    some of the .php files got hacked. the index.php was edited to say bad words.
    all files are 0644 permissions and folders 0755

    Any reason how they can hack in?
    Any tips for this to NOT happen again?

    my site is at www.shonovfx.com
    my blog that branches off it still works though www.shonovfx.com/blog

    I'm pretty useless when it comes to .php and html/ftp etc,

    Thanks for any help.

    Cheers

    Shono

  2. #2
    shonofear is offline New Bee

    well, got me site back online, had a backup file.

    but still wondering what other steps I could take to add greater security.

    Thanks

  3. #3
    Sergey S. is offline WeeHBie

    Very often the main reason for sites based on 3rd party scripts being hacked lies in the script vulnerabilities. Even though everything is fine with the permissions and your passwords seem to be secure, the hackers find "holes" inside of the script you used to get into your account to change data and steal information.

    The first thing you should do in this situation is change all your passwords to new and more secure ones. The passwords for everything on your account should be changed including mail, ftp, cpanel etc. The best practice is to create long passwords using all kinds of symbols, here is an example of a good password: 5CiM$vO*eunVd9B

    After you have changed all the passwords you should go on-line and search for all known vulnerabilities of the software you are using (in your case it is the website creator from www.lightneasy.org as far as I understood). After you find the vulnerabilities take all necessary steps to fix them and patch up the holes in the scripts.

    After all of this is performed the security of your account will go up significantly.
    Regards,
    Sergey S.
    Customer Support
    WebHostingBuzz.com
    WHB Networks LLC *Hosting Wakeup Call*

  4. #4
    Tony is offline Bad Influence

    Hackers are also starting to pick at the 'low hanging fruit'. As Sergey said, I keep really strong passwords for my FTP, and I use Roboform to remember them.

    But I have a co-admin, and he's one of the 80% of people that tend to use the same password for ALL his websites, and it's just a plain word that's easy for him to remember {shudder!}.

  5. #5
    shonofear is offline New Bee

    well thanks for the tips,
    I'm back online again, but found that they even deleted my /media folder with all my work showreels and resumes.... so made new folder called /_stuff hopefully won't go for that 1 if gets attacked again.
    But I've made good solid passwords now,
    and yes I also have a bad habit of having the same password for a lot of sites, but it's ok for forum sites etc I think, just not banking/emails etc.

    Cheers

  6. #6
    cdonner is offline New Bee

    How they get in?

    I have been hacked several times over the years at WHB, and it always turned out to be due to a vulnerability in one of the apps I was using (Joomla in one case, Coppermine in another, Help Center Live in yet another). Hackers don't need your password. There was a bug in a Joomla version that allowed a hacker to reset the admin password. There was a bug in Gallery that allowed a hacker to upload a backdoor script and take over the server, without ever typing in a password. In all these cases, patches and updates were available and I would have been fine had I installed them in time.

    The Joomla vulnerability was detectable by a simple Google search. I still get hits on my site from people scouring the web for unpatched sites, mostly from Turkey, interestingly. I mention this because hackers don't target a single site and then spend a lot of effort hacking into it - they find vulnerabilities that let them get into lots of sites with little effort. The strength of the passwords is secondary.

    You will most likely have a backdoor. Go through the filesystem and find scripts in locations where there should not be any, with odd names, or with recent file dates ("find ~ -mtime -7" will give you all files that were modified in the past seven days, for instance).

    The problem with these types of incidents is that, once a spammer gets access to your server, since we all share the same mail servers, my emails get blacklisted by Godaddy, AT&T, etc no matter how well I guard myself against attacks. WHB is doing more now to do damage control, but as we can see, the intrusions still happen.

    My 5 tips for you:
    - make sure you don't overlook a backdoor script while cleaning up - restoring a backup is not sufficient
    - stay on top of your updates and patches (always get the latest Wordpress, Joomla, Drupal, etc as soon as they become available)
    - remove write access from all directories where it is not needed, and only turn it on for maintenance
    - run "find ~ -mtime -1" in a daily cron job and have the results emailed to you. This is what I am doing now, and I will notice anything suspicious right away
    - Don't worry too much about strong passwords - no hacker will go through the pain of cracking a password, just to get on your website and delete some files.
    Last edited by cdonner; 08-29-2009 at 10:23 PM.
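
The sweep cdonner describes (recently changed files, scripts where none belong, write access that is not needed), as an added example that is not part of the original post. The `media` and `cache` directory names and the sample tree are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Directory names are assumptions.

# Files changed in the last N days: the post's "find ~ -mtime -N".
recent_files() {                 # recent_files <root> <days>
  find "$1" -type f -mtime "-$2" -print | sort
}

# Scripts inside directories that should only hold static content
# (uploads, media); a leftover backdoor script often sits in one of these.
scripts_in_static_dirs() {       # scripts_in_static_dirs <root> <dir>...
  local root="$1" d; shift
  for d in "$@"; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -iname '*.php' -o -iname '*.phtml' \
      -o -iname '*.cgi' -o -iname '*.pl' \) -print
  done | sort
}

# Anything group- or world-writable, i.e. looser than the 0644/0755
# baseline mentioned in the first post.
loose_permissions() {            # loose_permissions <root>
  find "$1" \( -perm -020 -o -perm -002 \) ! -type l -print | sort
}

# Constructed sample tree so the sweep can be tried offline.
build_sample_tree() {            # prints the path of the new tree
  local t; t=$(mktemp -d)
  mkdir -p "$t/media" "$t/cache"
  echo '<?php echo "home";' > "$t/index.php"
  echo 'old page'           > "$t/about.html"
  echo 'video bytes'        > "$t/media/showreel.mp4"
  echo '<?php /* constructed stand-in for a leftover script */' > "$t/media/thumb.php"
  touch -t 202001010000 "$t/about.html"     # pretend it is years old
  chmod 755 "$t" "$t/media"; chmod 777 "$t/cache"
  chmod 644 "$t/index.php" "$t/about.html" "$t/media/"*
  echo "$t"
}

tree=$(build_sample_tree)
echo "== modified in the last 7 days";   recent_files "$tree" 7
echo "== scripts in static directories"; scripts_in_static_dirs "$tree" media
echo "== group/world-writable paths";    loose_permissions "$tree"
rm -rf "$tree"
```

Pointed at a real web root from a daily cron job, the three functions cover the recent-change, odd-location and write-access checks in one mailed report.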

  7. #7
    Matt R. is offline WeeHBie

    cdonner, some excellent tips. We at WHB are actually in the process of writing some optimization/security whitepapers and guides for common scripts and we'll be publishing these to our site, forums and blog when we're done.

    http://www.securityfocus.org is well worth a regular visit to stay up to date on the latest vulnerabilities.
    Matt Russell
    WebHostingBuzz CEO

    Follow me on Twitter: http://www.twitter.com/mattdrussell

  8. #8
    JasonD Guest


    Notes about backups...

    If you don't remember making one... You didn't make one, he did!

    Why would he do that? Because he couldn't access parts of your system, but he could modify a fake backup, that you have access to activate. (Expect that the backup has holes also. "If you don't remember making a backup.")

    EG, if I can't replace your running "WinSys.exe" file, due to it running, and not actually having access to that folder... I would have created a fake backup, that replaces WinSys.exe with my hacked version. (If this were a Windows computer.)

    The web works the same way. Injected scripts can write files, but can't usually edit existing files. They can also hide or delete files, if they know the URLs. They might not have your password, but if they injected a back-door using your "Backup" system... Now they may have one.

    Sorry, but I just got done recovering from a nasty Dropper/Trojan/Backdoor/Virus. I got blind-sided, and the virus retaliated once I started poking around, closing holes. It was almost comical, but in the end, I won. All due to a stupid creation carried over from Windows NT, called "Junction points". They are not files, not folders, not short-cuts, not links... but they act like all of those at once.
    http://en.wikipedia.org/wiki/NTFS_junction_point

    They basically mirrored my entire computer across the internet, onto the hacker's computer. (Even just clicking on the file, caused that program to die and lock-out. It stripped all permissions. From scanners, command, start, explorer, etc...)

    LOL, I killed it with note-pad! Good old BAT programming saved the day.

    Translation... when you think you have finished your search, search again, and monitor all access for a few days. (Look at the logs. Make a non-linked file that no URLs point to, and see if it gets accessed. Something interesting like... "passwords.txt". Something only the hacker would see and look at.)

    Oh, turn off "DIR LISTING INDEXES"...
    In your .htaccess put this line...
    Options -Indexes

    That is just my 2-cents...
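
The decoy-file check JasonD describes, as an added example that is not part of the original post. It assumes Apache's combined log format; the log lines and addresses are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): watch an access log for the decoy file.

CANARY='/passwords.txt'      # decoy name from the post; no page links to it

# One line per decoy request: client IP, timestamp, HTTP status (tab-separated).
canary_hits() {              # canary_hits <access_log>
  awk -v c="$CANARY" '
    { path = $7; sub(/\?.*/, "", path) }          # ignore any query string
    path == c { ts = $4; sub(/^\[/, "", ts); print $1 "\t" ts "\t" $9 }
  ' "$1"
}

# Everything else requested by clients that touched the decoy. These URLs
# are where to look for a leftover backdoor script.
other_requests_from_hitters() {   # other_requests_from_hitters <access_log>
  awk -v c="$CANARY" '
    NR == FNR { p = $7; sub(/\?.*/, "", p); if (p == c) bad[$1]; next }
    ($1 in bad) {
      p = $7; sub(/\?.*/, "", p)
      m = $6; sub(/^"/, "", m)                    # strip the opening quote
      if (p != c) print $1 "\t" m "\t" $7
    }
  ' "$1" "$1" | sort -u                           # file is read twice: two passes
}

# Constructed log sample (documentation address ranges).
sample_log() {               # prints the path of the sample log file
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
198.51.100.7 - - [29/Aug/2009:21:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [29/Aug/2009:21:10:40 +0000] "GET /passwords.txt HTTP/1.1" 200 64 "-" "-"
203.0.113.45 - - [29/Aug/2009:21:10:52 +0000] "POST /media/thumb.php?x=1 HTTP/1.1" 200 17 "-" "-"
198.51.100.7 - - [29/Aug/2009:21:11:03 +0000] "GET /blog/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

log=$(sample_log)
echo "== decoy requests";            canary_hits "$log"
echo "== same clients, other URLs";  other_requests_from_hitters "$log"
rm -f "$log"
```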

  9. #9
    carlobee is offline Member

    it's good to have a backup!


