Website Hacking Problems

[TheOtherGuy]

Our team (1726) has had a website for some time now, and just recently (sunday) I woke up, checked the website, and it had been hacked. At first it looked like just the index file had been hacked, but after looking around, I realized that several other files had been added or changed in different directories. I've tried deleting all the files I could find that were changed, but every time I reload our index file, it is only several hours before it is changed back. You can see what the hacked page looks like here:

http://www.project1726.org

But PLEASE don't click on any links that may be on there.

I wanted to know if anyone had experience in isolating and removing problems like this? We have continually contacted our hosting service, http://www.globat.com, but even though they delete the changed folders and files, the problem persists.

Any help right now would be extremely appreciated!

Thanks!
-1726 webmaster

[Mike]

Change your password?

EDIT: Appears like its just some guy looking to throw his name here and there. Nothing serious really, just some e-graffiti. Change your password and he'll take the path of least resistance (some other site).

[yodameister]

Changing the password was the first thing we did. We are also going to look into another hosting site.

[Randy]

Check your raw access logs to see if a scripted page is being exploited.

[sanddrag]

did you change ALL the paswords related to the account? Are you running any sort of a script or CMS or forum or something with a sercurity hole? But yeah, most likely this would be your host's problem. And if they can't prevent it, you should change hosts.

[Mike]

Quote:

Originally Posted by Randy

Check your raw access logs to see if a scripted page is being exploited.

Hey, I know you.

OP:
Are there any scripts that use ftp? The host should also have a log of who logged into the ftp server and at what time.

[yodameister]

For now we are disabling all forums, blogs, picture uploading capacity, etc. We hope that this will clear up the problem (for now).

[sanddrag]

Quote:

Originally Posted by yodameister

For now we are disabling all forums, blogs, picture uploading capacity, etc. We hope that this will clear up the problem (for now).

Oh well there you go. I bet you it was one of those scripts that had a security hole. Were they all current/updated?

[yodameister]

Quote:

Originally Posted by sanddrag

Oh well there you go. I bet you it was one of those scripts that had a security hole. Were they all current/updated?

As far as I know they were, but then I'm not the webmaster.

[artdutra04]

Quote:

Originally Posted by yodameister

For now we are disabling all forums, blogs, picture uploading capacity, etc. We hope that this will clear up the problem (for now).

That won't totally solve the problem, as disabling the photo galleries and forums will only continue to hide the underlying security loophole.

Check your access logs, and see if you can find anything there.

Check the file/folder permissions of the root directory. If it's are listed as 777, this is a security problem. Change (chmod) them to 770 or 755. You can create subfolders with a chmod setting of 777, but only do so where your scripts actually need file creation/deletion/alteration permissions. If all you have in a directory is static HTML files that you alter via FTP, lock down the file permissions for that directory.

If users can upload files through a script, make sure the script is doing proper checks of the file to verify the contents. Check PHPbb or your photo gallery websites for any plug-ins that provide extra security in this department.

Check to make sure there aren't any additional user accounts with administrator privileges. If the hacker found his way into your website, he could have also gained access to your Control Panel, where he could have created a back-door FTP user account with a separate username and password.

I'd suspect that there is some sort of backdoor entrance somewhere (perhaps one exploited by a security loophole in your scripts), especially since you said changing passwords didn't solve the problem. Check everything. FTP. Forums. etc.

And last, but not least, make sure your passwords are secure. Don't pick obvious things. Use lots of 'weird' things like l0w3rcaS3 & uPpeRca5e letters, along with 5pEC!aL cHaR|\CT3r5. Make long passwords. Don't ever store your password anywhere except your head.

[AustinSchuh]

Quote:

Originally Posted by artdutra04

Don't ever store your password anywhere except your head.

Or in an encrypted file.

Since I make such long and random passwords as you are recomending myself, I can't ever remember all of them. I just remember the one password to an encrypted file where I store all my other passwords, and then copy and paste the other passwords from the file. If you go this route, make sure that you are using a good pasphrase for the encrypted file, and you trust the software that is encrypting your data. If anyone gets ahold of the file, your passwords would only be as secure as the password to the file and the encryption scheme.

In case anyone is interested, I use gpg to encrypt my stuff.

[artdutra04]

Quote:

Originally Posted by AustinSchuh

Since I make such long and random passwords as you are recomending myself, I can't ever remember all of them.

Maybe I'm just weird in the sense that I can remember many long, obscure passwords, just like how I can remember pi is 3.1415626535897932384626433832795028841...

[Pat Fairbank]

Quote:

Originally Posted by artdutra04

Maybe I'm just weird in the sense that I can remember many long, obscure passwords, just like how I can remember pi is 3.1415626535897932384626433832795028841...

[offtopic] Except that there's an error in your pi. [/offtopic]

[Gabe]

Quote:

Originally Posted by artdutra04

Maybe I'm just weird in the sense that I can remember many long, obscure passwords, just like how I can remember pi is 3.1415626535897932384626433832795028841...

3.14159265...

[artdutra04]

Quote:

Originally Posted by Pat Fairbank

[offtopic] Except that there's an error in your pi. [/offtopic]

Oops. 6 and 9 are right next to each other on the numeric keypad, and Firefox doesn't spell check pi.