Website Hacking Problems

Our team (1726) has had a website for some time now, and just recently (sunday) I woke up, checked the website, and it had been hacked. At first it looked like just the index file had been hacked, but after looking around, I realized that several other files had been added or changed in different directories. I’ve tried deleting all the files I could find that were changed, but every time I reload our index file, it is only several hours before it is changed back. You can see what the hacked page looks like here:

http://www.project1726.org

But PLEASE don’t click on any links that may be on there.

I wanted to know if anyone had experience in isolating and removing problems like this? We have continually contacted our hosting service, http://www.globat.com, but even though they delete the changed folders and files, the problem persists.

Any help right now would be extremely appreciated!

Thanks!
-1726 webmaster

Change your password?

EDIT: Appears like its just some guy looking to throw his name here and there. Nothing serious really, just some e-graffiti. Change your password and he’ll take the path of least resistance (some other site).

Changing the password was the first thing we did. We are also going to look into another hosting site.

Check your raw access logs to see if a scripted page is being exploited.

did you change ALL the paswords related to the account? Are you running any sort of a script or CMS or forum or something with a sercurity hole? But yeah, most likely this would be your host’s problem. And if they can’t prevent it, you should change hosts.

Hey, I know you. :slight_smile:

OP:
Are there any scripts that use ftp? The host should also have a log of who logged into the ftp server and at what time.

For now we are disabling all forums, blogs, picture uploading capacity, etc. We hope that this will clear up the problem (for now).

Oh well there you go. I bet you it was one of those scripts that had a security hole. Were they all current/updated?

As far as I know they were, but then I’m not the webmaster.:ahh:

That won’t totally solve the problem, as disabling the photo galleries and forums will only continue to hide the underlying security loophole.

Check your access logs, and see if you can find anything there.

Check the file/folder permissions of the root directory. If it’s are listed as 777, this is a security problem. Change (chmod) them to 770 or 755. You can create subfolders with a chmod setting of 777, but only do so where your scripts actually need file creation/deletion/alteration permissions. If all you have in a directory is static HTML files that you alter via FTP, lock down the file permissions for that directory.

If users can upload files through a script, make sure the script is doing proper checks of the file to verify the contents. Check PHPbb or your photo gallery websites for any plug-ins that provide extra security in this department.

Check to make sure there aren’t any additional user accounts with administrator privileges. If the hacker found his way into your website, he could have also gained access to your Control Panel, where he could have created a back-door FTP user account with a separate username and password.

I’d suspect that there is some sort of backdoor entrance somewhere (perhaps one exploited by a security loophole in your scripts), especially since you said changing passwords didn’t solve the problem. Check everything. FTP. Forums. etc.

And last, but not least, make sure your passwords are secure. Don’t pick obvious things. Use lots of ‘weird’ things like l0w3rcaS3 & uPpeRca5e letters, along with 5pEC!aL cHaR|\CT3r5. Make long passwords. Don’t ever store your password anywhere except your head.

Or in an encrypted file.

Since I make such long and random passwords as you are recomending myself, I can’t ever remember all of them. I just remember the one password to an encrypted file where I store all my other passwords, and then copy and paste the other passwords from the file. If you go this route, make sure that you are using a good pasphrase for the encrypted file, and you trust the software that is encrypting your data. If anyone gets ahold of the file, your passwords would only be as secure as the password to the file and the encryption scheme.

In case anyone is interested, I use gpg to encrypt my stuff.

Maybe I’m just weird in the sense that I can remember many long, obscure passwords, just like how I can remember pi is 3.1415626535897932384626433832795028841… :rolleyes:

[offtopic] Except that there’s an error in your pi. :smiley: [/offtopic]

3.14159265…

Oops. 6 and 9 are right next to each other on the numeric keypad, and Firefox doesn’t spell check pi. :o

[Offtopic]Jimi Hendrix said “If a six truned into nine, I won’t mind”, but it appears the nine turned into a six. Wonder what he’s say about that…

Anyway, the PI-O-Neers just love it…[/Offtopic]

I just uploaded a white paperon Password Security, this will help people create (and remember!) very strong passwords for multiple sites. Enjoy.

Don

I take it you mean it is very bad if our httpdocs folder is set to 777? I’m sorry I don’t know more about this kinda stuff, so thanks for any help you can give us!

[EDIT] I chmod(ed) it to 755

hacked.bmp (63.5 KB)


hacked.bmp (63.5 KB)

If the root directory of your website is chmod’d to 777, and you are hosting your website on a shared server, it’s possible that you could be compromising the security of your website. This could allow changes to be made to the root directory of your website, which is bad. So changing the permissions to 755 for the root directory is a good idea.

Basically, when a folder is chmod’d to 777, it means anyone can read, execute, or write files to that directory. The order of the numbers means [Owner] [Group] [User], each with a value from 0-7. Since we certainly don’t want anonymous users being able to write files to the directory, we change the Group and User values to a lower value, which allow them to read and execute, but not write to that directory. Hence, we get a more secure file permissions value of 755.

I didn’t actually see what your problem was, but our site was recently hacked as well. It’s been running on a CMS for ease of transfer to the next webmaster, so at first I assumed that either that or the forum was the loophole and that I would go about trying to find that. I later discovered, after talking with our private host, that it was a root access hack, and that all sites on the server had been hacked through the server’s root user. We got hit pretty hard, as ALL web-based files (PHP, HTML, HTM…) were overwritten by copies that contained a meta refresh, redirecting our site to some foreign forum. I still can’t delete some of them because of ownership and permission changes that were also made, but if that’s what you’re dealing with, you’ll have to go through your host if you actually want to correct it.

Ok, thanks! I’m pretty sure the folder was set to 755 before the hacking started, so they probably got in through a security loophole in one of the older forums (I made several because I was new to this stuff)

Now we just have to wait and see if it gets hacked again…