ansaurus

Question

My website got hacked... What should I do?

Answer 1

+3 A:

With a six word character password, he may have been brute forced. That is more likely than his ftp being intercepted, but it could be that too.

Start with a stronger password. (8 characters is still fairly weak)

See if this link to an internet security blog is helpful.

Justin Standard 2008-08-06 00:00:22

Answer 2

+13 A:

Try and gather as much information as you can. See if the host can give you a log showing all the FTP connections that were made to your account. You can use those to see if it was even an FTP connection that was used to make the change and possibly get an IP address.

If you're using a prepacked software like Wordpress, Drupal, or anything else that you didn't code there may be vulnerabilities in upload code that allows for this sort of modification. If it is custom built, double check any places where you allow users to upload files or modify existing files.

The second thing would be to take a dump of the site as-is and check everything for other modifications. It may just be one single modification they made, but if they got in via FTP who knows what else is up there.

Revert your site back to a known good status and, if need be, upgrade to the latest version.

There is a level of return you have to take into account too. Is the damage worth trying to track the person down or is this something where you just live and learn and use stronger passwords?

dragonmantank 2008-08-06 00:16:07

Answer 3

+2 A:

Is the site just plain static HTML? i.e. he hasn't managed to code himself an upload page that permits anyone driving by to upload compromised scripts/pages?

Why not ask webhost4life if they have any FTP logs available and report the issue to them. You never know, they may be quite receptive and find out for you exactly what happened?

I work for a shared hoster and we always welcome reports such as these and can usually pinpoint the exact vector of attack based and advise as to where the customer went wrong.

Kev 2008-08-06 00:24:23

Answer 4

+5 A:

You mention your Dad was using a website publishing tool.

If the publishing tool publishes from his computer to the server, it may be the case that his local files are clean, and that he just needs to republish to the server.

He should see if there's a different login method to his server than plain FTP, though... that's not very secure because it sends his password as clear-text over the internet.

Mark Harrison 2008-08-06 03:31:22

Answer 5

+14 A:

I know this is a little late in the game, but the URL mentioned for the JavaScript is mentioned in a list of sites known to have been part of the ASPRox bot resurgence that started up in June (at least that's when we were getting flagged with it). Some details about it are mentioned below:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

The nasty thing about this is that effectively every varchar type field in the database is "infected" to spit out a reference to this URL, in which the the browser gets an tiny iframe that turns it into a bot. A basic SQL fix for this can be found here:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

The scary thing though is that the virus looks to the system tables for values to infect and a lot of shared hosting plans also share the database space for their clients. So most likely it wasn't even your dad's site that was infected, but somebody else's site within his hosting cluster that wrote some poor code and opened the door to SQL Injection attack.

If he hasn't done so yet, I'd send an URGENT e-mail to their host and give them a link to that SQL code to fix the entire system. You can fix your own affected database tables, but most likely the bots that are doing the infection are going to pass right through that hole again and infect the whole lot.

Hopefully this gives you some more info to work with.

EDIT: One more quick thought, if he's using one of the hosts online design tools for building his website, all of that content is probably sitting in a column and was infected that way.

Dillie-O 2008-08-07 22:49:55

Answer 6

A:

We had been hacked from same guys apparently! Or bots, in our case. They used SQL injection in URL on some old classic ASP sites that nobody maintain anymore. We found attacking IPs and blocked them in IIS. Now we must refactor all old ASP. So, my advice is to take a look at IIS logs first, to find if problem is in your site's code or server configuration.

Hrvoje 2008-08-16 16:35:18

Answer 7

A:

Unplug the webserver without shutting it down to avoid shutdown scripts. Analyze the hard disk through another computer as a data drive and see if you can determine the culprit through log files and things of that nature. Verify that the code is safe and then restore it from a backup.

Joe Philllips 2008-09-26 20:12:13

Answer 8

A:

This happened to a client of mine recently that was hosted on ipower. I'm not sure if your hosting environment was Apache based, but if it was be sure to double check for .htaccess files that you did not create, particularly above the webroot and inside of image directories, as they tend to inject some nastiness there as well (they were redirecting people depending on where they came from in the refer). Also check any that you did create for code that you did not write.

The Brawny Man 2008-09-26 20:21:14

Answer 9

A:

I have written a server side code removal tool in ASP.Net Here. Hope this will help you save your time to clean the hosted files :) This is much faster than cleaning the files via FTP or your control panel.

Faiz 2009-04-23 09:58:56

Answer 10

A:

Hi, My father in-law got his site hacked as well. He got in touch with a security company called Serios Networks. They fixed it up and there are no more problems with his site! Their site is seriosnetworks.com The guy that helped us out is named Adam. Is number is 269-202-4003 give them a try they worked for us.

2009-10-01 18:07:28

Answer 11

A:

We had these types of issues with our clients for years. It is a unavoidable issue every website is under treat

We use http://www.websafe.ie/ for all our clients before handing over site ownership. But little late for preventive measure now mate.

clear up the mess and start free with a little more security this time. good luck

James Snipes 2010-08-29 23:20:32

ansaurus

tags:

views:

answers:

My website got hacked... What should I do?

related questions