Mine was hacked too, probably in the same way. But in that case it was just an index.html (attacker's) page that had higher priority than my index.php page, so my hosting service provider told me to disable .html as the index page in the control panel and delete the attacker's index.html file. You might have that option in your control panel too; better ask your service provider.

Well this is epic

http://www.languageschoolsuk.com/

 

I'm so blimin' annoyed now. I've done everything I can to prevent this, and this is what happens.

 

Such as...?

 

Right now, at the very least, you need to change your ftp credentials.  Be sure to pick a strong password (16 characters long, with at least one lower case letter, one upper case letter, one number, one non-alphanumeric character, arranged in such a way as to not create a word found in a dictionary (e.g., not P1zZ@)).

Any account that leads to your website, like FTP, cPanel or web-based administration: make sure to use strong passwords (lower case, upper case, numbers, special characters) and never use words that would come up in a dictionary. Also, make it longer than 7 characters if possible.

 

In most cases, with that kind of attack, your credentials are compromised, either through weak security credentials or vulnerable servers.

And never "save this password" within your FTP client.  If your computer gets compromised, it does not matter how strong your FTP password is, as the loser, I mean hacker/cracker, can locate the password anyway.

 

Also, use SFTP/SSH2 to encrypt the connection and any file you upload.  You're probably connected via standard FTP port 21, correct?  It's like taking candy from a baby.

 

PS. I read your URL as LanguageSchoolSuk.com, but I'm guessing it's supposed to be LanguageSchoolsUK?  Tricky.

Changing the name? Well, I'm not sure if it's just the two of us who read it that way, but yeah, I didn't realize it was meant to be read that way. Well, if you can make one where it's easier to read and notice the words properly, that would be better. Just my opinion though, maybe I'm the one at fault too. ;)

So just to clarify, you believe my FTP is compromised; in a way that's a relief.

 

I don't understand what you mean by the www.languageschoolsuk.com domain. Are you saying it's hard to read and I should change it?

Could be several items that have been compromised.  Here are some items to check:

 

1. Check if your files have write permissions on them.  If so, you need to remove that.  This can happen through your FTP client, meaning, when you upload a file your FTP client can be set to set permissions on that file.  Make sure permissions are set to 644 (on a Unix server).

 

2. Change username and password for FTP access often.  Never automatically save password in client, always manually type in password.

 

3. Always use a secure connection in your FTP client.  Your files can be intercepted and manipulated on upload without one.  Contact your host to see how to connect via SFTP/SSH2, as secure connections use a specific port number, usually 22 or 2222.  Don't connect via an unsecured port/connection ever again.

 

4. Take all precautions in your PHP in terms of securing/sanitizing form data.  Restrict database privileges, i.e. do not grant ALL privileges to a user in your production environment.  What I mean by that is, if your website does not use INSERT statements (where a user might register, etc.), then don't grant that privilege to the db user.  More importantly, do not allow DROP/ALTER, etc.  Just a common practice that is never exercised by most.

 

5. That's all for now.  Perhaps others can add some input.

And never "save this password" within your FTP client.  If your computer gets compromised, it does not matter how strong your FTP password is, as the loser, I mean hacker/cracker, can locate the password anyway.

 

I save all passwords within my FileZilla, Dreamweaver and Chrome apps. However, I encrypt my hard drive with the TrueCrypt bootloader (256-bit AES encryption). Therefore, if my computer were ever stolen it could never even be booted past the bootloader without knowing the 16-character password. Increasing the length of time for each password attempt and rebooting after 3 failed attempts means the amount of time to crack such a system would be unrealistic.

 

Anyways, to the original poster -- what were you running on this site? Also, can you connect to the server and check the server logs? They will denote connection attempts (and successes), where they came from and will show a sort of paper trail which may lead you to the methods used.

 

Edit: Also, log in to the FTP server and look for any files that aren't familiar. If he managed to get a PHP script in there somewhere, it could be acting as his tunnel for modifying all files. Obviously, delete this.
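An added example, not code from the thread: a small POSIX shell audit covering items 1 and the "look for unfamiliar files" advice above. It lists files in a web root that are group- or world-writable, files changed within the last N days, and files carrying the names this thread calls out (the shadowing index.html and c99.php), and resets permissions to 644/755. The sample web root it builds is constructed for the demonstration; the thresholds and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a web root for the warning
# signs discussed in the posts above and resets permissions per item 1.

# Files in $1 that are writable by group or others (i.e. looser than 644).
find_writable() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null
}

# Files in $1 modified within the last $2 days (default 7): a change you
# did not make yourself is worth a look in the server logs.
find_recent() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Files named like the ones the thread mentions: an index.html that
# shadows index.php, and the c99.php web shell.
find_suspicious_names() {
    find "$1" -type f \( -name 'c99.php' -o -name 'index.html' \) 2>/dev/null
}

# Item 1 from the advice: 644 on files, 755 on directories.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Constructed sample web root so the functions can be exercised offline.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images"
    printf '<?php echo "ok";' > "$dir/index.php"
    printf 'defaced' > "$dir/index.html"          # shadows index.php
    printf '<?php /* constructed */' > "$dir/images/c99.php"
    chmod 644 "$dir/index.php" "$dir/images/c99.php"
    chmod 666 "$dir/index.html"                   # world-writable: item 1's warning
    echo "$dir"
}

# Usage when run directly on a real web root (path is an assumption):
#   root=/var/www/html; find_writable "$root"; find_recent "$root" 7
#   find_suspicious_names "$root"; fix_permissions "$root"
```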


If this site has a MySQL / MS SQL backend, it could have been compromised with SQL injection.  If your scripts that hold your db password are accessible, they could have been clipped.

 

 

Also check for the presence of a file named c99.php; you can see what it does here:  http://www.honeynet.org/node/42

It's a site hack script.  Code injection etc.... Nasty bugger!
