Jump to content

Recommended Posts

Posted

My website has been hacked. Only defaced, as far as I can tell — contents of home directory deleted, index.html replaced with their's. Subdomains keep working, subfolders seem to retain their contents. Happened within last 12 hours.

 

1) I'm about to write support, any specifics they need to know?

2) What are first things I must do?

 

So far I changed my pwd to my account, replaced index file with "back soon", backing up everything now to compare with previous backup, which was quite a while back :lol:

 

The main site was mostly static html and some perl scripts, I also have php-based forum on subdomain that is still running.

Posted

Contacting the helpdesk is the way to go.

 

As for what else to do, check with the helpdesk if they have a more current backup that they can restore the site with. Then make sure that every script you use are as current and secure as possible to minimize new hacking attempts also be sure that all passwords are strong.

Posted
Contacting the helpdesk is the way to go.

 

As for what else to do, check with the helpdesk if they have a more current backup that they can restore the site with. Then make sure that every script you use are as current and secure as possible to minimize new hacking attempts also be sure that all passwords are strong.

My site also was hacked early this morning. Same as with flamey (and I bet it was the same Algerian hacker). They replaced the contents of my root folder with their own index.html

 

I easily restored my files, but I'm worried that if I report the incident, you'll blame me for the security breach. I mean, you previously threatened to shut down my account just because you found some files with 777 permissions.

 

What steps does TCH take to prevent malicious intruders from invading its servers?

 

Thank you.

Posted

If you are not using secure passwords and set folders to 777 permissions there isn't much TCH can do to protect you. Also, if you are running any scripts on your site it is your responsibility to make sure those scripts are secure and current (up-to-date).

Posted (edited)
If you are not using secure passwords and set folders to 777 permissions there isn't much TCH can do to protect you. Also, if you are running any scripts on your site it is your responsibility to make sure those scripts are secure and current (up-to-date).

I'm not providing 777 permissions, Bruce. I believe I'm doing everything possible to protect my site.

 

Flamey and I were hit by the same attacker. I believe that suggests a security problem on your end.

 

Furthermore, and slightly off topic, I'm sure you have thousands of bloggers hosting their sites with TCH, with many of them setting 777 permissions on their sites. Are they all to blame when their sites get hacked, too?

Edited by slobjones
Posted
Flamey and I were hit by the same attacker. I believe that suggests a security problem on your end.

 

No, that means you both used the same scripts with the same security problem and its both of your responsibilities to either secure those scripts or not use them.

Posted

The sites in question that were compromised today shared certain software characteristics that allowed attackers to take advantage of vulnerabilities in the software hosted on the domains. This is not an issue with the totalchoice servers or the back end software that powers the servers but rather boils down to a far simpler issue, the presence of outdated content within user domains.

 

When you fail to update the software you have installed on a domain or do not adequately monitor for security updates in said software it results in open vulnerabilities on domains which attackers frequently scan for in mass methods and compromise in a similar mass fashion.

 

We make every effort to protect our servers from attackers on both a server and domain level but that also requires vigilance from every web site maintainer to ensure they are properly maintaining the content they upload. We have in place multiple lines of defense to protect all TCH customers such as perimeter network intrusion detection to local security software on a server-to-server basis however none of this goes as far as to prevent the most common exploit scenario - outdated software being compromised due to inadequate maintenance of a domain.

Posted

I am somewhat confused (as usual) when I read through this thread.

 

If you are not using secure passwords and set folders to 777 permissions there isn't much TCH can do to protect you. Also, if you are running any scripts on your site it is your responsibility to make sure those scripts are secure and current (up-to-date).

 

I do run some php scripts that I have manually installed and I do keep them current - a big thanks to TCH Thomas for keeping us posted on available updates. I am also aware of the importance of not setting permissions to 777 unless absolutely necessary.

 

I use WordPress as my blogging software and I have played around with WordPress also as a CMS. Very recently, I decided to have a look at both Drupal and Joomla. Rather than do manual installs, I decided to go the Fantastico route. I have never used Fantastico before because I know the scripts are seldom current and it can take some time before they become current. One of the reasons I used Fantastico this time is the ease (hopefully) of upgrading the scripts when they become available and the fact that supposedly the appropriate permissions are set by the installer for the various folders/files.

 

After reading this thread last evening, I decided to look through my folders today - I discovered there are about 8 folders in the Joomla directory with the permission set to 777. Should I be changing these permissions to 755? There was also one file in Drupal if I remember correctly that had the permission set to 777 - I did change it to 755.

 

I guess I am confused about this entire issue of keeping scripts current and don't set permissions to 777 when I gather a lot of folks use Fantastico to install various php scripts. I don't recall being told by the Joomla installer to check the various folders and change any permissions. If memory serves me correctly, it just said the script was successfully installed. It never crossed my mind to check folder/file permissions. Maybe I should have thought of this but I didn't. Am I missing something here? Would the average person think to check permissions after installing any script when using Fantastico?

 

Just call me the confused old girl!

Posted

Hi Gail,

 

As with all things, it's generally when multiple issues are wrong that you have problems.

 

If a script is insecure ( for example you have an 'include $variable' in a php script) then that means someone can include in their own script to run. This may be that they just want to use the server to try and send emails ( spam ) or it may be that they want to try and upload files ( say for phishing ) onto your server.

 

If your script is insecure, and your files are set to 777 ( in any directory ) then they can upload their own files to that folder. They can then use that for phishing etc.

 

If your script is insecure, but your folders and files were all 755, then whilst they could look at your files, and they could send spam from your account, they couldn't easily hack it. A lot of people use their same password for mySQL database users though - which are in files they could read - as their cpanel password. This is insecure, and could give someone easy access to your account.

 

If you have folders which are 777, but your scripts are all totally 100% secure, then you should be OK - but is it worth the risk.

 

Overall, I would recommend that you place the permissions as tight as possible ( if you don't need permissions as 777, then don't set them to that) and maintain the scripts as uptodate as possible. In addition, don't use your cpanel password for any other issues in your site.

 

One of the other problems with fantastico, is that people install things to test it .... then never remove it. A year later or so, someone finds it and hacks it.

Posted

Hi Andy,

 

Thanks for your quick response - your response helped me to understand a little more about security issues. That is interesting about the 'include $variable'. I am still struggling to learn php.

 

I shall change the folders in Joomla that have 777 permissions to 755. I still have to check my other directories to see if there are any more folders with permissions set at 777 - I know I sometimes set a folder or file to a higher permission (then what it is currently set at) as required when I am editing. I usually remember to change the permission back when I am finished but occasionally I do forget. It is good to have a thread like this periodically (not that I want to see others' sites being hacked) - it does remind us to remain security conscious.

 

Gail

Posted

Speaking of joomla, I believe folders should be 755 and files 644.

When I need to edit a file I first try not to set it to 777, instead I set it to 666 which makes it writeable but not executable, then when done, the files is set back to 644.

Posted

Whoa! Now you got me worried.

My site uses PHP, although I’m not that good at it. I don’t mess with the permissions, I don’t even know about the 777 or 666 or what ever.

I don’t have a blog or anything like that. Just html and php for viewing and purchasing.

 

Am I at risk also??

 

 

thanks

Posted

If you use a standard script ( cart etc ) written by someone else - then just makesure you keep it uptodate. As soon as a new version comes out, I'd suggest upgrading.

 

If it's script you have developed yourself, then I'd suggest a quick bit of research on php injection scripts, and how that works.

 

If you maintain things uptodate - you should generally be fine. We do monitor our network all the time, and get to know very quickly when people are trying things on accounts.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...