Ian Grant

Subscriber
Joined
Aug 2, 2004
Messages
23,253
Location
West Midland
Format
Multi Format
After about 16++ years on the Internet and having a website, I've been hacked.

The Index page has been hijacked and malicious code is inserted, that doesn't sound too bad until you find your site has more than 840 index pages !!!!

Every Index page on the site has been hacked, and there are new ones too in non-publicly accessible directories, and in other directories that never had them before.

Ian
 

jwil6969

Member
Joined
Apr 12, 2007
Messages
13
Format
Medium Format
Hacked isn't bad, try stolen. About the mid 90's I had a website for my consulting practice. After a while I started getting strange phone calls, a good many of them threatening in nature. I started keeping a log of the calls for the next 18 months. After a while they stopped. One day I came home, parked in the driveway and went to get the mail from the postal box. On my way back to my front door two women approached me and produced their IDs; they were FBI agents!!! They were following up on a Federal Warrant wherein my company was cited as possibly being involved in criminal activity. We talked for a while and they waited for my wife to come from work to verify her ID. I found out that an escaped and wanted felon from Central America was using my website to travel about the USA doing drug and weapons deals with all sorts of unsavory characters. She was using my website and phone/fax numbers to lend an air of legitimacy to herself. I asked the two agents what I should do if the bad guys showed up at the front door. They said call the local police. Took down my website and never put it back up. You simply would not believe some of the calls I got!!
 

domaz

Member
Joined
Nov 2, 2007
Messages
572
Location
Tacoma, WA
Format
Multi Format
Hope you have a backup copy of your web site. If you do, close your account with your current provider; they obviously don't know how to secure their servers. Find a new provider and copy your files back up. Web hosting is such a fluid and sometimes unsavory business it's possible the people currently hosting your site hacked your pages to put malware there. Who knows anymore.
 

Bruce Watson

Member
Joined
Mar 28, 2005
Messages
497
Location
Central NC
Format
4x5 Format
After about 16++ years on the Internet and having a website, I've been hacked.

What you or your hosting provider should do is unplug from the 'net immediately. Then wipe the disks clean and reinstall everything. OS, applications, all of it. This is what you make (and test) backups for. If it's your box, it's yours to clean up. If it's hosted, it's normally the hosting provider's responsibility.

So why the wipe and rebuild? Because your machine has almost certainly been rooted. As in root kit. Do a search, you'll find a ton of stuff on what a root kit is and what you can do about it.

The only real way out is to start over. Don't waste your time trying to get the malware off your machine; you'll never be 100% sure your machine is OK using tools to scrape the crap off it (malicious software removal indeed). Root kits are (really) good these days. Ingenious at hiding and reinstalling themselves the second you reestablish a 'net connection.

Last time I had this happen I took the precaution of just installing new hard drives so I knew it was a squeaky clean install. The FBI said they wanted the old ones, but they never actually came and got them. Turned out the culprit was a 14 year old boy in Atlanta. Daddy was rich and the feds didn't think it worth it to prosecute. They just confiscated all the kid's computers and his parents' too (cleaned out the house, the kid had five or six himself as I recall). Anyway, if you start with fresh hard drives you can be reasonably sure that your boot sector is clean, etc.

But install and update your OS (use a known safe machine to download the updates to CDROM), lock it down tight, do everything to secure it, ***before you reconnect to the 'net.*** Do *not* go back on the 'net for any reason, not even for a second, until that box is as fully secure as you can make it. Because your box is a target now; they want it back. Trust me on this.

If you don't have and use a hardware firewall, get one and use it to lock down access to the box -- so tight that you have to physically be at the keyboard to make any changes (can't do it over the 'net, not even a VPN). It won't be 100%, but the idea is to make it difficult enough that they'll go try an easier box. Security in layers and all that.

Good luck with it.
 

Photo Engineer

Subscriber
Joined
Apr 19, 2005
Messages
29,018
Location
Rochester, NY
Format
Multi Format
So sorry to hear of your problems Ian. I hope you can solve them. I don't have a web site for just that reason. Even so, when I announced the first workshop I began getting harassing calls, threatening calls and also had someone try to hack into my credit card account and use it.

Good luck.

Ron
 
Joined
Dec 30, 2005
Messages
7,175
Location
Milton, DE USA
Format
Analog
Wow, Ian. I hope that everything is OK. Take your time with the article. You have bigger things to take care of. I'll stay off your back for a while.
 

Bob F.

Member
Joined
Oct 4, 2004
Messages
3,977
Location
London
Format
Multi Format
Not really my area of expertise but I'd first find out which attack actually hit you. A search on google using the text in the hacked pages should tell you and will give ideas on how to proceed.

Most such attacks to replace web pages are performed by script-kiddies simply firing hundreds of common passwords at the server to try and get into the web administrator's account. A look on any web server's log will show several such attacks daily - as long as you have a strong password they will always fail.

If the host provider has not kept up to date with patches to the server OS and web server software then there is often a route of attack through bugs in the software.

In any event, try to find out which of the many attacks it was and proceed from there. If the server itself was compromised then a low-level reformat may be the only safe option as suggested. Hope you have backups...
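Bob F.'s point that password-guessing runs against the admin login show up in any web server's log can be checked mechanically. The script below is an added example, not code from the thread or from Photrio: it assumes Apache/nginx "combined" log format, that the admin login is a POST to /admin/login, and that a failed attempt is answered with HTTP 401 while a success gets 302; the log lines are constructed, not real traffic.

```python
"""Added example (not from the thread): find password-guessing runs against an
admin login in a web server access log.
Assumptions (mine, not the page's): combined log format, login handler at
/admin/login, failure = 401, success = 302. Sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/admin/login"  # assumed location of the admin login handler

# Constructed sample: 203.0.113.7 hammers the login every few seconds;
# 198.51.100.22 is a real user who mistypes once and then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:03:12:01 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2008:03:12:03 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2008:03:12:05 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2008:03:12:08 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2008:03:12:10 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2008:03:12:13 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.44 - - [10/Oct/2008:03:15:40 +0000] "GET /gallery/index.shtml HTTP/1.1" 200 8841
198.51.100.22 - - [10/Oct/2008:03:20:10 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.22 - - [10/Oct/2008:03:20:30 +0000] "POST /admin/login HTTP/1.1" 302 0
"""


def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failed_logins} for every source that produced at least
    `threshold` failed logins inside any `window`-long span (sliding window)."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        if method == "POST" and path == LOGIN_PATH and status == 401:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed admin logins - candidate for blocking/lockout")
```

Run it against a real log with `find_bruteforce(open("access.log"))`; the one legitimate typo from 198.51.100.22 stays below the threshold, while the guessing run is reported. The natural response is what Bob F. says: a strong password, plus rate limiting or lockout on the login handler so the guesses fail faster.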
 

Photo Engineer

Subscriber
Joined
Apr 19, 2005
Messages
29,018
Location
Rochester, NY
Format
Multi Format
Ron,

I wouldn't have thought photographic emulsion making workshops would prove an attractive target or be that controversial.

Tom.

You would be surprised! One of the people claimed that I was ruining his life by doing this. IDK what is going on in people's minds today. I just wish Ian straightens things out.

PE
 
OP

Ian Grant

Subscriber
Joined
Aug 2, 2004
Messages
23,253
Location
West Midland
Format
Multi Format
If the host provider has not kept up to date with patches to the server OS and web server software then there is often a route of attack through bugs in the software.

In any event, try to find out which of the many attacks it was and proceed from there. If the server itself was compromised then a low-level reformat may be the only safe option as suggested. Hope you have backups...

The site's back up and running clean. Far more files had been corrupted than first appeared; there appear to have been at least 3 separate attacks. The first, 3 days ago, I hadn't noticed before: this added scripting to a number of html files, but this seems to have been a slow process going by the date/time stamps. The second attack must have been a script, as that added a script to every index file (.shtml, .htm & .php, 840 of them) with the same time stamp. The third attack undid the restoration work I did last night :D

The host doesn't admit the problem was theirs, but the email reply from support seems to indicate that there had been a security breach:

We suggest checking the timestamp on affected files. If they weren't modified by you at the time shown, the site has probably been hacked. We have already rolled out the latest security fixes on all servers, but there are steps you will need to take:

Change all your passwords (FTP accounts passwords)
Remove any .htaccess files not uploaded by you.
Delete affected files and reupload them from the backup.


When I made a call to the UK support and told them the problem they knew what type of server package I was on without me telling them any details !!! I was also told other people had similar problems. I should add that hosting is with a highly reputable company; changing hosting wouldn't be an option at the moment.

Now I just have 3 PHP modules to check & reload. They are more problematic, but not live to the world at the moment anyway, luckily :smile:

Thanks for all the advice.

Ian
 
Last edited by a moderator:
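Ian's observation (840 index files all rewritten with the same time stamp) and the host's checklist (look for files you didn't modify, remove .htaccess files you didn't upload, restore from backup) can be turned into one repeatable check. The script below is an added example, not Ian's or the host's code: it assumes a clean backup copy of the web root exists to diff against, and it builds its own constructed sample tree with a constructed injected-script URL (injected.example) so it runs offline.

```python
"""Added example (not from the thread): audit a live web root against a clean
backup. Reports modified files with the lines that were added, new files
(flagging any .htaccess the owner did not upload), missing files, and clusters
of files rewritten in the same second, which is the signature of the scripted
mass edit Ian saw. Assumptions (mine): a clean backup tree is available; the
sample tree and the injected.example URL are constructed for the demo."""
import difflib
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm", "index.shtml", "index.php"}


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def walk(root):
    """Map relative POSIX path -> Path for every regular file under root (dotfiles included)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def added_lines(old, new):
    """Lines present in the live file but absent from the backup copy (the injected content)."""
    diff = difflib.unified_diff(old.read_text(errors="replace").splitlines(),
                                new.read_text(errors="replace").splitlines(), lineterm="")
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def audit(live_root, backup_root, cluster_min=3):
    live, backup = walk(live_root), walk(backup_root)
    report = {"modified": {}, "new": [], "missing": [], "unexpected_htaccess": [], "mass_edit_clusters": []}
    for rel, path in live.items():
        if rel not in backup:
            report["new"].append(rel)
            if path.name == ".htaccess":  # the host's checklist item: .htaccess you didn't upload
                report["unexpected_htaccess"].append(rel)
        elif sha256(path) != sha256(backup[rel]):
            report["modified"][rel] = added_lines(backup[rel], path)
    report["missing"] = sorted(set(backup) - set(live))
    # A scripted rewrite stamps every file it touches with the same second.
    touched = report["new"] + list(report["modified"])
    stamps = Counter(int(live[rel].stat().st_mtime) for rel in touched)
    report["mass_edit_clusters"] = [(ts, n) for ts, n in sorted(stamps.items()) if n >= cluster_min]
    return report


def build_sample(live_root, backup_root):
    """Write a constructed site: a clean backup plus a live copy after a scripted mass edit."""
    clean = {
        "index.html": "<html><body><h1>Gallery</h1></body></html>\n",
        "about/index.htm": "<html><body>About</body></html>\n",
        "gallery/index.php": "<?php include 'lib.php'; ?>\n<html><body>Photos</body></html>\n",
        "gallery/lib.php": "<?php function nav() {} ?>\n",
    }
    payload = '<script src="http://injected.example/s.js"></script>\n'  # constructed marker
    for rel, text in clean.items():
        for root in (backup_root, live_root):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    mass_edit = 1223608320  # constructed epoch: every index file rewritten in this one second
    for rel, text in clean.items():
        if Path(rel).name in INDEX_NAMES:
            p = Path(live_root, rel)
            p.write_text(text + payload)
            os.utime(p, (mass_edit, mass_edit))
    later = mass_edit + 90000  # a separate, smaller change in a non-public directory
    for rel, text in {"private/.htaccess": "RewriteEngine On\n", "private/index.php": "<?php ?>\n"}.items():
        p = Path(live_root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.utime(p, (later, later))


def run_demo():
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as backup:
        build_sample(live, backup)
        return audit(live, backup)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Against a real site call `audit("/path/to/live/webroot", "/path/to/clean/backup")`. The `mass_edit_clusters` entry is the tell Ian used: hundreds of files sharing one mtime is a script, not a person. The report only identifies what changed; as Bruce Watson says, recovery is done by restoring from the clean copy rather than editing infected files in place.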

Sean

Admin
Admin
Joined
Aug 29, 2002
Messages
13,109
Location
New Zealand
Format
Multi Format
I keep a local rsync in NZ of the entire APUG site. So not only do I have RAID 1 on the server + a spare disk on the server running nightly backups, but I also keep the entire site synced here in NZ, completely outside of my host. Where I work has a fast uplink, so I could use them to re-upload the 8 gigs to a new host if the datacenter APUG is housed in were destroyed. I could probably have us back up and running within 24hrs if the worst happened. We would probably lose around 5 days of data though, but not bad considering.
 

Sirius Glass

Subscriber
Joined
Jan 18, 2007
Messages
50,289
Location
Southern California
Format
Multi Format
Sean,

Sounds like a good backup procedure that you have in place.

Steve
 