Hello everyone!

Web design isn't my thing, but I know enough to help maintain a website for a church. It is small scale and all I do is post events and upload pictures. A few days ago the site's FTP account got hacked and all the files were modified. I reset all the passwords and regained access, but now I can't even download the files to my computer.

I finally was able to zip the index.html using the file browser on the host control panel and downloaded it that way. Then I used a virtual machine to open the file in Notepad and found a script I didn't add in there, with a lot of numbers.

My question is: if I remove the script from the code and save it, is that good enough to make it safe for use, or what should I do?

Another question: is there anything I can do on my end to prevent things like that from happening?
(My password was 12 chars long and had capitals, lowercase, numbers and special characters.)

I can provide more details if needed, such as the log I got from the host company, if that helps.
Thanks in advance.

it is that good enough to make it safe for use or what should i do?

Web security is layered. It's important to have the proper security in place not only at the web site level, but also at the web server, network, etc. You can have a bullet-proof web application, but if the web server is compromised, the hacker will have access to the source files.

If your password was compromised, how did that happen? Do you think it was a brute force attack against the name and password, or did someone pick up a piece of paper that had this information? Was it in a spreadsheet saved on a USB stick? No matter how many characters there are in this password, as you can see, if someone gets the info, there's no stopping it in this case.

I'm going to need some more information if you want a more precise answer on this one. I will do my best to answer your question though. There can be several reasons behind this attack on the website. One of the main things I always check when I check websites/servers for security is the standard access points like XSS and SQL injection. They are fairly easy to find and even the most retarded idiot can do a SQL injection if he has a tutorial by his side. After I have checked for the obvious security holes you can take it a little further. If your site for example is running on some kind of CMS system you can check that system for known vulnerabilities and see if other people have experienced something like this. I normally also check the software on the server, which version of SQL it is using and which version of PHP it is using.

There are a lot of things that could have happened to your site and I can only guess since I haven't seen more details on this attack. There are some general recommendations I will give you though.

  1. Be sure to update every updatable piece of software related to your website. This is one of the biggest reasons for websites/servers to get hacked.
  2. Weak passwords or use of standard passwords.
  etc.

About the breach of your own password, it seems like your password should be fairly hard to crack. Though remember, after a security breach you should change ALL passwords and check ALL files for backdoors. The hacker has probably left some kind of backdoor on your server and I would therefore recommend you to either reset your server or replace all the files. I surely hope you have a backup of the site from before it got attacked; it is in times like now that backups are nice to have.

If you could provide me with some more information about the attack it would be easier for me to help you.
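The advice above to check ALL files for backdoors and to restore from a pre-incident backup can be done systematically rather than by opening files one at a time in Notepad. The script below is an added example written for this thread; it is not code from any poster or from the hosting company. It hashes a known-good backup tree against the live tree, lists every file that was modified or added, and flags common signs of injected code (eval, base64_decode, String.fromCharCode applied to a long run of numbers, which is what an injected "script with a lot of numbers" commonly is, hidden iframes). The two sample trees, including the gallery/extra.php file, are constructed for the demo; load_tree() is the helper you would point at real directories.

```python
import hashlib
import re
from pathlib import Path

# Heuristic indicators of injected code commonly seen after an FTP or
# web-server compromise. Each hit is reported as a label for manual review.
MIN_NUMERIC_RUN = 15  # comma-separated numbers needed to call something an encoded blob
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"(?:\d{1,3}\s*,\s*){%d,}" % MIN_NUMERIC_RUN), "long numeric array"),
    (re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
                r"(?:width|height)\s*=\s*['\"]?0\b)", re.I), "hidden iframe"),
    (re.compile(r"document\.write\s*\(\s*unescape\s*\("), "document.write(unescape())"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root):
    """Read every regular file under root into {relative_path: bytes}."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(backup, live):
    """Compare two {path: bytes} trees by content hash; return (modified, added, removed)."""
    modified = {p for p in backup.keys() & live.keys() if sha256(backup[p]) != sha256(live[p])}
    added = set(live) - set(backup)
    removed = set(backup) - set(live)
    return modified, added, removed


def flag_content(data: bytes):
    """Return the indicator labels that match inside one file."""
    text = data.decode("utf-8", errors="replace")
    return [label for rx, label in INDICATORS if rx.search(text)]


def triage(backup, live):
    """Report every file that differs from the backup, with the indicators found in it."""
    modified, added, removed = diff_trees(backup, live)
    report = {}
    for path in modified | added:
        report[path] = {"status": "modified" if path in modified else "added",
                        "indicators": flag_content(live[path])}
    for path in removed:
        report[path] = {"status": "removed", "indicators": []}
    return report


# Constructed sample trees standing in for the pre-incident backup and the live site.
BACKUP = {
    "index.html": b"<html><body><h1>Welcome</h1></body></html>\n",
    "events.html": b"<html><body><p>Events</p></body></html>\n",
}
LIVE = {
    # injected script: a run of character codes fed to String.fromCharCode, then eval'd
    "index.html": (b"<html><body><h1>Welcome</h1><script>eval(String.fromCharCode("
                   b"100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,104,105,34,41"
                   b"))</script></body></html>\n"),
    "events.html": b"<html><body><p>Events</p></body></html>\n",
    # a PHP file that was never in the backup; eval of a decoded string is a red flag
    "gallery/extra.php": b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
}

if __name__ == "__main__":
    for path, info in sorted(triage(BACKUP, LIVE).items()):
        print(f"{info['status']:8} {path}  {', '.join(info['indicators']) or '-'}")
    # Real cleanup: triage(load_tree("backup/"), load_tree("live/"))
```

Files that are unchanged from the backup drop out of the report, so only the modified and added paths (and anything the attacker deleted) need a human look. The indicator list is a heuristic, not a verdict: minified libraries such as jQuery legitimately use eval-like constructs, which is exactly why the hash comparison against a clean backup comes first.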

Thanks for the info, guys. Jorge, I never write any of my passwords down, though, so I'm not sure how they got it.

Anima, this is the log from the host company:

################################################################################
Abuse Department Information on Malware Attack
################################################################################
List of Infected Files
################################################################################
/kunden/homepages/33/htdocs/index.html
/kunden/homepages/33/htdocs/gallery/index.php
################################################################################
List of Probably Infected Files                                            
################################################################################
/kunden/homepages/33/htdocs/gallery.html
/kunden/homepages/33/htdocs/jquery/jquery-1.5.2.min.js
/kunden/homepages/33/htdocs/wpscripts/jspngfix.js
/kunden/homepages/33/htdocs/history.html
/kunden/homepages/33/htdocs/wpscripts/jquery.textshadow.js
/kunden/homepages/33/htdocs/gallery/jquery.easing.1.3.js
/kunden/homepages/33/htdocs/ministers.html
/kunden/homepages/33/htdocs/wpscripts/DD_roundies_0.0.2a-min.js
/kunden/homepages/33/htdocs/events.html
/kunden/homepages/33/htdocs/wpscripts/jsRollover.js
/kunden/homepages/33/htdocs/wpscripts/buttons.js
/kunden/homepages/33/htdocs/changable.html
/kunden/homepages/33/htdocs/fullcalendar/fullcalendar.js
/kunden/homepages/33/htdocs/jquery/jquery-ui-1.8.11.custom.min.js
/kunden/homepages/33/htdocs/gallery/images/christmas.swf
/kunden/homepages/33/htdocs/gallery/._index.php
/kunden/homepages/33/htdocs/fullcalendar/fullcalendar.min.js
/kunden/homepages/33/htdocs/fullcalendar/gcal.js
/kunden/homepages/33/htdocs/wsc/default.aspx
/kunden/homepages/33/htdocs/contact.html
/kunden/homepages/33/htdocs/backup.html
/kunden/homepages/33/htdocs/gallery/images/slideshow/malihu-jquery-image-gallery.html
/kunden/homepages/33/htdocs/wpscripts/._buttons.js
/kunden/homepages/33/htdocs/wpscripts/._jsRollover.js
################################################################################
List of Possible Intrusion Points                                         
################################################################################
/kunden/homepages/33/htdocs/gallery/images/md12/010.jpg
################################################################################
List of Compromised FTP-Users
################################################################################
k00000000
################################################################################
Excerpt from the logfiles from the time of the intrusion
################################################################################
66.249.73.221 - - [13/Jun/2013:02:24:59 -0400] "GET /gallery/images/md12/010.jpg HTTP/1.1" 200 53408 jshchurch.com "-" "Googlebot-Image/1.0" "-"
################################################################################

I mean, to me it seems like they used a picture to hack the website? Not sure...

At the moment it's using MySQL 5, but I don't have a database or use any SQL in there.
The PHP version is 4, but there are options to go to PHP 5.2, PHP 5.4 or PHP dev, which I'm guessing I should do.

There were three connections made on three days in a row, each from a different IP and each using a different port. Not sure if that helps, but the ports connected to are 52919, 35448, 56377.

I hope you have a backup from before you got infected. If that's the case it should be a no-time job to replace the files on the server with those, but before you do that, check the site for potential security vulnerabilities, so you don't leave an open door for the attacker again.

For me it seems like the attacker has used a shell to gain access to your website. Almost all shells that get uploaded to sites are disguised as pictures as a way to hide the shell. Do you have any feature for uploading on the site?

A couple of things to support my feeling.

  1. The index.html and the /gallery/index.php are infected.
  2. The possible intrusion point is an image, which typically indicates that it's a shell.
  3. The index.php file in the gallery folder makes me believe that there's some kind of uploading feature?

If I were you I would:
1. Update the PHP version (there's a reason they publish new updates).
2. I would go through all the PHP files and check for vulnerabilities.
3. Remove the infected files.
4. Change all passwords and make them stronger than before.
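The "shell disguised as a picture" theory above can be checked directly on the files in the gallery directory. The script below is an added example written for this thread, not code from any poster or from the hosting provider. It treats a directory of images as untrusted: every file's extension is compared against its real file signature (magic bytes), and the whole file is searched for PHP open tags and script markers, because a polyglot file keeps a valid JPEG header and hides the code after it. The sample files (photo-a.jpg and so on) and their contents are constructed for the demo; the "constructed marker" payload is inert and only exists to be detected.

```python
from pathlib import Path

# Magic-number prefixes for the media types you expect in a gallery directory.
# Anything that is not one of these does not belong there.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "swf": (b"FWS", b"CWS", b"ZWS"),
}

# PHP open tags and script markers, matched case-insensitively anywhere in the
# file: a polyglot hides its code behind a genuine image header.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"', b"<script language='php'")
SCRIPT_MARKERS = (b"<script", b"eval(", b"base64_decode(")


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def signature_matches(data: bytes, ext: str) -> bool:
    """True if the file really starts like the type its extension claims."""
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def embedded_code(data: bytes):
    """Labels for any code markers found anywhere in the file body."""
    low = data.lower()
    found = []
    if any(m in low for m in PHP_MARKERS):
        found.append("PHP open tag")
    if any(m in low for m in SCRIPT_MARKERS):
        found.append("script/eval content")
    return found


def audit_file(path: str, data: bytes):
    """Return the list of findings for one file; empty means nothing suspicious."""
    findings = []
    ext = extension(path)
    if ext not in MAGIC:
        findings.append("non-image file in image directory")
    elif not signature_matches(data, ext):
        findings.append("extension does not match file signature")
    findings += [f"{what} inside image file" for what in embedded_code(data)]
    return findings


def audit_directory(files):
    """files: {path: bytes}. Returns only the paths that have findings."""
    result = {}
    for path, data in files.items():
        findings = audit_file(path, data)
        if findings:
            result[path] = findings
    return result


def load_directory(root):
    """Read a real image directory into the {path: bytes} shape audit_directory() expects."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # minimal JPEG header for the constructed samples
SAMPLES = {
    "gallery/images/photo-a.jpg": JFIF + b"\x00" * 64 + b"\xff\xd9",             # clean image
    "gallery/images/photo-b.jpg": JFIF + b"\x00" * 32 + b"<?php echo 'constructed marker'; ?>",  # polyglot
    "gallery/images/photo-c.jpg": b"<?php echo 'constructed marker'; ?>",      # PHP renamed to .jpg
    "gallery/images/helper.php": b"<?php echo 'constructed marker'; ?>",       # PHP where only images belong
    "gallery/images/anim.gif": b"GIF89a" + b"\x00" * 16 + b";",                 # clean image
}

if __name__ == "__main__":
    for path, findings in sorted(audit_directory(SAMPLES).items()):
        print(f"{path}: {'; '.join(findings)}")
    # Real check: audit_directory(load_directory("htdocs/gallery/images"))
```

Two caveats a practitioner would add. First, a PHP payload inside a .jpg only runs if the server is configured to execute that path as PHP, so the lasting fix is on the server side: the image and upload directories should never have a PHP handler, and any upload feature should verify the file signature and rewrite the filename rather than trust the client's extension. Second, this is a heuristic scan for cleanup, not proof of cleanliness; a file with no findings still deserves the hash comparison against a backup taken before the incident.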

Thanks, Anima. Yea, the index in both folders was infected; I got the script they installed on there, which is very weird lol... I will follow your advice and do that, but how do I check for potential security vulnerabilities? My site is on 1and1.com.

Also, what is PHP Dev? It's an option I have after PHP 5.4, but I tried googling it and got nothing on it.

If you haven't worked with website/server security before it would be very hard to do that on your own. One thing you could do is to use a vulnerability scanner; those check for most vulnerabilities and point out where the vulnerabilities are, if there are any. Such a scanner could be Acunetix.

I'm programming in PHP myself and I have never heard of that before. Can you please tell me where you read/saw it? I visited 1and1.com and for me it seems like they also make websites for you? Who made the website for you?

I made the site myself. I'm not an expert at it, but I have tangled with sites before and know enough to get one up and running, combined with scripts I got from various sources. I will try to post a screenshot of their settings.


Oh, AFAIK it's just a dev version for PHP devs. Not something you should care about.

Oh OK, well thanks a lot for your help. I'm going to start learning PHP and hopefully get a handle on more website security... Regardless of me having backups this really annoyed me lol, so maybe it will serve as a push forward.
