Well, the reason I posted this thread is that I have noticed numerous websites and servers getting compromised lately. Things getting hacked are all too common these days.
The most common attacks we saw in our security screening are via:
1) Cracking weak FTP passwords or stolen FTP credentials (control panel and RDP credentials as well)
2) Stolen or brute-forced credentials for administration areas (e.g. domain.com/admin)
3) Weak permissions on the website
4) Injection attacks (SQL, XSS, RFI)
5) Compromised and infected user's local machine (user's carelessness)
1) Cracking weak FTP passwords or stolen FTP credentials (control panel and RDP credentials as well)
The basic and widely observed issue is users choosing weak passwords. I have nothing more to say on it: if your FTP password is known, no one can stop your site from getting messed up and hacked.
2) Stolen or brute-forced credentials for administration areas (e.g. domain.com/admin)
The second is attacks on the admin portals of your website. Many websites run CMS apps like DNN, WordPress or Joomla, and the worst part is that very few people care to secure them.
A default installation without basic security measures makes your site vulnerable.
Below are a few links that can help you secure your CMS:
http://www.eukhost.com/forums/f42/ho...ss-blog-11966/
Joomla! • View topic - Has your site been compromised? READ THIS
Category:Security Checklist - Joomla! Documentation
You can find more on Google.
3) Weak permissions on the website
By weak permissions I mean write / execute / modify permissions.
Many users have these permissions set on their website. What's wrong with having these permissions on my domain?
Well, they allow users to execute scripts on your domain. Let me link the points to make this clearer: in the first point I mentioned malicious users obtaining your FTP password; once they have the password they can upload files / scripts, and boom!
These permissions also give an attacker a chance to carry out injection attacks.
4) Injection attacks (SQL, XSS, RFI)
Much has already been written about SQL injection, so I'll keep this simple: SQL injection works because sites do not properly sanitize GET or POST data. For example:
domain.com/page.php?id=33+union+select+fldpass,fldusers+from+tblusers+where+fldid='1'
Sanitizing user input, whether from query strings or POST data, would have helped mitigate this. The most obvious method of sanitization is to remove ANYTHING that is not expected from the data before it reaches the query (for a numeric id, that means accepting nothing but digits).
XSS (cross-site scripting) and RFI (remote file inclusion) are attacks that can be executed when domains have weak permissions and vulnerable code.
In simple terms, such attacks can lead to website defacements.
Many older versions of CMSs like Joomla, WordPress and DNN are vulnerable to RFI, hence installing a recent version or updating the existing one is recommended.
5) Compromised and infected user's local machine (user's carelessness)
This is the ROOT CAUSE for all of the above: many users do not even know their system has been compromised and continue working on it.
If the machine from which you manage your site is compromised, I bet nothing can stop your site and servers from getting compromised. Users install many untrusted / freely available apps and download apps from torrents and unsafe websites; along with the content they wanted they get many other things too, yes, viruses/Trojans that get transferred and installed with that content, leaving the system infected.
So what can I do to prevent these?
Prevention is always better than a cure after the fact, and though there are no 100% effective methods of prevention, there are a few things you can do.
First and foremost, if your server supports SFTP (FTP over SSH), USE IT. It protects against sniffers on the network by encrypting the login information (a keylogger on your own machine still sees the password before it is encrypted, which is exactly why point 5 above matters).
Second, be VERY careful about where you surf online and what you download/open (this is especially the case for those of you randomly opening attachments in e-mails, or using HTML e-mail instead of plain text).
The vast majority of infections occur because an infection arrives in e-mail and you open it (NEVER a good idea), or via other compromised websites, or via "fake" websites (i.e. those offering videos that actually lead to infections). Disabling ActiveX and scripting for ALL websites is always a good idea. If there are websites you require these for, put them into the Trusted Zone.
As far as SQL injection goes, first and foremost: check, check again, then check again. Your site's code is very important, and if you're processing data without checking it, this will lead to your sites being compromised. Sanitize user input and NEVER concatenate request data directly into the SQL string you use to query the database; validate the value (an id must be a number) and pass it to the database as a bound parameter rather than as part of the SQL text. Again, there are many resources out there that will help you lock down your site.
How can I clean my site if it's been compromised?
If your site has already been compromised, the first things you need to do are:
1. TAKE THE SITE OFFLINE!
2. Change ALL passwords (FTP, HTTP and any others you have)
3. Check the files on your FTP space for any files that should not be there (shells are commonly uploaded by the attacker to allow them to get back in, even after the FTP and other passwords have been changed). Look in particular at upload, image and cache directories, at scripts with a recent modification time, and at .htaccess files you did not create.
4. Most importantly, CHECK THE MACHINE YOU NORMALLY USE TO CONNECT TO THE WEBSITE. Compromised machines were the major cause of the Gumblar infection being successful, as this is how the FTP credentials were obtained. You MUST ensure the machine is clean.
Passwords should be changed from a second machine, and NOT from the machine you normally use to connect to the site's FTP and other accounts.
If you aren't regularly backing up your site's files, you are making the job of restoring it virtually impossible without taking forever to manually check everything. You should
ALWAYS back up your files either weekly or, for those of you manually updating the site (i.e. not using a database or whatnot), EVERY time you make a change to the site.
Backups should NEVER be stored only on the same machine you use to connect to the site, but should be placed in a password-protected zip on a flash drive, a second machine, or CD/DVD.
You can also get in touch with our Live Chat or raise a support ticket for further investigation or if you have any queries.
Any comments on the post are most welcome!




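The page.php?id= injection from point 4 and the "never send query data directly to the SQL string" advice from the prevention section, worked through as an added example. This is not code from the original post or from eukhost: the tblusers / fldid / fldusers / fldpass names come from the post's example URL, while the tblpages table, its rows and the in-memory SQLite database are assumptions made for the demo.

```python
import sqlite3

def setup_db():
    """Constructed sample database; the page table and all rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tblpages (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO tblpages VALUES (1, 'Home'), (2, 'Contact');
        CREATE TABLE tblusers (fldid INTEGER PRIMARY KEY, fldusers TEXT, fldpass TEXT);
        INSERT INTO tblusers VALUES (1, 'admin', 's3cret');
    """)
    return conn

# URL-decoded value of the post's example querystring (page.php?id=...).
# The UNION lines the attacker's two columns up with the page query's two columns.
PAYLOAD = "33 union select fldpass,fldusers from tblusers where fldid='1'"

def vulnerable_lookup(conn, id_param):
    """What a vulnerable page.php does: the raw querystring value is pasted into the SQL."""
    sql = "SELECT id, title FROM tblpages WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def safe_lookup(conn, id_param):
    """Hardened version: validate the type first, then bind the value as a parameter.

    int() is the "remove anything that is not expected" step for a numeric id; the
    ? placeholder keeps the value out of the SQL text so it can never change the query.
    """
    page_id = int(id_param)  # raises ValueError for anything that is not an integer
    rows = conn.execute("SELECT id, title FROM tblpages WHERE id=?", (page_id,))
    return rows.fetchall()

if __name__ == "__main__":
    conn = setup_db()
    print("legit request:   ", vulnerable_lookup(conn, "2"))
    print("injected request:", vulnerable_lookup(conn, PAYLOAD))  # leaks admin password
    try:
        safe_lookup(conn, PAYLOAD)
    except ValueError as err:
        print("safe version rejected payload:", err)
    print("safe legit request:", safe_lookup(conn, "2"))
```

The vulnerable function returns the admin's password row for the injected id because page 33 does not exist and the UNION row is all that is left. Casting to int is enough for an id, but for free-text fields stripping "bad" characters is not a reliable fix; parameter binding is what actually separates data from the SQL.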

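The weak-permissions point (3) and clean-up step 3 (hunting for uploaded shells) as one added example, not code from the original post or from eukhost. It walks a document root and reports world-writable files and directories, scripts sitting in directories that should only hold data, .htaccess files that map extra extensions to PHP, and a handful of content markers typical of uploaded PHP shells. The marker list, the upload directory names and the sample tree it builds are all assumptions for the demo; treat every hit as something to review by hand, not as proof of compromise.

```python
import os
import stat
import tempfile

# Content markers commonly seen in uploaded PHP shells. A heuristic, not a
# signature database: review every hit by hand.
SHELL_MARKERS = (
    b"eval(base64_decode(",
    b"eval(gzinflate(",
    b"eval(str_rot13(",
    b"system($_",
    b"shell_exec($_",
    b"passthru($_",
)
SCRIPT_EXT = (".php", ".php5", ".phtml", ".asp", ".aspx", ".cgi", ".pl")
# Assumption: these directories should only ever hold data, never scripts.
UPLOAD_DIRS = ("uploads", "images", "cache", "tmp")

def audit(root):
    """Walk a docroot and return a sorted list of (path relative to root, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if os.stat(os.path.join(dirpath, name)).st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            ext = os.path.splitext(name)[1].lower()
            parents = rel.split("/")[:-1]
            if ext in SCRIPT_EXT and any(p in UPLOAD_DIRS for p in parents):
                findings.append((rel, "script in upload directory"))
            if name == ".htaccess" or ext in SCRIPT_EXT:
                with open(path, "rb") as fh:
                    data = fh.read()
                for marker in SHELL_MARKERS:
                    if marker in data:
                        findings.append((rel, "shell marker %s" % marker.decode()))
                        break
                if name == ".htaccess" and b"x-httpd-php" in data:
                    findings.append((rel, ".htaccess maps extra extensions to PHP"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot for the demo (not taken from any real site)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    files = {
        os.path.join(root, "index.php"): b"<?php echo 'hello'; ?>\n",
        os.path.join(uploads, "photo.jpg"): b"\xff\xd8\xff",
        # a typical dropped shell and the .htaccess that makes .jpg run as PHP
        os.path.join(uploads, "img.php"): b"<?php eval(base64_decode($_POST['c'])); ?>\n",
        os.path.join(uploads, ".htaccess"): b"AddType application/x-httpd-php .jpg\n",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o644)      # files themselves are not world-writable
    os.chmod(uploads, 0o777)       # the classic "weak permissions" directory
    return root

if __name__ == "__main__":
    for path, reason in audit(build_sample_tree()):
        print("%-22s %s" % (path, reason))
```

Run audit() against the real document root (as the site user, on a POSIX host) after taking the site offline and before changing passwords, so the list of files to remove is in hand when the site comes back. Paths are reported with forward slashes regardless of platform.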