0

My FTP was hacked, a file has been uploaded and the host suspended the website temporarily. I'm only using an admin page that points to an .xml file (to load and modify the text of my website). I don't have any databases.

I'm going to add a htaccess/htpasswd, but will it be enough?

How can I protect my FTP so I don't have the same problem in the future?

angussidney
  • 230
  • 2
  • 9
Paul
  • 159
  • 2
  • 7
  • Ask your hosting company what you should do. I would also disable the FTP account until you need it. What I mean by this is that, you were given a FTP username by the hosting company ( DO NOT USE THIS ACCOUNT EVER ), create a "child" account and enable/disable that account each time you have to upload something. – Ramhound Mar 07 '12 at 12:59

3 Answers3

6

I wonder how you know that FTP was the method by which the unwanted file was uploaded. FTP is definitely problematic in that it defines no countermeasures against eavesdropping. You can find out about using a different protocol. You could consider the discussion of alternatives at SFTP, FTPS and SecureFTP differences and security implications. You will also want to ensure that you use a strong password (or passphrase). Roughly, a strong password is not in the first billion guesses. That way, if an attacker can find a way to try 100 guesses per second, your password can still resist attack for a month.

Community
  • 1
minopret
  • 434
  • 3
  • 9
  • hi, yes i don't know, can he send a file to the FTP using the input field in the admin page, even if i set `htmlspecialchars` on my login/password? will it change something to add a "htaccess" file? the password is 12 letters length, with numbers etc. – Paul Mar 08 '12 at 11:25
  • 1
    OK, I think we misunderstood that you might be uploading via FTP protocol. Because you are in fact uploading via the mechanism called "HTTP upload", yes, htaccess/htpasswd is advisable. There is a risk that you should be aware of. If you have to use "AuthType Basic" you will be at risk of further problems. Please see about using "AuthType Digest". "Require" directives, if available, might be a workable alternative or supplement. I haven't explained all the details, but you can get them starting with the tutorial: http://httpd.apache.org/docs/current/howto/htaccess.html – minopret Mar 08 '12 at 15:19
3

i'm going to add a htaccess / htpasswd

These files are usually used by webservers - not ftp servers. Some ftp servers will look for such files but you didn't say what ftp server you are using.

However since the FTP protocol sends passwords in clear text, and there's the additional complications around the secondary data channel, really you should use something else if you're really concerned about security (scp or sftp).

Since your "host suspended the website temporarily" your not hosting the site yourself - so what level of control over the server do you have? Even if you don't have root access, the hosting company may already provide ssh access (which usually implies scp or sftp).

Do make sure you pick a strong password.

symcbean
  • 18,278
  • 39
  • 73
  • thanks symcbean, the password is strong, with numbers etc. i set `htmlspecialchars` on my input (just one in the admin page), will it change something to add a htaccess file? (i just have a xml file, no database, but i don't know if it changes anything) – Paul Mar 08 '12 at 11:27
-3

You never know what a person who hacked your computer is doing. Sometimes they not only hack a password but are continuously spying on your actions on your computer.

According to https://www.britannica.com/technology/zombie-computer, sometimes a computer has malware on it and then a hacker uses that malware to control what that computer is sending out in which case the computer is called a zombie computer. For most zombie computers, the user doesn't notice anything unusual happen after their computer becomes a zombie computer and the malware was made in a way that will not cause them to notice anything unusual so that they would be less likely to notice the problem and do something about it.

I think that giving up internet entirely will stop hackers from hacking any more information from your computer or your actions or from making your computer be a zombie computer. Maybe you could get a professional to repair your computer to get rid of any malware, but there's a chance that hackers will keep on infecting it more badly before you get it repaired making it harder to repair if you don't give up internet right away and do without it until after it's repaired.

I don't know if there are any computers you can buy that have internet and are more secure by not enabling as many programs to be downloaded. If there are, maybe you could give up internet entirely and then buy such a computer and then use internet that requires a cord to make sure your old computer isn't receiving an internet connection and hackers can't continue hacking information from it or making it be a zombie computer.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Timothy
  • 95
  • The server is hosting a website. It is unlikely that the computer is in his home or his personal computer. From the descriptions in the comments, it turns out the the computer was not hacked, but the mechanism to upload (which was the admin page). Also, the question was about protecting the upload mechanism, not how to deal with a hacked computer. – schroeder Dec 18 '16 at 08:25