0

I was hacked by a guy who erased everything. I spent the day putting everything back in order, and I would like to find a solution for this: he erased all the files, and also changed the title of "www" in the FTP to "www-xXX".

Is there a possibility to track the one who is trying to hack the website? (He just erased the content of the whole website, who would do that for no reason...) It is a small website, that just gives free content (some articles for free), so it took almost the whole day to upload everything back through the FTP. I am using FileZilla.

Also, if I set the file permissions to 440 (in the FTP, it changes to 540), could he still access and modify the files in the FTP? There was a .htaccess and .htpassword to protect the back office interface; I don't know what else I could try to protect the website.

It is such a silly thing to erase the whole content, as it took me a day of work to fix it, and for nothing, he was just amused to delete everything.

Thanks for your help

Paul
  • 2
    He probably knew the password. Just change the passwords and reinstall it; you can also secure the files so that it's impossible to delete them via PHP or something. Not sure if you can change owner via FTP. Maybe he used the hosting company, they might help you with this. – Andrew Smith Jul 19 '12 at 21:58
  • He changed the folder files because he had locked files or something. – Andrew Smith Jul 19 '12 at 23:32
  • @Andrew Smith: Thanks Andrew, so should I ask the hosting company to change the login and passwords of both FTP and database, then set each file to read-only, and he won't be able to have access to the files in the FTP? Thanks – Paul Jul 19 '12 at 23:50
  • 1
    @Paul - Just change them yourself. They are your accounts, if you can't change them yourself, get yourself a better service provider. – Ramhound Jul 20 '12 at 12:16

1 Answer

2

> Is there a possibility to track the one who is trying to hack the website?

Assuming they only deleted your website content and not literally everything off your box, you may be able to find information in your log files. Inform your hosting company about the situation.

Change all your passwords yourself (also change your email password while at it). From reading your comment it sounds like your hosting company provided you with these credentials to begin with; through email I assume? This is a big no-no (email is an insecure form of communication). Solution: change them yourself, and if you want to be really pedantic, set up two-factor authentication (DuoSecurity would be my pick). Basically every time someone tries to SSH/SFTP into your server you will receive an SMS or Push Notification (if set up) asking to allow or deny access to user with IP x.x.x.x.

Also ensure you are using SFTP not FTP, and keep complete backups.

Fortunately in your situation it just sounds like someone peeked at your credentials and only gained access to your FTP stuff. If you have the time you could set up a honeypot, but is it worth the time in your situation? Probably not.

Good luck.

P.S. The attacker deleting all your content was probably a good thing. (1) it was blatantly obvious someone gained access; (2) for security reasons you probably would have to erase everything anyway; (3) there are much worse things they could have done; (4) it reflects their intelligence (subject to personal opinion).

Kurt
  • +1 for "ensure you are using SFTP not FTP". Why the hell are hosting providers still running FTP? – Polynomial Jul 20 '12 at 09:08
  • @Prowla: Thanks Prowla, why is it a bad thing to receive the passwords via email? Can he hack my Gmail account? FileZilla has an option "sftp", I will try. I guess I have to ask the hosting company to change the host name starting with "ftp.myname"? (or maybe it is just a name and is compatible with an SFTP connection?) For your PS: a "good thing"? 3) I believe you, but what is worse? 4) Erasing the whole website is just silly. Same thing as when you get robbed or attacked in the street, you would not say the guy was "brave", you would think that the guy has to pay. – Paul Jul 20 '12 at 10:41
  • @Paul - Email is plaintext unless it's encrypted, in this case it's not encrypted, I can guarantee that. He can indeed hack your Gmail account if you used the same password, he likely already has access, if that's the case. – Ramhound Jul 20 '12 at 12:18
  • @Ramhound Thanks Ramhound, no it is a different email and password. I managed to change the passwords in the FTP and the database. I am not sure how to use SFTP, if I need the hosting company to do it for me, or if I can just write "sftp.myname" myself instead of "ftp.myname" as the host name? – Paul Jul 20 '12 at 16:02
  • 1
    @Paul - Email is an insecure form of communication. Have a chat with your hosting provider about SFTP. The attacker could have loaded your website with explicit illegal images, malicious scripts or made modifications to files without your knowledge. By deleting everything they were just completing your next step for you. You can chase the attack up if you want to. I doubt much will be done but I guess that depends on how much time and effort you are willing to put into achieving justice. – Kurt Jul 21 '12 at 01:27
  • @Prowla: thanks Prowla, one thing though: some people upload files to the website, so I left the permissions at 770. Is it a bad thing? – Paul Jul 21 '12 at 18:47
  • @Paul - It could be. Who is in the files group? `755` is generally the ideal permission. – Kurt Jul 21 '12 at 23:44
  • @Prowla: thanks, OK, I left 540 anyway, but we've been hacked again, although I changed all the passwords... Someone told me it could be a virus with FileZilla, do you know any other free FTP that would not have this kind of problem? I'm on Mac, maybe Cyberduck? I don't understand how he can get access to the FTP (we have a htaccess/htpasswd and a login/password on the admin page, and in the "search" field, htmlspecialchars with ENT_QUOTES). Then I have just changed all the passwords and logins (in the database and FileZilla) ... – Paul Jul 27 '12 at 15:33
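
As an added illustration of the answer's advice to look in the log files (not code from the original thread): a small Python script that groups delete records in an FTP transfer log by source address and account, giving a time window and address to pass to the hosting company. It assumes the host's FTP server writes a ProFTPD-style xferlog(5) file in which the direction flag `d` marks a deletion; the log lines, account name and addresses below are constructed samples.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in xferlog(5) layout (assumed format); IPs are documentation addresses.
SAMPLE_LOG = """\
Thu Jul 19 09:12:44 2012 2 198.51.100.20 48211 /www/articles/intro.html a _ i r paul ftp 0 * c
Thu Jul 19 21:40:02 2012 0 203.0.113.7 0 /www/index.php b _ d r paul ftp 0 * c
Thu Jul 19 21:40:02 2012 0 203.0.113.7 0 /www/articles/intro.html b _ d r paul ftp 0 * c
Thu Jul 19 21:40:03 2012 0 203.0.113.7 0 /www/admin/.htaccess b _ d r paul ftp 0 * c
this line is truncated
"""

DIRECTIONS = {"i": "upload", "o": "download", "d": "delete"}

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 18:  # 5 date tokens + 13 fields; spaces in paths are logged as "_"
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {"time": when, "host": parts[6], "path": parts[8],
            "action": DIRECTIONS.get(parts[11], "unknown"), "user": parts[13]}

def summarize_deletes(log_text):
    """Group delete records by (source host, account) with first/last timestamps."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["action"] != "delete":
            continue
        entry = summary[(rec["host"], rec["user"])]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or rec["time"], rec["time"])
        entry["last"] = max(entry["last"] or rec["time"], rec["time"])
        entry["paths"].append(rec["path"])
    return dict(summary)

if __name__ == "__main__":
    for (host, user), e in summarize_deletes(SAMPLE_LOG).items():
        print(f"{host} as {user}: {e['count']} deletes, {e['first']} to {e['last']}")
```

A rename such as "www" to "www-xXX" is not a transfer and would not appear in this kind of log; it would only show up in a command-level log if the server keeps one.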