1

one of my site hacked few times :( first I lost all databases, some tables were cleared and some of table's data had changed! than at the second hack, all tables were cleared and some php files' codes had been changed :/

it is hosted in Bluehost, and now they advise me some fixing;

  1. Fix any loose file permissions (this may be the most common exploit vulnerability)
  2. Delete all non-system Ftp Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
  3. Remove any Access Hosts by clicking the “Remote Mysql” icon and clicking the Remove Red X by each entry if there are any entries.
  4. Check your scripts for any Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings.
  5. If your scripts are infected, you may want to rollback to the last good snapshot backup of your account. If your backups are also infected, then you may want to consider having us reset your account to start afresh.

I tried to do all these as much as I could, especially about "Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings". I'm kind of beginner at this work, so I dont have fully control on thiese things...

my question is; is there any way to find out how I was hacked? What was the weak point?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
art.mania
  • 121
  • 1
  • 1
  • 3

2 Answers2

1

Check the logs in /var/logs/* - depending on how good the attacker was they may have left traces. If you are new to running your own server and securing yourself - take at http://www.freesoftwaremagazine.com/articles/hardening_linux and get yourself the O Reilly book "Linux Server Security". Then start slowly and small. Read as much as you can about ports, rootkits, how to enable secure uploads and downloads. Google is your friend here - search for "securing php" or "securing linux" on Google and you're in a world of information!

Khushil
  • 553
  • 3
  • 11
  • I found log files, it has pretty complicated content which doesnt mean anything to me :/ I will keep researching to understand more about log files content. Thanks!! – art.mania Feb 23 '10 at 11:25
1

Just FYI, once your server has been hacked, the only sure way to remove the hack is to completely reinstall the OS from scratch. If you don't, there's a good chance you will miss some backdoor the attacker has hidden somewhere.

davr
  • 1,729
  • 3
  • 14
  • 24