1

My website was taken down a day back - got a message form the host saying that they recieved a complaint from the Bank of America that my website was being used for phishing customers. I managed to bring my site online and found a number of weird code snippets and files on the site that I didn't put there. They were definitely put by a hacker but now I'm scared with regards to how did the hacker get into my site and put his files there.

What can I do to prevent something like this happening again!?!?!?

Ali
  • 279
  • 1
  • 3
  • 14
  • 1
    Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – tripleee Jan 05 '22 at 06:06

2 Answers2

6

If the hacker has managed to upload code to run, he probably has comprimised the server rather than the app. (this is just an initial hunch - he could have comprimised your server because of your app...)

Some basic pointers and things to do:

First off, change your passwords - All of them - Control panel, ftp users etc. Pick strong passwords that will be less vulnerable to dictionary / rainbow attacks. (use non alpha numeric characters, upper & lower case etc)

Check that no other users have been set up on the domain - if they have remove them immediately.

Pull all your code from the site and restore it from a fresh backup that you know is safe. Redeploy from your private source control if possible.

Ask your host to check that all security patches and updates have been deployed to your server.

Finally - time for a code review - need to check for SQL injections, XSS attacks, XSRF Attacks.

Paul
  • 176
  • 1
  • Additionally, don't use FTP on public, or unsecured wireless networks. Credentials sent via FTP are sent in plain text. If you can, use SFTP (ftp over ssh). – Cypher Sep 20 '10 at 05:27
1

If you use phpBB or Joomla or something like that, you always must have the latest version installed.

Natrium
  • 111
  • 2