
Possible Duplicate:
My server's been hacked EMERGENCY

My site has been hacked, but when I look at the source files over FTP everything looks fine. My website address: zecel.com. Can anybody please guide me on how I can fix it and avoid it in future?

Thank You.

Shishant
  • Virtual domain, VM or actual host? Operating System (Windows/Linux/Solaris?) Web Server (Apache, IIS... ?) If ALL the files are OK, has your site really been hacked or just the DNS redirected? You have given us almost nothing to work with. – kmarsh Dec 15 '09 at 13:56
  • Define "everything looks fine". If you don't see anything wrong, that doesn't mean everything looks fine. If you monitor file changes by using something like tripwire/aide and keep file hashes offline - that's a different story. – Anonymous Dec 15 '09 at 17:27
  • -1 for extreme lack of information 5 hours ago. No updates since – GregD Dec 15 '09 at 18:42
  • How do you know that it was hacked? – bastianneu Dec 15 '09 at 12:48
  • All the contents have been changed. – Shishant Dec 15 '09 at 12:49
  • So, maybe someone just knows your username and password. Maybe a bad Friday out? –  Dec 15 '09 at 12:50
  • No Friday out :(( and my password is the same as the one I got when I registered the hosting account, and it's not used anywhere else. – Shishant Dec 15 '09 at 12:53
  • It's not subjective (there is some reason why the OP's site was hacked), and please don't use not-programming-related as a tag. – Dominic Rodger Dec 15 '09 at 12:55
  • There isn't nearly enough information in the question to do anything with, but a lot of recent site compromises have been due to client-side trojans stealing FTP passwords. You need to check all client machines that have logged on to the FTP (use multiple AV checkers, because today's anti-virus software is unreliable rubbish; if you find infections reinstall the OS, because they're probably not going to remove it reliably). And stop using non-encrypted FTP. It's 2009 you know. – bobince Dec 15 '09 at 14:25
  • Abandon all hope ye who would enter into such areas without understanding the technologies. Do you really think someone can teach you such a broad subject in a simple Q&A format? – John Gardeniers Dec 15 '09 at 21:58

3 Answers

5

First...wipe the system. Really. You can't trust system binaries anymore. It's like asking your brain to analyze itself. You can't objectively do it. Your system binaries could easily be compromised to hide what is actually going on.

By the time you sort everything out you could easily have rebuilt the thing three times.

Wipe the computer. Restore from backup. (what backup? If you're asking yourself that, you're in deeper trouble...you should probably rebuild the site from scratch and start making a really good backup...OFFLINE backup...plan).

Did you have all updates installed?

You didn't mention your platform/OS/etc. You also didn't mention what your website was (apache? What SQL version? PHP? virtual server, hosted, self-hosted, dedicated server, what kind of hack, how did you know it was hacked, what was in the logs...)

If you're really into trying to secure it, you should probably look at decent backups, checking every day for security updates, and install chkrootkit and rkhunter (if a Linux like platform) and something with a checksum for the files like tripwire.

You can also run audits on your system using Nessus or other vulnerability scanners.

Check your logfiles and audit log files for unusual activity.

Were you able to log in remotely to it? Strong passwords? SSH? Install denyhosts and configure it for locking out unusual attempts to the system.

Check into what method you could use for detecting that you're getting slammed by particular IPs or port scan attempts and firewall them.

Overall...need more info, and you need to wipe the system and reinstall from backups or scratch and get all updates installed. Monitor for file changes. Monitor your logs. Websites really can be run as just a set-up-and-forget thing, but if you're a sysadmin, it takes actual work to run a website "correctly," and it takes maintenance. Even a simple website can be a PITA to keep running and updated.

You can also subscribe to some security lists specializing in your platform of choice (your web server, OS, if you're running SQL or PHP or a specific BBS platform) so you can comb the mailings for vulnerabilities specific to your platform.

Bart Silverstrim
  • I am on a shared host, Linux server. I can log in to my cPanel. I have a backup, not recent but good enough to be restored. Still, any idea what should be done to check how it was hacked? – Shishant Dec 15 '09 at 13:24
  • If it's not a full backup, i.e., of the whole system, you can't trust the system binaries. For example, replace ls with a version that hides the executable named hack*. If you have control of the system you can reinstall. If it's hosted, part of the issue will have to be a coordinated fix with your hosting provider, depending on your terms of service and such. – Bart Silverstrim Dec 15 '09 at 13:33
  • Checking *how* it was hacked depends on more variables...logfiles? If they're on the same system as the hacked system they can't even be trusted, as the hacker can easily script something to wipe footprints. If you had out of date PHP or scripts that allowed unsanitized SQL statements, those could do it...only audits would really show that up. You didn't mention if it was a hack into the database, file replacement, OS found doing something it shouldn't be...nature of hack? – Bart Silverstrim Dec 15 '09 at 13:35
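The "checksum for the files like tripwire" advice above, plus the earlier comment about keeping file hashes offline, boils down to a baseline-and-compare loop. This is an added illustration, not code from the answer or from tripwire: it hashes a web root, stores the baseline in a file that stands in for an offline copy, and reports which files were added, removed or modified. The web root and its files are constructed inside the example.

```python
import hashlib
import json
import os
import tempfile

def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def save_baseline(baseline, path):
    # Write the baseline, then copy it somewhere the server cannot reach.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Classify differences between two baselines as added, removed or modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed web root: take a baseline, simulate a defacement, report the diff."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
    write("index.php", "<?php echo 'welcome'; ?>")
    write("inc/config.php", "<?php $db_host = 'localhost'; ?>")
    write("robots.txt", "User-agent: *\n")
    offline_copy = os.path.join(tempfile.mkdtemp(), "baseline.json")  # stands in for an offline store
    save_baseline(build_baseline(root), offline_copy)
    # Simulated tampering: one page edited, one file dropped in, one file deleted.
    write("index.php", "<!-- defaced -->")
    write("inc/unknown.php", "<?php /* not ours */ ?>")
    os.remove(os.path.join(root, "robots.txt"))
    return compare(load_baseline(offline_copy), build_baseline(root))
```

A baseline that lives on the compromised host proves nothing, which is why the comparison reads it back from a separate location.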
2

Having your website defaced and having your server hacked are a bit different. But you have to understand the attack. For instance, if it was just an SQL injection then the only thing really affected by the attack was the database. Restoring the database from a known good backup or manually removing the malicious code that was inserted into the database is normally sufficient, along with patching the program that allowed the injection to begin with. This would normally be an out-of-date version of WordPress or a similar database-driven framework.

Now if someone managed to brute force a password or log in and manually edit your pages, then as Bart indicated you should talk to your provider, as they will be in the best position to determine what the risks involved are and take appropriate action. But I agree with the "system can't be trusted" point that Bart makes; in general it's a good idea. With shared hosting, though, that's going to be up to the provider.

3dinfluence
0

There are a lot of problems with this question that make it difficult to help you. In particular, we don't know exactly what you mean by "all the contents have been changed". Since by your own question we know that the contents on disk appear to be unmodified, this suggests that your website was not actually hacked and that something else is going on.

The first question to ask is, "am I really looking at the website I think I am?" That is, does the URL you are entering in your browser really correspond to the system that hosts your website? If there has recently been a change in DNS this may not be the case.

One way to verify this would be to watch your Apache access log whilst making a request (that is, loading a page). If you see the request in your access log then it is at least not a DNS problem. If you do not see the request, then you need to figure out what system you're actually talking to.

Without more information we can't really help you.

larsks
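The access-log check larsks describes works best if the request you make is one nobody else would make, so its log entry cannot be confused with ordinary traffic. This added example (not part of the answer) generates such a probe path and scans Apache combined-format log lines for it; the log lines are constructed here, and in practice you would request the path from your browser or curl while tailing the real log.

```python
import re
import secrets

# Apache "combined" log format, as far as this check needs: client IP, time, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def make_probe_path():
    """A path nobody else will request, so the log entry is unmistakably yours."""
    return "/dns-probe-" + secrets.token_hex(8)

def find_probe(log_lines, probe_path):
    """Return the parsed entry for the first request of probe_path, or None if absent."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == probe_path:
            return {"ip": m.group("ip"), "time": m.group("time"), "status": int(m.group("status"))}
    return None

# Constructed sample of an access log, as a server would write it during the check.
# The probe returns 404 because the path does not exist; what matters is that it shows up at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2009:13:40:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Dec/2009:13:40:05 +0000] "GET /dns-probe-7f3a9c1e2b4d6f80 HTTP/1.1" 404 213 "-" "curl/7.19"',
    '203.0.113.7 - - [15/Dec/2009:13:40:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def demo():
    seen = find_probe(SAMPLE_LOG, "/dns-probe-7f3a9c1e2b4d6f80")     # our request reached this server
    missing = find_probe(SAMPLE_LOG, "/dns-probe-ffffffffffffffff")  # a request that never arrived here
    return seen, missing
```

If the probe never appears, the name is resolving to some other machine, and that is where to look next.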