SteveK2003 asked:

Anybody heard of websites hacked with random url's embedded in HTML?

I maintain a small website for 2 friends & relatives' home businesses.  Yesterday, I received a call saying that the website "looked strange".  So I checked and sure enough, each page on the website had embedded into it a seemingly random url to websites with dubious content (password hacks, gay chat rooms, yada-yada).

I checked the files on the website through the site's control panel (directadmin) and it is obvious that every HTML page has been changed.  The timestamps are all pretty much the same.

I've contacted the webhost's tech support about this and their response is "your site seems to have been compromised....you should change your password".  That is all they offered by way of trying to find out what happened and how to correct the problem.  It seems to me that this is a poor response.  If someone has discovered the password for the site, what is to stop that person, or anyone else, from again finding out the password?

I'd be shocked if this was an isolated incident and didn't affect other sites hosted on the same server or on other sites at other locations.

Can anyone offer help on how to track down how this may have happened, how to protect against it in the future, and what, if anything, the webhost should do to lock down these kinds of situations?  BTW, the web server runs the FreeBSD OS, if that helps.
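The question describes the two symptoms a defender can check for mechanically: every HTML page carries an off-site link it should not have, and the modification times all cluster together. The following Python script is an added example (not from the thread or from anyone in it) that walks a web root, reports links whose host is outside an allowlist, and groups files by modification time so a mass edit stands out. The sample site it builds in a temporary directory, the host names in it, and the 300-second clustering window are constructed for the demonstration.

```python
"""Triage helper for a mass-modified static site: lists off-site links per
HTML file and groups files whose mtimes fall close together.
Added example; the sample site below is constructed, not a real capture."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects every href/src target from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def external_links(html, allowed_hosts):
    """Return absolute links whose host is not in allowed_hosts.
    Relative links and mailto: links carry no host and count as internal."""
    parser = _LinkCollector()
    parser.feed(html)
    return [
        link for link in parser.links
        if urlparse(link).hostname
        and urlparse(link).hostname.lower() not in allowed_hosts
    ]


def mtime_clusters(entries, window_seconds=300):
    """Group (path, mtime) pairs whose mtimes lie within window_seconds of the
    cluster's first member; clusters come back largest first. One big cluster
    of HTML files is the 'timestamps all the same' symptom from the question."""
    clusters = []
    for path, mtime in sorted(entries, key=lambda e: e[1]):
        if clusters and mtime - clusters[-1][0][1] <= window_seconds:
            clusters[-1].append((path, mtime))
        else:
            clusters.append([(path, mtime)])
    return sorted(clusters, key=len, reverse=True)


def scan_site(root, allowed_hosts, window_seconds=300):
    """Walk root; return {relative path: [off-site links]} and mtime clusters."""
    entries, suspicious = [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            entries.append((path, os.path.getmtime(path)))
            with open(path, encoding="utf-8", errors="replace") as fh:
                links = external_links(fh.read(), allowed_hosts)
            if links:
                suspicious[os.path.relpath(path, root)] = links
    return suspicious, mtime_clusters(entries, window_seconds)


def build_sample_site():
    """Constructed sample: two pages carrying an injected off-site link and
    written at the same moment, plus one untouched page dated a day earlier."""
    root = tempfile.mkdtemp(prefix="site_")
    pages = {
        "index.html": '<a href="/about.html">About</a>'
                      '<a href="http://bad.example/x">hidden</a>',
        "about.html": '<img src="/img/logo.png">'
                      '<a href="http://bad.example/y">hidden</a>',
        "contact.html": '<a href="mailto:me@example.com">mail</a>',
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    now = os.path.getmtime(os.path.join(root, "index.html"))
    os.utime(os.path.join(root, "contact.html"), (now - 86400, now - 86400))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    bad, clusters = scan_site(site, {"example.com"})
    for page, links in bad.items():
        print("%s: %s" % (page, ", ".join(links)))
    print("largest mtime cluster: %d file(s)" % len(clusters[0]))
```

Run it against the real document root with the site's own host names in the allowlist; the cluster size and the per-page link list give the hosting provider something concrete to correlate against their access and FTP logs.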
ASKER CERTIFIED SOLUTION
boywaja

SOLUTION
cstejerean

As mentioned above there are two possible reasons for why your website was hacked. One is that you have applications installed that are vulnerable or misconfigured. The second possibility is that someone either guessed or intercepted your password. My guess is that the password you used was simple and easy to guess and you probably got hit by some automated bot that bruteforces passwords. I would definitely look for FTP logs if you have those and check for many failed login attempts.

If your password does not contain lower case, upper case, numbers and special symbols and is not at least 12 characters long then your password is not strong. If you think that's too hard to remember, take a sentence such as "fishing is fun" and do some modifications to get "F!$h1ng#is#Fun!". The problem is that not all providers support decent passwords and what is worse some only offer FTP and do not provide SSH (FTP is evil and should be avoided at all costs, use SSH instead).

Regards,

Cosmin Stejerean
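Two checks from the answer above can be turned into code: the password rule (lower case, upper case, digits, symbols, at least 12 characters) and the FTP-log review for repeated failed logins from one source. The Python below is an added example, not code from the thread or its participants. The log lines are constructed in the "FAIL LOGIN"/"OK LOGIN" style that vsftpd uses; other daemons word their entries differently, so the two regular expressions are the part to adapt to the real log format.

```python
"""Added example: the answer's password rule, and a scan of FTP log lines
for the brute-force pattern it says to look for (many failures from one
source, possibly followed by a success)."""
import re
from collections import Counter

MIN_LENGTH = 12  # the answer's "at least 12 characters"


def password_weaknesses(password):
    """Return the list of rule violations; an empty list means the password
    satisfies the answer's rule."""
    checks = [
        ("no lower-case letter", any(c.islower() for c in password)),
        ("no upper-case letter", any(c.isupper() for c in password)),
        ("no digit", any(c.isdigit() for c in password)),
        ("no special symbol", any(not c.isalnum() for c in password)),
        ("shorter than %d characters" % MIN_LENGTH, len(password) >= MIN_LENGTH),
    ]
    return [msg for msg, ok in checks if not ok]


# Constructed sample log (vsftpd-style wording, documentation IP ranges).
SAMPLE_FTP_LOG = """\
Feb  5 02:13:01 host ftpd[911]: FAIL LOGIN: Client "203.0.113.7"
Feb  5 02:13:02 host ftpd[911]: FAIL LOGIN: Client "203.0.113.7"
Feb  5 02:13:02 host ftpd[911]: FAIL LOGIN: Client "203.0.113.7"
Feb  5 02:13:03 host ftpd[911]: FAIL LOGIN: Client "203.0.113.7"
Feb  5 02:13:05 host ftpd[911]: OK LOGIN: Client "203.0.113.7"
Feb  5 09:40:11 host ftpd[913]: FAIL LOGIN: Client "198.51.100.4"
Feb  5 09:41:30 host ftpd[913]: OK LOGIN: Client "198.51.100.4"
"""

# Adjust these to the daemon's actual wording when running on real logs.
FAILED_RE = re.compile(r'FAIL LOGIN: Client "([0-9.]+)"')
SUCCESS_RE = re.compile(r'OK LOGIN: Client "([0-9.]+)"')


def failed_logins_by_source(log_text):
    """Count failed login attempts per source address."""
    return Counter(FAILED_RE.findall(log_text))


def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures. A source that also logged
    in successfully is the signature of a guessed password and is marked."""
    failures = failed_logins_by_source(log_text)
    successes = set(SUCCESS_RE.findall(log_text))
    return {
        ip: {"failures": n, "also_succeeded": ip in successes}
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for candidate in ("abc12345", "F!$h1ng#is#Fun!"):
        print(candidate, password_weaknesses(candidate) or "passes the rule")
    for ip, info in suspicious_sources(SAMPLE_FTP_LOG).items():
        print(ip, info)
```

With a real log, pipe the decompressed file in and feed its text to suspicious_sources; a single source with a run of failures and then a success is the entry worth handing to the host, together with its timestamp.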
SteveK2003 (ASKER)

Thanks to those of you who've responded so far.  The webhost doesn't think it was from a bruteforce attempt at guessing passwords.  FWIW, the password was 8 characters long and a combo of alpha and numerics.  Tech support at the webhost thinks the damage was done via exploitation of other software (the domain does have Gallery installed for displaying photo albums).  So that might be the likely avenue.

At any rate, I am trying to look thru the logs, although the webhost's tech support hasn't been much help in un-compressing them.  There is no user forum for the webhost, so I can't check with others using their service.  The webhost tells me that they occasionally get inquiries about this kind of activity, but do not see any patterns, nor do they have other current reports.

I still find it hard to believe that one small obscure website was hit in this fashion.

If anyone has further suggestions, I'm all ears.  I'll leave this thread open for a few more days, then award points to the responders.
SOLUTION
Thanks for that security focus link.  I see that the vulnerability was published on Feb 7, and the actual attack occurred on Feb 5, so it's a good fit.  I had been searching Gallery's user forums to see if anyone had reported any security issues, but nothing definitive came up. Not surprising, since this is very new.

Will have to see if there is a non-vulnerable version available to install on the site.
If your hosting company does not provide the latest version 1.5.2-pl2 you need to contact them and request to have it installed. Also check the other software they provide (content management, blogging, etc) that you are currently using for vulnerabilities.

Cosmin
Agreed.....already contacted them about this a few hours ago and I'm waiting for their response.
If you are using PHP, you should make sure that all input fields are stripped of HTML tags.
You can do this by adding strip_tags($stringFromInputfield);

Doing this will minimize the hacker's ability to perform XSS and SQL injection attacks.
Also, if you wish to preserve the tags, so they can be viewed, but not run, you can use the function htmlspecialchars($stringFromInputfield).
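The two PHP functions named above behave quite differently, and the difference is easiest to see side by side. The Python below is an added example (not code from the thread or from PHP itself): a small HTMLParser-based stand-in for strip_tags next to html.escape as the htmlspecialchars analogue, run over constructed inputs. The third input, a plain name with an apostrophe, is there to show that neither function changes quote characters, which is why HTML stripping or escaping is an output-encoding measure and database queries need their own handling.

```python
"""Added example: strip_tags versus htmlspecialchars behaviour, reimplemented
in Python for comparison. The stripper is a rough stand-in for PHP's
strip_tags, not a port of it."""
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps character data and entity references, drops every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append("&%s;" % name)

    def handle_charref(self, name):
        self.parts.append("&#%s;" % name)


def strip_tags(text):
    """Remove markup; the text inside the tags survives, the tags do not."""
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def escape_for_html(text):
    """htmlspecialchars analogue: markup characters become entities, so the
    browser displays the original text verbatim and never parses it as tags."""
    return html.escape(text, quote=True)


def compare(text):
    """Both transformations of one input, for side-by-side inspection."""
    return {"stripped": strip_tags(text), "escaped": escape_for_html(text)}


if __name__ == "__main__":
    # Constructed inputs: harmless formatting, a script tag, a quoted name.
    for sample in ("<b>bold</b> text", "<script>alert(1)</script>", "O'Brien"):
        print(repr(sample), "->", compare(sample))
```

Stripping is lossy (the visitor's bold markup is gone and a script tag leaves its body behind as plain text), while escaping keeps everything visible but inert, which matches the "viewed, but not run" option the post describes. The apostrophe in the last input passes through both unchanged; keeping a SQL query safe is the job of parameterized queries, not of either HTML function.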
SOLUTION
No need to argue about what the client on the webhost's server should do to protect himself, if the ISP itself has been hacked..
SOLUTION
Tolomir,
I apologize for not following up and closing the topic.  I've been on the road for 4 weeks straight.

At any rate, I agree with your allocation. Can you please apply and close the topic?

Thanks,
SteveK2003