Status
Not open for further replies.

adrian5750

New Member
Hi Folks

I've been asked to take a look at a community website - it's one of those that 'simply growed and growed'.....

Whilst grabbing a local copy of the site - my ftp program threw up a bunch of error messages - along the lines of

550 CUCAN XBASERX GECSEVER!.desc : No such file or directory
550 Debbetul Arz Was Here! : No such file or directory
550 Seni Seviyorum Cücan Hacked Baserx.desc: No such file or directory

These files actually do exist - they have downloaded, but are shown with zero length locally - dates are way back in 2007 (all files the same date).

Anybody seen this before - presumably it's sufficient simply to delete them locally & on the server?

Thanks in advance
Adrian
 

php.allstar

New Member
Hiya,

It depends on what kind of server you are running. On Unix based systems rootkits can be installed into a directory called dot dot space (.. ) which looks like the notation for the parent directory.

I seriously doubt that deleting files and folders will do anything to allay your fears. Rootkits can embed themselves deep onto your machine and sometimes can load into the kernel, which means that the only way to get back to full health is to perform a complete wipe and reinstall on the box.

Rootkits are notoriously difficult to get rid of. It might look like you've cleaned it all up, only for the rootkit to lie dormant for a few weeks, only to respawn at a later date.

On most linux distros you can install "chkrootkit" and run this on regular intervals. You can set this up automatically and get it to flag what it finds and email you a report. There's tons of these security scanners available.
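As an added example (not code from this thread, and not from any hosting company's toolkit), here is a Python triage script for the local copy that the FTP client pulled down. It walks the mirror and flags zero-length files, names containing defacement phrases or non-ASCII/control characters, and "dot dot space" directory names of the kind Allstar describes, then groups the hits by modification day so a batch of files all stamped with one old date stands out. The marker file names and the 2007 date are taken from Adrian's post above; the directory layout, the word list and the temp-dir sample tree are constructed for the example.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Words that commonly appear in defacement "tags"; extend for your own site (assumed list).
SUSPICIOUS_WORDS = ("hacked", "was here", "owned", "defaced")


def name_is_suspicious(name: str) -> bool:
    """Flag names that look like defacement markers or directory-name tricks."""
    low = name.casefold()
    if any(word in low for word in SUSPICIOUS_WORDS):
        return True
    # ".. " or ". " (trailing whitespace) look like the parent/current directory
    # in a listing but are real, separate entries that tools tend to skip over.
    if name != name.rstrip() and name.rstrip() in (".", ".."):
        return True
    # Control or non-ASCII characters in a name on an otherwise ASCII site.
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)


def scan_mirror(root: str) -> list:
    """Walk a local mirror and return (relative path, reasons, mtime day) per hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if name_is_suspicious(d):
                full = os.path.join(dirpath, d)
                day = datetime.fromtimestamp(os.lstat(full).st_mtime, timezone.utc).date()
                findings.append((os.path.relpath(full, root), ["suspicious directory name"], day))
        for f in filenames:
            full = os.path.join(dirpath, f)
            st = os.lstat(full)
            reasons = []
            if name_is_suspicious(f):
                reasons.append("suspicious name")
            if st.st_size == 0:
                reasons.append("zero length")
            if reasons:
                day = datetime.fromtimestamp(st.st_mtime, timezone.utc).date()
                findings.append((os.path.relpath(full, root), reasons, day))
    return findings


def group_by_day(findings) -> Counter:
    """Count hits per modification day; many files sharing one old date is a batch drop."""
    return Counter(day for _, _, day in findings)


def build_sample_mirror() -> str:
    """Constructed sample: a fake local copy of a site, built in a temp directory.

    The marker names mimic the ones the FTP client complained about, plus a file
    inside a 'dot dot space' directory; the layout is made up for this example.
    """
    root = tempfile.mkdtemp(prefix="site_mirror_")
    os.makedirs(os.path.join(root, "images", ".. "))
    for name, body in {"index.html": "<html><body>Welcome</body></html>",
                       "images/readme.txt": "photos go here"}.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    old = datetime(2007, 3, 14, tzinfo=timezone.utc).timestamp()
    for name in ("CUCAN XBASERX GECSEVER!.desc",
                 "Debbetul Arz Was Here!",
                 "Seni Seviyorum Cücan Hacked Baserx.desc",
                 "images/.. /x"):
        path = os.path.join(root, name)
        open(path, "a").close()          # zero-length marker file
        os.utime(path, (old, old))       # all stamped with the same old date
    return root


if __name__ == "__main__":
    hits = scan_mirror(build_sample_mirror())
    for rel, reasons, day in hits:
        print(f"{day}  {', '.join(reasons):32s} {rel!r}")
    print("hits per day:", dict(group_by_day(hits)))
```

Run it against the real download directory instead of the sample tree by calling scan_mirror(path). The caveat matters: a local mirror only contains what FTP was allowed to list, so anything hidden from the FTP account, or a kernel-level rootkit of the sort described above, will not appear here; this triages the site files, not the server.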
 

adrian5750

New Member
Hi Allstar

Hiya,

It depends on what kind of server you are running. On Unix based systems rootkits can be installed into a directory called dot dot space (.. ) which looks like the notation for the parent directory.

I seriously doubt that deleting files and folders will do anything to elay your fears. Rootkits can embed themselves deep onto your machine and sometimes can load into the kernel which means that the only way to get back to full health is to perform a complete wipe and reinstall on the box.

Rootkits are notoriously difficult to get rid of. It might look like you've cleaned it all up, only for the rootkit to lie dormant for a few weeks, only to respawn at a later date.

On most linux distros you can install "chkrootkit" and run this on regular intervals. You can set this up automatically and get it to flag what it finds and email you a report. There's tons of these security scanners available.

OK - thanks for that. It's a Unix box, by the way, on a business hosting package from Reg365.

As I say - the site's long overdue for a redesign - and I suspect that we may well want to move the hosting at the same time....

It's one of those 'how far do you go?' questions at the moment -
a quick peek at the site index page shows that it's actually got two '<head>' sections - which seems like one more than it really needs....

...so changes in the short term will be limited to sorting out some duff links, changed phone numbers and out-of-date events - without trying to re-engineer the thing any more than is absolutely necessary.

..can of worms, anybody ?? <g>

The things we get involved with <g>
- I must learn to say 'No - don't know nuffin' about that, Guv' when asked!

Thanks
Adrian
 

mneylon

Administrator
Staff member
Is it a CMS powered site?

If it's an old install of Joomla (for example) it's probably been exploited ..
 

adrian5750

New Member
Hi Michele

Is it a CMS powered site?

If it's an old install of Joomla (for example) it's probably been exploited ..

Apparently not... thought it was at first but it seems to be an unholy mix of html, javascript, toe of bat and eye of newt (as far as I can see).

You know the sort of thing - loads of super-fading-into-each-other BIG photos on the front page - more animated gifs than you could shake a stick at - and a nice scrolling 'thingy' on the right hand side... yuk!

Car crash web design ! <g>

Supposing we dump the existing hosting contract and move the site - then it's the hosting company's job to sanitise the directory structure.... would I be right ?

Thanks
Adrian
 

mneylon

Administrator
Staff member
Supposing we dump the existing hosting contract and move the site - then it's the hosting company's job to sanitise the directory structure.... would I be right ?
I'm not sure I follow you ...

If you dump the current host and move .. and then upload a new site ie. none of the old stuff .. then the problems will go away (I presume..)
 

adrian5750

New Member
Hi Michele

I'm not sure I follow you ...

If you dump the current host and move .. and then upload a new site ie. none of the old stuff .. then the problems will go away (I presume..)

Yes - sorry - I didn't make myself clear...

Plan A would be to move hosts <g>
Ideally, I'd want to have the new site running on the new host -
but, if that wasn't possible (time constraints) then carry across only the necessary stuff from the old site to the new host - taking particular note of any scripts/php-type files...

I've not had the pleasure of dealing with a hacked site before - I suppose if there is an infestation then it could be 'anywhere' in the sitefiles.....

Would that be a correct assumption ? - or would you expect anything nasty to bury itself somewhere else on the server ?

Thanks
Adrian
 

mneylon

Administrator
Staff member
TBH it depends on how bad the "problem" is. It could simply be one or two files or there could be something nasty buried deep on the server .. though on a shared server it's doubtful it would be able to "hide" for very long.

Unless you're 100% sure that the files you're uploading to the new server are 100% clean you could still have issues, though that's more likely to happen with a CMS powered site anyway...
 

achieve

New Member
I've recently taken on the job of updating an old Joomla site, only to find out subsequently that the site has been hacked. Seeing that the original site is a fairly straightforward brochure-type site, it will be easier for me to create a new site in HTML rather than try to fix/update the old Joomla site.
Declan.
 

php.allstar

New Member
Going back on my previous post about a possible rootkit, this theory now seems less likely, now that you have mentioned that the site is on a shared host.

Generally speaking, hosting companies (who know what they are doing!) pull all the right strings to prevent the risk of rootkits.

However, I would check to see if there are any directories with full write permissions 0777 which is a big no no unless you have user and group permissions firmly locked down. This is an area that opens the door for defacers to get in and do their worst.

I learned that the hard way when I first started out: had a site defaced, then, being a curious cat, I decided to research the whole area and see if I could do it myself. When I found out there were readily available scripts that provided this ability I gave up on the whole subject, as it's only script kiddies who use these.
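An added example (not from this thread or the host in question) of the permissions check Allstar recommends: it walks a site tree, reports every directory or file whose mode includes the "other" write bit (0777 directories and 0666 files included), and offers a tighten() pass that resets flagged directories to 0755 and files to 0644. The sample tree it builds in a temp directory is constructed for the example.

```python
import os
import stat
import tempfile


def find_world_writable(root: str) -> list:
    """Return (relative path, octal mode, kind) for every world-writable entry.

    Symlinks are inspected with lstat and skipped, so a link pointing outside
    the tree cannot drag unrelated paths into the report or into tighten().
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:          # the "other" write bit: 0o002
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                hits.append((os.path.relpath(full, root), oct(stat.S_IMODE(st.st_mode)), kind))
    return sorted(hits)


def tighten(root: str) -> int:
    """Reset flagged entries: directories to 0755, files to 0644. Returns the count fixed."""
    fixed = 0
    for rel, _, kind in find_world_writable(root):
        os.chmod(os.path.join(root, rel), 0o755 if kind == "dir" else 0o644)
        fixed += 1
    return fixed


def build_sample_tree() -> str:
    """Constructed sample tree (not the thread's real site) with two bad entries."""
    root = tempfile.mkdtemp(prefix="site_perms_")
    for d, mode in (("uploads", 0o777), ("css", 0o755), ("cgi-bin", 0o755)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)      # explicit chmod: umask would otherwise interfere
    for f, mode in (("css/style.css", 0o644), ("cgi-bin/contact.php", 0o666)):
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode, kind in find_world_writable(root):
        print(f"{mode} {kind:4s} {rel}")
    print("fixed", tighten(root), "entries; remaining:", find_world_writable(root))
```

Point find_world_writable() at the local copy or, better, run it on the server over SSH if the package allows it, since FTP-preserved modes are not always faithful. Before running tighten() on a live tree, check what the host expects: some shared-hosting setups (suPHP-style) want 0644/0755 exactly, while a genuine CGI script needs its execute bit kept, so adjust the two target modes to the host's documented values.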
 

adrian5750

New Member
Hi All

Following on from the original post....
...and with the 'benefit' of having tramped around in the offending website for a couple of fascinating days <g>

What the site's trying to do is to act as a directory for a little holiday village - with 'where to eat', business listings, bars etc.

It's done at the moment by hand-coding everything - so a particular entry has an html page showing an image & the various details. Links then go from (at least!) 3 hand-generated pages to this target page - and there's a bolt-on web-based search engine that is used to do a sort-of search on the site - all very messy - and going to be a total pain to maintain...

Thinking ahead to the Mark II site - seems to me that all this data should be stored in a database / csv file, whatever - and searched dynamically to build the pages. Probably a total of a couple of hundred different businesses....

Any suggestions as to the best course of action from here - pre-built scripts, databases, cms, whatever ?

I'm using NetObjectsFusion for producing code - which (allegedly) speaks Ajax... databases available in the hosting - just looking for a fairly quick n' easy implementation that's going to make updating / displaying the data less painful in future...

Thanks
Adrian
 

php.allstar

New Member
Hiya,

I'd suggest setting up wordpress as a CMS and installing a directory type plugin.

You should then build a scraper to crawl through your static pages to populate the database, simple!
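As an added example (not code from this thread, and independent of WordPress or any directory plugin), here is the kind of scraper Allstar means, done with the standard library: it parses each hand-coded listing page into a record, loads the records into a database with bound parameters, and offers a substring search over the result. The page layout it expects (one <h1> with the business name, the first <img> as the photo, and <p> lines of the form "Label: value") is an assumption about the old site, and the two sample pages are constructed for the example.

```python
import sqlite3
from html.parser import HTMLParser

# Constructed sample pages in the ASSUMED hand-coded layout; not pages from the real site.
SAMPLE_PAGES = {
    "cafe_marina.html": """
<html><head><title>Cafe Marina</title></head>
<body><h1>Cafe Marina</h1>
<img src="images/cafe_marina.jpg" alt="">
<p>Category: Cafe</p>
<p>Tel: <b>01234 567890</b></p>
<p>Address: Seafront, Unit 3</p>
<script>alert('leftover script from the old page')</script>
</body></html>""",
    "bar_luna.html": """
<html><body><h1>Bar Luna</h1>
<img src="images/bar_luna.jpg">
<p>Category: Bar</p>
<p>Tel: 01234 111222</p>
<p>Address: High Street 12</p>
</body></html>""",
}

FIELDS = ("name", "category", "tel", "address", "image", "source")


class ListingParser(HTMLParser):
    """Pull the name, first image and 'Label: value' paragraphs out of one page."""

    def __init__(self):
        super().__init__()
        self.record = {"name": None, "image": None}
        self._tag = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.record["image"] is None:
            self.record["image"] = dict(attrs).get("src")
        elif tag in ("h1", "p"):
            self._tag, self._buf = tag, []

    def handle_data(self, data):
        if self._tag:                      # only text inside the h1/p being read
            self._buf.append(data)         # so <script>/<title> content is ignored

    def handle_endtag(self, tag):
        if tag != self._tag:
            return
        text = " ".join("".join(self._buf).split())
        if tag == "h1" and self.record["name"] is None:
            self.record["name"] = text
        elif tag == "p" and ":" in text:
            label, _, value = text.partition(":")
            self.record[label.strip().lower()] = value.strip()
        self._tag = None


def parse_listing(source: str, html: str) -> dict:
    """Parse one page; only the known FIELDS survive, stray labels are dropped."""
    p = ListingParser()
    p.feed(html)
    p.close()
    rec = p.record
    rec["source"] = source
    return {k: rec.get(k) for k in FIELDS}


def load_into_db(pages: dict) -> sqlite3.Connection:
    """Create an in-memory table and insert one row per page using bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (name, category, tel, address, image, source)")
    rows = [tuple(parse_listing(src, html)[k] for k in FIELDS) for src, html in pages.items()]
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def search(conn: sqlite3.Connection, term: str) -> list:
    """Substring search over name/category/address; the term is bound, never interpolated."""
    like = f"%{term}%"
    return conn.execute(
        "SELECT name, category, tel FROM listings "
        "WHERE name LIKE ? OR category LIKE ? OR address LIKE ? ORDER BY name",
        (like, like, like),
    ).fetchall()


if __name__ == "__main__":
    conn = load_into_db(SAMPLE_PAGES)
    for row in search(conn, "bar"):
        print(row)
```

To use it on the real site, read each listing file from the local copy into the pages dict in place of SAMPLE_PAGES. Two design points follow from the thread: the parser keeps only text from the tags it is told to read, so whatever markup or script was injected into the old pages does not travel into the new database, and both the insert and the search use bound parameters, which is the habit to keep when the Mark II site starts building pages from user-supplied search terms.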
 