Website being hacked every few days

I have a bit of an issue with my site.

Some sod is hacking into it all the time and to be honest, I don't really know what I can do about it... Not really.

Ok, first of all, they seem to be putting a .htaccess file in each folder

I cannot have one, not even a dummy one, otherwise the pages just won't load at all and I don't know why.

I have to go in and remove them from each folder and a few minutes later the site is back up.

Unfortunately it's happened a number of times and so I am looking at the FTP logs now and sure enough, the IP shows up ( as you'd expect it to ) and it's showing up as 173.236.69.60 and on checking that with whois, it turns out to be a company based in London ( and others apparently ) and it's a network & security firm called Inferno Solutions ( Probably some git in his bedroom more like )

Anyway, what can I do to stop this from happening again?
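The original poster is removing dropped .htaccess files by hand and reading the FTP transfer log by eye. The script below is an added example (not code from the thread or from the hosting provider) that automates both checks: it walks a web root and lists any .htaccess file that is not on a known-good list, and it parses FTP transfer-log lines to count which remote hosts uploaded a file named .htaccess. It assumes the FTP server writes the common xferlog format (one line per transfer, with an `i` direction flag for uploads); the log lines and directory layout in `demo()` are constructed for illustration, and only the 173.236.69.60 address comes from the thread.

```python
"""Added example: spot unexpected .htaccess files and the FTP clients that
uploaded them.  Assumes an xferlog-style FTP transfer log (an assumption,
not something the thread states); sample data below is constructed."""
import os
import re
import tempfile
from collections import Counter

# xferlog fields: weekday month day time year, transfer-time, remote-host,
# bytes, filename, transfer-type, special-action, direction (i=upload,
# o=download, d=delete), access-mode, username, ...
XFER_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \d+ (?P<host>\S+) \d+ (?P<path>\S+) "
    r"\S \S (?P<direction>[iod]) \S (?P<user>\S+)"
)

# Constructed sample log: two .htaccess uploads from the address named in the
# thread, one normal upload and one download from the site owner's own address.
SAMPLE_LOG = """\
Mon Nov  1 10:15:01 2010 1 173.236.69.60 312 /htdocs/.htaccess a _ i r u12345678 ftp 0 * c
Mon Nov  1 10:15:02 2010 1 173.236.69.60 312 /htdocs/northwales/.htaccess a _ i r u12345678 ftp 0 * c
Mon Nov  1 18:40:11 2010 2 192.0.2.10 5123 /htdocs/index.html a _ i r u12345678 ftp 0 * c
Tue Nov  2 09:00:00 2010 1 192.0.2.10 312 /htdocs/.htaccess a _ o r u12345678 ftp 0 * c
"""


def parse_xferlog(lines):
    """Yield (remote_host, path, direction, user) for each well-formed line."""
    for line in lines:
        m = XFER_RE.match(line)
        if m:
            yield m.group("host"), m.group("path"), m.group("direction"), m.group("user")


def htaccess_uploads(lines):
    """Count, per remote host, how many .htaccess files were uploaded."""
    hosts = Counter()
    for host, path, direction, _user in parse_xferlog(lines):
        if direction == "i" and os.path.basename(path) == ".htaccess":
            hosts[host] += 1
    return hosts


def find_htaccess(webroot, expected=()):
    """Return web-root-relative paths of .htaccess files not in `expected`."""
    allowed = {os.path.normpath(os.path.join(webroot, p)) for p in expected}
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" in files:
            path = os.path.normpath(os.path.join(dirpath, ".htaccess"))
            if path not in allowed:
                found.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(found)


def demo():
    """Build a constructed web root in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("secure", "brother", "images"):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write("# constructed sample file\n")
        # Only secure/.htaccess is something the owner put there on purpose.
        unexpected = find_htaccess(root, expected=("secure/.htaccess",))
    return unexpected, htaccess_uploads(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    unexpected, hosts = demo()
    print("unexpected .htaccess files:", unexpected)
    print("hosts uploading .htaccess:", dict(hosts))
```

Run it against a real web root and transfer log by replacing the temp directory and `SAMPLE_LOG`; the point of keeping an explicit `expected` list is that a legitimate .htaccess (if the site ever needs one) is not flagged every time the scan runs, while anything else is reported with its path so it can be compared against a clean backup rather than just deleted.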
 
Anyway, what can I do to stop this from happening again?

You can find out how they're getting in and close the hole.

Firstly do you have SSH/SFTP access to the server? If so, use that rather than FTP.

Secondly, change the FTP passwords and all other server passwords.

Any web apps you're running? Make sure they are all patched up. If it's custom apps then you have a bigger job on your hands.

Do you have any other suspicions how they might be getting in?

The problem is that given the access the attacker has, you can no longer trust any of your code, it could now be full of additional backdoors for example - so restore from a known safe backup.
 
Give up on FTP, use a secure alternative like tntcoder said. Might be worth disabling FTP accounts for a while and see if they get enabled, in which case they may have access to your admin page.

What are you running on the server? Just a static website or something more advanced?

I've done a whois on that IP and it comes up belonging to www.singlehop.com.
 
Most hosting sites have a block IP option, might be the quickest way to resolve the problem.

I want to try blocking the IP from the htaccess file however, no matter what I do, even if I have a dummy / empty htaccess file, the site does not show up at all? - I have to have no htaccess file at all for some strange reason?

This is what I had in mind

----
# Apache 2.2 mod_authz_host syntax: with "order allow,deny" the deny lines win
order allow,deny
deny from 173.236.69.60
# a partial address covers the whole 173.236.69.0/24 range
deny from 173.236.69
allow from all
----

I don't really have a clue to be honest, but I have plopped it in to give it a shot anyway.

Is there no phone number for this 'company'? Mind providing a link to the site?

That's just it, no...

I have simply gone by WHOIS with the IP and it gave me that info

It did however give an address

I have a sneaky feeling that it could be a fake address and / or IP but then when I do a search I find the company is a network hacking company, and so it certainly feels like they are hacking into me for sure.
 
Don't even attempt to block the IP or find out who's doing it as they'll just switch to another VPS.

What is being hacked? Shared hosting? VPS? Dedicated server? You need to give much more info.
 
Well, that's just it... They don't seem to have changed a thing, except for the .htaccess file.

You cannot access the site when the file is there, and as soon as I delete it, I get access to the site again.


---

The site is really only my own mess about site but I also knocked up a website for my brothers business too.

www.fatrakoon.co.uk
www.northwales-cases.co.uk

The North Wales cases one is simply a folder on my own webspace of course

And there is no clever code or anything of the sort... It's all fully HTML and I have done it to be compatible with every browser and the most complex thing is frames but nothing else.

Blocking IP
Yes, but for now that's all I can think of doing that is within my limited experience in these matters.

SINGLEHOP ?

I saw that, but it also showed By Network Solutions and then Inferno Solutions...
I was confused... still am... more so now?
 
If you're on shared hosting you should seek advice from your hosting company, they can do more to find the cause which could be another site on the server. You could even ask them to put you on a different server. The only way this can happen is someone has the passwords, malicious code, a security hole in some software or through being on shared hosting and some other account is infected.

Also check all folder permissions and make sure you cannot browse any directories from the internet.
 
Ok looks like i got incomplete whois data. Inferno Solutions look like a Russian site.

Probably some Russian attackers trying their luck or having some fun.

Take it you've tried changing all your passwords etc?
 
Can you restore the site from a backup as they may have installed something there that allows them back in ?

MW
 
I think at this stage it might be wise to talk to the hosting provider to see if something needs patching or they could advise better.

Judging by those sites I can't really see anything that would allow any files to be placed anywhere within your site. I find it annoying when things like this happen for financial gain if that's their idea.

Off chance, it's not your provider that's doing it, is it?
 
Off chance, it's not your provider that's doing it, is it?

That's what got me wondering. There isn't a script your hoster implements to push this file in for whatever reason?

I would have thought if someone had access to put that file in your site would have been in tatters...

It's not like the sites are the most important websites in the world.
 
Change every password to a newly random generated 10+ character one, delete everything and re-upload it from a backup. See if it happens again.

Some (bad) hosting companies have shared platforms architected so that one compromised site on the server will allow you to traverse the entire filesystem and exploit all sites on a machine.

I'd move to someone reputable. We've now got to the point where we scan all uploaded php for obvious vulnerabilities automatically, we see dozens of sites a day with exploitable flaws as a result. A decent hosting provider will be doing similar. They won't be £1 a year types though...
 
We've now got to the point where we scan all uploaded php for obvious vulnerabilities automatically

How obvious are the vulnerabilities you're scanning for? Doing this for a decent number of files would be computationally expensive. Are you just testing for bad use of $_POST/$_GET variables or is it cleverer than that?

SQLmap is a good tool for testing for SQL injection related vulnerabilities.
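The question above asks how "obvious" a cheap scan of uploaded PHP can be. The script below is an added example (not the hosting provider's scanner, nor code from the thread) of the simplest useful version: it reads PHP source line by line, remembers variables assigned straight from `$_GET`/`$_POST`-style superglobals, and reports lines where such input reaches a database, code-evaluation, shell or file-inclusion call without passing through an obvious sanitiser. The sink and sanitiser lists and the sample PHP are my own constructions; a real scanner would need a proper parser, but this is roughly the "bad use of $_POST/$_GET" check the question describes.

```python
"""Added example: a deliberately simple line-based scan of PHP for
superglobals flowing into dangerous calls.  Sink/sanitiser lists and the
sample PHP are constructed for illustration, not taken from the thread."""
import re

# Calls where attacker-controlled input does the most damage, by category.
SINKS = {
    "sql": r"mysql_query|mysqli_query|pg_query",
    "code": r"eval|assert|create_function",
    "command": r"system|exec|shell_exec|passthru|popen",
    "file": r"include|include_once|require|require_once|file_get_contents|fopen",
}
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
# Wrappers that make the scan treat the value as cleaned (a crude whitelist).
SANITISERS = (r"intval|\(int\)|floatval|mysql_real_escape_string|"
              r"mysqli_real_escape_string|escapeshellarg|basename")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.*?);")

# Constructed sample: lines 5 and 7 should be reported, the rest should not.
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$page = intval($_GET['page']);
$name = mysql_real_escape_string($_POST['name']);
$r = mysql_query("SELECT * FROM items WHERE id = $id");
$r2 = mysql_query("SELECT * FROM items LIMIT $page");
include($_GET['lang'] . '.php');
echo "hello";
system("ls " . $dir);
"""


def _contains_taint(text, tainted):
    """True if text mentions a superglobal or a variable known to be tainted."""
    if re.search(SUPERGLOBAL, text):
        return True
    return any(re.search(re.escape(v) + r"\b", text) for v in tainted)


def sink_hit(code, tainted):
    """Return the sink category if a sink call on this line takes tainted input."""
    for cat, pat in SINKS.items():
        s = re.search(rf"\b(?:{pat})\s*[( ]", code)
        if s and _contains_taint(code[s.end():], tainted):
            return cat
    return None


def scan_php(source):
    """Return [(line_no, category, line)] for risky sink calls in PHP source."""
    tainted = set()
    findings = []
    for n, raw in enumerate(source.splitlines(), 1):
        code = raw.strip()
        hit = sink_hit(code, tainted)
        if hit:
            findings.append((n, hit, code))
        # Track direct assignments so `$id = $_GET['id']` taints $id for later lines.
        m = ASSIGN_RE.match(code)
        if m:
            var, rhs = m.groups()
            if _contains_taint(rhs, tainted) and not re.search(SANITISERS, rhs):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings


if __name__ == "__main__":
    for line_no, category, text in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {category}: {text}")
```

This is a triage filter, not proof of a vulnerability: it ignores sanitisation done on a different line, function boundaries and prepared statements, so a hit means "look at this file" and a clean result means nothing much. For the SQL cases it flags, a tool like the sqlmap mentioned above is the usual way to confirm or rule out the finding on a test copy of the site.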
 
Thanks again for the replies guys... Ok, where are we?

What software are you running on your site? They are most likely exploiting oscommerce, phpbb, vbulletin, etc.

I'm not very good at web design. My website was written on an old Atari ST and now it's done on my TT. I use a program called QED to write the HTML ( QED is the same as NotePad ) and CAB to display the pages ( CAB is a very old Netscape clone )
All my pages are basic HTML and the most complex bits are frames, but apart from that, there is no scripting of any kind, no special code or anything like that.

What's the content of this .htaccess file they are putting on the server?

I may have a copy of the file still on the HD but a quick look didn't find one right now.
So, I cannot answer this question yet sorry.

If all else fails you could always try switching to a more secure hosting provider.

Done. Sort of... I will explain.

I am with 1&1

My brother's website is held on the main server, inside a folder on my website, and his URL is simply forwarded to the location.

I am absolutely 99% sure that whoever did this, has done it to his site and it's affected my entire lot too!
I say this, because while I'm not an expert, I'm not a knob either and the logs definitely showed his site was the last one looked at, every time it got hit, and by the same IP too.

Now, I have asked him to find out if his provider also offers a basic website and if so, then I can simply FTP the files to there instead and point his URL to those.

Eventually he found out the info and that's what I have done and so far, both his files and my site have not been hit.

Latest versions of all software running on your website.

Change all your passwords to more secure ones as someone has already said.

Done. I recently bought Windows 2008 Server ( Oh sometimes you learn the hard way don't you ) but that's taught me to use mixed characters. I have now made a fairly robust password that I hope is making things more secure.

They will never get it ... It's "AbC123" LOL

Change every password to a newly random generated 10+ character one, delete everything and re-upload it from a backup. See if it happens again.

Some (bad) hosting companies have shared platforms architected so that one compromised site on the server will allow you to traverse the entire filesystem and exploit all sites on a machine.

I'd move to someone reputable. We've now got to the point where we scan all uploaded php for obvious vulnerabilities automatically, we see dozens of sites a day with exploitable flaws as a result. A decent hosting provider will be doing similar. They won't be £1 a year types though...

Yes, I thought that 1&1 were fairly reputable and when I first got hit, they mentioned the .htaccess file and I have to be honest but I have never heard of that before.

But I have been hit now 7 times and the moment it stopped was when I did all these in one go.

And yes, had I been paying £1 a year then I would simply have to say tough, but I'm not... It's closer to £2
 