Website being hacked every few days

I have a bit of an issue with my site.

Some sod is hacking into it all the time and to be honest, I don't really know what I can do about it... Not really.

Ok, first of all, they seem to be putting a .htaccess file in each folder.

I cannot have one, not even a dummy one, otherwise the pages just won't load at all and I don't know why.

I have to go in and remove them from each folder and a few minutes later the site is back up.

Unfortunately it's happened a number of times and so I am looking at the FTP logs now and sure enough, the IP shows up (as you'd expect it to) and it's showing up as 173.236.69.60 and on checking that with whois, it turns out to be a company based in London (and others apparently) and it's a network & security firm called Inferno Solutions (probably some git in his bedroom more like).

Anyway, what can I do to stop this from happening again?
 
Most hosting sites have a block IP option, might be the quickest way to resolve the problem.

I want to try blocking the IP from the htaccess file however, no matter what I do, even if I have a dummy / empty htaccess file, the site does not show up at all? - I have to have no htaccess file at all for some strange reason?

This is what I had in mind

----
order allow,deny
deny from 173.236.69.60
deny from 173.236.69.
allow from all
----

I don't really have a clue to be honest, but I have plopped it in to give it a shot anyway.

Is there no phone number for this 'company'? Mind providing a link to the site?

That's just it, no...

I have simply gone by WHOIS with the IP and it gave me that info

It did however give an address

I have a sneaky that it could be a fake address and / or IP but then when I do a search I find the company is a network hacking company, and so it certainly feels like they are hacking into me for sure.
 
Well, that's just it... They don't seem to have changed a thing, except for the .htaccess file.

You cannot access the site when the file is there, and as soon as I delete it, I get access to the site again.


---

The site is really only my own mess-about site but I also knocked up a website for my brother's business too.

www.fatrakoon.co.uk
www.northwales-cases.co.uk

The North Wales cases one is simply a folder on my own webspace of course.

And there is no clever code or anything of the sort... It's all fully HTML and I have done it to be compatible with every browser and the most complex thing is frames but nothing else.

Blocking IP
Yes, but for now that's all I can think of doing that is within my limited experience in these matters.

SINGLEHOP ?

I saw that, but it also showed By Network Solutions and then Inferno Solutions...
I was confused... still am... more so now?
 
Thanks again for the replies guys... Ok, where are we?

What software are you running on your site? They are most likely exploiting osCommerce, phpBB, vBulletin, etc.

I'm not very good at web design. My website was written on an old Atari ST and now it's done on my TT. I use a program called QED to write the HTML (QED is the same as NotePad) and CAB to display the pages (CAB is a very old Netscape clone).
All my pages are basic HTML and the most complex bits are frames, but apart from that, there is no scripting of any kind, no special code or anything like that.

What's the content of this .htaccess file they are putting on the server?

I may have a copy of the file still on the HD and a quick look didn't find one right now.
So, I cannot answer this question yet sorry.

If all else fails you could always try switching to a more secure hosting provider.

Done. Sort of... I will explain.

I am with 1&1

My brother's website is held on the main server, inside a folder on my website, and his URL simply forwarded to the location.

I am absolutely 99% sure that whoever did this has done it to his site and it's affected my entire lot too!
I say this because while I'm not an expert, I'm not a knob either and the logs definitely showed his site was the last one looked at, every time it got hit, and by the same IP too.

Now, I have asked him to find out if his provider also offers a basic website and if so, then I can simply FTP the files to there instead and point his url to those.

Eventually he found out the info and that's what I have done and so far, both his files and my site have not been hit.

Latest versions of all software running on your website.

Change all your passwords to more secure ones as someone has already said.

Done. I recently bought Windows 2008 Server (oh, sometimes you learn the hard way, don't you) but that's taught me to use mixed characters. I have now made a fairly robust password that I hope is making things more secure.

They will never get it... It's "AbC123" LOL



Change every password to a newly random generated 10+ character one, delete everything and re-upload it from a backup. See if it happens again.

Some (bad) hosting companies have shared platforms architected so that one compromised site on the server will allow you to traverse the entire filesystem and exploit all sites on a machine.

I'd move to someone reputable. We've now got to the point where we scan all uploaded php for obvious vulnerabilities automatically, we see dozens of sites a day with exploitable flaws as a result. A decent hosting provider will be doing similar. They won't be £1 a year types though...

Yes, I thought that 1&1 were fairly reputable and when I first got hit, they mentioned the .htaccess file and I have to be honest but I have never heard of that before.

But I have been hit now 7 times and the moment it stopped was when I did all these in one go.

And yes, had I been paying £1 a year then I would simply have to say tough, but I'm not... It's closer to £2
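
Added example, not part of the thread or any poster's own code: one way to answer "what's in the .htaccess file they are putting on the server" before deleting the copies. It walks a local copy of the site (assumed to have been downloaded over FTP), groups every `.htaccess` by content hash so one file dropped into many folders shows up as a single group, and lists the directives worth reading. The function names, the directive list and the sample tree are constructed for illustration; the thread never shows the real file.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Directives worth reading closely in an .htaccess nobody remembers writing.
# Illustrative list, not exhaustive.
REVIEW = re.compile(
    r"^\s*(RewriteRule|RewriteCond|Redirect\w*|ErrorDocument|AddHandler|"
    r"AddType|SetHandler|php_value|php_flag|DirectoryIndex)\b", re.I)

def scan_htaccess(root):
    """Group every .htaccess under root by SHA-256 of its content."""
    groups = defaultdict(lambda: {"paths": [], "newest": 0.0, "review": []})
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, "rb") as fh:
            data = fh.read()
        g = groups[hashlib.sha256(data).hexdigest()]
        g["paths"].append(os.path.relpath(path, root))
        g["newest"] = max(g["newest"], os.path.getmtime(path))
        if not g["review"]:
            text = data.decode("utf-8", "replace")
            g["review"] = [l.strip() for l in text.splitlines() if REVIEW.match(l)]
    return dict(groups)

def report(root):
    """Print one block per distinct file: copies, newest mtime, lines to read."""
    for digest, g in scan_htaccess(root).items():
        when = datetime.fromtimestamp(g["newest"], timezone.utc)
        print(f"{digest[:12]}  {len(g['paths'])} copies, newest {when:%Y-%m-%d %H:%M}Z")
        for p in sorted(g["paths"]):
            print("   ", p)
        for line in g["review"]:
            print("    review:", line)

def build_sample_tree():
    """Constructed sample: the same file dropped into three folders."""
    root = tempfile.mkdtemp()
    dropped = "RewriteEngine On\nRewriteRule ^ http://placeholder.invalid/ [R,L]\n"
    for sub in ("", "images", "cases"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
            fh.write(dropped)
    return root

if __name__ == "__main__":
    report(build_sample_tree())
```

The newest modification time in each group can be matched against the upload entries in the FTP log to confirm which session wrote the files.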
 