Page 1 of 2
Results 1 to 15 of 17

Thread: Site hacked need help please.

  1. #1
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts


    Hi

    I was wondering if anyone could help me as my site has been hacked.

    In the source code there seems to be some JavaScript calling an iframe, but it is not in the source code on the server anywhere, so I can't delete it.

    I am running PHP on a Windows server.

    Does anyone know how this code is being injected?

    Ta

  2. #2
    Registered User

    Status
    Offline
    Join Date
    Jul 2007
    Posts
    419
    Thanks
    28
    Thanked 36 Times in 25 Posts
    Is the site database driven in any way? It could be that the JavaScript is in the database and only crops up when a page is rendered.

  3. #3
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    Nice one, yeah, checked for that and the database was clean.

    Anyway thanks for looking but the initial panic is over now as I found the rogue code in an include file and have removed it.

    It really pisses me off as this is the second time this year now the site has been hacked.

    The first time resulted in a ban by google for spyware distribution.

    Can anybody recommend any tools or applications I can use to monitor my site or protect it further from hackers?

    Ta

  4. #4
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    On Linux there are tripwire systems, which calculate a hash of each file's details and store it in a database. The hashes are recalculated on a regular basis, so if they don't match you know the file has been modified.

    Unfortunately, as I only use Linux servers I can't recommend any such software for Windows, but I'm sure there must be some. Try searching for tripwire and Windows and see if anything useful comes up.

    It wouldn't be too difficult to knock something like this up in PHP, so maybe that could be an alternative.
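The tripwire idea described above, as an added PHP example (this is not code from the thread or from any tripwire product): it records a SHA-256 hash of every file under the web root, then on later runs reports files that were added, changed or removed, which is exactly how an injected include file would show up. The paths `C:/inetpub/wwwroot` and `C:/integrity/baseline.json` are assumptions; the baseline deliberately lives outside the web root so that code running under the web server cannot rewrite it.

```php
<?php
// Added example, not code from the thread: a minimal tripwire-style file
// integrity checker in PHP.
// Usage:  php integrity.php baseline   records a SHA-256 of every file
//         php integrity.php check      reports added, changed and removed files
// Assumed paths: $root is the web root to watch; the baseline file is kept
// OUTSIDE the web root so code running under the web server cannot rewrite it.

$root     = 'C:/inetpub/wwwroot';          // assumed web root (forward slashes work on Windows)
$baseline = 'C:/integrity/baseline.json';  // assumed location, not web-accessible

// Walk the tree and return [relative path => sha256 of contents], sorted by path.
function hashTree(string $dir): array
{
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Diff two hash maps: an injected include shows up as 'changed', a dropped
// web shell as 'added'.
function compareTrees(array $old, array $new): array
{
    $report = ['added' => [], 'changed' => [], 'removed' => []];
    foreach ($new as $path => $hash) {
        if (!isset($old[$path])) {
            $report['added'][] = $path;
        } elseif ($old[$path] !== $hash) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($old) as $path) {
        if (!isset($new[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

$mode = $argv[1] ?? 'check';

if ($mode === 'baseline') {
    file_put_contents($baseline, json_encode(hashTree($root), JSON_PRETTY_PRINT));
    echo "Baseline written to $baseline\n";
    exit(0);
}

if (!is_file($baseline)) {
    fwrite(STDERR, "No baseline found; run 'baseline' first\n");
    exit(2);
}

$report = compareTrees(json_decode(file_get_contents($baseline), true), hashTree($root));
$dirty  = false;
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind), "\t", $path, "\n";
        $dirty = true;
    }
}
echo $dirty ? "Integrity check FAILED\n" : "All files match the baseline\n";
// Non-zero exit status so a scheduled task can alert when something changed.
exit($dirty ? 1 : 0);
```

Run `baseline` once on a known-clean copy of the site, then schedule `check` (Windows Task Scheduler, or cron on Linux) and treat a non-zero exit as an alert. Hashing file contents rather than just size or modification time matters: an attacker who can write the file can also reset its timestamp, but cannot make a modified file keep the same SHA-256. The baseline file itself should be writable only by the administrator account, otherwise a compromise of the web server account could simply re-baseline the tampered tree.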

  5. #5
    Registered User

    Status
    Offline
    Join Date
    Jul 2007
    Posts
    297
    Thanks
    0
    Thanked 1 Time in 1 Post
    Do you run antivirus on your server?

  6. #6
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    Yeah, I run AVG and also run the Windows malicious software program twice a day.

    Ta

  7. #7
    Registered User

    Status
    Offline
    Join Date
    Jul 2007
    Posts
    297
    Thanks
    0
    Thanked 1 Time in 1 Post
    OK, so it's not a virus infection. The obvious things to look for on a web server are SQL injection or a compromised FTP account. Anywhere you accept user input through a form or a URL parameter, it should be sanitised before you do anything with it.

    If you haven't already done so, change your FTP passwords.

    Do you have a firewall in place and do you have any other services apart from IIS and FTP accessible?
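What "sanitised before you do anything with it" looks like for a URL parameter, as an added PHP example (not code from the thread): the first function pastes `?id=` straight into SQL, which is the injection pattern the reply warns about; the second validates the parameter's type and then binds it with a prepared statement, so the database never interprets it as SQL. The `products` table, the column names and the mysqli connection details are assumptions; `get_result()` requires the mysqlnd driver that ships with modern PHP.

```php
<?php
// Added example, not code from the thread: handling a URL parameter safely.
// Assumes a table `products` (id INT, name, price) and these connection
// details, none of which come from the thread.

$db = new mysqli('localhost', 'webuser', 'assumed-password', 'shop');
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// UNSAFE: the raw query string becomes part of the statement, so anything
// placed in ?id= is executed as SQL. Shown only to contrast with the fix.
function lookupUnsafe(mysqli $db, string $id): ?array
{
    $res = $db->query("SELECT name, price FROM products WHERE id = $id");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// SAFE: reject anything that is not an unsigned integer, then bind the value
// as a parameter. Validation gives a clean 400 for junk input; binding makes
// injection impossible even if validation were later loosened.
function lookupSafe(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$row = lookupSafe($db, $_GET['id'] ?? '');

// Output escaping is the other half: data coming back out of the database is
// HTML-encoded so a stored <script> or <iframe> cannot run in the page.
if ($row) {
    echo '<h1>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), '</h1>';
    echo '<p>', htmlspecialchars((string) $row['price'], ENT_QUOTES, 'UTF-8'), '</p>';
} else {
    echo 'Not found';
}
```

The same two rules cover every other input: validate against what the value is supposed to be (an integer, one of a fixed list of sort columns, a filename without path separators), and never build a query, a filesystem path or an include path by string concatenation with that value. For the thread's iframe case, the `htmlspecialchars` step is what stops script stored in the database from ever reaching the browser as markup.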

  8. #8
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    I forgot to mention, I would have a scan through the rest of the site just looking for nasties left over. It depends how sophisticated the attack was, but from the sounds of it, it seems like a simple worm exploiting some hole.

    One of my servers got hacked the year before last by a person in Italy. I managed to reverse the trail and actually found out who they were and managed to talk to them on IRC. They were horrified that I had managed to track them down, but we got quite friendly sharing a mutual interest in computers. They actually told me what they'd done to my server, and whilst I thought it was totally clean I had actually missed a few bits which were very well hidden.

    One of the problems with compromised servers is that if you tell your host, they usually get really jumpy and take it straight off the net, so you can't get access to it to do anything. They then insist on wiping it completely before handing it back. Whilst this does make sense from a security point of view, it has the undesirable effect that people don't report hacks to their hosts as they don't want their server wiped. As a result, usually bits are missed and the server is then used to attack other servers.

    There is a particularly virulent worm going round at the moment that morphs each time it installs itself, so it's near impossible for virus checkers to pick up. Even a number of Fortune 500 companies and banks have been hit, and it's building a massive botnet estimated to comprise around 800,000 servers and PCs. These are constantly looking for new targets, as well as using the bots to send out spam emails. One single machine on the botnet was found to have sent over 500,000 emails.

  9. #9
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    Yep, I have changed all my passwords except the MySQL root one, which looks a bit complicated to change, but I am reading up on it now.

    I have no idea whether or not I have other services running, I will have a read about 'services' and what they are and let you know later.

    Ta

  10. #10
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    Not sure if you have command line access, but if you do, run the command:

    Code:
    netstat -a
    which shows all the connections to and from the server. It's likely anything living on your server will be contacting a server outside to get instructions. You should be able to see this in the list. If you don't know what something is, do a search on Google and it will give you a good idea if it's legit or not.

    To change the MySQL root password, from the command line run:

    Code:
    # -p on its own prompts for the current root password;
    # "password" is the mysqladmin command and newpass is the new password
    mysqladmin -u root -p password newpass
    If you don't have command line access, you can do it through phpMyAdmin if it's installed, or ask your host to do it; you don't have to mention why.

  11. #11
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    Thanks tbp, that's all changed now.

    Does everyone think it's worth me getting a firewall for my server, like ZoneAlarm or something?

    Ta

  12. #12
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    Someone is still busy trying to get in as they are trying to gain access to urls like

    mydomain.com/phpMyAdmin
    mydomain.com/admin
    mydomain.com/adminlogin
    mydomain.com/wp-admin

    etc. etc., which don't exist.

    Very annoyed with it all.

    Ta

  13. #13
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    That's pretty standard Barry, there are a ton of worms out there which have a long list of URLs which have been used in the past to compromise servers and they just try them all indiscriminately. A lot of the time you'll see URLs for Linux software being tested on Windows machines; the bots don't care, they just keep trying until they get in.

    Unfortunately, there isn't much you can do about it, it's just a fact of life.

    You could do with a decent firewall though, and I wouldn't have thought that Zone Alarm would be up to the job on a proper web server. Again though, unfortunately I can't recommend one for a Windows server. Probably a good idea to speak to your host and see what they recommend. Often they can implement a firewall on their networking hardware external to your server, which will be much better than one running on the server itself, as it will stop the malicious traffic before it even reaches your server. Configuring firewalls is also an art in itself; you only need one little gap in the armour for something to get in.
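The probing of `/phpMyAdmin`, `/admin`, `/wp-admin` and friends that #12 and #13 discuss is easy to spot in the web server's own log, and spotting it is the useful part: a client that collects 404s on several different admin paths in a short window is a scanner, and the list of IPs it produces is what you would hand to a firewall or to your host. Below is an added PHP example (not code from the thread) that reads an IIS W3C-format log, takes the column layout from the `#Fields:` header because IIS lets you choose which columns are logged, and reports clients that hit the probe paths. The log lines are constructed for the example; the IPs are documentation ranges.

```php
<?php
// Added example, not code from the thread: flag clients that probe for admin
// panels that don't exist, from an IIS W3C-format log. The sample log below is
// constructed; in real use pass a log file path as the first argument.

$sample = <<<'LOG'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-03-01 10:15:01 10.0.0.5 GET /phpMyAdmin/ - 80 - 203.0.113.9 Mozilla/4.0 404
2008-03-01 10:15:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 Mozilla/4.0 404
2008-03-01 10:15:02 10.0.0.5 GET /adminlogin/ - 80 - 203.0.113.9 Mozilla/4.0 404
2008-03-01 10:15:03 10.0.0.5 GET /wp-admin/ - 80 - 203.0.113.9 Mozilla/4.0 404
2008-03-01 10:15:10 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200
2008-03-01 10:15:11 10.0.0.5 GET /wp-admin/ - 80 - 198.51.100.7 Mozilla/5.0 404
LOG;

// Paths that do not exist on this site but are routinely tried by scanners.
// Extend this with whatever 404s your own log shows repeatedly.
const PROBE_PATTERN = '~^/(phpmyadmin|pma|admin|adminlogin|wp-admin|mysql)(/|$)~i';

// Return [client ip => [distinct probed paths]] for clients that hit at least
// $threshold different probe paths with a 404 response.
function scanProbes(string $log, int $threshold = 3): array
{
    $fields = [];   // column name => index, taken from the #Fields: header
    $hits   = [];
    foreach (preg_split('/\R/', $log) as $line) {
        if ($line === '') {
            continue;
        }
        if (strpos($line, '#Fields:') === 0) {
            $fields = array_flip(explode(' ', trim(substr($line, strlen('#Fields:')))));
            continue;
        }
        if ($line[0] === '#' || !isset($fields['c-ip'], $fields['cs-uri-stem'], $fields['sc-status'])) {
            continue;   // other directives, or data before any #Fields: line
        }
        $cols = explode(' ', $line);
        if (count($cols) < count($fields)) {
            continue;   // truncated line
        }
        $ip     = $cols[$fields['c-ip']];
        $uri    = $cols[$fields['cs-uri-stem']];
        $status = $cols[$fields['sc-status']];
        if ($status === '404' && preg_match(PROBE_PATTERN, $uri)) {
            $hits[$ip][strtolower($uri)] = true;
        }
    }
    $flagged = [];
    foreach ($hits as $ip => $paths) {
        if (count($paths) >= $threshold) {
            $flagged[$ip] = array_keys($paths);
        }
    }
    return $flagged;
}

$log = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (scanProbes($log) as $ip => $paths) {
    echo $ip, "\t", count($paths), " probe paths: ", implode(' ', $paths), "\n";
}
// With the constructed sample, only 203.0.113.9 is reported (4 distinct
// probe paths); 198.51.100.7 hit a single one and is ignored.
```

Counting distinct paths rather than raw requests keeps a legitimate visitor who mistyped one URL below the threshold, and keying on 404 status means a path you do actually serve never counts. On Windows the default IIS log directory is `%SystemRoot%\System32\LogFiles\W3SVC1\` (an assumption about a default install, not from the thread), and the same script works on an Apache log if the `#Fields:` handling is replaced with a fixed column map for the combined log format.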

  14. #14
    Registered User

    Status
    Offline
    Join Date
    Jul 2007
    Posts
    297
    Thanks
    0
    Thanked 1 Time in 1 Post
    Sorry mate, I think that was me. Just seeing if I could see anything obviously wrong with your setup.

  15. #15
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    No problem mate thanks for letting me know.

    Ta
