I just recently got hacked and noticed 2 PHP files on my domains... They are calling a domain for Pharmaceuticals...

How can I deal with this? I'm very surprised they got in because I have a *** digit password. Very strange...

Any suggestions?

Mike Hill
  • Was it a WordPress site? In some cases older versions of WP were susceptible to hacking.

    If not, you may want to contact your hosting company.
  • Profile picture of the author LMC
    Been Hacked... Been Pissed...Just Uploaded New Files and Contacted my Host.

    If you're using any scripts, most of them can be easily hackable through SQL injections like CMS systems like WordPress. A lot of scripts that are open source have too many open codes that can be hackable as well.
    • Profile picture of the author adamv
      Originally Posted by LMC View Post

      Been Hacked... Been Pissed...Just Uploaded New Files and Contacted my Host.

      If you're using any scripts, most of them can be easily hackable through SQL injections like CMS systems like WordPress. A lot of scripts that are open source have too many open codes that can be hackable as well.
      That's exactly what I did. I have no idea how the hackers did what they did but my webhost cleaned things up and I uploaded the files I had saved on my hard drive.
  • Profile picture of the author Mike Hill
    On these domains, 1 was a WP site and the others are membership sites using aMember.

    I contacted my host. Not all of my domains were affected (only 4) so that's a relief... Now I just have to figure out where the hell the hole is.

    Mike Hill
    • Profile picture of the author WareTime
      When I got hacked the hacker did a post to a particular WordPress file and was able to drop files in my other sites this way. The other sites were not running WordPress, but were PHP-based scripts. The timestamp on the files that were altered matched precisely the time of the call to WP. Never was able to figure out how the attack worked.

      I was able to block the attack by blocking the ip address that it came from. That worked for several months and then the same hacker or another one did it again from a different ip. Blocked that one and it hasn't recurred.

      They were adding a file and updating a base64 encrypted php file and when they did that I could tell because my site was instantly broken.
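WareTime's observation above (altered files whose timestamps match a POST to a WordPress file) can be turned into a repeatable check. This is an added example, not code from anyone in the thread: it finds PHP files wrapped in `eval(base64_decode(...))`-style obfuscation under a web root and lists the POST requests logged within a short window of each file's modification time. The combined access-log format, the two-second window, and every sample path and IP are assumptions.

```python
import os
import re
from datetime import datetime

# Apache/Nginx "combined" access-log line: client IP, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Obfuscation wrapper typical of injected PHP: eval() around a decoder call
OBFUSCATED_RE = re.compile(rb'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(', re.I)

def parse_posts(log_lines):
    """Return (epoch_seconds, ip, path) for every POST request in the log."""
    posts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            posts.append((when.timestamp(), m.group(1), m.group(4)))
    return posts

def scan_php(root):
    """Return {path: (mtime, obfuscated)} for every PHP file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    obfuscated = bool(OBFUSCATED_RE.search(fh.read()))
                found[path] = (os.stat(path).st_mtime, obfuscated)
    return found

def correlate(files, posts, window=2.0):
    """Map each obfuscated file to the POSTs within `window` seconds of its mtime."""
    hits = {}
    for path, (mtime, obfuscated) in files.items():
        if obfuscated:
            hits[path] = [p for p in posts if abs(p[0] - mtime) <= window]
    return hits

# Constructed sample log lines (documentation IP ranges, made-up request paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2009:14:03:21 +0000] "POST /blog/example.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Sep/2009:14:03:20 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '198.51.100.9 - - [12/Sep/2009:09:00:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0',
]
```

Run `correlate(scan_php(webroot), parse_posts(open(logfile)))` across every site on the account, since the dropped files may sit outside the WordPress install. Modification times can be reset by an intruder, so an empty result does not clear a file.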
      • Profile picture of the author zapseo
        Yes, the "base64" attack was what WP 2.8.4 was designed to fix.


        Originally Posted by WareTime View Post

        When I got hacked the hacker did a post to a particular WordPress file and was able to drop files in my other sites this way. The other sites were not running WordPress, but were PHP-based scripts. The timestamp on the files that were altered matched precisely the time of the call to WP. Never was able to figure out how the attack worked.

        I was able to block the attack by blocking the ip address that it came from. That worked for several months and then the same hacker or another one did it again from a different ip. Blocked that one and it hasn't recurred.

        They were adding a file and updating a base64 encrypted php file and when they did that I could tell because my site was instantly broken.
    • Profile picture of the author Ron Douglas
      Originally Posted by Mike Hill View Post

      On these domains, 1 was a WP site and the others are membership sites using aMember.

      I contacted my host. Not all of my domains were affected (only 4) so that's a relief... Now I just have to figure out where the hell the hole is.

      Mike Hill
      I was hacked before because I didn't upgrade my aMember software. The hackers really set up shop and were running a phishing scam with BofA bank accounts. I didn't even know until I noticed a huge spike in bandwidth and got an email from the bank's Internet Security department.

      The hacking went beyond simple files, they actually were running processes directly from the server. The host had to spend two days fixing all the issues. Luckily I backed up all my data or I would have lost my customer list for that site.

      Lesson learned - always upgrade your website's software to the latest version. They often issue new upgrades because of known security risks.
      • Profile picture of the author gottahave
        One thing many people forget with blogs is that they should be backing up (downloading a copy of) their blog on a regular basis.

        Most often, they have a copy of an ordinary website on their hard drive but forget to do anything about their blogs. There are plugins to automatically back up blogs on a regular basis and can save much heartache.
  • Profile picture of the author LMC
    Mike, If you send me the URLs I may be able to find the hole for ya

    After I was hacked a year ago on a network of 20 sites using WP, I researched into it and learned quite a bit.
  • Profile picture of the author zapseo
    Okay -- let's go thru this.

    1. Were you using WordPress 2.8.4?
    2. Does your hosting company use Apache/mod_security -- and, if so, what are your options in mod_security? MS should slow down or stop most XSS/SQL injection attacks.
    3. Are you using SFTP?

    WP tends to be pretty good about protection from common attacks -- that's one of the advantages of having many people looking at the source code. However, it ALSO means that you should be johnny-on-the-spot to upgrade when WP comes out with a new version because of security issues.

    This is particularly true for WP 2.8.4 -- where there has been an all-out assault against versions prior to WP 2.8.4.

    "finding the hole", as such, may not be possible. There are pieces of software, however, that will check your site (for free!)

    But it is ALSO true that there are companies that hire folks who work for hosting companies and pay them for sites they hack, say, by adding iframes (which doesn't appear to change the behavior of your page.)

    If you want to know more, feel free to contact me here on the forum.

    Live JoyFully!

    Judy Kettenhofen, Copywriter & Marketer's Geek
  • Profile picture of the author jacktackett
    Mike,
    definitely sucks when this happens. I've run several datacenters over the years and no matter how secure you think things are there's always a way in for hackers.

    You should make sure to maintain up-to-date patches on all your software and OS, or host with someone who does. As your sites grow you should also have a vulnerability scan done periodically to test your security and bring things up to best practices. Things in our industry change over time so what was secure last year may be a gaping hole this year.

    And of course this just screams to make sure you have proper backups. Test restores to make sure they work, and keep track of things as they happen - you don't want to restore a backup that's been compromised already.

    If you're on a shared hosting provider you have a bit less you can do/control. As you move up to dedicated servers etc please plan on having a sys admin or contractor available that can install and maintain your security and also analyze files to figure out who did what when.

    Again sorry this happened and good luck. If there's anything I can do to help out just let me know.

    best,
    --Jack
  • Profile picture of the author TimP
    There are two major vulnerabilities that have been actively exploited in the past few weeks. As mentioned above, the WordPress vulnerability has been made into a worm that has infected over 150,000 sites.

    The other major vulnerability that has recently been announced affects Microsoft IIS web servers. You can read about it here..

    Unfortunately, the number of new web site vulnerabilities is just skyrocketing lately. The software that I use to scan web sites has added an average of 15 to 20 new vulnerabilities every day for the last three months. Not all of these new vulnerabilities have been exploited yet, but there have been many web based businesses hit.

    I know of one business that was hit months ago, and they still haven't been able to recover their site, so be sure you have very good backups.
    • Profile picture of the author seamusb
      The only thing to do is to keep up to date with your WordPress upgrades. The WordPress guys have published a guide on keeping WP secure at

      WordPress › Blog How to Keep WordPress Secure

      There are also plugins available that will help with security for WP:

      5 Plugins to Keep WordPress Secure
    • Profile picture of the author zapseo
      Hey Tim,

      You seem to have respectable credentials and a nice company.

      I'm assuming the software you refer to, that scans websites, is the software you use to provide either all or part of the services that you provide as advertised in your signature?

      Live JoyFully!

      Judy

      Originally Posted by TimP View Post

      There are two major vulnerabilities that have been actively exploited in the past few weeks. As mentioned above, the WordPress vulnerability has been made into a worm that has infected over 150,000 sites.

      The other major vulnerability that has recently been announced affects Microsoft IIS web servers. You can read about it here..

      Unfortunately, the number of new web site vulnerabilities is just skyrocketing lately. The software that I use to scan web sites has added an average of 15 to 20 new vulnerabilities every day for the last three months. Not all of these new vulnerabilities have been exploited yet, but there have been many web based businesses hit.

      I know of one business that was hit months ago, and they still haven't been able to recover their site, so be sure you have very good backups.
      • Profile picture of the author TimP
        Thanks. I have been in the internet security field for 12 years now.

        Yes, the software I am referring to is the software I use for my business. I have learned that because new vulnerabilities are discovered every day, it is pretty much essential that websites are checked every day. Even though I have extensive experience in securing sites, I still scan my own sites daily because what is assumed to be secure today could easily be vulnerable tomorrow.



        Originally Posted by zapseo View Post

        Hey Tim,

        You seem to have respectable credentials and a nice company.

        I'm assuming the software you refer to, that scans websites, is the software you use to provide either all or part of the services that you provide as advertised in your signature?

        Live JoyFully!

        Judy