<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: RoboZZle hacked, and 100+ sites are still compromised</title>
	<atom:link href="http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/feed/" rel="self" type="application/rss+xml" />
	<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/</link>
	<description>On programming, technology, and random things of interest</description>
	<lastBuildDate>Thu, 29 Jul 2010 00:28:29 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<item>
		<title>By: Eurania</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-634</link>
		<dc:creator>Eurania</dc:creator>
		<pubDate>Wed, 09 Dec 2009 01:41:33 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-634</guid>
		<description>That&#039;s the worst thing that can happen to a website. I think this might help: http://www.eduardobaret.com/2009/12/07/my-site-was-hacked-and-my-files-were-changed-reported-attack-site/</description>
		<content:encoded><![CDATA[<p>That&#8217;s the worst thing that can happen to a website. I think this might help: <a href="http://www.eduardobaret.com/2009/12/07/my-site-was-hacked-and-my-files-were-changed-reported-attack-site/" rel="nofollow">http://www.eduardobaret.com/20.....tack-site/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert Dillon</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-630</link>
		<dc:creator>Robert Dillon</dc:creator>
		<pubDate>Fri, 06 Nov 2009 18:46:51 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-630</guid>
		<description>Hi guys, I&#039;ve got a problem too. I have an online auction site that ran perfectly well until about a month ago, then it started to get really slow and pages were not opening as quickly as they should. I checked my files and found files for Halifax and other banks and a cleverly written page that has been planted on my server amongst my files; it looks like they were using this program page to get any info they wanted from my site and probably any other site on the shared server. I deleted just about everything I could find and kept all the files for future ref. Now I have an ugly link appearing over my home page at www.antiques-market.net; it leads to a directory page somewhere. Could someone shed some light on this and possibly how I can get rid of this link? I&#039;ve looked in my header.tpl but i file and can&#039;t find the code when I look into it, although I can see it when I look at the original source. This is the code that appears over my header code,&lt;!--LiveInternet counter--&gt;&lt;!--
document.write(&quot;&lt;a href=&#039;http://www.liveinternet.ru/click&#039; rel=&quot;nofollow&quot;&gt;&quot;)
//--&gt;&lt;!--/LiveInternet--&gt;&lt;!</description>
		<content:encoded><![CDATA[<p>Hi guys, I&#8217;ve got a problem too. I have an online auction site that ran perfectly well until about a month ago, then it started to get really slow and pages were not opening as quickly as they should. I checked my files and found files for Halifax and other banks and a cleverly written page that has been planted on my server amongst my files; it looks like they were using this program page to get any info they wanted from my site and probably any other site on the shared server. I deleted just about everything I could find and kept all the files for future ref. Now I have an ugly link appearing over my home page at <a href="http://www.antiques-market.net" rel="nofollow">http://www.antiques-market.net</a>; it leads to a directory page somewhere. Could someone shed some light on this and possibly how I can get rid of this link? I&#8217;ve looked in my header.tpl but i file and can&#8217;t find the code when I look into it, although I can see it when I look at the original source. This is the code that appears over my header code,<!--LiveInternet counter-->&lt;!&#8211;<br />
document.write(&quot;<a href='http://www.liveinternet.ru/click' rel="nofollow">&#8220;)<br />
//&#8211;&gt;<!--/LiveInternet-->&lt;!</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Hans</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-629</link>
		<dc:creator>Hans</dc:creator>
		<pubDate>Fri, 30 Oct 2009 00:33:58 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-629</guid>
		<description>I had the same problem with a shared hosting service I used to use. The hosting service merely blamed it on a weak, guessable password. I tried to help them by pointing out the complexity of my password was mathematically impossible to guess at random in a thousand years on top of the fact that I was aware of other clients and friends using their hosting service who had the exact same thing happen. All I cared about was helping them sort it out so it wouldn&#039;t happen again (as this was the second time in a few months my site got hacked). It became incredibly infuriating that, despite all the evidence I was laying out in front of them, they refused outright to admit that it was anything else other than a &#039;weak ftp password&#039;. Whatever the case, I came to a similar conclusion that either they had bad security and passwords were somehow leaked. In our case, it was a script that would update all index.php/html files with a hidden iframe and, in another case, adding an htaccess rule that would redirect to an external site if your referrer was a search engine (presumably to disguise it from the owner of the site, until the seo damage has been done). I then informed everyone I knew that hosted with their service and most of us left. It&#039;s one thing to hide the real truth from a casual user, but another to continue denying things from a group of people, who have evidence and display an obvious understanding of what&#039;s really going on. I now host my own servers and haven&#039;t had a problem since. Ubuntu server has a nice feature of letting you decide whether you want updates to be automatically applied as they come in, keeping your system patched, as well as ksplice, which allows you to patch your kernel without rebooting.</description>
		<content:encoded><![CDATA[<p>I had the same problem with a shared hosting service I used to use. The hosting service merely blamed it on a weak, guessable password. I tried to help them by pointing out the complexity of my password was mathematically impossible to guess at random in a thousand years on top of the fact that I was aware of other clients and friends using their hosting service who had the exact same thing happen. All I cared about was helping them sort it out so it wouldn&#8217;t happen again (as this was the second time in a few months my site got hacked). It became incredibly infuriating that, despite all the evidence I was laying out in front of them, they refused outright to admit that it was anything else other than a &#8216;weak ftp password&#8217;. Whatever the case, I came to a similar conclusion that either they had bad security and passwords were somehow leaked. In our case, it was a script that would update all index.php/html files with a hidden iframe and, in another case, adding an htaccess rule that would redirect to an external site if your referrer was a search engine (presumably to disguise it from the owner of the site, until the seo damage has been done). I then informed everyone I knew that hosted with their service and most of us left. It&#8217;s one thing to hide the real truth from a casual user, but another to continue denying things from a group of people, who have evidence and display an obvious understanding of what&#8217;s really going on. I now host my own servers and haven&#8217;t had a problem since. Ubuntu server has a nice feature of letting you decide whether you want updates to be automatically applied as they come in, keeping your system patched, as well as ksplice, which allows you to patch your kernel without rebooting.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Igor Ostrovsky</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-628</link>
		<dc:creator>Igor Ostrovsky</dc:creator>
		<pubDate>Thu, 29 Oct 2009 20:30:31 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-628</guid>
		<description>Michael: Thanks, you definitely make a valid point.

However, using versioning control in a shared hosting setting is problematic. E.g., the webhost for robozzle.com specifically does not support versioning control, at least not for Windows hosting.

I agree that the ability to use versioning control is an important thing to have in mind when choosing the host for a serious site, though.</description>
		<content:encoded><![CDATA[<p>Michael: Thanks, you definitely make a valid point.</p>
<p>However, using versioning control in a shared hosting setting is problematic. E.g., the webhost for robozzle.com specifically does not support versioning control, at least not for Windows hosting.</p>
<p>I agree that the ability to use versioning control is an important thing to have in mind when choosing the host for a serious site, though.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael Hill</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-627</link>
		<dc:creator>Michael Hill</dc:creator>
		<pubDate>Thu, 29 Oct 2009 20:23:04 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-627</guid>
		<description>This is exactly why people should not use ftp and instead use a versioning tool.  I work with clients who go through the same issues you have and it&#039;s a direct result of not implementing proper procedures in both your scripts and the method you use to push code and content to your site.

All professional sites need to have versioning control in their workflow.  A system like git would have saved you countless hours of finding exactly what files were changed (and when), which in turn gives you the method in which your site was exploited.  This is obviously not true with all attacks such as SQL injection which will not change your files but puts harmful data into your database.

In your case you could&#039;ve taken 2 seconds to find out what files were changed/added by simply doing this:

git status

In addition you should NOT be using ftp for site file transfers for anything you value.  FTP passwords are sent in plain text and it&#039;s not uncommon for them to be compromised.  I&#039;m assuming, however, that the tool that was used allowed for the exploiters to see your username/pass directly from the backdoor php script.  Transferring your files and changes to a site is also horribly inefficient.  Copy and Paste is a tool for people who don&#039;t understand the importance of security and their websites.  Instead you should be doing something like this:

Locally:
git commit -a -m &quot;Adding latest files and changes&quot;
git push origin master

On the server:
git pull origin master

And about 75% of your security issues would be resolved.</description>
		<content:encoded><![CDATA[<p>This is exactly why people should not use ftp and instead use a versioning tool.  I work with clients who go through the same issues you have and it&#8217;s a direct result of not implementing proper procedures in both your scripts and the method you use to push code and content to your site.</p>
<p>All professional sites need to have versioning control in their workflow.  A system like git would have saved you countless hours of finding exactly what files were changed (and when), which in turn gives you the method in which your site was exploited.  This is obviously not true with all attacks such as SQL injection which will not change your files but puts harmful data into your database.</p>
<p>In your case you could&#8217;ve taken 2 seconds to find out what files were changed/added by simply doing this:</p>
<p>git status</p>
<p>In addition you should NOT be using ftp for site file transfers for anything you value.  FTP passwords are sent in plain text and it&#8217;s not uncommon for them to be compromised.  I&#8217;m assuming, however, that the tool that was used allowed for the exploiters to see your username/pass directly from the backdoor php script.  Transferring your files and changes to a site is also horribly inefficient.  Copy and Paste is a tool for people who don&#8217;t understand the importance of security and their websites.  Instead you should be doing something like this:</p>
<p>Locally:<br />
git commit -a -m &#8220;Adding latest files and changes&#8221;<br />
git push origin master</p>
<p>On the server:<br />
git pull origin master</p>
<p>And about 75% of your security issues would be resolved.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ezra</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-626</link>
		<dc:creator>Ezra</dc:creator>
		<pubDate>Thu, 29 Oct 2009 19:20:22 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-626</guid>
		<description>I turn off FTP on all of my sites as FTP passwords are sent unencrypted and can be sniffed by any server in between the server and client -- probably at least 2 dozen servers.  If you use SFTP and don&#039;t save your password you should be in good shape.</description>
		<content:encoded><![CDATA[<p>I turn off FTP on all of my sites as FTP passwords are sent unencrypted and can be sniffed by any server in between the server and client &#8212; probably at least 2 dozen servers.  If you use SFTP and don&#8217;t save your password you should be in good shape.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Igor Ostrovsky</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-625</link>
		<dc:creator>Igor Ostrovsky</dc:creator>
		<pubDate>Thu, 29 Oct 2009 18:10:06 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-625</guid>
		<description>Brendan: Those are indeed the most common ways sites get attacked, but that wasn&#039;t the case this time. I know that the hackers had my FTP password because until I changed it, updates kept getting automatically uploaded to the site.</description>
		<content:encoded><![CDATA[<p>Brendan: Those are indeed the most common ways sites get attacked, but that wasn&#8217;t the case this time. I know that the hackers had my FTP password because until I changed it, updates kept getting automatically uploaded to the site.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brendan</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-623</link>
		<dc:creator>Brendan</dc:creator>
		<pubDate>Thu, 29 Oct 2009 18:05:12 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-623</guid>
		<description>It could just be a cross-site scripting attack or a SQL injection. You can check the DB for the URLs or code or look into sanitizing your user&#039;s input/use prevention techniques against XSS from affecting your site.</description>
		<content:encoded><![CDATA[<p>It could just be a cross-site scripting attack or a SQL injection. You can check the DB for the URLs or code or look into sanitizing your user&#8217;s input/use prevention techniques against XSS from affecting your site.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Anonymous</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-622</link>
		<dc:creator>Anonymous</dc:creator>
		<pubDate>Thu, 29 Oct 2009 16:17:41 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-622</guid>
		<description>Check out http://www.dasient.com</description>
		<content:encoded><![CDATA[<p>Check out <a href="http://www.dasient.com" rel="nofollow">http://www.dasient.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Anonymous</title>
		<link>http://igoro.com/archive/robozzle-hacked-and-100-sites-are-still-compromised/comment-page-1/#comment-621</link>
		<dc:creator>Anonymous</dc:creator>
		<pubDate>Thu, 29 Oct 2009 15:53:48 +0000</pubDate>
		<guid isPermaLink="false">http://igoro.com/?p=328#comment-621</guid>
		<description>This is the big danger of using shared hosting.  All it takes is one other user on your shared host that is vulnerable to someone uploading a .php or a .gif.php file with PHP embedded in the comments and all the sites on the server are compromised.  Then the hacker just opens the file and the server executes the embedded PHP code.  Anywhere on my sites that accepts file uploads, I put a .htaccess file that contains:  RemoveHandler .php to completely disable the ability to execute an uploaded PHP script.</description>
		<content:encoded><![CDATA[<p>This is the big danger of using shared hosting.  All it takes is one other user on your shared host that is vulnerable to someone uploading a .php or a .gif.php file with PHP embedded in the comments and all the sites on the server are compromised.  Then the hacker just opens the file and the server executes the embedded PHP code.  Anywhere on my sites that accepts file uploads, I put a .htaccess file that contains:  RemoveHandler .php to completely disable the ability to execute an uploaded PHP script.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
