CrispyUK
16th January 2009, 17:39
Just thought I'd mention this as it's something we got caught out with this week...!
If you've ever tried out a script or program on your website, or used to use something and it's no longer in use - it's a good idea to remove the files from the server.
I got a message earlier in the week from one of our site team letting me know we'd been hacked, our homepage had been changed to a political message littered with profanity. After some digging around the server logs (never done this before so was quite pleased with myself to solve it!) I found some suspicious entries and traced it down to an old copy of flashchat that we'd experimented with in June 2006 and never removed.
Turns out this had a vulnerability and had allowed them to upload a PHP file into the flashchat directory, and from that they could edit pretty much what they liked on the server space.
Interestingly, the first thing I did after noting the edit time and taking a 'forensic' copy of the new homepage, was to throw up a quick page in our site colours stating we were offline for maintenance (I didn't have the correct homepage to hand). Shortly after doing that and while hunting for the entry point, it had been left in the same style but wording changed to another political message - are hacked sites usually monitored by the hackers? (I guess a long-standing edit is a bit of a trophy piece for them?)
So, if you think you've got anything like that sitting on your webspace, check it out, take a local backup in case you need it again and remove it :)
This also applies equally to keeping the scripts that are in use on your site updated, although you need to take more care with these and be careful if you've skinned or customised them in any way - updates often break them!
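The log-digging described in the post, as an added example in Python (not code from the original post): it pulls out every request into a directory of a retired script, flags uploads and hits on PHP files the package never shipped, and can be limited to traffic before the defacement time you noted. The combined-format log lines, the /flashchat/ paths and the file manifest are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" log format; only the fields needed for triage are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not from a real server); /flashchat/ stands in for the old, unused script.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2009:03:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2009:03:14:09 +0000] "GET /flashchat/upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2009:03:14:12 +0000] "POST /flashchat/upload.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2009:03:14:20 +0000] "GET /flashchat/x.php?cmd=edit HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2009:08:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Directories of scripts no longer in use: any request there deserves a look.
RETIRED_PREFIXES = ("/flashchat/",)
# Hypothetical manifest of PHP files the retired package shipped with; anything else was added later.
KNOWN_FILES = {"/flashchat/index.php", "/flashchat/upload.php"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching paths
    return rec


def triage(log_text, retired=RETIRED_PREFIXES, known=KNOWN_FILES, before=None):
    """Return (ts, ip, method, path, reason) for requests into retired dirs, oldest first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(retired):
            continue
        if before is not None and rec["ts"] > before:  # keep only traffic up to the defacement time
            continue
        if rec["method"] in ("POST", "PUT"):
            reason = "write to retired app (possible upload)"
        elif rec["path"].endswith(".php") and rec["path"] not in known:
            reason = "unknown PHP file executed (possible web shell)"
        else:
            reason = "access to retired app"
        findings.append((rec["ts"], rec["ip"], rec["method"], rec["path"], reason))
    return sorted(findings)
```

The first upload or unknown-script hit in the output is the candidate entry point, and its client address is the one to pull all traffic for across the rest of the logs.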