Has Your Website Been Hacked Recently? You Might Want to Check Now!

[Tin]

Hi

There seems to be some unsavoury things going on involving a number of the UK's largest and most popular hosting companies at the moment. I accidentally noticed something odd when I veiwed the source code of a home page last week, it contained hundreds of active links to other websites which clearly shouldn't have been there. When I looked at a sample of those other sites they too had all been hacked (not the usual virus/malicious hack). The hacker hits the home page only, a php file is placed in the root domain which results in a shed load of links being added at the base of the home page together with an additional page added to the site with more links in it. It's affecting eCommerce as well as static non dynamic sites.

It's easier to give you an example...

Here's one hacked site (hosted at Heart Internet)

http://www.theukpetshop.co.uk/

Right click on the home page and view source
Go down to the bottom of the source and you'll see what I mean, those sites have been hacked too. This is the sort of file that's placed on the domain http://www.theukpetshop.co.uk/smiling.php?auk=tsunami-haiti

I spoke to the owner of one of the sites that'd been hacked, he cleaned the site by replacing his home page with a new version and removed the php file but he's been hacked again today.

Check your sites!

 

[An Oasis]

Hi Ray


Can see any problems but I've only checked a few sites. Is there a pattern or are random sites targeted?

BTW your SEO day was the best course I've ever attended, will never forget that day.

 

[KM-Tiger]

Ray,

Is there any indication of how the hack was done?

 

[Top Hat]

Ray,

Is there any indication of how the hack was done?

At a guess it would be virus that steals FTP logins and passwords, which it uses to infect web sites, that infect further users.

 

[Tin]

This isn't my area of experitse so unfortunately, I don't know how they got in. One of my clients has been hacked in the same way (I'm not his hosting company) his is a static site also on HI servers.

Hi Ray


Can see any problems but I've only checked a few sites. Is there a pattern or are random sites targeted?

BTW your SEO day was the best course I’ve ever attended, will never forget that day.

Very nice of you to say but I suspect it was memorable because you turned up at some unearthly time of the morning and caught us in dressing gowns

 

[rendy]

Check for out of date software packages such as wordpress, phpmyadmin, roundcube etc, as all these have had exploits which may allow access to your files, where they can add in links (they also could take all information stored in your hosting). They may have also added extra backdoors into your system, so ensure that your entire server is checked and all software upto date.

 

[stugster]

The virus is known as Troj/FakeAv-AAL by Sophos (http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaal.html) it also uses Troj/Sniffer-R (found here: http://www.sophos.com/security/analyses/viruses-and-spyware/trojsnifferr.html)

Synopsis: Troj/Sniffer-R monitors all network traffic, stealing and reporting FTP credentials to a remote site

 

[An Oasis]

Ta Stuggers. About time I moved all the sites to our Apache server

 

[stugster]

Narr. The location of sites is irrelevant. If you get a virus on your computer at home, and then you log on to your FTP, the password/username/etc. is sent to the hackers.

Just mind and have good virus protection on the go: AVG, Avast, Kaspersky, whatever. (Not MacAfee or Norton if you like your machine being fast).

 

[Top Hat]

We had a similar virus earlier in the year, got in via an out of date version of PDF reader.

So thats one to make sure is upto date to.

 

[sysops]

then you log on to your FTP

Are there people still using FTP? Really??

Own up - who is using FTP?

 

[Andy Walpole]

As a point "There seems to be some unsavoury things going on involving a number of the UK's largest and most popular hosting companies at the moment." It shouldn't have anything to do with the hosting company - and especially if they are large and popular as they'll have the proper expertise to secure their hardware and software.

There are three possible ways that the hacker got in.

One, you are using an old version of a CMS like Wordpress or Drupal and which already has a publicised security hole.

Secondly, it may be that a web designer has hand coded a website for you (used his own code and not a CMS) and they have found a security flaw in his work. (Only for dynamic code, not just HTML and CSS)

Thirdly, they have used software to "sniff" your FTP password. Information sent using an FTP client is in clear text and not secure. Make sure that you change your password to something completely un-guessable ^*(&&^R$&^*% as an example

Lastly though it should be pointed out that NO website is 100% secure. If a hacker has enough knowledge and enough determination then they will bring your website down. Unless you are the Amazons and Googles of this world and have the resources to deal with a concerted attack (If you've read today's news about Chinese hackers attacking Google then you'll realise that not even they are safe)

 

[Top Hat]

Are there people still using FTP? Really??

Own up - who is using FTP?

Yes we do, what should we use?

 

[sysops]

Yes we do, what should we use?

SFTP at the very least, so that the login credentials aren't sent in the clear. You can get an FTP server that supports SFTP for any OS.

We use SSH, our servers' file systems are mounted remotely onto a linux machine here, and appear as an extension of the local file system.

 

[That Guy]

I login via SFTP instead of the normal FTP will that make a difference or is the virus more like a key logger?

 

[ORDERED WEB]

I dealt with one of these attacks last night

Basically the site was deflecting GET requests, and the sever was responding with a 4xx response... but the new attack was more subtle. Even though GET requests are sanitised, sudenly one got through. this was done subtly spoofing the response code!

We cleaned, made some ammendments to the site, and it is now deflecting the attacks properly. It's worth mentioning that the site just passed a Security Metrics full PCI check

 

[mysterons]

Slightly different thing today here, we had a server which was being DDOS'd - fortunately I and my techies were on the ball and we managed to block the attacking IP addresses as they appeared and the worst we encountered was a few minutes of the server running slowly.

Glad to say normality has been restored - phew!

Cheers

Ewan

 

[ORDERED WEB]

Slightly different thing today here, we had a server which was being DDOS'd - fortunately I and my techies were on the ball and we managed to block the attacking IP addresses as they appeared and the worst we encountered was a few minutes of the server running slowly.

Glad to say normality has been restored - phew!

Cheers

Ewan

Seems rampant at the moment, we pretty much had the same thing last week

 

[sandforthintl]

Using Joomla for all my websites, I have always had problems with hackers from countries such as Turkey, Lebanon etc. In fact whenever I put my simplyibiza.com website up online it gets hacked - perhaps I am on some hit list!

Rgds - J

 

[MrsPWN]

What ARE you lot on about?
:redface::redface::redface:

 

[ORDERED WEB]

Thing is you need to make sure that not only Joomla is up to date but the extensions too. If you are fed up, dont click this depressing list: http://docs.joomla.org/Vulnerable_Extensions_List

By the way the latest version is 1.5.15, and 1.5.14 wasnt arround long!

 

[ORDERED WEB]

What ARE you lot on about?
:redface::redface::redface:

Websites get hacked / abused

Boring but needs addressing

 

[stugster]

... a server which was being DDOS'd - fortunately I and my techies were on the ball and we managed to block the attacking IP addresses as they appeared .

Psshhhh, you ain't seen a DDoS then

 

[debbidoo]

Are there people still using FTP? Really??

Own up - who is using FTP?

I FTP through a client for most sites, although there's one I'm working on at the moment for a client abroad who is using Godaddy (booooo) to host it, and I'm struggling to use the FTP client with that so I go in through the Godaddy control panel.

 

[sysops]

I FTP through a client for most sites, although there's one I'm working on at the moment for a client abroad who is using Godaddy (booooo) to host it, and I'm struggling to use the FTP client with that so I go in through the Godaddy control panel.

If your client's host supports SFTP, then it would be a good move to switch. Most site hacks are achieved through local port 21 sniffers, which capture the unencrypted username and password and send them on to the evildoers.

 

[debbidoo]

If your client's host supports SFTP, then it would be a good move to switch. Most site hacks are achieved through local port 21 sniffers, which capture the unencrypted username and password and send them on to the evildoers.

Thanks m'dear, I'll look into that

 

[groovyjon]

So if SFTP is installed on the host, is it just a case of downloading an SFTP client and connecting with that? Will the usernames/passwords be the same as the FTP ones we've been using (sorry!) or do they need to be configured.

 

[sysops]

So if SFTP is installed on the host, is it just a case of downloading an SFTP client and connecting with that?

Yes.

Will the usernames/passwords be the same as the FTP ones we've been using (sorry!) or do they need to be configured.

Depends on the host.

 

[groovyjon]

Right, I've downloaded WinSCP as an SFTP client, and it seems SFTP is running on the host.

The only way I could get it to connect is to "allow shell access to server with FTP's user credentials (/bin/bash)" in my control panel Plesk.

This is a bit beyond my knowledge, so can someone tell me if this is a good idea? It's only us that log on to the server, we don't have clients that have access. I'm keen to use SFTP after reading earlier posts!

 

[sysops]

Right, I've downloaded WinSCP as an SFTP client, and it seems SFTP is running on the host.

The only way I could get it to connect is to "allow shell access to server with FTP's user credentials (/bin/bash)" in my control panel Plesk.

This is a bit beyond my knowledge, so can someone tell me if this is a good idea? It's only us that log on to the server, we don't have clients that have access. I'm keen to use SFTP after reading earlier posts!

It's only a risk if your FTP details are also being sent in the clear. Change your ftp password, and make sure your new password is only ever used to connect via sftp, and you'll be fine.

 

[3cellhosting]

I have been using FireFTP for some while and it has sftp although the default is ftp.

Must say that for a free piece of software it works amazingly well and is quite user friendly, unlike my previous ftp which was SmartFTP.

David

 

[debbidoo]

Just checked my client (WISE-FTP 5) and this has an "SFTP (using SSH2)" option.

 

[groovyjon]

I've changed the password and uninstalled the previous FTP client so I can sleep a bit easier now. Thanks for your help sysops!

 

[deanzod]

If you do a whois on all the links in the hacked site you will see that every single site that has been hacked is hosted on HI. To me that says that heart has been infected and the coding of the sites (lots of static ones) themselves aren't the security hole.

 

[Jay-UK]

seems this has been fixed? I also saw BT and few other ISPs being hacked and people doin gthis link stuff?

 

[SannonsDad]

Hi Guys
Yes my site was hacked on Friday 14th January from an IP address in Riga, Latvia. The hackers are not really concerned at the trace as it also shows IP owners name address and telephone numbers. A simple google search using the data shows that they are a well known group raking in zillions of dinero.
Hack was the same as at the start of this thread, .php in root plus rogue directories. I only found out by accident as I noticed my business name showing as descriptive text across hundreds of sites while doing some SEO on Saturday morning. All url’s show the same signature eg: mydomain.whatever/au-printables-some other-text.htm or similar. Alarmingly a search using meta descriptions from my hacked site showed hundreds of other domains affected. Simple check with site owners confirmed that they had all been hacked with the same method. Intrigued, I started to sample other sites across my local area (Colchester) and found dozens of hacked sites. From there you can find 1000’s of sites across the globe that have been hacked. So far I have received replies from site owners I contacted at random across the UK, America, France and Australia all confirming being hacked with the same method. Interestingly, the majority of sites are all hosted with Heart Internet and Hostgator.
Surely this is a big issue and the worrying bit is how many people have been hacked and don’t know about it – YET !!!

 

[Jay-UK]

Heart have since put in a system which means ftp access is only given when YOU enable it for periods of time - so my question is - are you with heart internet?

 

[SannonsDad]

Yes I am with Heart Internet. Heart Internet put the automatic lock on some time ago after they inadvertently sent out emails to all the wrong people giving details of eXtend control panel passwords.

In my case I have over 50 domains with Heart Internet and all are locked by default. I have been hassling Heart for an answer as to how my site got hacked/passwords changed etc. etc. Here is their original reply:-

It appears that your site has been subject to an attack via a method known as script injection. Typically, this works by forcing a site to execute code when it was expecting to process another input, fake .txt files are often used for this purpose.

Because script injection attacks the site code itself, it is able to completely avoid webserver security. Unfortunately, some content management systems are extremely susceptible to this form of attack.

Load of old cobblers really. This particular site was static code, dead simple four pages of html. I now have a support call open with about 2 million updates from all up the Heart management chain but I doubt that I will get an admission of a security breach on one of their webservers. What I do know is that they took server 148 down on Monday and moved my site to server 232. Server 148 has not been back up since to the best of my knowledge.

Thanks for your interest Jay

 

[SannonsDad]

Just additional information regarding this website hack

 

[SannonsDad]

Seems that some of the 1000's of links generated by the hack are now turning nasty. What appeared to be a harmless link yesterday is now directing to a domain hosted in Russia. Now I am not going to publish details of the domain because if anyone tried to visit it they would definitely catch a real bad cold. I know this because I have a test PC that I am using for the purpose of examining the attack. Seems that the first thing that happens is that a new hosts file is written plus browser (in this case Firefox) is infected. Don't know much more at the moment.

Perhaps a moderator could advise on publishing the domain as some of you really clever people might want to probe it.