Website hacked 4 times in 1-1/2 days


mucklucks

Well that's it, Our site has been successfully attacked four times in a day-and-a-half. In the first attack, the hackers defaced over 1,500 sites besides ours.

Question 1) Can there be some malware embedded now in our website itself, in the files? After each attack we have restored from backup. Can it be that our backups are now infected?

Question 2) Can our computer now harbor an infection from the hackers?

Question 3) Is our problem the fault of our hosting service? Can any hosting service protect against hackers?

Question 4) What services or software should we use now on our site (on the files themselves) to detect and hopefully repair, malicious daemons?

All thoughts & comments will be most gratefully received!
 
1) Yes! Sloppy active content is the main cause of security breaches in web servers. If you use anything to do with PHP, ASP, Perl or any CGI stuff, then most probably that is the attack vector.

2) Maybe. You can be sure only by reformatting and starting over.

3) Could be. Depends on what kind of a service it is. If they are supposed to take care of the operating system, then they may have failed to patch some critical flaw.

4) If you use any ready-made products, subscribe to security alerts (CVE list if nothing else is available) and always make sure you have the latest version. If you have custom code, have it audited.

If you are supposed to take care of the operating system yourself, then things are a bit more complicated. You should hire some experienced administrator to secure the OS.
 
disclose the environment:
what OS / version
what Web Server / Version
what scripting services are installed (php, perl, mysql)
 
Details will come

Thanks, Nodsu & Jobeard for whiz fast replies. I should make clear that this is not my website, it is my sister's site. So I cannot answer all questions off top of head. But answers will come fast.

Nodsu, when you say 'sloppy content', you mean in the site files or in the server protocol? (The site, I know, was authored in Front Page.)

'Reformatting and starting over'--Do you mean rebuilding the site from scratch, or do you mean reformatting the _computer_ on which all the work was-and-is done, then rebuilding the site from scratch?

The hosting service is a small one, picked by the webmaster. They have been working overtime to get the site up after each attack. After the 3rd attack they "guaranteed 100%" that they'd closed _all_ doors. Wrong, as it turned out. So, yes, this seems to be a server error. We will move to another hosting service immediately.

Any recommendations, gentlemen?

Sorry for ignorance, what do you mean by "custom code". The site is mainly HTML, with a shopping cart and many reference links. Strange phrases were found yesterday in the HTML. (But is there anyway to scan HTML automatically?)

We are not supposed to take care of the server operating system ourselves. It is their job, and they are in turmoil...but so they should be.

Jobeard - You'll have your answers later today. As I said above, the site was made in Front Page using local OS of WinXP. About the server protocols, I'll shoot the answers back the second I have them.

Thank you, and Thank you,

mucklucks
 
If the service provider says that they had holes and they are plugging them, then this attack was probably their fault. Could have been a zero-day attack too of course. This means that maybe a flaw was exploited that didn't have a fix yet. Unfortunately there is not much one can do against those.

No, you don't have to do anything on the computer that you develop the website on (except for fixing any faults in the web site of course :) )

Plain HTML is safe, unless there are bugs in the web server software itself (which should be the problem of the service provider in your case). I'm not sure how one would implement a shopping cart in plain HTML though :)
Any scripts that run on either the server or the client computer are a potential security risk indeed.
 
Reply to Nodsu

I'm not sure how you run a shopping cart in HTML either -- we don't. It is an imported shopping cart, and it isn't the problem since five sites were hacked on our server--none of which had the same shopping carts.

I'm mighty glad we don't have to reformat the computer (I _really_ don't like going thru that!) And our computer shows clear in all scans we've run on it. Good.

How should we go about selecting a new _safe as possible_ hosting service? What would one look for in their service? We're thinking of Yahoo Small Business, hosting service, but we'd welcome other ideas. Have any?

All best, mucklucks
 
Just to put a cap on this thread, here's what I finally found had occurred re our server.

The webmaster, it turns out, has been hosting the site himself. He leases a server from a senior server company then sells his hosting services to his clients (i.e. a "virtual server".)

The senior server company from which he leases is so arranged that permissions (doors) do not close automatically after the webmaster FTPs changes. There is no problem when he uses Front Page for that leaves no open permissions.

But to close the doors after he has made a manual change he must telephone the master server and tell them to close those doors (!). There is no way, he tells me, that he is able to close the doors himself.

Wow! That sounds a little creaky to me, not to say rusty. That can’t be true of all server providers, can it?

Anyway that's what happened to us.

All thanks to you guys for your help,

mucklucks
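The thread ends without a concrete way to do the two things the posts keep circling: checking the site files for changes after a restore ("is there any way to scan HTML automatically?") and finding the "open doors" the webmaster says an FTP change leaves behind. The following is an added example written for this page, not code from anyone in the thread. It assumes a POSIX host where the web root is an ordinary directory tree: it records a SHA-256 manifest of every file, reports what was added, removed or changed on the next run (a defaced page shows up as "changed", a dropped script as "added"), and sweeps for files and directories writable by "other", clearing that bit. The web root contents, file names and the defacement it simulates are all constructed; it says nothing about Windows ACLs or a shared host's control-panel permissions.

```python
"""Baseline-and-diff integrity check plus a world-writable sweep for a static web root.

Added example for this thread; the sample site below is constructed, not real.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a planted link cannot make the scan read
    something outside the web root.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; return (added, removed, changed) as sorted lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def world_writable(root):
    """Return relative paths ('.' for root itself) whose other-write bit is set.

    Symlinks are skipped: their own mode is always 0777 and says nothing
    about the target.
    """
    root = Path(root)
    hits = []
    for path in sorted([root, *root.rglob("*")]):
        if path.is_symlink():
            continue
        if path.lstat().st_mode & stat.S_IWOTH:
            hits.append(path.relative_to(root).as_posix())
    return hits


def close_doors(root):
    """Clear the other-write bit on everything world_writable() reports; return what was fixed."""
    root = Path(root)
    fixed = []
    for rel in world_writable(root):
        path = root / rel
        mode = stat.S_IMODE(path.lstat().st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed


# Constructed sample site (hypothetical file names and contents).
SITE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>\n",
    "shop/cart.html": "<html><body>Cart</body></html>\n",
    "images/logo.txt": "placeholder\n",
}


def demo():
    """Build the sample site, record a baseline, simulate an attack, report and repair."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        for rel, text in SITE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        # Known-good state: 755 directories, 644 files, then record the baseline.
        for path in [root, *root.rglob("*")]:
            os.chmod(path, 0o755 if path.is_dir() else 0o644)
        baseline = build_manifest(root)

        # Simulate what the thread describes: a defaced page, a dropped script,
        # and a directory left world-writable after a manual change.
        (root / "index.html").write_text("<html><body>defaced</body></html>\n")
        planted = root / "shop" / "planted.php"
        planted.write_text("<?php /* constructed placeholder */ ?>\n")
        os.chmod(planted, 0o644)
        os.chmod(root / "shop", 0o777)

        added, removed, changed = diff_manifest(baseline, build_manifest(root))
        open_before = world_writable(root)
        closed = close_doors(root)
        open_after = world_writable(root)
        return {"added": added, "removed": removed, "changed": changed,
                "open_before": open_before, "closed": closed, "open_after": open_after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use the baseline manifest is taken from a clean restore and kept off the web server (it is only as trustworthy as the place it is stored), and the diff is run on a schedule; anything reported as added or changed that nobody uploaded is the defacement or the planted file. The permission sweep is the local counterpart of the "close the doors" phone call described above, but on a shared host it can only see and fix what the account's own user owns.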
 