TechSpot

Websites been hacked

By petelyneey
Jan 26, 2007
  1. Hi all,

    Hope someone may be able to help me.
    I have had 3 websites maliciously hacked, 2 of them hosted with easyspace.com and one with easyinternetsolutions.co.uk. All of my homepages were directed to a trojan and all of the links were redirected to www.animeorge.com and loads of pop ups and trojan attempts. I have now removed all pages from the sites and reuploaded them but all links still go to another site; the pages work fine from my PC but not when uploaded. Could someone explain what is going on and how I can prevent it from happening again?

    Cheers
    Pete
     
  2. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    What sort of websites are they? What technologies do you use?

    Any PHP, ASP, Perl, other kinds of CGI?
    Did you code everything yourself or use components made by others?

    How do you upload your pages to these services? FTP is not secure, nor is HTTP. Do you have proper (complex) passwords? Any chance anyone has stolen your passwords?

    Since it was 3 sites, were they using some common component? Could it be that it is a personal attack by someone who doesn't like your person?
     
  3. petelyneey

    petelyneey TS Rookie Topic Starter

    I designed all the pages in Dreamweaver, nothing fancy, just HTML, as I am new to this really. No one could have known my passwords and they would not be easy to guess, as they are a combination of numbers and letters. I believe it to be a personal attack by a competitor. I have managed to sort out one of the sites but not the 2 hosted at easyspace. The HTML pages load but then do not display the image content, and the links do not link to where they should but go somewhere else, although the pages work fine from my PC hard drive; it's only when I upload to easyspace that I get the problem. I have opened a support ticket with them but will probably not get a reply until after the weekend. Would it be a good idea to post the site here, or I could email the link to anyone who could take a look for me.

    Cheers
    Pete

    Uploads are via cuteFTP
     
  4. archerebus

    archerebus TS Rookie

    Hello Pete,

    it so happens that the same attack you received, where the website gets
    redirected to www.animeorge.com, along with the trojan attempts, and
    loads of pop up ads has happened to us. We were hoping to see how far you
    got with this hassle, since we also need a solution.

    -- rv
     
  5. petelyneey

    petelyneey TS Rookie Topic Starter

    Hi archerebus,

    I found out that it was the ht.access file that had been compromised. I changed all of my passwords to my sites and renamed the ht.access file to ht. The ht.access file can be found in your public html folder, but by default it is hidden in most FTP software, so you will have to select view hidden files. I have also reinstalled my OS, since I was getting lots of problems with browser hijacking and just wanted to be 100% sure I was rid of any Trojans.
    Let me know how you get on.

    Pete
     
  6. jobeard

    jobeard TS Ambassador Posts: 9,322   +622

    Problem 1) the proper name for the file is .htaccess; it is a filename
    that has no file portion and only the dot extension

    It MUST be chmod to be -700 (rwx,---,---)
    In most cases, this file is unnecessary and SHOULD NOT be allowed.
    It may be found in any directory of the website.

    you might like to see this guide

    also be aware, this file is ONLY READ ONCE, at webserver startup.
    if your web hosting vendor has you as a virtual site (ie one server running
    several websites), then it's almost certain this file will NEVER get read
    as the webhost will not restart the real webserver just for you.

    Problem 2) If you upload a new page which contains links,
    and when you click on one of them it goes somewhere other than your site content,
    then a) be sure you empty your browser cache and try it again or
    b) you're a victim of DNS poisoning.

    You should only use links like
    href="subdir/somepage.html"
    href="/"
    href="../siblingdir/somepage.html"
    NEVER use the whole domain eg href="http://$mydomain.com/subdir/somepage.html"

    With your FTP interface, look at the privileges of every directory;
    if you login as the OWNER, then should all read d755 (rwx,r-x,r-x)
    otherwise they should read d775 (rwx,rwx,r-x).

    edit:oops. correct permission to this color
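
An added example (not written by any poster in this thread): a small Python audit for the situation described in posts 5 and 6. It walks a web root, hidden files included, and reports every `.htaccess` whose redirect directives point at a host outside an allow-list, or whose mode lets group or other write to it. The function names, the allow-list and the sample files (`redirect.example.net`, `www.example.com`) are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Apache directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b(.*)$",
    re.IGNORECASE)
# Literal host of an absolute URL; targets built from variables
# such as %{HTTP_HOST} do not match and are not reported.
URL_HOST_RE = re.compile(r'https?://([^/\s"$%:]+)', re.IGNORECASE)


def audit_htaccess(webroot, allowed_hosts):
    """Return (path, line_no, issue) findings for every .htaccess under webroot."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):  # os.walk lists dot-files too
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, 0, f"writable by group/other (mode {mode:o})"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                m = REDIRECT_RE.match(line)
                if not m:
                    continue
                for host in URL_HOST_RE.findall(m.group(2)):
                    if host.lower() not in allowed:
                        findings.append((path, no, f"{m.group(1)} -> external host {host}"))
    return findings


def demo():
    """Audit a constructed web root: one tampered file, one legitimate file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "shop"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\n"
                     "RewriteRule ^(.*)$ http://redirect.example.net/in.php [R=302,L]\n")
        with open(os.path.join(root, "shop", ".htaccess"), "w") as fh:
            fh.write("Redirect permanent /old http://www.example.com/new\n")
        os.chmod(os.path.join(root, ".htaccess"), 0o666)
        os.chmod(os.path.join(root, "shop", ".htaccess"), 0o644)
        return [(os.path.relpath(p, root), n, i)
                for p, n, i in audit_htaccess(root, {"www.example.com"})]
```

Run `audit_htaccess()` against a local mirror of the site with the site's own hostnames as the allow-list; a line number of 0 marks a permission finding rather than a directive.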
     
  7. archerebus

    archerebus TS Rookie

    Hey thanks, Pete and jobeard. I will be looking into fixing our site
    within the next few weeks. I will let you know of my progress.

    -- rv
     
  8. archerebus

    archerebus TS Rookie

    Hellos,

    Our problem is now fixed. According to our web hosting company a
    robot script was installed on the main page, a file called "ataccess".
    They said our password was hacked and the script installed. At first
    we thought it was a deliberate attack, but now we suspect it may have
    just been a random act.

    It's hard to say where the weak link was, but I suspect that when
    we first signed up with the webserver there were only a few other
    companies hosting on the same server, now there are about 900
    sharing the same server ... so it's possible one of those decided to hack the
    others on the server. The webserver company suggested we upgrade
    from the basic $9 a month to the more expensive $49 per month
    dedicated server.

    They also recommended we change our password from time to time.
     
Topic Status:
Not open for further replies.
