Websites been hacked

Status
Not open for further replies.
Hi all,

Hope someone may be able to help me.
I have had 3 websites maliciously hacked, 2 of them hosted with easyspace.com and one with easyinternetsolutions.co.uk. All of my homepages were directed to a trojan and all of the links were redirected to www.animeorge.com and loads of pop ups and trojan attempts. I have now removed all pages from the sites and reuploaded them but all links still go to another site, the pages work fine from my PC but not when uploaded. Could someone explain what is going on and how I can prevent it from happening again?

Cheers
Pete
 
What sort of websites are they? What technologies do you use?

Any PHP, ASP, Perl, other kinds of CGI?
Did you code everything yourself or use components made by others?

How do you upload your pages to these services? FTP is not secure, nor is HTTP. Do you have proper (complex) passwords? Any chance anyone has stolen your passwords?

Since it was 3 sites, were they using some common component? Could it be that it is a personal attack by someone who doesn't like your person?
 
I designed all the pages in Dreamweaver, nothing fancy, just HTML, as I am new to this really. No one could have known my passwords and they would not be easy to guess as they are a combination of numbers and letters. I believe it to be a personal attack by a competitor. I have managed to sort out one of the sites but not the 2 hosted at easyspace. The HTML pages load but then do not display the image content, and the links do not link to where they should but go somewhere else, although the pages work fine from my PC hard drive; it's only when I upload to easyspace that I get the problem. I have opened a support ticket with them but will probably not get a reply until after the weekend. Would it be a good idea to post the site here, or I could email the link to anyone who could take a look for me?

Cheers
Pete

Uploads are via cuteFTP
 
Hello Pete,

it so happens that the same attack you received, where the website gets
redirected to www.animeorge.com, along with the trojan attempts, and
loads of pop up ads has happened to us. We were hoping to see how far you
got with this hassle, since we also need a solution.

-- rv
 
Hi archerebus,

I found out that it was the ht.access file that had been compromised. I changed all of my passwords to my sites and renamed the ht.access file to ht. The ht.access file can be found in your public html folder, but by default it is hidden in most FTP software so you will have to select view hidden files. I have also reinstalled my OS since I was getting lots of problems with browser hijacking and just wanted to be 100% sure I was rid of any Trojans.
Let me know how you get on.

Pete
 
petelyneey said:
I found out that it was the ht.access file that had been compromised. I changed all of my passwords to my sites and renamed the ht.access file to ht. The ht.access file can be found in your public html folder, but by default it is hidden in most FTP software so you will have to select view hidden files.
Problem 1) the proper name for the file is .htaccess; it is a filename
that has no file portion and only the dot extension

It MUST be chmod to be -700 (rwx,---,---)
In most cases, this file is unnecessary and SHOULD NOT be allowed.
It may be found in any directory of the website.

you might like to see this guide

also be aware, this file is ONLY READ ONCE, at webserver startup.
if your web hosting vendor has you as a virtual site (ie one server running
several websites), then it's almost certain this file will NEVER get read
as the webhost will not restart the real webserver just for you.

Problem 2) If you upload a new page which contains links,
and when you click on one of them it goes somewhere other than your site
content,
then a) be sure you empty your browser cache and try it again or
b) you're a victim of DNS poisoning.

You should only use links like
href="subdir/somepage.html"
href="/"
href="../siblingdir/somepage.html"
NEVER use the whole domain eg href="http://$mydomain.com/subdir/somepage.html"

With your FTP interface, look at the privileges of every directory;
if you login as the OWNER, then they should all read d755 (rwx,r-x,r-x)
otherwise they should read d775 (rwx,rwx,r-x).

edit:oops. correct permission to this color
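
The check discussed in this thread, as an added example that is not from any poster: it walks a local copy of the web root, finds every `.htaccess` (hidden, and possible in any directory) and reports redirect directives that point at a host other than your own, plus files writable by group or others. The host names and sample files are constructed, and `audit_htaccess` and `demo` are hypothetical names.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent",
                       "redirecttemp", "rewriterule", "errordocument"}
URL_RE = re.compile(r"https?://[^\s\"'>]+", re.IGNORECASE)

def audit_htaccess(web_root, own_hosts):
    """Return (path, line_no, reason) findings for every .htaccess under web_root."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        # A file that group or others can write to can be replaced by another account.
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, 0, "writable by group or others"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                parts = line.split()
                # Comments start with "#", which is never a directive name.
                if not parts or parts[0].lower() not in REDIRECT_DIRECTIVES:
                    continue
                for url in URL_RE.findall(line):
                    host = (urlparse(url).hostname or "").lower()
                    if host not in own:
                        findings.append((path, line_no, f"{parts[0]} -> {host}"))
    return findings

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        clean = os.path.join(root, ".htaccess")
        bad = os.path.join(root, "images", ".htaccess")
        with open(clean, "w") as fh:  # constructed: redirect within the site itself
            fh.write("Redirect /old http://www.example.org/new\n")
        with open(bad, "w") as fh:    # constructed: redirect to a foreign host
            fh.write("RewriteEngine On\n"
                     "RewriteRule ^(.*)$ http://redirect.example.net/$1 [R=302,L]\n")
        os.chmod(clean, 0o644)
        os.chmod(bad, 0o666)
        found = audit_htaccess(root, {"www.example.org"})
        return [(os.path.relpath(p, root), n, why) for p, n, why in found]
```

Run `audit_htaccess` against a downloaded copy of the site with your own host names in `own_hosts`; a line number of 0 marks a permission finding rather than a directive.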
 
petelyneey said:
Hi archerebus,

I found out that it was the ht.access file that had been compromised, I changed all of my passwords to my sites and renamed the ht.access file to ht,
....
Pete

Hey thanks, Pete and jobeard. I will be looking into fixing our site
within the next few weeks. I will let you know of my progress.

-- rv
 
Hellos,

Our problem is now fixed. According to our web hosting company a
robot script was installed on the main page, a file called "ataccess".
They said our password was hacked and the script installed. At first
we thought it was a deliberate attack, but now we suspect it may have
just been a random act.

It's hard to say where the weak link was, but I suspect that when
we first signed up with the webserver there were only a few other
companies hosting on the same server, now there are about 900
sharing the same server ... so it's possible one of those decided to hack the
others on the server. The webserver company suggested we upgrade
from the basic $9 a month to the more expensive $49 per month
dedicated server.

They also recommended we change our password from time to time.
 