How are my sites getting hacked?

Hi all, I hope you can help.

This year two of my clients' websites have been “hacked”.

In the first case, keywords with links were inserted in amongst my client's real content across the whole site.

In the other case, an extra page was created which just had a load of nonsense, but amongst the nonsense were links to an external website.

In both cases the inserted content was relating to watches/handbags. The two sites are with two completely different web hosting companies.

The first site was built with a custom PHP CMS, so I wondered whether somehow SQL injection was taking place (although some static HTML pages were affected also).

The second site is all just static .html files, some javascript (lightbox JS etc), so I am intrigued as to how someone could just gain access and upload a new page.

I wondered whether anyone could explain how this could happen, what should I be looking for etc?

In both cases I do not have FTP logins stored on my computer, so I can't see my system being the cause.

Many thanks in advance
Dan

Well, I think the most common way for this to happen is if there are any forms that allow users to input data. If the data is not sanitized and/or if the query to insert said data is not parameterized, you’re leaving yourself open to it. I believe PHP has built-in methods for “scraping out” HTML that allows them to insert links.

I’m not too familiar with cross-site scripting (XSS) attacks, but it would be a good idea to Google all you can about it.

There are other ways, but I don’t want my boss giving me the hairy eyeball, so I gots to scoot. Hope this helps.

V/r,

:slight_smile:

Awesome, many thanks. I’ll have a look into those 2 things initially

Cheers

There is a detailed post in the stickies about recovering from a hack: http://www.sitepoint.com/forums/showthread.php?634630-Resources-on-web-application-security&p=5324870&viewfull=1#post5324870

You might find that useful.

Change your password monthly and do not discuss your password with any person.

Additionally, make sure that all passwords are STRONG passwords. “password123” is not a strong password. Strong passwords are at least 10 characters long, and use a combination of special characters, numbers, and upper- and lower-case letters. Actually, it’s usually easier to remember a pass phrase than a password. Examples (and don’t use any of these, these are just for example):

$Th|s_C@n_b3_con5ider3d_str0ng*$
! 1 <3 Pr0gr4mm1ng CoD3 %
&%n0
@cC3ss_f0r_Y0U!

check chmod in FTP website http://www.sitepoint.com/forums/showthread.php?634630-Resources-on-web-application-security&p=5324870&viewfull=1#post5324870

That is paranoia :slight_smile:

On topic:

  • scan your systems for viruses and malware
  • change your FTP passwords (use some strong passwords)
  • remove any cracked / nulled software that you have
  • secure your scripts
  • Voila :slight_smile:

rh1,

An ounce of paranoia trumps many pounds of site rebuilding to remove hacking residuals (backdoors).

Of your list, you forgot to KEEP CMS APPS UP TO DATE and VALIDATE EVERY USER-SUPPLIED PIECE OF DATA.

Regards,

DK

That’s not paranoia; that’s attempting to be secure in a day and age of the internet where XSS and SQL-injection attacks (along with MITM and others) are more than just commonplace.

Study for a Security+ exam and you’ll see.
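
For the "what should I be looking for" question in the first post, the sketch below audits a webroot for the two symptoms described there: pages that were never deployed and links to hosts the site owner does not recognise. It is an added example, not code from any poster in this thread; the manifest of known pages, the host allowlist, the function names and the sample site (including `spam.example`) are all assumptions made for illustration.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkHosts(HTMLParser):
    """Collect the host of every absolute or protocol-relative <a href>."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "a" and name == "href" and value:
                try:
                    host = urlparse(value.strip()).hostname
                except ValueError:  # malformed URL in injected markup
                    continue
                if host:
                    self.hosts.add(host.lower())

def audit_webroot(root, known_pages, allowed_hosts):
    """Return sorted (relative_path, finding) tuples for pages needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in known_pages:  # e.g. an uploaded extra page
                findings.append((rel, "page not in deployed manifest"))
            parser = LinkHosts()
            with open(path, encoding="utf-8", errors="replace") as fh:
                parser.feed(fh.read())
            for host in sorted(parser.hosts - allowed_hosts):
                findings.append((rel, "link to unlisted host " + host))
    return sorted(findings)

def demo():
    pages = {  # constructed sample site; spam.example is a hypothetical host
        "index.html": '<a href="/about.html">About</a>',
        "about.html": '<p><a href="http://spam.example/watches">watches</a></p>',
        "xyz.html": '<a href="//spam.example/bags">bags</a> lorem',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_webroot(root, {"index.html", "about.html"}, {"www.example.com"})
```

Run it against a downloaded copy of the live site, with the manifest taken from your own clean source files; anything it reports is a page to compare against the original before cleaning up.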