azam_net — 2013-01-10T18:28:39-05:00 — #1
I've been informed by our webhost that one of our sites has been hacked. By gaining unauthorised access to the site, hackers have been able to send out spam using our domain name (using from: firstname.lastname@example.org in the spam).
We've been asked to remove these violated files and close any security vulnerabilities before the webhost can restore the site. We've been able to identify the files and removed them.
However, how can we specifically pinpoint and close any security loopholes so that it doesn't happen again? The site is using lots of scripts etc. so we don't know where the vulnerability could lie.
We've ran lots of sites since the 1990s and never had a single security violation, so this situation is a new one to us.
Thanks a million for any advice.
dklynn — 2013-01-11T01:05:43-05:00 — #2
First, please remember that others can SPAM the world using your e-mail address as their Reply To: address, i.e., without accessing your server.
Since you've discovered that an attack had taken place, you have been hacked.
First, replace all your passwords with those you can create using http://strongpasswordgenerator.com - and make them STRONG! Don't forget ALL passwords, i.e., cPanel, e-mail, FTP and Telnet (if enabled). Eliminate all the entry points you don't need.
Have your host run and RErun maldet scans until there is no problem found then have them run by CRON on a regular basis. Maldet is a freeware app that admins won't let others setup and run but they will set it up for you if you ask (at least they do on WebHostingBuzz ... and WebHostingZoom before them).
If you're paranoid (and I am!), you can also generate a script which will compare and store hashed valued for your scripts (.php, .html and .js in particular) on a daily basis and CRON that, too!
You can never be too paranoid! "They" may not be out to get you but you may fall as an innocent victim of some hacker "just because he can."
ideamine — 2013-01-11T12:50:59-05:00 — #3
If its on a shared server, you will have to ask your host to find the source of the hack and give you suggestions regarding the nature of the hack and they will be able to give you pointers to assist you, as the nature of hacking has to be known to fix the loop holes. Since you are using scripts make sure to analyse them for loopholes as well. What DK mentioned is pretty much all you can do to secure your domain.
If you are on a VPS or a dedicated server you should also check your ssh keys and also see if there are any unknown/suspicious users as well as do a rootkit scan as well. rkhunter is a good tool to do a rootkit scan.
Also in addition to using strong passwords, changing them periodically is a good practice as well.
kreut — 2013-01-23T14:42:19-05:00 — #4
Hello! I just came across this concept, and it's a new one to me. I'm familiar with creating hashes for passwords, but I'm not quite sure what you mean by a hashed value for a script. Could you elaborate a bit?
dklynn — 2013-01-23T16:27:07-05:00 — #5
hash_file() is a convenient tool to use to obtain a hash value of a file. Hash values are of a fixed length and impossible to determine the original contents but the limited length makes it ideal to save in a database. When the newly generated value differs from the saved hash value, you've got a changed file. If a new file suddenly appears, it won't have a value in the database (ergo, a new file) and any file for which a new hash is not generated is obviously a deleted file.
You can create your own script very quickly (with a little knowledge of PHP and any database).
kreut — 2013-01-23T16:30:51-05:00 — #6
Thanks! Sounds like a powerful and easy to implement tool...