scampsall — 2012-05-31T12:31:51-04:00 — #1
I found a malicious script on the homepage, which I deleted. Like an idiot I didn't change the login password after doing so, and the script reappeared. This obviously suggests that the hack is due to someone cracking into the account and not a code injection - I'm presuming a code injection is not actually a possibility as the site has no executable files (PHP, ASP etc., only JS) - could someone confirm that?
What I'm most concerned about is that I found a MySQL file ('horde.sql') when I backed up the site and wondered if this could be related? A little googling suggests this could be a normal file, but when I look up MySQL databases in cPanel there are none shown. I haven't created any (as I say, the whole site is just HTML/CSS), so could this be a dodgy database created under a different user account?
Thanks for any advice.
dklynn — 2012-06-03T04:52:50-04:00 — #2
Go to http://strongpasswordgenerator.com and create at least TWO very strong passwords (uppercase, lowercase, digits and special characters) of 12-15 characters in length.
Use one for your cPanel login and the other for the FTP login (and log in at both cPanel and your FTP in a secure mode).
DELETE everything you have on the website and reload from your original files.
Have your host use SuPHP rather than PHP as a cgi script to protect against requests that use a query string to alter PHP settings and load and execute PHP scripts from their websites using your account.
Database? Check your cPanel for a database and DELETE it immediately (you're obviously not using it so it should not exist).
Remember, hackers can load nefarious scripts into .html files (obviously, .js files, too) which can do evil things and you don't want to be taken advantage of.
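One way to put the "reload from your original files" advice on a repeatable footing is an integrity baseline: hash every file in the known-clean copy, then regularly compare what the host is serving against that record and look at any page whose script tags point somewhere they should not. The script below is an added example written for this thread, not code from any poster or from cPanel; the file names, hostnames and page contents in it are constructed sample data, and the allowlist of script hosts is an assumption you would fill in for your own site.

```python
"""Integrity baseline check for a static site.

Added example, not code from the thread. It assumes the workflow the
advice above implies: keep a known-clean copy of the site, record the
SHA-256 of every file in it, and regularly compare the copy the host is
serving against that record. Re-planting a script with stolen FTP or
cPanel credentials changes or adds at least one file, which this check
reports. Paths, hostnames and file contents below are constructed data.
"""
import hashlib
import os
import re
from urllib.parse import urlparse

# <script src="..."> references; quotes may be single or double.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
HTML_SUFFIXES = (".html", ".htm")


def read_tree(root):
    """Read every regular file under root into {relative_posix_path: bytes}."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(baseline, current):
    """Return sorted (added, removed, modified) path lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def foreign_script_hosts(html, allowed_hosts):
    """Hosts of external <script src> tags not in allowed_hosts (sorted).

    Relative URLs are same-origin and ignored; scheme-relative '//host/x.js'
    counts as external.
    """
    allowed = {h.lower() for h in allowed_hosts}
    found = set()
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):
            src = "http:" + src
        host = urlparse(src).hostname
        if host and host.lower() not in allowed:
            found.add(host.lower())
    return sorted(found)


def check_site(baseline_files, current_files, allowed_hosts=()):
    """Full report: file-level differences plus foreign script hosts per HTML page."""
    added, removed, modified = compare_manifests(
        build_manifest(baseline_files), build_manifest(current_files))
    foreign = {}
    for path, data in current_files.items():
        if path.lower().endswith(HTML_SUFFIXES):
            hosts = foreign_script_hosts(data.decode("utf-8", "replace"), allowed_hosts)
            if hosts:
                foreign[path] = hosts
    return {"added": added, "removed": removed, "modified": modified,
            "foreign_scripts": foreign}


# Constructed sample: a clean two-file site, and a copy of it with one
# page modified and one extra file planted.
CLEAN_SITE = {
    "index.html": b"<html><head><script src='/js/site.js'></script></head>"
                  b"<body>Hello</body></html>",
    "js/site.js": b"document.title = 'Hello';",
}
TAMPERED_SITE = dict(CLEAN_SITE)
TAMPERED_SITE["index.html"] = CLEAN_SITE["index.html"].replace(
    b"</body>", b'<script src="http://cdn.bad-example.test/x.js"></script></body>')
TAMPERED_SITE["css/.cache.js"] = b"// planted file (constructed sample)"

if __name__ == "__main__":
    # Real use: check_site(read_tree("clean_copy"), read_tree("copy_downloaded_from_host"),
    #                      allowed_hosts={"www.example.com"})
    report = check_site(CLEAN_SITE, TAMPERED_SITE, allowed_hosts={"www.example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the comparison against a fresh download of the site rather than against the files as they look in the FTP client, and keep the clean copy and its manifest somewhere the hosting account cannot reach; otherwise whoever holds the credentials can update the baseline along with the pages. Any entry in `added` or `modified` that you did not make yourself is the trigger to rotate the cPanel and FTP passwords again and reload from the clean copy.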
scampsall — 2012-06-04T05:59:36-04:00 — #3
This is great, thanks for the advice. I've done most of these steps but will look into the PHP advice and how to implement a regular strong password changing procedure.
The site is now back online too!
eastcoast — 2012-06-04T06:24:48-04:00 — #4
horde.sql may be associated with webmail (Horde is a common webmail application: http://www.horde.org/).
In addition to the measures DK has mentioned, it's also worth running a good malware scanner over your computer to be sure there's nothing leaking your FTP info (e.g. Malwarebytes Anti-Malware).
dklynn — 2012-06-04T20:10:41-04:00 — #5
Good point, Mike!
The host in question uses maldet to scan and can set it up with a CRON job to run on a ... daily? ... basis. It does a good job.