HTML site attacked - have I done enough to rectify problems?

Hi,

So, I built my first website for a friend last year. It’s only seven pages of HTML and has only a few instances of JavaScript (Lightbox and an image slider on the homepage). Last week my friend was notified that the site had been blocked by Google and subsequently his account was suspended by the web hosting firm.

I found a malicious script on the homepage, which I deleted. Like an idiot, I didn’t change the login password after doing so, and the script reappeared. This obviously suggests that the hack is due to someone cracking into the account and not a code injection - I’m presuming a code injection is not actually a possibility as the site has no executable files (PHP, ASP etc., only JS) - could someone confirm that?

I’ve now changed the passwords for both the login and email login, as the email account was being used to send spam. I’ve updated all the JavaScript files to current builds and cleaned out a whole bunch of dodgy files from the home directory, including a bunch of PHP and images that were from the spam email.

What I’m most concerned about is that I found a MySQL file (‘horde.sql’) when I backed up the site and wondered if this could be related? A little googling suggests this could be a normal file, but when I look up MySQL databases in cPanel there are none shown. I haven’t created any (as I say, the whole site is just HTML/CSS), so could this be a dodgy database created under a different user account?

Thanks for any advice :slight_smile:

scamp,

  1. Go to http://strongpasswordgenerator.com and create at least TWO very strong passwords (uppercase, lowercase, digits and special characters) of 12-15 characters in length.

  2. Use one for your cPanel login and the other for the FTP login (and log in at both cPanel and your FTP in a secure mode).

  3. DELETE everything you have on the website and reload from your original files.

  4. Have your host use suPHP rather than PHP as a CGI script to protect against requests that use a query string to alter PHP settings and load and execute PHP scripts from their websites using your account.

  5. Database? Check your cPanel for a database and DELETE it immediately (you’re obviously not using it so it should not exist).

Remember, hackers can load nefarious scripts into .html files (obviously, .js files, too) which can do evil things and you don’t want to be taken advantage of.

Regards,

DK
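A way to make step 3 repeatable, as an added example that is not from this thread or from any of the posters: a small POSIX shell script that compares the live site (say, a fresh FTP download) against the clean originals and reports modified, missing or unexpected files, so a script that comes back or a stray PHP upload is spotted before Google is. The directory layout, file names and the tampering in the usage comment are assumptions.

```shell
#!/bin/sh
# Integrity check for a static site. ORIG is the clean copy the site was
# rebuilt from; LIVE is the deployed tree. A re-injected script shows up as
# MODIFIED, an uploaded PHP file or spam image as UNEXPECTED. Suitable for
# a daily cron job alongside the host's maldet scan.

# Print the SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "hash  relative/path" for every regular file under $1, sorted.
site_manifest() {
    ( cd "$1" && find . -type f | sed 's#^\./##' | LC_ALL=C sort |
      while read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# Compare ORIG ($1) with LIVE ($2): one line per finding, nothing if clean.
site_check() {
    orig="$1"; live="$2"
    # Originals that were changed or removed on the live copy.
    site_manifest "$orig" | while read -r sum path; do
        if [ ! -f "$live/$path" ]; then
            printf 'MISSING    %s\n' "$path"
        elif [ "$(hash_file "$live/$path")" != "$sum" ]; then
            printf 'MODIFIED   %s\n' "$path"
        fi
    done
    # Files that exist only on the live copy.
    ( cd "$live" && find . -type f | sed 's#^\./##' | LC_ALL=C sort ) |
    while read -r path; do
        [ -f "$orig/$path" ] || printf 'UNEXPECTED %s\n' "$path"
    done
}

# Succeeds only when site_check has nothing to report.
site_ok() {
    [ -z "$(site_check "$1" "$2")" ]
}

# Usage: sh site_check.sh /path/to/original /path/to/live
if [ "$#" -eq 2 ]; then
    site_check "$1" "$2"
fi
```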

This is great, thanks for the advice. I’ve done most of these steps but will look into the PHP advice and how to implement a regular strong password-changing procedure.
The site is now back online too!

Thanks again :slight_smile:

horde.sql may be associated with webmail (Horde is a common webmail application: http://www.horde.org/).
In addition to the measures DK has mentioned, it’s also worth running a good malware scanner over your computer to be sure there’s nothing leaking your FTP info (e.g. Malwarebytes Anti-Malware).

Good point, Mike!

The host in question uses maldet to scan and can set it up with a CRON job to run on a … daily? … basis. It does a good job.

Regards,

DK