Thread: Site hacked!

Hiya,

It depends on what kind of server you are running. On Unix based systems rootkits can be installed into a directory called dot dot space (.. ) which looks like the notation for the parent directory.

I seriously doubt that deleting files and folders will do anything to elay your fears. Rootkits can embed themselves deep onto your machine and sometimes can load into the kernel which means that the only way to get back to full health is to perform a complete wipe and reinstall on the box.

Rootkits are notoriously difficult to get rid of. It might look like you've cleaned it all up, only for the rootkit to lie dormant for a few weeks, only to respawn at a later date.

On most linux distros you can install "chkrootkit" and run this on regular intervals. You can set this up automatically and get it to flag what it finds and email you a report. There's tons of these security scanners available.

HI Allstar

Originally Posted by php.allstar

Hiya,

It depends on what kind of server you are running. On Unix based systems rootkits can be installed into a directory called dot dot space (.. ) which looks like the notation for the parent directory.

I seriously doubt that deleting files and folders will do anything to elay your fears. Rootkits can embed themselves deep onto your machine and sometimes can load into the kernel which means that the only way to get back to full health is to perform a complete wipe and reinstall on the box.

Rootkits are notoriously difficult to get rid of. It might look like you've cleaned it all up, only for the rootkit to lie dormant for a few weeks, only to respawn at a later date.

On most linux distros you can install "chkrootkit" and run this on regular intervals. You can set this up automatically and get it to flag what it finds and email you a report. There's tons of these security scanners available.

OK - thanks for that. It's a Unix box, by the way, on a business hosting package from Reg365.

As I say - the site's long overdue for a redesign - and I suspect that we may well want to move the hosting at the same time....

It's one of those 'how far do you go?' questions at the moment -
a quick peek at the site index page shows that it's actually got two '<head>' sections - which seems like one more than it really needs....

...so changes in the sort-term will be limited to sorting out some duff links, changed phone numbers and out-of-date events - without trying to re-engineer the thing any more than is absolutely necessary.

..can of worms, anybody ?? <g>

The things we get involved with <g>
- I must learn to say 'No - don't know nuffin' about that, Guv' when asked!

Thanks
Adrian

Is it a CMS powered site?

If it's an old install of Joomla (for example) it's probably been exploited ..

HI Michele

Originally Posted by blacknight

Is it a CMS powered site?

If it's an old install of Joomla (for example) it's probably been exploited ..

Apparently not... thought it was at first but it seems to be an unholy mix of html, javascript, toe of bat and eye of newt (as far as I can see).

You know the sort of thing - loads of super-fading-into-each-other BIG photos on the front page - more animated gifs than you could shake a stick at - and a nice scrolling 'thingy' on the right hand side... yuk!

Car crash web design ! <g>

Supposing we dump the existing hosting contract and move the site - then it's the hosting company's job to sanitise the directory structure.... would I be right ?

Thanks
Adrian

Originally Posted by adrian5750

Supposing we dump the existing hosting contract and move the site - then it's the hosting company's job to sanitise the directory structure.... would I be right ?

I'm not sure I follow you ...

If you dump the current host and move .. and then upload a new site ie. none of the old stuff .. then the problems will go away (I presume..)

HI Michele

Originally Posted by blacknight

I'm not sure I follow you ...

If you dump the current host and move .. and then upload a new site ie. none of the old stuff .. then the problems will go away (I presume..)

Yes - sorry - I didn't make myself clear...

Plan A would be to move hosts <g>
Ideally, I'd want to have the new site running on the new host -
but, if that wasn't possible (time constraints) then carry across only the necessary stuff from the old site to the new host - taking particular note of any scripts/php-type files...

I've not had the pleasure of dealing with a hacked site before - I suppose if there is an infestation then it could be 'anywhere' in the sitefiles.....

Would that be a correct assumption ? - or would you expect anything nasty to bury itself somewhere else on the server ?

Thanks
Adrian

TBH it depends on how bad the "problem" is. It could simply be one or two files or there could be something nasty buried deep on the server .. though on a shared server it's doubtful it would be able to "hide" for very long.

Unless you're 100% sure that the files you're uploading to the new server are 100% clean you could still have issues, though that's more likely to happen with a CMS powered site anyway...

I've recently taken on the job of updating an old Joomla site, only to find out subsequently that the site has been hacked. Seeing that the original site is a a fairly straight forward brochure type site, it will be easier for me to create new site in html, rather than try and fix/update old Joomla site.
Declan.

Going back on my previous post about a possible rootkit, this theory now seems less likely, now that you have mentioned that the site is on a shared host.

Generally speaking, hosting companies (who know what they are doing!) pull all the right strings to prevent the risk of rootkits.

However, I would check to see if there are any directories with full write permissions 0777 which is a big no no unless you have user and group permissions firmly locked down. This is an area that opens the door for defacers to get in and do their worst.

I learned that the hard way when I first started out, had a site defaced, then being a curious cat, I decided to research the whole area and see if I could do it myself. When I found our there were readily available scripts that provided this ability I gave up on the whole subject as it's only script kiddies who use these.