All of my websites are on the same shared server and they were all defaced today, taken to this page: http://magelangcyber.web.id/ I was able to easily replace index.php with backups and everything is all fine and dandy, but how do I prevent a deface like this from happening in the future? I am under the suspicion that it is not anything I can do on the client side, but that it is a security hole on the server side. I talked to my host provider and they gave me a speech about how it must be an exploit from the client side, but how can this be true if some of the websites defaced were just plain ol' HTML, not using databases, and therefore not exploitable? Doesn't it seem more likely that there is a security hole in the server, which is something that can only be fixed by my web host? What do I do to prevent something like this from happening again? Can anyone give me the rundown on how a website is defaced -- is there any good online documentation on that? Appreciate the help.
About 70% of website defacements/hacks/etc. are completed by uploading a remote shell (a PHP script that lets them execute commands on your server remotely). If you are using scripts (forums, counters, etc.), you should check the web access/error logs in order to find out how exactly they uploaded the remote shell.
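The log check this reply recommends, as an added example that is not from the thread: a few POSIX shell functions that triage an Apache combined-format access log for the traces a dropped web shell leaves behind. The log lines are constructed sample data, and "/uploads/" standing in for a directory that should only ever serve static files is an assumption; substitute your own upload paths.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Apache combined-format
# access log for the traces a web-shell upload leaves behind.
# The log lines are constructed sample data; "/uploads/" as the static-only
# directory is an assumption to replace with your own upload paths.

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:56:01 +0000] "POST /forum/upload.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:56:20 +0000] "GET /forum/uploads/avatar.jpg HTTP/1.1" 200 9987 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:57:02 +0000] "GET /forum/uploads/img.php HTTP/1.1" 200 4022 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:57:40 +0000] "POST /forum/uploads/img.php?act=cmd HTTP/1.1" 200 1288 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2010:14:01:11 +0000] "GET /contact.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"'

# Count lines without the leading spaces some wc implementations print.
count_lines() {
    awk 'END { print NR }'
}

# Requests (on stdin) for executable scripts under a directory that should
# only serve static uploads. A hit means a script was written where none
# belongs, which is how a dropped shell is normally reached afterwards.
script_requests_in_upload_dirs() {
    grep -E '"[A-Z]+ [^ ]*/uploads/[^ ]*\.(php|phtml|php[0-9])(\?[^ ]*)? HTTP/'
}

# For each flagged script path, report the client IP and timestamp of its
# first request. The upload itself happened shortly before that moment.
first_sighting_per_path() {
    script_requests_in_upload_dirs |
    awk '{
        path = $7; sub(/\?.*/, "", path)          # drop the query string
        if (!(path in seen)) { seen[path] = 1; print path, $1, $4 }
    }'
}

# POST requests that precede the first sighting of a given path: these are
# the candidates for the request that performed the upload.
# $1 = script path as printed by first_sighting_per_path
posts_before_first_sighting() {
    awk -v path="$1" '
        { p = $7; sub(/\?.*/, "", p) }
        p == path { exit }                        # stop at the first sighting
        $6 == "\"POST" { print }
    '
}

# Stand-alone run: show what the sample log reveals.
printf '%s\n' "$SAMPLE_LOG" | first_sighting_per_path
printf '%s\n' "$SAMPLE_LOG" | posts_before_first_sighting /forum/uploads/img.php
```

On a real server, replace the sample with `cat /path/to/access_log | first_sighting_per_path`; the POST that `posts_before_first_sighting` surfaces names the script (here the forum's upload handler) whose input handling needs fixing or updating.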
You need to back up your files (/var/www/) and your database (mysqldump, for example), then copy your logs (/var/logs/) to understand how you have been defaced (you can also contact your local CERT), and finally you'll need to reinstall the complete system (too hard to clean every rootkit and backdoor). Good luck.
Oftentimes a mass defacement like that is due to a vulnerability in some admin software or something else common to all your sites. For instance, are you using phpMyAdmin, osCommerce, OpenX, Zen Cart, WordPress, Joomla, etc.? If so, you should know that all of these need to be kept up-to-date at all times. Otherwise, hackers will find out before you do about an exploit, and they'll find your sites and infect them. "Lucky" for you it was only a defacement. We've been seeing more and more infections on e-commerce sites where the only changes are where the hackers insert code that sends them each and every credit card transaction. So, update your software immediately. Then change all of the passwords: FTP, database, cPanel, etc., because the hackers probably have them by now.
Problem is, sometimes it's not even your fault. If you are on shared hosting, other sites may upload a compromised script, and the entire server is affected.
You should install an anti-virus locally. If you get a virus, it will try to infect index.php files using a bug in your FTP client. FileZilla is known to have this kind of issue.
The contact us form is vulnerable ground that hackers use to execute a remote shell. What I do is disable it and manually create a new page just to show your contact details. Never allow any field which lets clients write their input, as it is the most vulnerable spot to penetrate.
I don't think this is the proper way to think. What if there were no forms on websites? The proper way is to use secure contact forms.
thedark, you are correct. If you properly sanitize all input, then you don't have to worry about your forms. Hackers like popular software exploits. So if you're using phpMyAdmin, older Joomla, older WordPress, older plugins, etc., they will find them and exploit them. You have to subscribe to RSS feeds from all software vendors you're using on your site, and when they update their software, you have to update your site.
Reinstall your CMS, or else try searching Google for your problem. But hiring a developer to fix it is, I think, the best way to get your pages fixed.
Personally, I wouldn't even consider using secured forms, because whatever you do with them, eventually some clever hackers will still be able to get in as long as you allow an input box for them. It would be better just to remove/disable it and create a new non-editable field to put the contact details in.
Here is a checklist for web application security:
1: Sanitize all user input. Never trust any form of input.
2: Do not expose private implementation through public methods. If you are doing this in your code, something is wrong.
3: Verify, verify and re-verify your permission bits on Linux. This is imperative.
4: Lock down any admin portals you have; only allow access from one IP if possible.
5: KEEP YOUR CMS SOFTWARE UPDATED! If you are running Drupal 4.x or WordPress 1.0, do you really think that they are secure? If you are using a CMS, make sure that you back up your data and check for updates daily. It takes 10 minutes, 20 minutes if you use more than one CMS.
If he is using shared hosting, chances are the first four will be too complicated for him. Get your host to run a virus scan on your account and check for any backdoors or shells that may be residing within your files. After this, you can check your access logs to see how these were set up and where the vulnerability is. Update that software (you should be updating everything anyway) and protect it. If you are using apache, you can password protect specific directories; do this for the administration folders of all your software. Use a different password so that even if your main password is compromised, access is limited.
The first two are code related. He has complete control over this if he is writing the code. Sanitizing user input is the coder's job. Three is configurable with any decent host. I used shared hosting and I had control over my permissions. It is not that complicated.
My suggestion: back up your database and don't ever use premium themes or plugins that you're not really expecting. Sometimes themes or plugins have several holes to inject into your website and create scripts to download your data files, so be careful.
This post has been of great help to me too. I'm going to make sure I back up all my websites. I would hate to lose everything.