
Site was defaced...server wide what to do?

Discussion in 'Site & Server Administration' started by ElscottHavoc, Aug 1, 2013.

  1. #1
    So yesterday I was looking around on Google to see what was being displayed for my site when I came across my domain on hack-db.com.

    That's when I realized that a page had been added to my site without my consent, and upon further investigation it was a mass defacement of essentially every site on the same shared server from my host eleven2.com.

    I contacted my host and they disabled the script and informed me to remove 6 PHP files that were infected. Looks to me like this defacement is more of a graffiti game than anything seriously malicious, but it has me concerned now with the overall security of my site.

    Being that this was a server-wide attack, is this more of something my web host has to prevent or something I can take more personal defensive action against? My cPanel site scanner and Google Webmaster Tools never mentioned any malware. I just don't know where to go from here. The pages have been removed, however my site is still linked to on hack-db and it shows up on Google search, which I fear could turn people away from my site.
     
    ElscottHavoc, Aug 1, 2013 IP
  2. JoshDylan

    #2
    Well for one, if your web host is experiencing problems like this server-wide and they did not notice, it's time to change hosts. When it comes to website defacement, a majority of the time the hackers gain access through the means of outdated scripts, weak passwords, and code injection methods. A good step to take to help prevent the issue would be to ensure the scripts that power your website, for example WordPress, Drupal and phpBB, all remain up to date to ensure your installations are always using the latest security fixes.
     
    JoshDylan, Aug 2, 2013 IP
  3. scottlpool2003

    #3
    You can secure your website as effectively as possible, truth be told, if the server owner doesn't effectively secure their server then all your hard work is feeble.

    I agree with Josh, time to look for a new host and definitely get yourself up to speed with the latest security advancements. Make sure you're running the latest versions of everything too. Oh, and the age-old technique of regular backups!
     
    scottlpool2003, Aug 2, 2013 IP
  4. CandleKeep

    #4
    I would ask the host how the breach occurred, and how they will prevent it from happening again.

    Also consider moving.

    :)

    PS: There's a million different ways your website can be compromised, and if it was a server-wide attack, there are even more variables.
     
    CandleKeep, Aug 2, 2013 IP
  5. GodOfSEO

    #5
    This is why I never go with small hosts.

    The likes of HostGator, BlueHost, GoDaddy, RackSpace etc. will rarely have security breaches and the server security is pretty tight.
    I tend to run my own VPS which I manage the security on and have a friend who's fantastic at mitigation and general server security.
     
    GodOfSEO, Aug 3, 2013 IP
  6. Vincentas

    #6
    Never go with small or free hosts. You don't have any guarantees or security. Call your provider to figure things out.
     
    Vincentas, Aug 5, 2013 IP
  7. ServerPolice

    #7
    As many people said, you cannot do much in case your server is unsecured.

    Uploading a shell and defacing sites via symlink is too common these days, and the funny thing is 80% of hosts don't even know how to block them.

    Just go with a known host, or a host that is backed up by a professional management / security company.
     
    ServerPolice, Aug 10, 2013 IP
  8. MonsteRNaruto

    #8
    It goes both ways with hosts and clients. In general, hosting providers should secure their cPanels and shared hosting, but because it's shared hosting you are more likely to have something happen. And if your code isn't secure, there isn't necessarily anything the host could have done. This will depend on the method used to exploit your website. For the best possible security I would recommend you get a VPS/dedicated server, set up your own web server and secure it yourself, unless you get a good cPanel host :)
     
    MonsteRNaruto, Aug 16, 2013 IP
  9. binil

    #9
    Just move your site to a host having better security. Don't simply sign up for a host having cPanel. Some of these cPanels may be cracked ones, leaving you vulnerable.

    You can't implement your own security unless you are using a VPS or dedicated server. Only go for a VPS or dedicated server if you know you are in need of more power and have a good deal of knowledge in setting them up. Otherwise it's better to use shared hosting or a managed VPS.
     
    binil, Aug 21, 2013 IP
  10. Richard Vallée

    #10
    Unfortunately there's little chance the host is at fault here, since most will run your domain under a user with strict permissions. No host will guarantee any security outside of a service agreement, it would be too much work anyway.

    It's a constant chase and hackers are constantly looking to exploit any flaw they can find.

    If you have low traffic, you can monitor your access log, although you may have to add further logging of your own to include POST content (make sure to secure this log and it will be fine). You will most likely find a POST query with the filename of the malicious script being called. You can't really do that after the fact, unfortunately. You have to wait until the bot that succeeded tries again.

    If you have a sitemap, you can update the modified date of the pages and wait for Google to update its listing. On lower traffic sites, you have little control over this.
     
    Richard Vallée, Aug 21, 2013 IP
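
The access-log review described in post #10, as an added example that is not part of the original post: it lists successful POST requests to PHP files that are not expected to receive POSTs. The log lines, file names and the allow-list are constructed for illustration, and the combined log format is an assumption.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, hypothetical file names).
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jul/2013:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Jul/2013:09:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [31/Jul/2013:23:40:17 +0000] "POST /images/x.php?a=1 HTTP/1.1" 200 312 "-" "-"
203.0.113.45 - - [31/Jul/2013:23:40:19 +0000] "POST /images/x.php HTTP/1.1" 200 298 "-" "-"
192.0.2.10 - - [01/Aug/2013:00:02:44 +0000] "POST /contact.php HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Aug/2013:00:03:10 +0000] "POST /missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
not a log line
"""

# Assumption: the scripts on this site that legitimately accept POST.
KNOWN_POST_ENDPOINTS = {"/wp-login.php", "/contact.php"}

def suspicious_posts(log_text, known=KNOWN_POST_ENDPOINTS):
    """Return {path: [(timestamp, ip), ...]} for successful POSTs to PHP
    files that are not on the allow-list of expected POST endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                          # unparsable line or not a POST
        path = m["target"].split("?", 1)[0]   # drop the query string
        if not path.lower().endswith(".php") or path in known:
            continue
        if not m["status"].startswith("2"):   # skip 404s and redirects to cut noise
            continue
        hits[path].append((m["ts"], m["ip"]))
    return dict(hits)

if __name__ == "__main__":
    for path, events in suspicious_posts(SAMPLE_LOG).items():
        ts, ip = events[0]
        print(f"{path}: {len(events)} POSTs, first seen {ts} from {ip}")
```

The default access log does not record POST bodies, so this only shows which script was called, when, and from where.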
  11. Fervid

    #11
    I see this quite a bit. It's usually the result of another account on the server being compromised and you have a directory or files with permissions set to 777. Anything set to 777 is writable by everyone of course.
     
    Fervid, Aug 22, 2013 IP
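
An audit for the 777 problem raised in post #11, as an added example that is not part of the original posts: it walks a document root and reports anything with the world-write bit set. As an extension beyond that post, it also reports symlinks that resolve outside the document root, the mechanism post #7 mentions. The directory layout and file names are constructed.

```python
import os
import stat
import tempfile

def audit_docroot(root):
    """Walk `root` and return (world_writable, escaping_symlinks).

    world_writable: paths with the "other" write bit set (0777, 0666, ...),
                    i.e. writable by any account on a shared server.
    escaping_symlinks: symlinks whose target resolves outside `root`.
    """
    root = os.path.realpath(root)
    world_writable, escaping = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # inspect the link, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    escaping.append(os.path.relpath(path, root))
                continue                     # a symlink's own mode bits say nothing
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(path, root))
    return sorted(world_writable), sorted(escaping)

def build_sample_tree(base):
    """Constructed tree for the demo; all names are hypothetical."""
    root = os.path.join(base, "public_html")
    os.makedirs(os.path.join(root, "uploads"))
    for rel, mode in (("index.php", 0o644), ("uploads/cache.php", 0o666)):
        p = os.path.join(root, rel)
        with open(p, "w") as fh:
            fh.write("<?php // placeholder ?>\n")
        os.chmod(p, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    outside = os.path.join(base, "other_account.conf")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(root, "link.txt"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        writable, links = audit_docroot(build_sample_tree(tmp))
        print("world-writable:", writable)
        print("symlinks leaving docroot:", links)
```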
  12. ElscottHavoc

    #12
    Thanks for the replies all. Been really busy with our little baby and my full time job.

    I've contacted the hosting company and they've responded with very little in terms of reasoning. That company is Eleven2 and I've always thought they were a reliable host - at least from what I've read.
    I'm looking into moving to HostGator or BlueHost within the next month or so.

    I've always fixed some things on my site per your comments.
     
    ElscottHavoc, Aug 23, 2013 IP
  13. MonsteRNaruto

    #13
    Aww, HostGator/Bluehost... people seem to think that suggesting the biggest is the most suitable, but then you see multiple bad reviews on multiple forums about their support etc. Not to mention the WHMCS hack where HostGator gave the root login details out to some random person that called and asked? Guess it depends on what you think and your knowledge of the hosting world.
     
    MonsteRNaruto, Aug 23, 2013 IP