Hello, something happened to our site last November and this page was created: http://www.bragardusa.com/Canada_Goose_Parka.html , with the purpose of funnelling PR to a third site. I've figured out a way to remove this page from Google's index and block it from future crawling, but I was wondering how this happened. Has anybody had a similar problem, and how do you protect yourself from this happening again? Thanks a lot!
Change the password to your cPanel (if applicable), email and FTP accounts. Are you using WordPress anywhere?
The site looks like it uses Magento; they might have hacked in through the login page. Maybe you can bring up the access logs and figure out where they got in? I would change passwords everywhere and make sure they did not install a backdoor in your site.
Definitely change passwords. In most situations, I would recommend backing up Magento, wiping the account, reinstalling and restoring. It's a pain but you'll remove any backdoors.
So you think that the only way they could have managed to do this is through the login page? There are some fishy FTP accounts which I am going to remove. Access logs are useless at this point, since it was done 3 months ago. They've also managed to make this file immutable.
Unfortunately, 3 months after the event, it's hard to say. Could be the host, a Magento exploit, FTP use or anything really. It's just a danger of having a site.
The owner, I'm afraid. If your CMS was out of date, you should have updated it. If your passwords were weak, you should have strengthened them. If your CMS had exploits, you should have patched them. If your server host was vulnerable, you should have moved servers.
The owner's proficiency with CMS and hosting doesn't go beyond opening emails. So in other words, the people who developed the site and managed the hosting setup are to blame?
If you paid someone to set up your website _and_ maintain it, then the blame stops with them. If they set up the website a year ago and had no more involvement, the blame stops at the owner. More to the point, what's blame going to solve? It's happened; fix it and move on.
I have to explain to the owner why this happened and what has to be done to avoid such screw ups in the future.
You need your CMS to be up to date at all times. Someone mentioned Magento; if that's the case, the owner or whoever is in charge should be, or should make someone, responsible for the site.
- Any 3rd party scripts or addons should be patched and up to date, with regular monitoring.
- All web/FTP accounts that are not essential should be deleted, and enforce password change policies.
- Regularly review access logs.
- Request a firewall from your host if the site is of importance.
- Take regular backups.
- Use a dedicated server (managed, unless someone knows what they're doing) instead of shared hosting/VPS.
Those steps you should take all the time, not just after an attack.
What you should do now is review your access logs, as someone mentioned, and change all administrative passwords on the site and the server itself. Also implement a lockout policy for failed logins to stop brute force attacks. You want to find out where they got in: was it via your site, or did you leave anonymous FTP access enabled? Perhaps your owner, who isn't so knowledgeable, wrote his/her password down? Or saved it on their desktop as passwords.txt and someone got in via their computer? There are hundreds of ways someone could have gotten access to your server, and not all of them mean your server was insecure. You're only as secure as your weakest link: if your owner used the same password for the site, Twitter, Facebook, Gmail etc. and someone got hold of it, your site is owned, and it could have been the most secure site in the world.
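The "review your access logs" and "lockout policy for failed logins" advice above, as an added example that is not part of the original thread: a small log-triage script that parses combined-format web server lines, counts non-redirecting POSTs to the Magento admin login per source IP (a brute-force signal), and finds the earliest request for the rogue page. The log lines are constructed for illustration, and the admin path and the 200-on-failure/302-on-success login behaviour are assumptions about a default Magento install.

```python
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" format; not taken from the thread.
# IPs are documentation addresses and the lines are in chronological order.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Nov/2012:02:09:58 +0000] "GET / HTTP/1.1" 200 18322 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Nov/2012:02:10:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4120 "-" "python-requests/1.0"
203.0.113.5 - - [14/Nov/2012:02:10:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4120 "-" "python-requests/1.0"
203.0.113.5 - - [14/Nov/2012:02:10:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4120 "-" "python-requests/1.0"
203.0.113.5 - - [14/Nov/2012:02:10:04 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "python-requests/1.0"
203.0.113.5 - - [14/Nov/2012:02:15:33 +0000] "GET /Canada_Goose_Parka.html HTTP/1.1" 200 9001 "-" "python-requests/1.0"
66.249.66.1 - - [15/Nov/2012:09:41:12 +0000] "GET /Canada_Goose_Parka.html HTTP/1.1" 200 9001 "-" "Googlebot/2.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_admin_logins(log_text, admin_path="/index.php/admin/", threshold=3):
    """Per source IP, count POSTs to the admin login that did NOT redirect.
    Assumption: Magento re-renders the login form with 200 on a bad password and
    answers 302 on success, so a burst of 200s from one IP is a brute-force signal
    and exactly what a failed-login lockout policy should cut off."""
    counts = Counter()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"].startswith(admin_path) and r["status"] == "200":
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def first_request_for(log_text, path):
    """Earliest (ip, timestamp) that requested the given path. For the rogue page this
    is the first moment it was reachable, which narrows down when the compromise happened."""
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and r["path"] == path:
            return r["ip"], r["ts"]
    return None

if __name__ == "__main__":
    print(failed_admin_logins(SAMPLE_LOG))
    print(first_request_for(SAMPLE_LOG, "/Canada_Goose_Parka.html"))
```

On a real server, feed it the rotated logs covering the suspected window (the thread's attack was months earlier, so the current log alone will not help) and confirm the admin path against the install's configuration.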
If you control your own box, try disabling sym-links. It doesn't look like a SQL injection, as the end result would reflect in your website's PHP files and the general running of your site (in most cases); they appear to have got access to your login details and uploaded a spoof index page. But still, I would check your database for 'base_64' strings or anything unusual. If you are going to continue to use Magento, keep it up to date, BUT most of all google how to 'harden' Magento installations.