Hacked

Discussion in 'Site & Server Administration' started by kandeman, Mar 21, 2006.

  1. #1
    Hi,

    I have a serious problem.
    Today my site got hacked. The site is based on the e107 CMS.
    The hacker only replaced the index.php file and nothing more.
    The big problem is that I'm leaving on holiday for 2 weeks in a few days and now I'm worried because if my site gets hacked when I'm gone there will be no one to repair it.
    What can I do to get my website in optimal condition against hackers?

    Greetz
     
    kandeman, Mar 21, 2006 IP
  2. l234244

    #2
    Update any outdated software and maybe pay a programmer to check your site daily. Make sure he has login/password details in case he needs to edit anything.
     
    l234244, Mar 21, 2006 IP
  3. tflight

    #3
    1) Make a backup of your entire server (or at least your website files and all server log files) for later diagnosis.

    2) Restore your website and make sure you are patched against all known e107 vulnerabilities.

    3) Figure out how the attacker got access by reviewing your server backup files, then protect yourself against that attack.

    The bottom line (as you indicated) is that someone has achieved access to your server. All you know is they replaced your index file; you don't know what else they might have compromised or might now have the ability to compromise. You need to figure out from the server logs exactly how they compromised your system.

    In most cases like these it is normally either a vulnerability in the CMS itself, or a vulnerability in another program you are using. If you are on a shared server then it could even be a program someone else is using, making diagnosis even more difficult. For example, there was a vulnerability a while back with a major stats program whereby if it was installed on the server then a remote attacker could replace the index file on every website on that server. This would have been totally out of the control of the webmaster on a shared server.
     
    tflight, Mar 21, 2006 IP
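
A triage sketch for the steps in post #3, added here as an example and not part of the original thread: `drift` compares the live web root against a pristine unpack of the same CMS release to show what else was added or altered, and `changed_near` lists files modified around the time index.php was replaced. The function names and the clean-copy directory are assumptions; GNU coreutils and findutils are assumed (`date -r`, `touch -d @EPOCH`, `sha256sum`).

```shell
#!/bin/sh
# Added example (constructed; not from the thread). Read-only triage helpers.
# Run them against the backup copy taken in step 1, not the live site.

# manifest DIR: one "sha256  ./relative/path" line per regular file.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# drift LIVE CLEAN: paths in LIVE that are missing from CLEAN or whose
# content differs. CLEAN is a pristine unpack of the same release
# (hypothetical directory). Files deleted from LIVE are not reported.
drift() {
    live_list=$(mktemp) clean_list=$(mktemp)
    manifest "$1" >"$live_list"
    manifest "$2" >"$clean_list"
    # Lines only in LIVE's manifest: new files and files with a changed hash.
    LC_ALL=C comm -23 "$live_list" "$clean_list" |
        sed 's/^[0-9a-f]*  //' | LC_ALL=C sort
    rm -f "$live_list" "$clean_list"
}

# changed_near ROOT REF [WINDOW]: files under ROOT whose mtime lies within
# WINDOW seconds (default 3600) of REF's mtime, REF being the replaced file.
# mtime can be reset by whoever wrote the file, so treat this as a first
# pass and rely on drift and the server logs for confirmation.
changed_near() {
    root=$1 ref=$2 window=${3:-3600}
    ref_t=$(date -r "$ref" +%s) || return 1
    marks=$(mktemp -d) || return 1
    touch -d "@$((ref_t - window))" "$marks/lo"
    touch -d "@$((ref_t + window))" "$marks/hi"
    # -newer is a strict comparison: lo is exclusive, hi is inclusive.
    find "$root" -type f -newer "$marks/lo" ! -newer "$marks/hi" | sort
    rm -rf "$marks"
}
```

Anything `drift` reports outside directories where the CMS legitimately stores uploads or cache files deserves a look before restoring, and the timestamps from `changed_near` give the window to search in the web server access log.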
  4. AfterHim.com

    #4
    They usually get in through holes in the CMS; plug them as well as you can.

    You could also put up a static index file that says you are on vacation and will be back in a week.

    Then remove the CMS files... reupload them when you get back.
     
    AfterHim.com, Mar 21, 2006 IP
  5. amnezia

    #5
    One of my e107 sites got hacked by a group from Turkey a few weeks back; there are several exploit scripts in the wild.
     
    amnezia, Mar 21, 2006 IP
  6. kandeman

    #6
    Hi,

    Thx for the quick replies, guys.
    I'll try and patch up all the holes but I'm indeed on a shared server.
    Btw, where can I find my server back files? I don't have cPanel access on this website :s
     
    kandeman, Mar 21, 2006 IP
  7. guru-seo

    #7
    Make sure you have the latest software version. Probably a vulnerability in the software version. Sorry to hear.
     
    guru-seo, Mar 21, 2006 IP
  8. Nintendo

    #8
    chmod 444 the file, so it can only be viewed. If he has your username and password...that's a different story.
     
    Nintendo, Mar 21, 2006 IP
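
A check to run alongside the `chmod 444` suggested in post #8, added here as an example and not part of the original thread. On Unix, renaming, deleting or recreating a file is governed by write permission on its directory rather than by the file's own mode, so the sketch reports both; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads mode bits only; changes nothing.
# Permission-string columns from `ls -ld`: 3 = owner w, 6 = group w, 9 = other w.

mode_of() { ls -ld -- "$1" | cut -c1-10; }

# pin_check FILE: list every write bit that still lets someone change FILE's
# content after `chmod 444 FILE`. No output means the mode bits pin the file.
pin_check() {
    file_mode=$(mode_of "$1")
    dir_mode=$(mode_of "$(dirname -- "$1")")
    for entry in owner:3 group:6 other:9; do
        who=${entry%%:*} col=${entry#*:}
        if [ "$(printf %s "$file_mode" | cut -c"$col")" = w ]; then
            echo "file writable by $who"
        fi
        # Renaming, deleting or recreating a file needs write permission on
        # its directory, not on the file, so 444 on the file does not stop it.
        if [ "$(printf %s "$dir_mode" | cut -c"$col")" = w ]; then
            echo "dir writable by $who"
        fi
    done
    # Sticky bit (t/T in column 10): only a file's owner, the directory's
    # owner or root may rename or delete entries in this directory.
    case $dir_mode in *[tT]) echo "dir sticky" ;; esac
    return 0
}
```

A file's owner can always restore its write bit, so on hosts where PHP runs under the account that owns the site files, any "owner" line applies to the CMS itself as well as to FTP logins.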
  9. illusion

    #9
    I say it is mostly the software that is vulnerable, a lot of people with e107 are getting hacked. Either swap software or buy a laptop :p
     
    illusion, Mar 21, 2006 IP
  10. l234244

    #10
    Where did posts 2,3,4,5,6 go?
     
    l234244, Mar 21, 2006 IP
  11. Nintendo

  12. l234244

    #12
    eh? I'm sure I replied to the 1st post
     
    l234244, Mar 21, 2006 IP
  13. tflight

    #13
    Yea, I had written a response to the first post as well.
     
    tflight, Mar 21, 2006 IP
  14. Nintendo

    #14
    Looks like this thread was hacked!!! :D
     
    Nintendo, Mar 21, 2006 IP
  15. kandeman

    #15
    This is strange indeed, I read the first 5 replies and now they are gone..
    Strange forces are working here.

    I'll try and update the script as much as possible.
    But I'm leaving for holiday soon, so will chmod 444 help me protect the site when I'm gone or should I just put up an 'admin away for holiday' screen?
     
    kandeman, Mar 22, 2006 IP
  16. Nintendo

    #16
    It depends on how they're changing it. If they have your FTP password, then it won't help at all!!!
     
    Nintendo, Mar 22, 2006 IP
  17. kandeman

    #17
    I looked into the FTP logging and there was nothing abnormal..
     
    kandeman, Mar 23, 2006 IP
  18. Nintendo

    #18
    What the heck??!!! The time for the 'Last Post' in search results shows....Today 10:57 am.

    Yet the last post to show is one made a day and a half ago...and it looks like more posts are gone!!!!

    As I said before the second round of posts were deleted...it depends on if they have your FTP password. If they have that, then it won't help at all. If they're editing that file and don't have the FTP password, it should help.
     
    Nintendo, Mar 23, 2006 IP
  19. kandeman

    #19
    This is becoming very weird. Posts have been deleted from this thread 2 times :s
     
    kandeman, Mar 24, 2006 IP