Hi. One of my friends' websites has been hacked. He runs his website on a Linux server. The hacker has managed to overwrite his index.html file only, leaving the other files intact. His password consists of 25 characters with alphanumerics and symbols, so hypothetically it is not possible to crack his password. Even if it were, the hacker would have deleted all his files or could have done more damage to his account. So, I was wondering if any of you have any idea on:
1) How did the hacker replace the index file without knowing the password?
2) What measures can my friend take so that this does not happen in future?
Many thanks in advance. Screenshot: http://img405.imageshack.us/img405/134/websitehacked.jpg
It is called home page defacement! The hacker runs a shell script, using your anonymous FTP as a source to get connected. With the shell code, he gets a panel where he can insert his code into all text-based files like PHP, JS and CSS. Also, he gets a one-touch injection option to hack into the database! Well, once when my friends got hacked, I was able to find this thing... but the hacker was so efficient that I couldn't find out where the shell code was running from! ~ExP~
Watch what advice you take from here; not everyone knows what they are talking about, e.g. above. The site was most likely exploited either at the PHP level, or via an insecure server daemon running on the Linux server. If anonymous FTP is enabled, this will allow any attacker to gain access to your files and database. Ensure the server is up to date and get a server security administrator to review your server as soon as possible.
You don't make sense either, sorry. What do you mean by PHP level? What do you mean by insecure server daemon? It would be great if you could dive deeper and explain. Thanks.
I have seen similar attacks several times... modifying the index files only. I have listed the possible reasons.
1. The PC or the machine from which you access the FTP is compromised. Check for trojans and key loggers, if any. Trojans copy the typed password using key loggers and send it to a remote hacker server. The hacker will then access your FTP account using the valid login info. Your account will get compromised even if you have a very strong password. Check the access logs of the server where your domain is hosted.
2. The server itself is compromised. Make sure that the server daemons are updated properly. Also run a scan on your server.
3. Make sure the dangerous PHP functions are disabled, e.g. exec. Hackers will misuse exec-like functions in PHP to hack the server.
4. Check for any anonymous logins. If there are any, please disable them.
5. Check your account permissions. If your account is given more permissions than it requires, there is a high chance of getting compromised. Folders should have 755 and files should have 644.
Hope it helps.
Sorry for the late reply, but I thought I might tell you how it has been done by me and my friends. It's quite easy. Get any sort of web hosting on the server; once you have access to the server it is pretty straightforward from there. Upload a PHP shell, e.g. c99 or MulciShell, and use that to exploit the server's vulnerabilities. Most have an execute form which uses shell_exec(), curl_multi_func(), system() or PHP eval to run the code. They then cat /etc/passwd to find out the username of the main account, generally the first 7 chars of the website name. ls -al /home/USERNAME/public_html/ They see all your files; they can click on a file in the shell, it opens at 0777 (or 0644 in SuEXEC's case) and you can still modify the file. You're very lucky no more harm was done to your server; if that sort of access is available I could very easily root (gain full administrative power over) that server.
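As an added example (this is not code from any poster in this thread), the following bash script does, from the defender's side, the checks the two posts above point at: it scans a web root for PHP files that call the command-execution functions a c99-style shell's execute form relies on (shell_exec, system, exec, eval and friends), lists files looser than 644 and directories looser than 755, and reports which of those functions a php.ini's disable_functions still leaves enabled. The sample web root, its file names and the php.ini line are constructed here to make the script run offline; they are not from the thread. Note that eval is a language construct, not a function, so disable_functions cannot switch it off; the source scan still flags it.

```bash
#!/usr/bin/env bash
# Added example: audit a web root for the symptoms described in the thread.
# Everything built by make_sample_webroot() is a constructed sample, not a real site.
set -u

# Functions a c99/MulciShell-style panel uses to run commands on the box.
# eval cannot be disabled via disable_functions, so it is only flagged in the scan.
DANGEROUS_FUNCS='shell_exec|system|exec|passthru|popen|proc_open|eval'

# List PHP files under $1 that call one of the functions above (sorted).
find_shell_candidates() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE "(^|[^[:alnum:]_])($DANGEROUS_FUNCS)[[:space:]]*\(" {} + 2>/dev/null |
        sort
}

# List files looser than 644 and directories looser than 755 (sorted).
find_loose_perms() {
    {
        find "$1" -type f \( -perm -g+w -o -perm -o+w \
                             -o -perm -u+x -o -perm -g+x -o -perm -o+x \)
        find "$1" -type d \( -perm -g+w -o -perm -o+w \)
    } | sort
}

# Print, space separated, the dangerous functions that the php.ini given as $1
# does not list in disable_functions (eval is skipped: it cannot be disabled there).
missing_disabled_funcs() {
    local ini="$1" disabled f missing=""
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" |
               tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    for f in shell_exec system exec passthru popen proc_open; do
        case ",$disabled," in
            *",$f,"*) ;;                 # already disabled
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# Build a throw-away web root: a defaced index, a harmless script, two planted
# shells, a world-writable uploads directory and a weak php.ini (constructed sample).
make_sample_webroot() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/uploads"
    printf '<html>Hacked</html>\n' > "$root/public_html/index.html"
    printf '<?php echo "hello"; ?>\n' > "$root/public_html/hello.php"
    # c99-style execute box: runs whatever the POST body says
    printf '<?php if (isset($_POST["c"])) echo shell_exec($_POST["c"]); ?>\n' \
        > "$root/public_html/uploads/x.php"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$root/public_html/images/.cache.php"
    printf 'disable_functions = exec,passthru\n' > "$root/php.ini"
    chmod 755 "$root/public_html" "$root/public_html/images"
    chmod 777 "$root/public_html/uploads"
    chmod 644 "$root/public_html/index.html" "$root/public_html/hello.php" \
              "$root/public_html/images/.cache.php"
    chmod 666 "$root/public_html/uploads/x.php"
    echo "$root"
}

# Run all three checks against a site root laid out as $1/public_html + $1/php.ini.
audit_webroot() {
    local root="$1"
    echo "== PHP files calling command-execution functions =="
    find_shell_candidates "$root/public_html"
    echo "== files looser than 644 / directories looser than 755 =="
    find_loose_perms "$root/public_html"
    echo "== dangerous functions still enabled in php.ini =="
    missing_disabled_funcs "$root/php.ini"
}

sample=$(make_sample_webroot)
audit_webroot "$sample"
rm -rf "$sample"
```

On the sample the first list names only the two planted shells, the second names the 777 uploads directory and the 666 file inside it, and the third prints shell_exec system popen proc_open. Against a real account, point find_shell_candidates at public_html: any file in its output that the site owner did not put there is the shell, and its mtime and the FTP/web access logs around that time show how it arrived.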
You can refer to the following thread to secure web sites. http://www.eukhost.com/forums/f42/how-secure-optimize-websites-linux-host-12020/