Site Got Hacked. Want to know how. Ideas?
A site I work on got hacked this morning. a small snippet of code (html, css, javascript) was appended to a number of pages of an ad system (PHP) we use.
How does this happen? How do they get write access to these pages (which have permissions of 755 as does the containing dir). They are not pages that are editable through the ad system so as near as I can tell you need to have admin access via ssh to edit these. Is that correct?
Any info is appreciated as I want to get a handle on how this happened.
10 comments
[ 5.3 ms ] story [ 34.2 ms ] threadotherwise, if you're using a downloaded software package, upgrade it and report the problem.
Often sites are hacked by automated bots rather than an actual person. Which means you are using some popular piece of code with a vulnerability. Whatever you run, you need to keep track of security announcements for that product. Especially if it is popular, like Drupal for example. I'm not saying Drupal is bad, it's just that lots of people look for vulnerabilities in it.
Look at your server logs (assuming they are still there). This should give you a clue as to how they got access. Also, you say permissions are 755. And the owner is...?
Maybe installing Jailkit to chroot SSH users might plug a hole for you too. This is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. It is used to secure cvs, sftp, shell or daemon processes. You can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.
As a future potential preventative, you might want to think about installing fail2ban. It is an intrusion prevention framework. It blocks selected IP addresses for hosts that are trying to breach the system's security by monitoring log files and will ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.
These are for Linux, and I’m not an expert with them, so I can’t really walk you through installing or using them, but you might want to look into them and see if they might help you.
If this "Security" stuff is not your cup of tea, these guys might be able to help: http://www.serverwizards.com/ I have never used them, but have come across a few of their happy "Security" customers in tech forums in the past. I keep them in my contact list just in case.