My website got hacked.. What should I do? [closed]

Answer 1

Try and gather as much information as you can. See if the host can give you a log showing all the FTP connections that were made to your account. You can use those to see if it was even an FTP connection that was used to make the change and possibly get an IP address.

If you're using a prepacked software like Wordpress, Drupal, or anything else that you didn't code there may be vulnerabilities in upload code that allows for this sort of modification. If it is custom built, double check any places where you allow users to upload files or modify existing files.

The second thing would be to take a dump of the site as-is and check everything for other modifications. It may just be one single modification they made, but if they got in via FTP who knows what else is up there.

Revert your site back to a known good status and, if need be, upgrade to the latest version.

There is a level of return you have to take into account too. Is the damage worth trying to track the person down or is this something where you just live and learn and use stronger passwords?

Answer 2

Is the site just plain static HTML? i.e. he hasn't managed to code himself an upload page that permits anyone driving by to upload compromised scripts/pages?

Why not ask webhost4life if they have any FTP logs available and report the issue to them. You never know, they may be quite receptive and find out for you exactly what happened?

I work for a shared hoster and we always welcome reports such as these and can usually pinpoint the exact vector of attack based and advise as to where the customer went wrong.

Answer 3

We had been hacked from same guys apparently! Or bots, in our case. They used SQL injection in URL on some old classic ASP sites that nobody maintain anymore. We found attacking IPs and blocked them in IIS. Now we must refactor all old ASP. So, my advice is to take a look at IIS logs first, to find if problem is in your site's code or server configuration.

Answer 4

I know this is a little late in the game, but the URL mentioned for the JavaScript is mentioned in a list of sites known to have been part of the ASPRox bot resurgence that started up in June (at least that's when we were getting flagged with it). Some details about it are mentioned below:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

The nasty thing about this is that effectively every varchar type field in the database is "infected" to spit out a reference to this URL, in which the browser gets a tiny iframe that turns it into a bot. A basic SQL fix for this can be found here:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

The scary thing though is that the virus looks to the system tables for values to infect and a lot of shared hosting plans also share the database space for their clients. So most likely it wasn't even your dad's site that was infected, but somebody else's site within his hosting cluster that wrote some poor code and opened the door to SQL Injection attack.

If he hasn't done so yet, I'd send an URGENT e-mail to their host and give them a link to that SQL code to fix the entire system. You can fix your own affected database tables, but most likely the bots that are doing the infection are going to pass right through that hole again and infect the whole lot.

Hopefully this gives you some more info to work with.

EDIT: One more quick thought, if he's using one of the hosts online design tools for building his website, all of that content is probably sitting in a column and was infected that way.

Answer 5

Unplug the webserver without shutting it down to avoid shutdown scripts. Analyze the hard disk through another computer as a data drive and see if you can determine the culprit through log files and things of that nature. Verify that the code is safe and then restore it from a backup.

Answer 6

This happened to a client of mine recently that was hosted on ipower. I'm not sure if your hosting environment was Apache based, but if it was be sure to double check for .htaccess files that you did not create, particularly above the webroot and inside of image directories, as they tend to inject some nastiness there as well (they were redirecting people depending on where they came from in the refer). Also check any that you did create for code that you did not write.