  1. #1

    HTML site attacked - have I done enough to rectify problems?

    Hi,

    So, I built my first website for a friend last year. It's only seven pages of HTML and has only a few instances of JavaScript (Lightbox and an image slider on the homepage). Last week my friend was notified that the site had been blocked by Google and subsequently his account was suspended by the web hosting firm.

    I found a malicious script on the homepage, which I deleted. Like an idiot I didn't change the login password after doing so, and the script reappeared. This obviously suggests that the hack is due to someone cracking into the account and not a code injection - I'm presuming a code injection is not actually a possibility as the site has no executable files (PHP, ASP etc., only JS) - could someone confirm that?

    I've now changed the passwords for both the login and email login as the email account was being used to send spam. I've updated all the JavaScript files to current builds and cleaned out a whole bunch of dodgy files from the home directory including a bunch of PHP and images that were from the spam email.

    What I'm most concerned about is that I found a MySQL file ('horde.sql') when I backed up the site and wondered if this could be related? A little Google suggests this could be a normal file, but when I look up MySQL databases in cPanel there are none shown. I haven't created any (as I say, the whole site is just HTML/CSS) so could this be a dodgy database created under a different user account?

    Thanks for any advice

  2. #2
    dklynn (Certified Ethical Hacker)
    scamp,

    1. Go to http://strongpasswordgenerator.com and create at least TWO very strong passwords (uppercase, lowercase, digits and special characters) of 12-15 characters in length.

    2. Use one for your cPanel login and the other for the FTP login (and log in at both cPanel and your FTP in a secure mode).

    3. DELETE everything you have on the website and reload from your original files.

    4. Have your host use SuPHP rather than PHP as a CGI script to protect against requests that use a query string to alter PHP settings and load and execute PHP scripts from their websites using your account.

    5. Database? Check your cPanel for a database and DELETE it immediately (you're obviously not using it so it should not exist).

    Remember, hackers can load nefarious scripts into .html files (obviously, .js files, too) which can do evil things and you don't want to be taken advantage of.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
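
Step 3 of the checklist above, together with the original poster's discovery of stray PHP files, suggests a check worth automating after the reload. The following is an added example, not code from any poster in this thread: it hashes a known-good local copy of the site and the deployed copy, then reports modified, missing and unexpected files plus any server-side scripts on what should be a static site. The directory names, file names and the `SERVER_SIDE` extension list are assumptions, and the sample site is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list: extensions that should never appear on a pure HTML/CSS/JS site.
SERVER_SIDE = {".php", ".phtml", ".asp", ".aspx", ".cgi", ".pl"}

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(original_dir, deployed_dir):
    """Compare the deployed tree against the known-good originals."""
    good, live = manifest(original_dir), manifest(deployed_dir)
    return {
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "missing": sorted(f for f in good if f not in live),
        "unexpected": sorted(f for f in live if f not in good),
        "server_side": sorted(f for f in live if Path(f).suffix.lower() in SERVER_SIDE),
    }

def demo():
    """Constructed sample: a clean two-file site and a tampered deployed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "original"), Path(tmp, "deployed")
        for d in (good, live):
            (d / "js").mkdir(parents=True)
            (d / "index.html").write_text("<html><body>Home</body></html>")
            (d / "js" / "slider.js").write_text("/* slider */")
        # Tampering: a script tag added to the homepage and a stray PHP file.
        (live / "index.html").write_text(
            "<html><body>Home<script src='//placeholder.invalid/x.js'></script></body></html>")
        (live / "mail.php").write_text("<?php /* placeholder */ ?>")
        return audit(good, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

To use it on a real site, download the deployed tree over a secure connection and call `audit()` with the path to the original files and the path to the downloaded copy; any non-empty list is a reason to look closer before the site goes back online.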

  3. #3
    This is great, thanks for the advice. I've done most of these steps but will look into the PHP advice and how to implement a regular strong password changing procedure.
    The site is now back online too!

    Thanks again

  4. #4
    horde.sql may be associated with webmail (Horde is a common webmail application: http://www.horde.org/).
    In addition to the measures DK has mentioned, also worth running a good malware scanner over your computer to be sure there's nothing leaking your FTP info (e.g. Malwarebytes Anti-Malware).

  5. #5
    dklynn (Certified Ethical Hacker)
    Good point, Mike!

    The host in question uses maldet to scan and can set it up with a CRON job to run on a ... daily? ... basis. It does a good job.

    Regards,

    DK
