  1. #1
    Azam.net (SitePoint Evangelist; joined Apr 2002; UK; 479 posts)

    How to identify security loopholes in a website that has been hacked to send spam?

    I've been informed by our webhost that one of our sites has been hacked. By gaining unauthorised access to the site, hackers have been able to send out spam using our domain name (using from: xyz@ourdomainname.com in the spam).

    We've been asked to remove these violated files and close any security vulnerabilities before the webhost can restore the site. We've been able to identify the files and removed them.

    However, how can we specifically pinpoint and close any security loopholes so that it doesn't happen again? The site is using lots of scripts etc. so we don't know where the vulnerability could lie.

    We've run lots of sites since the 1990s and never had a single security violation, so this situation is a new one to us.

    Thanks a million for any advice.
    Azam Marketing, Inc.
    Award-Winning Digital Marketing and Design Results Since 1997

  2. #2
    dklynn (Certified Ethical Hacker; joined Feb 2002; Auckland; 14,605 posts)
    Az,

    First, please remember that others can SPAM the world using your e-mail address as their Reply To: address, i.e., without accessing your server.

    Since you've discovered that an attack had taken place, you have been hacked.

    First, replace all your passwords with those you can create using http://strongpasswordgenerator.com - and make them STRONG! Don't forget ALL passwords, i.e., cPanel, e-mail, FTP and Telnet (if enabled). Eliminate all the entry points you don't need.

    Have your host run and RErun maldet scans until there is no problem found, then have them run by CRON on a regular basis. Maldet is a freeware app that admins won't let others set up and run but they will set it up for you if you ask (at least they do on WebHostingBuzz ... and WebHostingZoom before them).

    If you're paranoid (and I am!), you can also generate a script which will compare and store hashed values for your scripts (.php, .html and .js in particular) on a daily basis and CRON that, too!

    You can never be too paranoid! "They" may not be out to get you but you may fall as an innocent victim of some hacker "just because he can."

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    ideamine (SitePoint Enthusiast; joined Feb 2012; Queen of Arabian Sea; 27 posts)
    If it's on a shared server, you will have to ask your host to find the source of the hack and give you suggestions regarding the nature of the hack and they will be able to give you pointers to assist you, as the nature of hacking has to be known to fix the loopholes. Since you are using scripts, make sure to analyse them for loopholes as well. What DK mentioned is pretty much all you can do to secure your domain.

    If you are on a VPS or a dedicated server you should also check your ssh keys and also see if there are any unknown/suspicious users as well as do a rootkit scan as well. rkhunter is a good tool to do a rootkit scan.

    Also in addition to using strong passwords, changing them periodically is a good practice as well.

  4. #4
    SitePoint Evangelist (joined Mar 2011; Bellingham, WA; 450 posts)
    Originally posted by dklynn:

    If you're paranoid (and I am!), you can also generate a script which will compare and store hashed values for your scripts (.php, .html and .js in particular) on a daily basis and CRON that, too!

    Hello! I just came across this concept, and it's a new one to me. I'm familiar with creating hashes for passwords, but I'm not quite sure what you mean by a hashed value for a script. Could you elaborate a bit?

  5. #5
    dklynn (Certified Ethical Hacker; joined Feb 2002; Auckland; 14,605 posts)
    kreut,

    hash_file() is a convenient tool to use to obtain a hash value of a file. Hash values are of a fixed length, and it is impossible to determine the original contents from them, but the limited length makes them ideal to save in a database. When the newly generated value differs from the saved hash value, you've got a changed file. If a new file suddenly appears, it won't have a value in the database (ergo, a new file) and any file for which a new hash is not generated is obviously a deleted file.

    You can create your own script very quickly (with a little knowledge of PHP and any database).

    Regards,

    DK
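
The check described in post #5 (store a hash per file, then report changed, new and deleted files), as an added example that is not part of the original thread or any poster's code. It assumes a JSON baseline file in place of the database; `scanTree()`, `diffHashes()` and the two command-line paths are hypothetical names chosen for illustration.

```php
<?php
// Added example: file-integrity check built on hash_file().
// Assumption: a JSON file stands in for the database; argv = <web root> <baseline file>.

/** Hash every .php/.html/.js file under $root; returns [relative path => sha256]. */
function scanTree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && preg_match('/\.(php|html|js)$/i', $file->getFilename())) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare the stored baseline with a fresh scan. */
function diffHashes(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $changed[] = $path;          // same path, different contents
        }
    }
    return [
        'new'     => array_keys(array_diff_key($current, $baseline)),  // no stored hash
        'changed' => $changed,
        'deleted' => array_keys(array_diff_key($baseline, $current)),  // no fresh hash
    ];
}

if (PHP_SAPI === 'cli' && $argc === 3) {
    if (($root = realpath($argv[1])) === false) {
        exit(2);                         // web root not found
    }
    $current = scanTree($root);
    if (is_file($argv[2])) {
        $report = diffHashes(json_decode(file_get_contents($argv[2]), true) ?? [], $current);
        echo json_encode($report, JSON_PRETTY_PRINT), PHP_EOL;
        exit(array_filter($report) ? 1 : 0);   // non-zero exit so cron can alert
    }
    file_put_contents($argv[2], json_encode($current, JSON_PRETTY_PRINT)); // first run
}
```

Keep the baseline file outside the web root and unwritable by the web server account, since anyone able to alter the scripts could otherwise rewrite the stored hashes as well. The baseline is written only on the first run, so after a legitimate deployment it has to be regenerated deliberately.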

  6. #6
    SitePoint Evangelist (joined Mar 2011; Bellingham, WA; 450 posts)
    Thanks! Sounds like a powerful and easy to implement tool...

    -Eric

