In the fall of 2010, I noticed that someone had been adding scripts to my website(s), usually an onload() stuck in the body tag with an encrypted script.
After doing some reading, I found out that leaving my file permissions set to 777 was leaving my site wide open to the world. After that I started setting all files to 444, which seemed to fix the problem.
Friday June 24, 2011, I went to my main testing site and noticed that the page was loading slowly and saw that it was waiting for something that I didn’t recognize. Quickly I closed the browser and ran a virus scan. After it came out clean, I connected through FileZilla and saw that my index page file permissions had been changed. (I am very cautious about the permissions and know that I didn’t leave it set to anything but 444.)
I deleted the index page and uploaded a clean copy, then changed the permission to 444 as usual.
Without thinking, I went to my other site (without checking FileZilla first) and a java applet downloaded a virus to my computer.
When I finally was able to go there through FileZilla, I found both the index page and log-in page had the permissions changed.
Now to my question…
How could someone change the file permissions other than myself and change my files? (I’m the only one with access)
How can I stop this from happening again?
To be honest, this kind of stuff almost makes me want to give up web design and learning anything about it. I really like doing it, but if my sites would hurt anyone else, I don’t want to do that…
I have no experience with Malwarebytes. For free AV I usually choose Avast.
As for cleaning up your computer - I’d back up all documents and reinstall the OS from scratch (formatting the system drive). Then I’d create two accounts - one with administrative permissions, to use for installing/uninstalling programs and keeping the system up to date; and one limited account that I’d use for day-to-day work. That would be an additional line of defence against malware.
There are several ways. To name a few -
someone/something has figured out your password (if you are using FTP to manage content, then ask your provider to give you a more secure means for doing that; also, if you save passwords in FileZilla, then if your computer gets infected your stored passwords might end up in the wrong hands);
someone/something is exploiting some vulnerability in your code that lets them execute commands on the server (including but not limited to an instruction to change file permissions), which are run with your/web-server privileges;
the code got infected on your computer before you uploaded it to the web server.
That depends on how the code got there. Suggestions range from not using insecure means to transfer files to keeping all client/server software to the latest security-patch level.
I found a bunch of malware on my computer after I got hit Friday. It’s possible some of it had been there for quite a while and caused the problems I had last fall as well as this time around.
I use FileZilla exclusively to upload to my site. It automatically saves the connection information including the password (which I already changed for both sites).
I was going to ask if there was a way to make it not save the passwords then I looked again and found it.
As for my computer, I use Webroot antivirus with Spy Sweeper and it missed the malware. I downloaded Malwarebytes Anti-Malware (free version), which was suggested by our IT guy at work, and after 4 scans it caught 15 trojans / viruses. Since then I have had 15 “clean” scans.
I was wondering though, is there anything else I should try to make sure my machine is clean? (free preferably though I may buy the full version of Malwarebytes)
Malwarebytes is pretty comprehensive - far more so than many of the popular free AV applications. Hijackthis is also a useful and comprehensive tool but is for analysis only and requires in depth knowledge to be useful.
Also, do a search in all your files for an unknown file, perhaps during your vulnerability somebody uploaded a PHP or some other script that allows them to change things on you. If they have your PW, it doesn’t make sense for them to change the permissions.
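The three things the thread keeps coming back to (files whose mode is no longer 444, a body tag that has grown an onload= handler, and files on the server that the owner never uploaded) can be checked mechanically rather than by eyeballing FileZilla. The script below is an added example, not code from any poster in this thread; it builds a small constructed web root with one tampered page and one dropped file, then audits it. The manifest file of expected paths, the directory layout and the sample content are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for the symptoms the
# posters describe. Sample files, paths and the manifest are constructed here.
set -eu

# Print one finding per line: "<KIND> <relative path>".
# $1 = web root directory, $2 = manifest listing expected relative paths (assumed to
# be kept outside the web root, e.g. next to your local copy of the site).
audit_webroot() {
  root=${1%/}
  manifest=$2

  # 1. Any file whose mode is not exactly 444 (the poster's chosen baseline).
  find "$root" -type f ! -perm 444 | while IFS= read -r f; do
    printf 'PERM %s\n' "${f#"$root"/}"
  done

  # 2. HTML files where the body tag carries an onload= handler.
  find "$root" -type f -name '*.html' -exec grep -liE '<body[^>]*onload=' {} + 2>/dev/null \
    | while IFS= read -r f; do
        printf 'INJECTED %s\n' "${f#"$root"/}"
      done

  # 3. Files present on the server that are not in the upload manifest.
  find "$root" -type f | while IFS= read -r f; do
    rel=${f#"$root"/}
    grep -qxF "$rel" "$manifest" || printf 'UNKNOWN %s\n' "$rel"
  done
}

# Constructed sample: a tiny web root plus the manifest of what was uploaded.
# Prints the base directory so the caller can audit and then remove it.
make_sample() {
  base=$(mktemp -d)
  mkdir -p "$base/www/uploads"
  printf 'index.html\nlogin.html\n' > "$base/manifest.txt"

  cat > "$base/www/index.html" <<'EOF'
<html><body><h1>Clean page</h1></body></html>
EOF
  # Simulated tampering: an onload handler stuffed into the body tag.
  cat > "$base/www/login.html" <<'EOF'
<html><body onload="constructed_placeholder()"><h1>Login</h1></body></html>
EOF
  # Simulated dropped file that the site owner never uploaded (inert placeholder).
  printf '<?php /* constructed placeholder, does nothing */ ?>\n' > "$base/www/uploads/cache.php"

  chmod 444 "$base/www/index.html"        # as the owner left it
  chmod 666 "$base/www/login.html"        # mode changed, as in the thread
  chmod 644 "$base/www/uploads/cache.php" # never set to 444 by the owner
  printf '%s\n' "$base"
}

# Stand-alone run: build the sample, audit it, clean up.
sample=$(make_sample)
audit_webroot "$sample/www" "$sample/manifest.txt"
rm -rf "$sample"
```

Run against a real site by pointing the first argument at a fresh download of the web root and the second at a list of the files you actually uploaded; anything reported as UNKNOWN or INJECTED is what the last poster means by "an unknown file" and deserves a look before the next upload. Findings are printed in filesystem order, so compare sets, not line order, if you keep a copy from a previous run.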