My site was defaced

A website of mine has been recently defaced. The hacker only changed my index.html file, and seems to have left the rest alone.

I have done various cpanel scans for viruses

I am running a 4 year old centOS server, with cpanel installed. Has this happened to anyone else. Can you make any suggestions on how to secure this box?

First of all:

/Douglas Adams/
Apply all os level and application level security patches (safer option would be reinstall server with latest os version, but I assume that this might not be an option). Change all passwords, disable all unnecessary services. Start making (if you have not been doing it before) regular backups and save them off the server, practice recovering from backup. Consider running all administrative tasks through strongly authenticated/encrypted SSL(HTTPS)/SSH instead of HTTP/FTP.

Thanks for the advice,
I cut and pasted your suggestion to the support team at my vps provider. I have been computing nearly 15 years, and this is the first time I have ever been hacked. I just hope these guys can’t just keep coming back. I’m not exactly sure how they got root access. The last root access from Saudi Arabia, yet my host swears they see no such access in the logs.

Oh… one more thing. It wasn’ t just one site that was hacked of mine… It was every site on my server, multiple domains.

I can’t suggest more than Aleksejs already has said above.

a mass defacement points to a known sw/script vulnerability so i would strongly suggest to apply all patches and also have a look at your sw/scripts
a mass defacement is usually done by a script that take advantage of a known vulnerability,
and the defacer just fill in some info into the script and push a button and voila - all index pages are defaced.

a mass deface can be done to a few, or even thousands of sites at the same time with a script like that.

This also happened to me yesterday by a group of hackers. It defaced every index.php page of mine on my host with one of their index pages advertising I’d been hacked (from a foreign country). It did not matter if it was WordPress, WolfCMS, or a custom PHP, it was all defaced.

The difference is I’m on MT Grid, I sent a support ticket to try and find out if anything happened in the logs. Or if some type of ssh or ftp access was hacked. It looks automated, index files were the only thing changed, so I don’t think it was your standard hacking, some of the sites on that Grid aren’t even in search engines and get no visitors.

This is the second time I’ve been hacked, but this time it was done quite professionally. It took me only a few minutes to restore, I have multiple backups going (I learned from the first time), but if I had not checked myself it would have been down for some time.

I would like to know how this was done, it could not have been XSS, somehow they rewrote index files.

Do you administrate the server? It sounds like the hacker found an OS vulnerability or was able to get in through a script that was insecure and allowed root access.

I would suggest securing SSH, using mod_security, and securing PHP further.

If you have the capability, check the index file modification time against your ftp access logs to check that it’s not a gumblar virus related defacement.

It could have come in through one of the websites on your server. We see a lot of infectious code and sometimes a hacker will find an exploit through one of the websites, then upload code that tries to find other websites on the same server to infect.

Sometimes this uploaded infectious code tries to compile C code. This C code can scan for the permissions on other sites. This is why file and folder permissions should be set accordingly. Nothing higher than 644 for files and nothing higher than 755 for folders.