Three of my sites were hacked a few weeks ago, and I’m trying to learn as much as I can to prevent it happening again. I’m a complete beginner at these things, so I apologise if this is a daft question.
I’ve been checking the 404 error logs for all my sites, and on the three that were hacked, there are requests for back-up copies of legitimate pages e.g. index.html.bak, index.html.~, index.html.sav etc. - same pattern for every page on the site. None of my other (unhacked) sites have this.
I understand that a .php back-up file with an altered extension can allow a hacker to read the content, but why would they want an old .html or .css file? There are no backup copies of anything on any of my sites, but why is somebody looking for them? All three sites are very small, static html sites, with nothing more interactive than a Google map.
I’d really just like to understand what’s going on here, as I’m feeling generally very bemused by the whole thing. Thank you.
What is the user agent and IP of the requests generating these 404s?
This can just be a scanner looking for backup resources. Sometimes these include developer comments or additional information that can help an attacker to find a way into the application.
What was the result of the hack? Are you sure your site is clean?
Thanks for your reply. I don’t have user agent/IP information for the 404 requests.
The three hacked sites are on shared hosting, all with the same company but on two different servers. Two of them (on different servers) had directories added and the .htaccess file amended and its file permissions altered. The third site had files added to the cgi-bin. One site was hacked using FTP, so I have an exact date and IP for that; the other one with an additional directory could only have been a couple of weeks earlier or I’d have spotted it sooner and the third one (the cgi-bin) I have no idea about.
One hack appeared to be using the domain name without the www. to host stuff. The other extra directory was presumably intended to do the same thing, but I caught it the day after it was posted. I couldn’t read the cgi-bin files and have no idea what they were doing or trying to do.
I removed all files from the sites, carried out a virus scan, uploaded clean copies from my computer, re-ran the virus scan, changed all the passwords and changed file permissions to 404 and directory permissions to 505. I asked Google to re-evaluate the one site that was flagged up and they found no problems with it. I’m as sure as I can be that the sites are clean now.
No, I meant 404 and 505. Unless I’m much mistaken, those are read-only permissions. Certainly, I can’t upload anything to the image folder without first changing the permissions to 705, so I’m pretty sure that’s right.
