Not long ago I asked for help in this forum because two of my sites were hacked and after thinking about what happened and how I noticed that my site were hacked I started wondering why. What happened is this, one morning I woke up and checked one of my sites that uses WordPress and to my surprise the index page had a picture that said hacked by bla, bla… the same thing happened with my second site except that this one wasn’t using WordPress this one only had a PHP contact form and was done by a different hacker, here is where my question came.
Why would the hacker alert me? Wouldn’t be easier to do the hack without letting me know and I would probably have never noticed it.
Does it mean that the index page was the only file they could have access to and they just wanted to let me know about their success?
Are there some occasions where the only file hacked is the index file?
Of course the reason I’m asking is because I haven’t find any malicious scripts for the site that wasn’t using WordPress, and I’m trying to understand where the hacking thing came from, may be from my hosting provider?
The hacker alerted you for the glory. They weren’t out to take money or use your server for anything, just to show that they could.
Were your sites hosted on the same sever? If so, your server was probably compromised. I would surmise that anyone who could edit your index page could probably edit any file they chose, also the fact that both a wordpress and a non wordpress site were edited suggests your system was totally compromised.
Yes, both sites were in the same server (in a share server).
Yes, I’m using unsecured FTP. Does this make a difference? I thought SFTP was only to protect you from people connected to your network and I have my network secured.
Should I start using SFTP? If yes, can I ask why and how would this make a difference?
FTP sends your username and password in plain text with every request. It’s not just your own network you need to worry about, it’s every switch and cable between you and your server. I would switch to SFTP.
From what you say I can envisage three likely angles of attack.
your password was intercepted by a hacker sniffing packets
Your account was hacked using a brute force, dictionary attack. or
Your shared hosting is insecure and your account was hacked from another account on the same box.
Without more information, 1 sounds like the most likely to me. Change your password to a random alphanumeric string, use an encrypted connection (SFTP or SSH) and check your hosting provider’s reputation for security. Also check your backup strategy
No one likes getting hacked, hope you get it sorted
I think there are two type of hacker, one who jack for fame or glory aand the other one is to cause harm People( may be financial or some other type of harm)
And you are attacked by the first type of hacker…
These type hacker do hacking just for fun, and for no other reason…
may be your site have some type of loophole or backdoor by which they enter in your site, So check for the all possible loop holes, change admin password if there is any such kind of provision in your site.
Well, it may have been glory, or it may have been like the people I know: they look at some crappy system, sigh loudly, shake their heads that such a system is still being used by anyone at all, then break in to show the sheep how silly or dangerous they are being with their info.
…but the admin is not as dumb as he may look, and logs all activity and have it sent to another server and emailed to several addresses as well, so now he contact authority and start the act of tracking the guy(s) ip and sends requests of info regarding this to several sysadmins and ISP’s about their server and wingt/proxy logs and tracks the guy(s) to their city and house… one can wonder, who’s the sheep now…
I have tracked morons down many times the last 13 years. some times it’s “impossible”, well at least not worth it and maybe even impossible, but other times it’s almost fun
sysadmins and ISP’s about their server and wingt/proxy logs
using a proxy don’t mean you are safe - and there are several types of proxy servers too. some non anonymous, other transparent, forwarding, reverse etc… and then anonymous proxy servers.
and even chaining several anonymous proxy servers doesn’t make you safe, as anonymous proxy servers tend to log all the activities - and there will be more tracks on every hop which can ease the trace.
Contacting authorities, and also the sysadmins of these servers can result in getting the logs so you can continue tracing the hacker through several proxy servers - anonymous or not.
they may also get a court order about handing out the logs.
of course this can be difficult (and impossible) if you have to track him through several countries - but who said it would be easy
this is how hackers get caught - cooperation between people