Website 'hacked'

essenby · ‎30-07-2007

Hi,
I went to my website the other day (after a very long 'off' period) and immediately received a waning that the page was infected. It seems some 'nasty' scripts had been written into the pages, but only pages named "index.htm" for some reason. The site is only a 'play' site so there is no real impact or damage but I'd be interested to know how this happens.
CGI and PHP are activated on the site so is this as result of some SQL infection or such like, or has my FTP password been hacked in some way?
Any pointers that anyone can offer as to how this can be prevented would be most welcome.

Barrie

Gabe · ‎29-10-2008

Could be either.

If it's on ccgi, you can only ftp from a plusnet ip, which would make the latter less likely, unless your pc has actually been botted. If your av was capable enough to warn you about your own site, that also makes the latter less likely.
It would help to know what's loaded onto the site, and if your av identified the injection (please don't post the injected code), and what browser, av, and os you use.
Gabe

essenby · ‎30-07-2007

Hi, thanks for the help.
The front page is a simple HTML page with no links to any other pages at all. One of the sub folders contains and index.htm page which is a simple frame set linking to some other HTML pages and images. Only pages with the name "index.htm" were affected and AVG Free 2012 identified "Exploit Blackhole Exploit Kit" on them. The code was contained within <Body onload= > and separate <script> tags and on the framset page these were interestingly inserted after the closing </html> tag. Possibly because there was no existing <body> to hijack. On the front page the <body> tag was hijacked and the <script> tags immediately followed it.
The browsers used were Chrome and IE(8) running under Win7.
Barrie

hadden · ‎27-07-2007

A colleague had a similar problem on a Plusnet hosted website late last year where a re-direct script had been inserted just after the body tag. Removing the script resulted in it being re-inserted within days.
The website was simple HTML with very little interactivity, over a few pages, and only index.htm was hacked. So it seemed that FTP security was the weak point.
The solution has been to change the FTP password. However, it took several attempts over several weeks for that to work, and eventually required manual intervention by Customer support to force the password change to be applied.
No script insertion since then.

Gabe · ‎29-10-2008

Russians again.

(BTW, I like the way IE 8 thinks it's cool.)
If your site has no db interface, they can't have got in that way. As JohnJ says, it looks like the ftp password. Changing that would be a first step. If it's on ccgi, then PN will need to change it for you. (Incidentally, if changing a password yourself doesn't seem to stop the hacking, it suggests that your own PC or network is infected.) Passwords can be ripped, intercepted (ftp is plaintext), or (commonly) sniffed from your own pc by malware lurking or just hopping into the browser session. If the site is on ccgi, it limits the options. If you keep logs, it might be worth checking through those. Your pc doesn't sound unusually vulnerable, but it might be worth hitting it with an alternative av, just to check.
It's a pandemic.
Gabe

essenby · ‎30-07-2007

Hi John, that sounds VERY similar.
I'm not sure whether CS read these pages but can anyone confirm whether changing the FTP password will mean changing the PlusNet account password (used in the router and the Member Centre)?
I don't mind having to change it - but I'd rather know before hand than suddenly loose my connection

@Gabe
Databases and PHP are activated for the site and there is a sub-folder with a simple page that just sets up a connection. However, as it's only the index.htm pages that seem to be affected I think John's suggestion is probably nearest. CCGI is activated so I guess I'll have to raise a call to get the password changed

Barrie

Gabe · ‎29-10-2008

The index.htm pattern just means that it's an automated attack. You mention databases, php, and ccgi being activated, but is this site actually on the ccgi server? If it is, and the simple page that sets up a connection is vulnerable to injection, then that is still a possible route in.
Gabe

adamwalker · ‎27-04-2007

Hi there,
Yes we do read this page too

changing the FTP password would mean changing the main account password.

If this post resolved your issue please click the 'This fixed my problem' button

Adam Walker
Plusnet Help Team

essenby · ‎30-07-2007

Gabe,
There are files on both ftp.plus.net and cshell.plus.net but only the index files on ftp.plus.net seem to be affected. There is an index file on ccgi.{username}.plus.com but that seems to be clean

@ Adam - thanks for the warning

spraxyt · ‎06-04-2007

I suggest changing your account password as soon as you can - that means the side effects are under your own control.
If your router is an easy start TG585 its connection settings will automatically update, otherwise I don't think you lose your connection until you restart the router. You'd have to update the connection password then.
Your ftp.plus.net password will change, but don't forget the default mailbox email password also changes.
Your cshell.plus.net password *won't* change, but if this is the same as your current main account password it would be prudent to raise a ticket to request your CCGI password be changed.
David

David

Gabe · ‎29-10-2008

If it's homepages, not ccgi, that's been hacked, then that does sound like the password. Sounds like you've checked thoroughly, but might be worth checking again for any backdoors left open on the site, which would allow rehacking. If you haven't ftped homepages from someone else's pc, you might have to suspect your own.
Gabe

Website 'hacked'

Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'

Re: Website 'hacked'