
Website 'hacked'

essenby
Grafter
Posts: 139
Registered: ‎30-07-2007

Website 'hacked'

Hi,
I went to my website the other day (after a very long 'off' period) and immediately received a warning that the page was infected. It seems some 'nasty' scripts had been written into the pages, but only pages named "index.htm" for some reason. The site is only a 'play' site so there is no real impact or damage but I'd be interested to know how this happens.
CGI and PHP are activated on the site so is this as a result of some SQL infection or suchlike, or has my FTP password been hacked in some way?
Any pointers that anyone can offer as to how this can be prevented would be most welcome.

Barrie
10 REPLIES
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Website 'hacked'

Could be either.
If it's on ccgi, you can only ftp from a plusnet ip, which would make the latter less likely, unless your pc has actually been botted. If your av was capable enough to warn you about your own site, that also makes the latter less likely.
It would help to know what's loaded onto the site, and if your av identified the injection (please don't post the injected code), and what browser, av, and os you use.
Gabe
essenby
Grafter
Posts: 139
Registered: ‎30-07-2007

Re: Website 'hacked'

Hi, thanks for the help.
The front page is a simple HTML page with no links to any other pages at all. One of the sub folders contains an index.htm page which is a simple frameset linking to some other HTML pages and images. Only pages with the name "index.htm" were affected and AVG Free 2012 identified "Exploit Blackhole Exploit Kit" on them. The code was contained within <Body onload=  > and separate <script> tags and on the frameset page these were interestingly inserted after the closing </html> tag. Possibly because there was no existing <body> to hijack. On the front page the <body> tag was hijacked and the <script> tags immediately followed it.
The browsers used were Chrome and IE(8) running under Win7.
Barrie
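
A defensive check for the three symptoms described in the post above (script after the closing </html> tag, an onload handler on <body>, and a <script> placed directly after <body>). This is an added example, not part of the original thread; the function names and sample pages are constructed, and a hit means "review this page", not proof of compromise.

```python
import os
import re

# Patterns mirror the symptoms described in the post; they flag pages for
# manual review. A legitimate page can also use <body onload=...>.
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
BODY_ONLOAD = re.compile(r"<body\b[^>]*\bonload\s*=", re.IGNORECASE)
SCRIPT_AFTER_BODY = re.compile(r"<body\b[^>]*>\s*<script\b", re.IGNORECASE)


def scan_html(text):
    """Return a sorted list of finding names for one page's source."""
    findings = set()
    closes = list(HTML_CLOSE.finditer(text))
    # Anything executable after the last </html> was appended to the file.
    if closes and SCRIPT_TAG.search(text, closes[-1].end()):
        findings.add("script-after-html-close")
    if BODY_ONLOAD.search(text):
        findings.add("body-onload-handler")
    if SCRIPT_AFTER_BODY.search(text):
        findings.add("script-directly-after-body")
    return sorted(findings)


def scan_tree(root, names=("index.htm", "index.html")):
    """Walk a local copy of the site and scan every index page."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples with harmless placeholder script bodies.
CLEAN = "<html><head><title>t</title></head><body><p>hi</p></body></html>"
FRAMESET = ("<html><frameset cols='20%,80%'><frame src='a.htm'>"
            "</frameset></html>\n<script>/* placeholder */</script>")
FRONT = ("<html><body onload='placeholder()'><script>/* placeholder */"
         "</script><p>hi</p></body></html>")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN), ("frameset", FRAMESET), ("front", FRONT)):
        print(label, scan_html(page))
```

Run `scan_tree` against a downloaded copy of the web space and compare any flagged file with a known-good backup before re-uploading.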
hadden
Grafter
Posts: 486
Thanks: 2
Registered: ‎27-07-2007

Re: Website 'hacked'

A colleague had a similar problem on a Plusnet hosted website late last year where a re-direct script had been inserted just after the body tag. Removing the script resulted in it being re-inserted within days.
The website was simple HTML with very little interactivity, over a few pages, and only index.htm was hacked. So it seemed that FTP security was the weak point.
The solution has been to change the FTP password. However, it took several attempts over several weeks for that to work, and eventually required manual intervention by Customer support to force the password change to be applied.
No script insertion since then.
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Website 'hacked'

Russians again.
(BTW, I like the way IE 8 thinks it's cool.)
If your site has no db interface, they can't have got in that way. As JohnJ says, it looks like the ftp password. Changing that would be a first step. If it's on ccgi, then PN will need to change it for you. (Incidentally, if changing a password yourself doesn't seem to stop the hacking, it suggests that your own PC or network is infected.) Passwords can be ripped, intercepted (ftp is plaintext), or (commonly) sniffed from your own pc by malware lurking or just hopping into the browser session.  If the site is on ccgi, it limits the options. If you keep logs, it might be worth checking through those. Your pc doesn't sound unusually vulnerable, but it might be worth hitting it with an alternative av, just to check.
It's a pandemic.
Gabe
essenby
Grafter
Posts: 139
Registered: ‎30-07-2007

Re: Website 'hacked'

Hi John, that sounds VERY similar.
I'm not sure whether CS read these pages but can anyone confirm whether changing the FTP password will mean changing the PlusNet account password (used in the router and the Member Centre)?
I don't mind having to change it - but I'd rather know beforehand than suddenly lose my connection.
@Gabe
Databases and PHP are activated for the site and there is a sub-folder with a simple page that just sets up a connection. However, as it's only the index.htm pages that seem to be affected I think John's suggestion is probably nearest. CCGI is activated so I guess I'll have to raise a call to get the password changed.

Barrie
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Website 'hacked'

The index.htm pattern just means that it's an automated attack. You mention databases, php, and ccgi being activated, but is this site actually on the ccgi server? If it is, and the simple page that sets up a connection is vulnerable to injection, then that is still a possible route in.
Gabe
adamwalker
Plusnet Help Team
Posts: 15,199
Thanks: 467
Fixes: 127
Registered: ‎27-04-2007

Re: Website 'hacked'

Hi there,
Yes, we do read this page too. Changing the FTP password would mean changing the main account password.
 Adam Walker
 Plusnet Help Team
essenby
Grafter
Posts: 139
Registered: ‎30-07-2007

Re: Website 'hacked'

Gabe,
There are files on both ftp.plus.net and cshell.plus.net but only the index files on ftp.plus.net seem to be affected. There is an index file on ccgi.{username}.plus.com but that seems to be clean.
@ Adam - thanks for the warning
spraxyt
Superuser
Posts: 10,063
Thanks: 1,369
Fixes: 75
Registered: ‎06-04-2007

Re: Website 'hacked'

I suggest changing your account password as soon as you can - that means the side effects are under your own control.
If your router is an easy start TG585 its connection settings will automatically update, otherwise I don't think you lose your connection until you restart the router. You'd have to update the connection password then.
Your ftp.plus.net password will change, but don't forget the default mailbox email password also changes.
Your cshell.plus.net password *won't* change, but if this is the same as your current main account password it would be prudent to raise a ticket to request your CCGI password be changed.
David
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Website 'hacked'

If it's homepages, not ccgi, that's been hacked, then that does sound like the password. Sounds like you've checked thoroughly, but might be worth checking again for any backdoors left open on the site, which would allow rehacking. If you haven't ftped homepages from someone else's pc, you might have to suspect your own.
Gabe