This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
#1 / May 13, 2011 4:20pm
I’ve been hacked a few days ago, the hacker published tons of links towards low quality viagra sites. How can I ensure this doesn’t happen again? Also, how can I not approve the changes made to my core file “index.php”?
Thanks
#2 / May 13, 2011 5:04pm
The same thing happened to one of my EE sites once. The way I found out was that it was flagged as hacked on Google’s search result page. I had left member registrations and profiles open even though I wasn’t using them in the site, and some spam bot signed up for about 27,000 accounts and put a Viagra-like advertisement in the profile field. Here are some tips to prevent such an attack:
* Create strong passwords for your admin accounts, obviously
* Use a human validation field like CAPTCHA or something homebrewed on all input forms
* Make members confirm their accounts before posting
* Turn on EE’s throttling control to limit HTTP requests
* Set up email notifications to yourself when someone signs up. How did I miss 27,000 sign ups?
* Set up some kind of server monitoring notification to get an SMS or email when a certain threshold of traffic is reached. I use Linode which lets me set up notifications about CPU usage, etc.
* Moderate all comments before they go public, and set up some kind of email if appropriate
* Check your traffic analytics regularly, note any irregularities.
In my case, no SSH or EE admin passwords were breached, so I just deleted all the spam member accounts and closed registration. If your core code has been modified, definitely cleanse and re-install those core files to get rid of any malicious code. Create really strong passwords for your server and for your EE, and for any sub-accounts you issue, create a limited-permissions member group.
#3 / May 13, 2011 5:10pm
Thanks squiid, I’ll do just that!
#4 / May 13, 2011 6:31pm
julienraby, thanks for reporting this.
We take security very seriously and will do our best to work with you on figuring out what’s going on. Please let us know:
1. EE version and build (found at the bottom of your control panel)
2. Other scripts on your account, whether in use or not (phpBB, etc…)
If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.
Please also check these files:
* config.php
* index.php
to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.
You may also wish to refresh your files by following the build update instructions, or if you are on an older version, perform a version update instead.
Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
#5 / May 14, 2011 10:06pm
I had a hack attack too today. When I visited my website Google flagged it as trying to link to a malware site. When I checked the index.php file, I saw someone had inserted a script linking to a URL.
I tried to fix the problem by replacing the index.php, but when I did, I could log into my control panel. I suspect the hack entry point was somewhere else in the system.
That said, I’m going to update to the latest build, I’m running 2.1.3 with current build unknown.
Regards,
Tom Ott
#6 / May 15, 2011 12:41pm
Hi Tom,
Please follow the directions that Brandon posted above and please follow up with us after you have spoken to your host about this.
Cheers
Greg
#7 / May 26, 2011 12:24pm
Hello Brandon,
I did everything you advised and the hacker can still access my site and inject his links…
Version: v2.1.3
Build: 20110411
I did a build update and I did everything my host advised…
Can you please help me further more in cleaning this mess?
Thanks,
Julien
#8 / May 26, 2011 1:00pm
Hi, julienraby.
If you are still having issues after replacing files and doing everything your host recommends, then it’s time to change hosts. I personally recommend EngineHosting.
#9 / May 26, 2011 1:17pm
One important thing to look for if you’ve been hacked is backdoor scripts used to access the server directly. Sometimes they are hidden deep down in the file tree, where not many people look a lot of the time.
#10 / May 26, 2011 1:19pm
@Sophie H,
OK, and how would you go about looking for backdoor scripts (any process you can recommend)?
Thanks,
J
#11 / May 26, 2011 1:30pm
I would check your account logs in the hosting control panel your provider uses; this will help track files changed and/or added. Typically it will be under the logs option in cPanel, and in Plesk as well.
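A way to do what Sophie and Brandon describe above (track files changed or added, and look for unusual code such as iFrames or script includes in core files) is to hash a clean install once and compare later, then scan any changed or new file for telltale patterns. This is an added example, not code from the thread or from ExpressionEngine; the web root layout, the SUSPICIOUS patterns and the tampered file contents are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns that commonly mark injected code in PHP or template files:
# hidden iframes, remote script includes and obfuscated eval() calls.
SUSPICIOUS = [
    re.compile(r"<iframe[^>]*>", re.I),
    re.compile(r"<script[^>]+src=['\"]https?://", re.I),
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
]

def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Return (added, modified, removed) paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def suspicious_lines(path):
    """Return (line number, text) for every line matching a SUSPICIOUS pattern."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(pat.search(line) for pat in SUSPICIOUS)]

def demo():
    """Constructed scenario: baseline a tiny web root, then simulate an injection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php require 'system/core.php';\n")
        (root / "config.php").write_text("<?php $config['site_name'] = 'mysite';\n")
        baseline = build_manifest(root)          # take this right after a clean install
        # Simulated tampering: a remote script include appended to index.php and a
        # new obfuscated file buried in a cache directory (constructed, harmless payload).
        (root / "index.php").write_text("<?php require 'system/core.php';\n"
                                        '<script src="http://example.invalid/x.js"></script>\n')
        (root / "images" / "cache").mkdir(parents=True)
        (root / "images" / "cache" / "thumb.php").write_text(
            "<?php eval(base64_decode('ZWNobyAxOw=='));\n")   # decodes to: echo 1;
        added, modified, removed = compare(baseline, build_manifest(root))
        hits = {p: suspicious_lines(root / p) for p in added + modified}
        return added, modified, removed, hits
```

Store the baseline manifest off the server (a pattern-free copy cannot be tampered with by whoever has FTP access), and re-run the comparison on a schedule so a daily re-infection shows up the same day.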
#12 / May 26, 2011 7:06pm
Thanks Sophie.
julienraby, can you clarify where the links are being injected? What URLs specifically are they showing up on? You can rename your domain to “mydomain.com” here for security.
#13 / May 26, 2011 11:04pm
Hey Brandon,
the links are being injected in the footer and they’re changing the title tag. They’re only cloaking it so the site is actually fine but Google doesn’t really like it 😊 I have no idea how they’re doing it. I believe they’re cloaking every page, so just by looking at any Google cached page of my site you would see what I’m talking about.
Thanks for helping,
Julien
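To confirm the cloaking Julien describes (a different title and extra footer links served to Google than to visitors), fetch the same page twice, once with a crawler User-Agent and once with a browser one, and diff the title and the link hosts. This is an added example, not from the thread; the User-Agent strings are typical values and the two HTML responses are constructed stand-ins for real fetches.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/4.0"

class PageSummary(HTMLParser):
    """Collect the <title> text and the hostname of every absolute href."""
    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._in_title = "", set(), False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.add(host.lower())
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def summarize(html):
    p = PageSummary()
    p.feed(html)
    return p.title.strip(), p.hosts

def fetch_as(url, user_agent):
    """Fetch url sending the given User-Agent (network; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode(r.headers.get_content_charset() or "utf-8", "replace")

def cloaking_diff(browser_html, bot_html):
    """What the crawler sees that a visitor does not: title change and extra link hosts."""
    b_title, b_hosts = summarize(browser_html)
    g_title, g_hosts = summarize(bot_html)
    return {"title_changed": b_title != g_title, "bot_only_hosts": sorted(g_hosts - b_hosts)}

# Constructed sample responses standing in for fetch_as(url, BROWSER_UA) / fetch_as(url, GOOGLEBOT_UA).
BROWSER_VIEW = '<html><head><title>My Site</title></head><body><p>Welcome</p><div id="footer"><a href="/about">About</a></div></body></html>'
BOT_VIEW = ('<html><head><title>Cheap pills online</title></head><body><p>Welcome</p><div id="footer">'
            '<a href="/about">About</a> <a href="http://spam.example/buy">buy</a> <a href="http://pills.example/">pills</a></div></body></html>')
```

A non-empty `bot_only_hosts` list or a changed title is the signature of the cloaking; an empty result after cleanup is the check that the fix held.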
#14 / May 27, 2011 6:57am
Julien,
You may actually have a trojan or malware on your own machine which may allow somebody, bot or otherwise, to enter your site via FTP. The trojan may be sending your FTP details to another source.
You need to a) determine if you are the only user with FTP account details for this host and b) run a virus scan on your own machine. Once you are certain you are clean, and only then, change your FTP password.
To be sure, even get your host to change the password for you.
Normally if you have this type of hack you will see files all change at the same time, usually each day, so no matter how many times you replace them with clean versions they will be replaced.
#15 / Jun 03, 2011 4:24pm
This happened to a client of mine as well, but the entry point was an out-of-date WordPress install that was hanging out on the server. Just another thing to check.