Welcome to the JaguarPC Community

This is a discussion on Site Hacked and files deleted in the Open Discussion & Chit-chat forum

  1. #1
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41

    Site Hacked and files deleted

    My site was hacked a few days ago. Whoever did it apparently is running a script on the server or on my site to change every file name that has 'index' in the file name, even the indexdefault.htm was changed. Every file with 'index' in the name, including in every directory was hacked. I replaced the index file last night before going to bed, and this morning when I got up I checked my site again and all files in the main directory that had 'index' in the file name were gone. I'm not sure what's going on, or why this is happening. I would really appreciate knowing that my site is safe and secure.

    I would like my experience to help others. Don't ever think your site is safe, backup, backup, backup!! I had backups, but not as current as JPC did, in fact they were so current that the backup was the hacked version of my site.

    I am currently looking for a more secure web hosting provider, because this is the second time one of my sites has been hacked with JPC.
    Last edited by DSD; 07-24-2006 at 08:57 AM.

  2. #2
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Yes. That does stink... to put it lightly.

    Are you on a shared, VPS, reseller, semi-ded, or dedicated server? If on a shared, there are, of course, more risks involved. You may need to consider a plan with fewer persons with access - wherever you go. Not a great option but one worth considering.

  3. #3
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    Just curious, do you know if your server is running PHP as CGI yet, or are you still running PHP as an Apache Module?

  4. #4
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41
    Ron - I have no idea. Why would it make a difference?

  5. #5
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,646
    I think PHP run as CGI is supposed to be more secure.

    I have to wonder since this has happened to you twice in a short period of time if you might not have a script running that can be exploited easily by hackers.

    I know nothing about PHP other than a few things I read here and elsewhere, but these are questions that come to my mind based on your post.

    There is a point I think that the security of a website is your (or my) responsibility.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  6. #6
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41
    Quote Originally Posted by Connie
    I think PHP run as CGI is supposed to be more secure.

    I have to wonder since this has happened to you twice in a short period of time if you might not have a script running that can be exploited easily by hackers.

    I know nothing about PHP other than a few things I read here and elsewhere, but these are questions that come to my mind based on your post.

    There is a point I think that the security of a website is your (or my) responsibility.

    This was something that happened to my entire site and every directory. A security hole in a script as I have been informed will only affect the directory the script is in. This was a hack that was used sitewide, because every directory with 'index' in the file name was hacked.

  7. #7
    VPS Client
    Join Date
    Mar 2006
    Location
    UK
    Posts
    258
    Surely that shows it's a problem on your site?

    If it was a server problem everyone hosted on that server would also have been affected and they would all be in here complaining.

    Have you asked JPC support to look into your site security, or do you think "moving to a more secure host" if you can find one and taking your security hole with you is really the solution? (Oh yeah, don't forget if it's your script causing a problem, they won't be secure for very long)

    The fact you have been hacked twice must tell you something, especially since there are no other sites complaining about the same thing.

  8. #8
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,646
    The fact you have been hacked twice must tell you something, especially since there are no other sites complaining about the same thing.
    My thoughts too.


  9. #9
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    Quote Originally Posted by DSD
    This was something that happened to my entire site and every directory. A security hole in a script as I have been informed will only affect the directory the script is in. This was a hack that was used sitewide, because every directory with 'index' in the file name was hacked.
    This is not necessarily true. Most of the time, when sites are hacked, a rootkit type tool is installed which will allow access to more directories and files than are just in the sub directory.

  10. #10
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41
    Quote Originally Posted by Rebel007

    The fact you have been hacked twice must tell you something, especially since there are no other sites complaining about the same thing.
    I suppose it would tell me something had it been the same site hacked twice having the same files, but they were two very different sites.
    Last edited by DSD; 07-25-2006 at 08:31 AM.

  11. #11
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41
    Quote Originally Posted by mattsiegman
    This is not necessarily true. Most of the time, when sites are hacked, a rootkit type tool is installed which will allow access to more directories and files than are just in the sub directory.
    Can you explain to me in more detail how sites are hacked with a rootkit type tool? How is it installed? How do they gain access to the root directory?

    I would like to know, so I can figure out why and how my site was hacked, in order to hopefully prevent it from happening in the future.

  12. #12
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    I don't know the specifics, usually it involves a Forum, Upload or Comment script because those have two properties: they either send lots of queries to the server that need to be checked for bad data, or they upload files to the server which may contain malicious code.

    The best way to protect yourself is use the latest board version with the latest security patches.

    Also, the PHP to CGI thing should help with some potential PHP issues due to some problems with how PHP works.

    Honestly, though, I'd need more info on what is running on your site to even come up with a good sounding answer. I'm not a security expert, but I know a few things about it.

  13. #13
    DSD
    JPC Member
    Join Date
    Apr 2004
    Posts
    41
    Quote Originally Posted by mattsiegman
    I don't know the specifics, usually it involves a Forum, Upload or Comment script because those have two properties: they either send lots of queries to the server that need to be checked for bad data, or they upload files to the server which may contain malicious code.

    The best way to protect yourself is use the latest board version with the latest security patches.

    Also, the PHP to CGI thing should help with some potential PHP issues due to some problems with how PHP works.

    Honestly, though, I'd need more info on what is running on your site to even come up with a good sounding answer. I'm not a security expert, but I know a few things about it.
    Does a script actually have to be installed and running in order for it to be a security risk? I have some scripts that are on my site but aren't actually installed and connected to mysql yet. The files are just sitting there, because I haven't had the time to fully install the scripts.

    Thank you for your feedback.

  14. #14
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    If the vulnerability doesn't involve access to the database, then absolutely yes.

  15. #15
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Absolutely yes! A good number of applications come with install scripts that you are expected to delete right after the install. The running application often informs you of this, but well, if you don't have it running, you won't ever see that warning, right? Having a number of unzipped but otherwise untouched install packages hanging around accessible from the web is a definite security risk.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
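
An added example, not part of the original thread: one way to audit a web root for the leftovers described in the post above (installer scripts, unpacked installer directories, and package archives still reachable from the web). The file and directory names in the lists are assumed common conventions rather than anything named in the thread, and the sample site tree is constructed.

```python
import os
import tempfile

# Assumed naming conventions; extend them for the applications you actually unpacked.
INSTALLER_FILES = {"install.php", "installer.php", "setup.php", "upgrade.php"}
INSTALLER_DIRS = {"install", "installer", "setup"}
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".tar.bz2")


def find_install_leftovers(webroot):
    """Return sorted (relative_path, reason) pairs that deserve manual review."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [p.lower() for p in rel_dir.split(os.sep)]
        in_installer_dir = any(p in INSTALLER_DIRS for p in parts)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            lower = name.lower()
            if lower in INSTALLER_FILES:
                findings.append((rel, "installer script"))
            elif lower.endswith(ARCHIVE_SUFFIXES):
                findings.append((rel, "package archive"))
            elif in_installer_dir and lower.endswith(".php"):
                findings.append((rel, "script inside installer directory"))
    return sorted(findings)


def demo():
    """Build a constructed sample site in a temp directory and audit it."""
    sample = [
        "index.php", "forum/index.php", "forum/config.php",
        "gallery/install/index.php", "gallery/install/install.php",
        "cart/setup.php", "downloads/gallery-package.zip",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder ?>\n")
        return find_install_leftovers(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:36} {rel}")
```

The output is a review list, not a verdict: an archive offered as a deliberate download will also be flagged, so confirm each hit before deleting or moving it out of the web root.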
