
HELP - Website crashing

This is a discussion on HELP - Website crashing within the osCommerce 2.2 Discussion forums, part of the osCommerce 2.2 Forums category.

      
  1. #11
    osCMax Developer

    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Default Re: HELP - Website crashing

    Just because you can't see how a pw was compromised doesn't make it secure. If you are using plaintext ftp it is very easy to steal the pw with minimal effort.

    Check for keyloggers or viruses on the computers where the pw's are stored. If they are clean, good. Also check the server's /var/log/messages log if you have access to it. It logs all of the FTP logins and their IPs. If you see a login from an IP other than yours, the pw is compromised.

    Yes the sql script will wipe all the standard oscmax tables completely and reinstall fresh tables and data. If you need to keep your table structure, don't run the full sql script, edit it and grab the records you need and run the queries in phpmyadmin.
    Michael Sasek
    osCMax Developer


    osCmax Installation Service
    - Have our professionals install osCmax on your server - same day service!
    osCmax 2.5 User Manual - the must have beginners guide to osCmax v2.5

    Stay Up To Date with everything osCMax:
    Free osCmax Newsletters - Security notices, New Releases, osCMax News
    osCmax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation
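
An added example (not part of the original post) of the log check described in post #11: list FTP logins that came from addresses outside your own ranges. The log line shape is an assumption (pure-ftpd style syslog entries), and the sample lines, user name and address ranges are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape (pure-ftpd style syslog entry); adjust the regex for your FTP daemon.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd: "
    r"\(\?@(?P<ip>[0-9a-fA-F.:]+)\) \[INFO\] (?P<user>\S+) is now logged in"
)

def unexpected_ftp_logins(lines, trusted_networks):
    """Return {user: [(timestamp, ip), ...]} for logins from outside trusted_networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = defaultdict(list)
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a successful-login line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        if not any(ip in net for net in trusted):
            hits[m["user"]].append((m["ts"], str(ip)))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = """\
Oct 14 09:02:11 web1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Oct 14 09:02:12 web1 pure-ftpd: (?@192.0.2.10) [INFO] shopadmin is now logged in
Oct 15 03:41:07 web1 pure-ftpd: (?@203.0.113.77) [INFO] shopadmin is now logged in
Oct 15 03:41:09 web1 pure-ftpd: (?@198.51.100.23) [INFO] shopadmin is now logged in
Oct 15 03:41:30 web1 pure-ftpd: (?@198.51.100.23) [WARNING] Authentication failed for user [root]
Oct 15 08:15:00 web1 sshd[811]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
""".splitlines()

if __name__ == "__main__":
    # 192.0.2.0/28 stands in for "your" office range in this example.
    for user, events in unexpected_ftp_logins(SAMPLE_LOG, ["192.0.2.0/28"]).items():
        for ts, ip in events:
            print(f"{ts}  {user}  login from untrusted IP {ip}")
```

On a real server, pass the lines of /var/log/messages (and its rotated copies) instead of the sample list.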

  2. #12
    Member
    Join Date
    Apr 2009
    Posts
    57
    Rep Power
    4


    Default Re: HELP - Website crashing

    Hi Michael,

    I have customized a lot of pages so don't want a fresh install of files given it only looks like all records have been deleted - nothing else. Would there be a way the client could accidentally have done this in the admin site anywhere?

    Cheers

  3. #13
    osCMax Developer

    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Default Re: HELP - Website crashing

    No, there is no way the entire database can be deleted using normal admin procedures.
    Michael Sasek
    osCMax Developer



  4. #14
    jpf
    osCMax Testing Team
    Join Date
    Sep 2003
    Location
    Manitoba, Canada
    Posts
    2,699
    Rep Power
    22


    Default Re: HELP - Website crashing

    You lost everything - might as well reinstall.
    JPF - osCMax Forum Moderator - To contact, post on the forum or click here
    Try out our osCMax at: Live Catalog Demo
    Limited access Admin: Live Admin Demo
    Feel free to add products the way you want and then purchase them -=+=- Sorry nothing will be billed or shipped!

  5. #15
    Active Member
    Join Date
    Nov 2002
    Location
    Sydney
    Posts
    242
    Rep Power
    10


    Default Re: HELP - Website crashing

    Hi,

    Just read this and hope you got over your problems.

    We too have been hacked in a similar manner except they haven't got to the db.

    They change files especially all index files and some others right across the site.

    Check all the dates to see what files were changed and you will see all index on the same date, time. We checked server logs and they were logging in ftp from Romania, Bulgaria, Bangladesh, Sweden, Netherlands, Slovenia etc all within seconds of each other to access and upload index files with iframes and other Trojan crap in them.

    I checked some of the IP numbers and many were already banned by many IP banning sites.

    Cost me 2 weeks just changing passwords ad nauseum and index files for 10 clients with shops just to keep them or restore them online every day as this was a daily thing.

    Found some php files in image directories as well.

    Have been clean now for a while until yesterday and I can't believe it but I got stung again. How I don't know as all passwords have been changed twice. Must have missed an infected file when I did the last clean out or upload and it just timed out yesterday.

    All the years I've been free and now can't get rid of it..

    I have a clean XP system thanks to SpywareWarriors and using AVG Free 8.5, Malware Bytes and now got free 60 days Avast as it was the only one that picked these things up. Don't rely on 1 anti Virus Malware.

    Anyway, I hope others who get in a similar way, learn a little from this post.

    Make sure you have avast or good anti virus/malware enabled before you connect ftp to your server because you may bring the files down to your box. Then check the dates of all your files to see if any have been changed. Upload new clean files over them. Then check image dirs for any php files.

    Shame there seems to be no definitive way to stop them

    Good luck!

    oz
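
An added example (not part of the original post) of the three file checks described in post #15: files changed inside a suspect time window, PHP files sitting in image directories, and index files containing an iframe tag. The directory names `images`/`img`, the `index.*` naming and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

IFRAME_RE = re.compile(rb"<iframe\b", re.IGNORECASE)
IMAGE_DIRS = {"images", "img"}  # assumed directory names; adjust to the shop's layout

def triage(root, window_start, window_end):
    """Walk root; report files changed in the window, PHP under image dirs, iframes in index files."""
    report = {"changed": [], "php_in_images": [], "iframe_in_index": []}
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if window_start <= os.path.getmtime(path) <= window_end:
                report["changed"].append(rel)
            if parts & IMAGE_DIRS and name.lower().endswith((".php", ".phtml")):
                report["php_in_images"].append(rel)
            if name.lower().startswith("index."):
                with open(path, "rb") as fh:
                    if IFRAME_RE.search(fh.read()):
                        report["iframe_in_index"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def build_sample_site(root, old, recent):
    """Constructed sample tree: two untouched files, one altered index, one PHP file in images/."""
    files = {
        "index.php": (b"<?php echo 'shop'; ?><iframe src='http://example.invalid/' width=1></iframe>", recent),
        "product_info.php": (b"<?php echo 'product'; ?>", old),
        os.path.join("images", "logo.gif"): (b"GIF89a", old),
        os.path.join("images", "thumbs.php"): (b"<?php /* unexpected file */ ?>", recent),
    }
    for rel, (data, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

def demo():
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, old=now - 90 * 86400, recent=now - 3600)
        return triage(root, now - 86400, now)

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so treat the "changed" list as a starting point and compare against a known-clean backup where one exists.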

  6. #16
    osCMax Developer

    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Default Re: HELP - Website crashing

    oz, if you have them logging in via ftp, they somehow obtained a valid ftp password. The only way to protect against this is to close FTP to all but your specific secure IPs or domains. That way even if the password is compromised, the attack has to come from your machines, not the outside world.

    If you changed the FTP passwords and they grabbed them again, you have a hole somewhere in your organization (if on shared hosting, could also be someone you don't know putting your site at risk).
    Michael Sasek
    osCMax Developer



  7. #17
    Active Member
    Join Date
    Nov 2002
    Location
    Sydney
    Posts
    242
    Rep Power
    10


    Default Re: HELP - Website crashing

    Hi Michael,

    Yes that's what I thought and you are right. Except for 3 clients, I am it now for any connection except through admin and the front end browsing. I changed all passwords on all sites even my clients had new passwords and also my primary cpanel web host account.

    My server support who have been exceptionally good, tell me that I am the only one on the server who is infected.

    After the first infection a month ago which got to about 10 shops, that's when my XP box became infected and I am sure I was inadvertently allowing it in every time I ftp'd to clean them. Once I did change all the passwords, I still had problems on about 5 of the sites. My AVG found iframes on my XP box and then only Malware found some, so I decided to get Spyware Warrior to help me clean it up. We did this and full scans produced a clean box. All sites were clean for about 2 weeks, then a couple of days ago, one which I had not even looked at either front or admin, let alone ftp, went down. When I looked sure enough another iframe Trojan had got into the index's and this time more files, right across the shop.

    This is what scares me. I did not go anywhere near this site, all pwds were changed twice, it was clean for 2 weeks and then here it is out of the blue. Are these files like time bombs maybe?

    I took a file and uploaded it to the Jotti malware test site (Jotti's malware scan), and of all the anti-malware programs only 2 found it: Avast and Nod 32.

    So if AVG and Malwarebytes did not find it, I could still be reinfecting the sites whenever I used ftp.

    I got the free 60 days Avast and found about 20 infected files on the drive I have allocated for my websites. They were not in the directories that I uploaded to go over the infected files on my shared server, but maybe because they were on my drive they somehow could still infect whilst I was connected via ftp even to other sites. Not sure about that tho.

    It is so time consuming and really puts a lot of pressure on when you know clients are relying on their sites. If this happens again, until I get this clean I will put new versions of the sites on another server which I will access from another XP box, until I am sure my box and the sites are clean.

    One question though, if I connect ftp to 1 site on a shared server can an infection get to other sites I have not accessed or are they restricted to the actual site I am connected to?

    At the moment I have one site still down which I cannot get up although have uploaded a whole new catalog backup. I have made this another post in the hope I can get some help here as well.

    Many thanks Michael as always..

    oz

  8. #18
    osCMax Development Team
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    3,014
    Rep Power
    36


    Lightbulb Re: HELP - Website crashing

    Just an observation.
    Why persist in using Windows?
    Run Linux and put a stop to at least one backdoor.
    Set up Virtualbox and you can run Windows in that, when absolutely needed.

    Quoting oz: "One question though, If I connect ftp to 1 site on a shared server can an infection get to other sites I have not accessed or are they restricted to the actual site I am connected to."
    I do notice that some people use hosting providers that bundle domains all under one root. Whose bright idea is that? The cPanel servers that I've used all separate into individual domains. This surely provides at least one additional barrier for Trojans to traverse.
    Last edited by ridexbuilder; 10-15-2009 at 03:29 PM.
    Hosting plans with installation, configuration, contributions, support and maintenance.

  9. #19
    Active Member
    Join Date
    Nov 2002
    Location
    Sydney
    Posts
    242
    Rep Power
    10


    Default Re: HELP - Website crashing

    Hi,

    Don't the same virus and malware that I see on my XP box do the same damage on a Linux box?

    Our sites are on line on a shared Linux server, but the Desktop box I do all my work on is XP.

    Would it be more secure if I set up a Linux Desktop for all my web sites then transfer them to the online server?

    Trouble is all my graphic, DW and other progs are on my XP box so I would have to take the files back and forth from XP to the Linux Desktop, then to online.

    Or do I not understand what you are saying?

    Thanks,

    oz

  10. #20
    osCMax Developer

    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Default Re: HELP - Website crashing

    oz,

    You may have cleaned your infected sites, but you did not close the hole that they are using to get in. That is why you continually get re-hacked.

    If you are seeing FTP logins from these bad guys, that means your passwords are being compromised for FTP/Cpanel. You need to determine how the passwords are being obtained.

    I have dealt with this exact hack on other sites before, and the way the hole was closed was to patch all code to current, block all public access to the admin panel, and either disable public access to ftp or at the very least force the use of encrypted FTP logins. Other things to do include making sure suphp is running on the server as well as mod_security with current rulesets, and suhosin properly configured. Of course, on shared hosting, you don't really have the option of recompiling php, so do what you can.
    Michael Sasek
    osCMax Developer


