Thread: Server Issues Anyone have Ideas?

  1. #1
    Member commodityman's Avatar
    Join Date
    Jul 2011
    Location
    Cincinnati
    Posts
    58

    Server Issues Anyone have Ideas?

    Okay,

    I am going to try to explain what happened. Early this morning, I got a call from my webmaster/development company saying that my site was hacked, sending out trojans, and if someone was to go to a page on the site it would redirect them to a malicious site. In total they found ten files placed onto the server sending out spam and redirects. I have no idea how to do this. At the same time this was going on, the rankings for the site plummeted to nowhere to be found.

    I am trying to get a straight answer out of someone who may be versed in this area of having your server infected and doing this. It was hosted on a dedicated server; now I have to change the hosting because they believe I infected so many other servers, etc., which I don't understand how that happens either. Is there anyone, an expert, who is versed in how to recover from this and what to do to prevent this from happening in the future?

  2. #2
    Moderator SteveGerencser's Avatar
    Join Date
    Jan 2005
    Location
    Small town Tennessee
    Posts
    2,127
    What CMS, custom or open source? Server OS? When was the last patch put in place? Are the patches current? MySQL? Is it up to date? PHP? Up to date?

    Way too many questions at this point to give you any real advice.
    Dad always said, if you are good at something, make sure they pay you for it.
    Coming soon : SEO Pros Live Hangout on Air
    Internet Marketing | Animal Charms Animal Jewelry

  3. #3
    Member commodityman's Avatar
    Join Date
    Jul 2011
    Location
    Cincinnati
    Posts
    58
    The CMS was custom HTML, the server ran Linux, and had a blog on the site running WordPress, which was up to date. The last patch, I don't know; my web guy takes care of that, and I am assuming everything is up to date. Right now the server is being cleaned, and all computers that had access to the site through FTP are being scanned and cleaned.

  4. #4
    Moderator SteveGerencser's Avatar
    Join Date
    Jan 2005
    Location
    Small town Tennessee
    Posts
    2,127
    Which files were infected on the server?

  5. #5
    Member commodityman's Avatar
    Join Date
    Jul 2011
    Location
    Cincinnati
    Posts
    58
    10 files were placed on the server sending out redirects to malicious sites. From what I understand, the reason I am not receiving any messages in GWT for malware/viruses is because of the redirects. First time it has happened, so I guess I am going to learn a lot about internet security.

  6. #6
    Junior Member
    Join Date
    Nov 2011
    Location
    Melbourne, Australia
    Posts
    6
    [It was hosted on a dedicated server; now I have to change the hosting because they believe I infected so many other servers, ]

    Really?

    I believe there is something they are not telling you! The reality of the whole thing about VPS or dedicated server is that you can't infect them unless you have access to their login credentials.

    Which hosting company are you with? Are you on a VPS or a true Dedicated Server?

    Too little information here to really tell you where the problem has arisen.

  7. #7
    Junior Member
    Join Date
    Nov 2011
    Location
    Melbourne, Australia
    Posts
    6
    Actually, what I can tell you from past experience is the following:

    I've had a similar problem on a big hosting company. I had some sites that were hacked through the back entrance of the server.
    If a server is not set up securely, someone with shell access can actually log in through the back entrance, using the shell to write files into another user's directory, if the usual protocols are slack.

    The other way to write any file to your websites directory structure is via the web browser but this is only possible if your password was compromised.

    Your password can be easily compromised through many avenues.

    1. You have spy software on the personal computer you use to connect to and administer your site.
    2. The network from which you connect to the server is insecure and there are interceptors who are collecting your data as you log on to the server.
    3. The interceptor can be at any point on the path to the server. Most likely it is near your location; the other alternative is on the server itself where your website is hosted.
    4. There was already spy software on your hosting account within the code of your website (CMS).
    5. You use dictionary passwords for FTPing to the server or logging in via a browser.
    6. You used software that is already infected on your computer, collecting all your passwords etc.

    What can you do?
    1. Change your FTP passwords.
    2. Do a thorough virus and spyware scan of your computer.
    3. Change your computer passwords.
    4. Even your browsers store passwords - they too can be copied.
    5. Don't trust anyone using your computer.
    6. If you've worked with others editing your site then you need to regularly change your passwords once the work has finished.
    7. Get another PHP coder to check the code on your website for hidden spyware.

    Hope that would help you.


    But my professional opinion would be that the server (not your website), the one that has the root access, is the one that is compromised. It would indicate that the problem is server-wide and point to an account that has privileges to write to users' directories.

    Good luck!
    Last edited by ozdogan; 04-25-2012 at 08:57 PM.

  8. #8
    Senior Member alphaomega's Avatar
    Join Date
    Apr 2004
    Location
    Sunshine Coast, Australia
    Posts
    601
    Any password is compromisable. Just a matter of time. If you have a high-traffic website you are attractive to hackers. CHANGE PASSWORDS EVERY WEEK! All of them. Don't use one for all. Upload fresh from your backup. Make sure your computer is not affected by malware. Use secure FTP for uploads.

  9. #9
    Moderator SteveGerencser's Avatar
    Join Date
    Jan 2005
    Location
    Small town Tennessee
    Posts
    2,127
    Originally Posted by alphaomega:
    Any password is compromisable. Just a matter of time. If you have a high-traffic website you are attractive to hackers. CHANGE PASSWORDS EVERY WEEK! All of them. Don't use one for all. Upload fresh from your backup. Make sure your computer is not affected by malware. Use secure FTP for uploads.
    While this is generally good advice, it doesn't explain how his hacked password would help anyone gain access to other servers at the ISP. Something sounds very fishy there. (Formerly a partner in an ISP with hundreds of servers)

  10. #10
    Senior Member alphaomega's Avatar
    Join Date
    Apr 2004
    Location
    Sunshine Coast, Australia
    Posts
    601
    If his Control Panel password and user are known to hackers, then it would be a breeze to alter whatever they wish. I am not familiar with the history of the commodityman so I can't comment on that.
