web site hack

  • mharding
    Junior Member
    • May 2004
    • 3

    web site hack

    One of my websites has apparently been hacked, to no great effect, but I wonder how it was done.

    I've replaced the corrupted file. The good file is the index at www.markharding.org, the bad one is www.markharding.org/index_hack.html

    The bad one has all this viagra stuff added at the end - it doesn't actually display, but it slows down the load time, and how it was done eludes me. I noticed it as I watched the status bar while the page was loading.

    The added material is

    <div align="right" style="overflow:auto; height: 1px;"><a href="http://buy-xanax-cheap-xanax-online.com/"><img src="http://buy-xanax-cheap-xanax-online.com/xanax.gif" alt="effects xanax dosage" width="3" height="5" border="0"></a><a href="http://buy-vicodin-cheap-vicodin-online.com/"><img src="http://buy-vicodin-cheap-vicodin-online.com/vicodin.gif" alt="vicodin side effects" width="3" height="5" border="0"></a><a href="http://x-hydrocodone.info/"><img src="http://x-hydrocodone.info/hydrocodone.gif" alt="effects hydrocodone overdose" width="3" height="5" border="0"></a><a href="http://x-phentermine.info/"><img src="http://x-phentermine.info/phentermine.gif" alt="cheapest phentermine diet pills" width="3" height="5" border="0"></a><a href="http://buy-cialis-cheap-cialis-online.info/"><img src="http://buy-cialis-cheap-cialis-online.info/cialis.gif" alt="lilly cialis bestellen" width="3" height="5" border="0"></a><a href="http://cialis-levitra-viagra.com.cn/"><img src="http://cialis-levitra-viagra.com.cn/cialis-levitra-viagra.gif" alt="cialis online buy levitra cheap viagra" width="3" height="5" border="0"></a><a href="http://buy-levitra-cheap-levitra-online.info/"><img src="http://buy-levitra-cheap-levitra-online.info/levitra.gif" alt="vardenafil levitra uk" width="3" height="5" border="0"></a><a href="http://7x.cc/"><img src="http://7x.cc/hgh.gif" alt="natural hgh products" width="3" height="5" border="0"></a><a href="http://sq7.co.uk/"><img src="http://sq7.co.uk/diet-pills.gif" alt="effects diet pills safe" width="3" height="5" border="0"></a><a href="http://buy-adipex-cheap-adipex-online.com/"><img src="http://buy-adipex-cheap-adipex-online.com/adipex.gif" alt="discount adipex information" width="3" height="5" border="0"></a><a href="http://buy-phentermine-cheap-phentermine-online.com/"><img src="http://buy-phentermine-cheap-phentermine-online.com/phentermine.gif" alt="purchase phentermine addiction" width="3" height="5" border="0"></a><a 
href="http://buy-hydrocodone-cheap-hydrocodone-online.com/"><img src="http://buy-hydrocodone-cheap-hydrocodone-online.com/hydrocodone.gif" alt="oxycodone hydrocodone acetaminophen" width="3" height="5" border="0"></a><a href="http://buy-valium-cheap-valium-online.com/"><img src="http://buy-valium-cheap-valium-online.com/valium.gif" alt="valium side effects" width="3" height="5" border="0"></a><a href="http://buy-lortab-cheap-lortab-online.com/"><img src="http://buy-lortab-cheap-lortab-online.com/lortab.gif" alt="does lortab withdrawal" width="3" height="5" border="0"></a><a href="http://detox-products-online.com/"><img src="http://detox-products-online.com/drug-test-detox.gif" alt="liver detox marijuana drug test" width="3" height="5" border="0"></a>r1a2ba</div>

    Any thoughts?
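Added example, not part of the original thread or any poster's code: a Python check a site owner could run over their own pages to spot the kind of block quoted above, off-site links placed inside an element styled to be invisible. The names `scan` and `HiddenLinkFinder`, the hiding heuristics, and the sample page with its `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide a block: 0-2px height/width, display:none, visibility:hidden.
# The lookbehind keeps "line-height" / "min-width" from matching.
HIDING_STYLE = re.compile(
    r"(?<![\w-])(?:height|width)\s*:\s*[0-2]px|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I)
VOID = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class HiddenLinkFinder(HTMLParser):
    """Collects off-site hosts referenced inside elements styled to be invisible."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.depth = 0       # nesting depth inside the outermost hidden element
        self.findings = []   # external hosts seen in hidden blocks, first-seen order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.depth:
            if tag not in VOID:
                self.depth += 1
        elif tag not in VOID and HIDING_STYLE.search(a.get("style") or ""):
            self.depth = 1
        if self.depth:
            for key in ("href", "src"):
                host = (urlparse(a.get(key) or "").hostname or "").lower()
                own = host == self.own_host or host.endswith("." + self.own_host)
                if host and not own and host not in self.findings:
                    self.findings.append(host)

    def handle_endtag(self, tag):
        # Heuristic: assumes tags inside the hidden block are properly closed.
        if self.depth and tag not in VOID:
            self.depth -= 1

def scan(html, own_host):
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample modelled on the block in the post; hosts are placeholders.
SAMPLE = ('<html><body><p><a href="http://visible.example/">normal link</a></p>'
          '<div align="right" style="overflow:auto; height: 1px;">'
          '<a href="http://pills-one.example/"><img src="http://pills-one.example/a.gif"'
          ' width="3" height="5" border="0"></a>'
          '<a href="http://pills-two.example/"><img src="http://pills-two.example/b.gif"'
          ' width="3" height="5" border="0"></a>r1a2ba</div></body></html>')
print(scan(SAMPLE, "www.markharding.org"))
```

A non-empty result on a page you did not edit that way is a reason to compare the file against a known-good copy and review FTP and access logs for the time it changed.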
  • ChrisTech
    Senior Member
    • Mar 2004
    • 530

    #2
    What scripts do you have loaded on your site? That would be the best place to start. Oh, and that you have a password that isn't an easy guess.
    Hosting at Dathorn since March 2003!

    My Interwebs speed on Charter Cable!


    • mharding
      Junior Member
      • May 2004
      • 3

      #3
      no scripts, unguessable password, but I believe that I've noticed sometimes that other users' files have appeared in my directories - I guess that's shared hosting. I assume that if somebody knew my password they'd wreak more havoc...


      • ChrisTech
        Senior Member
        • Mar 2004
        • 530

        #4
        Originally posted by mharding
        no scripts, unguessable password, but I believe that I've noticed sometimes that other users' files have appeared in my directories - I guess that's shared hosting. I assume that if somebody knew my password they'd wreak more havoc...
        When "other files" have magically appeared in your directory, did you change your password, did you create a trouble ticket about it?

        • mharding
          Junior Member
          • May 2004
          • 3

          #5
          No - they weren't bad files. It was just like somebody's FTP upload had landed in the wrong place. I don't remember the details very well - at the time I felt that no action was necessary, but I'll look out for it happening again. Since I don't run any scripts, and the nature of the change to my index file was both relatively benign and not implemented correctly, it would seem unlikely to me that my password has been compromised. I assume that somebody else's script vulnerability has given limited access to my directories - I was just wondering if this is a known problem, and if the actual content of the hack is of any interest.


          • Amitabh
            Member
            • Mar 2004
            • 78

            #6
            If some other account's pages are appearing in your webspace, this is something that Andrew should be looking into. Having said that, it seems highly unlikely. I think you should contact support for more details on this.


            • AndrewT
              Administrator
              • Mar 2004
              • 3653

              #7
              Originally posted by mharding
              No - they weren't bad files. It was just like somebody's FTP upload had landed in the wrong place. I don't remember the details very well - at the time I felt that no action was necessary, but I'll look out for it happening again. Since I don't run any scripts, and the nature of the change to my index file was both relatively benign and not implemented correctly, it would seem unlikely to me that my password has been compromised. I assume that somebody else's script vulnerability has given limited access to my directories - I was just wondering if this is a known problem, and if the actual content of the hack is of any interest.
              Someone else's scripts cannot give access to your files. The only way this could have been done is with access to that domain directly or through insecure scripts on your domain.