Re: hacked!!


 



On 10/3/2014 11:20 AM, Richard wrote:


------------ Original Message ------------
Date: Friday, October 03, 2014 11:07:52 -0400
From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Subject: Re:  hacked!!

On 10/3/2014 11:04 AM, Richard wrote:


There are a range of potential vectors, potentially including your
php code, so I would suggest looking at the server (both the web
server and system-level) logs to see if you can identify the
source/manner.

     - Richard


I have no files with passwords stored in the web accessible tree.
Also, I have no idea what to look for in any logs.

The simple act of ftp-ing into a host, as you imply you do, (with
the default, insecure ftp setup) can expose your credentials.

   > Does this mean someone figured out my site password

When looking at logs, start by looking for actions that took place
around the time(s) that the files were placed on your system. As
there's no guarantee that the file timestamps are accurate, look at
the directory timestamps too (assuming you haven't touched things
there of late). In web server logs look for actions that are
"unusual" (not simple file retrieval, or whatever is standard on
your site). In system logs (which you may not have access to), look
for ftp logins that come from non-standard locations.

This is shared, not virtual, hosting - correct? With shared hosting
there can be higher-level issues if the overall hosting isn't
secured properly.


     - Richard


All of this is way beyond my pay grade. Yes it is shared hosting that is very reliable usually. First trouble in 10+ years.

Two files have been altered and replaced - both index.xxx files. Minor insertion of some js code that called some other site.

Normal use of my site is to look at things, no uploads, no downloads, no ftp-ing done except by me at my home. Yes - I can alter my FileZilla to use sftp I suppose but I'm still concerned about how to prevent this same attack from occurring again today or tomorrow. Does this mean that I should alter my master pswd for the site as well as any protected folders I have set up in the webtree?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
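
The log review suggested earlier in the thread (look for requests that are not simple file retrieval, close to the time the files changed, and check the directory timestamp as well as the file's), as an added example that is not part of the original messages. It assumes Apache combined-format access logs; the function names, sample lines, addresses and paths are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined log format (assumed): host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ROUTINE_METHODS = {"GET", "HEAD"}  # "simple file retrieval"


def modification_times(path):
    """Return (file mtime, parent directory mtime) as UTC datetimes. The directory
    mtime moves when entries are created, removed or renamed inside it."""
    parent = os.path.dirname(os.path.abspath(path))
    return tuple(
        datetime.fromtimestamp(os.path.getmtime(p), tz=timezone.utc)
        for p in (path, parent)
    )


def unusual_requests(log_lines, modified_at, window=timedelta(minutes=30)):
    """Return (time, host, method, path, status) for every request within `window`
    of `modified_at` (timezone-aware) that is not plain retrieval."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - modified_at) <= window and m["method"] not in ROUTINE_METHODS:
            hits.append((ts, m["host"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines (documentation-range addresses, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2014:02:10:05 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Oct/2014:02:14:41 -0400] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "curl/7.30"',
    '198.51.100.23 - - [03/Oct/2014:02:15:02 -0400] "PUT /index.html HTTP/1.1" 405 230 "-" "curl/7.30"',
    '203.0.113.7 - - [03/Oct/2014:09:30:00 -0400] "POST /contact.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    changed = datetime(2014, 10, 3, 2, 15, tzinfo=timezone(timedelta(hours=-4)))
    for hit in unusual_requests(SAMPLE_LOG, changed):
        print(*hit)
```

On a site that is read-only for visitors, any POST or PUT near the modification time deserves a closer look; FTP logins from unfamiliar addresses are recorded in the system logs and have to be checked separately.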




