Re: hacked!!

------------ Original Message ------------
> Date: Friday, October 03, 2014 13:05:48 -0400
> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> To: php-general@xxxxxxxxxxxxx
> Subject: Re:  hacked!!
>
> On 10/3/2014 11:20 AM, Richard wrote:
>> 
>> 
>> ------------ Original Message ------------
>>> Date: Friday, October 03, 2014 11:07:52 -0400
>>> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
>>> To: php-general@xxxxxxxxxxxxx
>>> Subject: Re:  hacked!!
>>> 
>>> On 10/3/2014 11:04 AM, Richard wrote:
>>>> 
>>>> 
>>>> There are a range of potential vectors, potentially including
>>>> your php code, so I would suggest looking at the server (both
>>>> the web server and system-level) logs to see if you can
>>>> identify the source/manner.
>>>> 
>>>>      - Richard
>>>> 
>>>> 
>>> I have no files with passwords stored in the web accessible tree.
>>> Also, I have no idea what to look for in any logs.
>> 
>> The simple act of ftp-ing into a host, as you imply you do, (with
>> the default, insecure ftp setup) can expose your credentials.
>> 
>>    > Does this mean someone figured out my site password
>> 
>> When looking at logs, start by looking for actions that took place
>> around the time(s) that the files were placed on your system. As
>> there's no guarantee that the file timestamps are accurate, look
>> at the directory timestamps too (assuming you haven't touched
>> things there of late). In web server logs look for actions that
>> are "unusual" (not simple file retrieval, or whatever is standard
>> on your site). In system logs (which you may not have access
>> to), look for ftp logins that come from non-standard locations.
>> 
>> This is shared, not virtual, hosting - correct? With shared
>> hosting there can be higher-level issues if the overall hosting
>> isn't secured properly.
>> 
>> 
>>      - Richard
>> 
>> 
> All of this is way beyond my pay grade.  Yes it is shared hosting
> that is very reliable usually.  First trouble in 10+ years.
> 
> Two files have been altered and replaced - both index.xxx files.
> Minor insertion of some js code that called some other site.
> 
> Normal use of my site is to look at things, no uploads, no
> downloads, no ftp-ing done except by me at my home.  Yes - I can
> alter my filezilla to use sftp I suppose but I'm still concerned
> in how to prevent this same attack from occurring again today or
> tomorrow.  Does this mean that I should alter my master pswd for
> the site as well as any protected folders I have setup in the
> webtree?

If you can't figure out what the vector was (or confirm what it
wasn't) then any suggestions made and anything you do is simply
guessing. Without any sense of what the issue(s) might be, there is
nothing that anyone can really suggest that will honestly keep this
from occurring again. 

That said, I would strongly recommend that you switch to sftp (and
change your ftp password). That's a commonsense change that will
help to eliminate that vector, though that may not have been the
source of your current problem.

If it's "beyond [your] pay grade" then you should hire someone who
can do the forensics, if you care. [though in a shared hosting
environment getting to the necessary logs can be tricky.]

As a note, in this day and age, I strongly recommend against shared
hosting. There was a time when it was cost-effective, but at this
point in time, virtual hosting is a much better approach. With
virtual hosting you are rather more protected from others on the
same hardware and often have access to the logs, so can see what's
going on.


   - Richard
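Added example, not part of the thread: a small Python triage script that does what Richard's quoted advice describes, taking the altered file's mtime (from `stat`), keeping only access-log entries within a window around it, and flagging anything that is not a simple retrieval of a static file. It assumes the host writes Apache/nginx "combined" format logs; the sample log lines, addresses and mtime below are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumption: the host logs in it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# What "simple file retrieval" looks like on this kind of site; tune per site.
STATIC_EXT = ('.html', '.htm', '.css', '.js', '.png', '.jpg', '.gif', '.ico')

def parse_line(line):
    """Return one parsed log entry, or None if the line is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['when'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    e['status'] = int(e['status'])
    return e

def is_unusual(e):
    """True unless this is a successful GET/HEAD of a static file or directory."""
    path = e['path'].split('?', 1)[0].lower()
    plain_get = e['method'] in ('GET', 'HEAD') and e['status'] < 400
    static = path.endswith(STATIC_EXT) or path.endswith('/')
    return not (plain_get and static)

def suspicious_requests(lines, modified_at, window=timedelta(minutes=30)):
    """Entries within +/- window of the altered file's mtime that are not plain retrievals."""
    lo, hi = modified_at - window, modified_at + window
    hits = [e for e in map(parse_line, lines)
            if e and lo <= e['when'] <= hi and is_unusual(e)]
    return sorted(hits, key=lambda e: e['when'])

# Constructed sample access log (not from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Oct/2014:09:41:02 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Oct/2014:09:41:03 -0400] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2014:09:52:17 -0400] "POST /admin/upload.php HTTP/1.1" 200 231 "-" "curl/7.30"
198.51.100.7 - - [03/Oct/2014:09:52:40 -0400] "GET /nonexistent.php HTTP/1.1" 404 190 "-" "curl/7.30"
192.0.2.44 - - [03/Oct/2014:14:10:00 -0400] "POST /contact.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
""".splitlines()
# mtime of the altered index file as reported by `stat` (constructed value).
INDEX_MTIME = datetime.strptime('03/Oct/2014:09:53:00 -0400', '%d/%b/%Y:%H:%M:%S %z')

if __name__ == '__main__':
    for e in suspicious_requests(SAMPLE_LOG, INDEX_MTIME):
        print(e['when'], e['ip'], e['method'], e['path'], e['status'])
```

Because file timestamps can be forged, run it once more with the parent directory's mtime as `modified_at`, as the quoted message suggests.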

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php