4

I'm suffering from a spam hack where my site periodically starts to show Viagra spam to Google and other spiders. The method of the hack is basically that my .htaccess file gets modified to route all requests through a file called "common.php", which is a big chunk of base64 encoded evilness.

I've noticed it happening on a weekly basis: every time I remove the hacked files, it pops back up a few days later. These are the steps I've already taken to secure things:

  • Changed my FTP password

  • Scanned my (shared hosting) directories for world-writable (777) files/folders and changed them to 755 or something more appropriate

  • Removed old copies of Wordpress from unused directories (the site itself is a custom-written PHP CodeIgniter app)

  • Downloaded the entire site to my local box and scanned the directories for occurences of strings like "base64" and ".ru" (spam domains?).

I'm a little uncertain what to do next as the problem still seems to be there. Is there some smart shell command I can run to figure out how these files are being uploaded? When I last checked, the .htaccess file was edited today by my own FTP user despite me changing the password a week ago and logging out any logged-in users. I don't leave it logged in on public machines, and a few other administrators of the site haven't been given the new password yet.

Any tips / ideas gratefully received. I'm happy to provide the output of any specific commands as needed.

Matt

Matt Andrews
  • 141
  • 2
  • 2
    Have you made sure every file-writing attempt of your CMS is sanitized when it depends on user-input? – TimWolla Jan 15 '12 at 15:39
  • Well, I use CodeIgniter's Input class, which has security filtering built in and XSS filtering: http://codeigniter.com/user_guide/libraries/input.html -- could be something dodgy though. The problem is that I can't seem to find the shell script or whatever that's doing it. – Matt Andrews Jan 16 '12 at 10:50

3 Answers3

1

If your webhost provides SSH / SCP / SFTP access, check if there are any unexpected entries in your .ssh/authorized_keys file in your home directory. (If you haven't added any keys yourself, the file shoudn't even exist.)

Also, since you mentioned you're using WordPress, these instructions might be helpful.

Finally, you probably should contact your hosting provider and let them know what happened — it's in their interest too to keep your site secure. They may be able to help you fix security holes you didn't think of, and they can also help you monitor your site (e.g. through webserver access logs) to detect future hacking attempts.

Ilmari Karonen
  • 9,102
  • 1
  • 24
  • 41
1

It's very well possible, that somebody gained access to the server itself. Since it's a shared hosting, this is not necessarily through your site, the problem can be every site hosted on this server.

In this case you woudn't be able to do much, because the attacker has the same priviledges as you, or even more. In every case i would inform your provider, he should be able to prevent further attacks.

martinstoeckli
  • 940
  • 1
  • 7
  • 11
  • 1
    If other users of your shared webhost can access your files, you should either a) fix your file permissions or, if that doesn't help, b) switch to a more competent hosting provider. – Ilmari Karonen Jan 17 '12 at 17:25
  • @Ilmari Karonen - Actually i don't suspect other users of the server, rather i think that an attacker has possibly gained admin rights, because of a security hole of a site hosted on the same server. And yes, the provider should make sure, this can't happen. – martinstoeckli Jan 17 '12 at 20:18
  • OK, fair enough. If the server has been rooted, there's indeed nothing you can do except alert your hosting provider ASAP and hope they can fix it. – Ilmari Karonen Jan 17 '12 at 20:30
0

I use websitedefender.com on a number of the sites I manage, as it supports wordpress along with other types of site and is presently free - it's been very effective at spotting infections quickly and aiding the lockdown process.

toomanyairmiles
  • 12,555
  • 2
  • 26
  • 49