My website was hacked!
 

I have a website at www.travelersvideo.com. I check it from time to time to make sure everything is okay and looked at it today. Apparently, my home page (index.htm) was hacked and a bunch of links to various adult sites were inserted. I immediately downloaded the index.htm page to save as reference, and uploaded the clean index.htm. The site is safe if you want to see it.

Reviewing the source code for the hacked index page, I found a bunch of links, along with some java script.

How could this have happened? No one has the password to my account at my web host except me. I don't understand how someone could have gotten access to my index page. Needless to say, I'm pretty ticked off and I'm looking for someone to blame.

Any of you IT gurus have any ideas?

---------------------------------------------

It now appears that all my web pages were hacked. It was easy enough to FTP the non-hacked ones back to the my site, but this is very disturbing. Judging by the dates of the files, there were two separate attacks, one on April 6th, and one on April 14th.

Should I abandon this web host and get another?

First thoughts would be with a crappy web hoster that didn't upgrade vulnerabilities in their webserver.

Along the lines of what ScottC said, I think some app somewhere on the server was at risk. The potential irony is that this week's Security Now was all about SQL code injection vulnerabilities. Depending on how your hosting company's server is setup, it may not even be your fault. If they only have one instance of SQL running, for instance, and someone else is using a vulnerable app then it could give a malicious hacker access to the entire server...thus your page was just a victim and not even the subject of an attack.

That being said, a little more info would be helpful (not only from a diagnosis standpoint but perhaps to help others)... For instance, almost every budget or even 'business' plans, hosting companies only supply FTP and not SFTP. Since FTP is soooo hackable, that alone could be the problem. Then again, if your run any 'apps' on your page, they could have exploits.

I use Joomla to host some of my sites and I've noticed that the security is good, but not boomproof by far... Anyway, a little more info would be helpful.... and if you hear more from your hosting company, please keep up posted! I think we are all very curious as to what the problem may have been (and how to prevent it).

you know... I was looking at your site... I'm pretty sure all your photos were hacked and are infected with some henious virus... I'm guessing all your copies are runied too... I guess, I mean I dont mind, if you want I'd be glad to go back and take them again if you need some help...just send me the tickets :D

I just looked at your site.... are you sure you uploaded a new index.htm?

At the end of your </html> tag, there are a bunch of "interesting" links.

If you didn't do this, then I think your hosting company has some serious problems and you need to look for a new one.

[shameless plug]I recommend Yahoo! web hosting for basic web sites[/shameless plug]

Unbelievable! It must have been hacked again. I'm definitely changing web hosts tomorrow.

Looks like your hosting company was hacked :eek:

A look at http://msshost.com is well... a mess. :(

Interesting.
They probably didnt update the server in a long time. I run my own server, and with cpanel, it auto updates and patches everything. Makes life easy :) I remember running ensim and it didn't do that.
But you know that your site is popular :) Go with a big name hosting company is all I can really say. Also the CHMOD (the read/write options) might be set on the main page for anybody to change it. I would recommend changing those (basically in a ftp client right click on the index file)

This is actualy fairly common, we went through it a couple months ago at the office.

Using different issues in security, people are hacking into ISP's and making global changes to all the websites they can get access to. It doesn't need your username or password, it's just going directory by directory on the server making changes. It almost always happens on weekends so it goes unnoticed until the business day on Monday.

Your host needs to stop it, so drop them a note if you haven't done so already and let them know. If you use your host to keep any personal files like passport copies or anything like that so you can access them, consider they may have been compromised, and get them off there.

It's not fun to fix, but they go from host to host doing this.

"Middleware" is my nominal area of expertise. While I can't comment specifically on what happened to your site, I see almost daily announcements of security vulnerabilities for web serving and associated software. Most of these are never seen by the public and are fixed before they can be exploited by hackers.

If your web host is not on top of things on a daily basis they are simply relying on "security through obscurity" to prevent attacks.

If they haven't been -extremely- proactive in communicating with you about the problem, I would seriously think about finding another host for your domain,.

Unfortunately, it's more than a mess. There's some pretty scary stuff up there. That's why I'm calling the FBI tomorrow morning.

I checked -- only the owner, i.e. me, has read/write, everyone else is read.

My site isn't that popular. I suspect everyone hosted on the server got attacked this way.

One thing I'm considering: My webpages were hacked to include links to both porno sites and some legit services. I've tracked a couple of the legit services down. These are direct links, not the usual pay-per-click through Google, so at some point they must have employed some service to spread their name around. I'm seriously thinking of writing them a letter advising them that, as principals for whatever agent did this, they're liable for violation of 15 U.S.C. Sec. 1125(a) (Section 43(a) of the Lanham Act) and demanding an accounting and damages or I'll sue (I do these kinds of law suits all the time).

It might be interesting. :)

Interesting. That explains why only my webpages were changed, but not other .htm pages that internal defaults, e.g. "404 Not Found" and the like. What amazes me is it happened at least twice, as I had uploaded cleaned versions an hour or so before Peetah noticed my site was compromised again. Judging by the change dates of the files, there were three separate attacks -- one last week, one on Saturday, and then the one tonight. I just checked and everything looks okay now.

I did just that -- sent two trouble tickets and pulled off my passport copy. Hmmm. There are a bunch of photos of FlyerTalkers from one of BJ's Redwood Grill Dos still up. ;)

Interesting. they use cPanel.
I use cPanel.
I better check my security.....

Your site upgraded to Apache 1.3.17 today. That is the latest legacy security release. The previous site update was to 1.3.33 on January 12th.

The current release of Apache is 2.2.4