Question about hacking

Started by HockeyGod, April 01, 2012, 04:43:34 PM


HockeyGod

So, an organization with whom I am affiliated recently experienced a website hacking of sorts. Basically the hacker added code to their website so when their website is searched on any search engine they are redirected to a malicious website where a virus waited patiently.

To remedy we erased all files on the server and replaced them with archive files from nearly 3 months ago. Now when you search for the website you are redirected to google.

Anyone have thoughts on this? Do you think the redirect code is still there? Is it odd that google sends people to a website without the "www" when their website does in fact have "www?" Why would the engines be sending people to google?

Vekseid

I'd really have to see the site in question to tell you. PM or IM me if you want.

Vekseid

alx sent the link.

Something might have happened to make Google think you preferred that one. You can sign into their Webmaster Tools to fix that, or alternately set up a redirect using .htaccess rules to force the www.

It's probably not related to the hacking. I don't see any suspicious headers getting returned.

HockeyGod

Quote from: Vekseid on April 01, 2012, 05:57:38 PM
alx sent the link.

Something might have happened to make Google think you preferred that one. You can sign into their Webmaster Tools to fix that, or alternately set up a redirect using .htaccess rules to force the www.

It's probably not related to the hacking. I don't see any suspicious headers getting returned.

Thanks Veks, that is very helpful!  ;D

HockeyGod

Just to follow up and give an update.

First, I learned that the infected file resided in the non-www site. I was going mad trying to find any coding in the www. That certainly brought some relief.

We did in fact find a redirect within the coding on the site. The redirect was to a .ru extension. We thought all was well if we removed the coding. We discovered that the .htaccess file keeps getting replaced. We believe that the Apache server setting has a redirect from an infection. We're going to try a couple of things...

1. We thought about creating a read only .htaccess so that if this virus was designed to add an .htaccess file we might be able to stop it by putting a file there that no one can replace. Not sure about this, but it's worth a try.

2. We have requested shell access to the server; with the account login information we should be able to take a deeper look at the control panel.

Viruses and hacking suck.

Vekseid

1) Check to make sure all of your login credentials to whatever control panel you use are secure and unique. Change them if you haven't already.
2) Remove any authorized_keys in the .ssh directory unless you know they belong there. Similarly, any 'additional accounts' that might have access.
3) Check your crontab. This might show up as 'scheduled tasks' or something similar in your control panel. If there is something there that you don't already know about, it means your account did get compromised somehow.
4) Check any other scripts that you might be running. Any file with an execute permission set that is not a directory is suspect. Ideally, you should have zero.
5) It is possible that another account on your host's server is compromised. Make sure all global and group write permissions are disabled. chmod 644, generally.

In that order.

It's also possible that the host, itself, is compromised. There's little to do in that case except go to a better host, I'm afraid.
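The filesystem parts of that checklist (items 4 and 5) together with the .htaccess redirect HockeyGod found can be scripted so they are repeatable after each cleanup. This is an added example, not code from the thread or from either poster; it builds a constructed throwaway web root (`WEBROOT`) so it runs stand-alone, and the hostnames and file names in the fixture are made up.

```shell
#!/bin/sh
# Post-compromise filesystem audit for a shared web host.  Added example,
# not code from the thread; WEBROOT below is a constructed throwaway tree.
umask 022

# Item 4: regular files carrying any execute bit (a plain site needs none).
find_executables() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) | sort
}

# Item 5: anything writable by group or others, which lets a neighbouring
# account on the same host plant or replace files such as .htaccess.
find_group_world_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) | sort
}

# The symptom in the thread: a rule that redirects off-site, often paired with
# a RewriteCond on the referrer so only visitors arriving from a search engine
# are sent away (the owner browsing directly never sees it).  grep may match
# nothing, so each call is followed by ':' to keep the exit status zero.
htaccess_findings() {
    grep -nE '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]].*https?://' "$1" || :
    grep -nE '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}' "$1" || :
}

audit_report() {
    echo "== executable files under $1"; find_executables "$1"
    echo "== group/world-writable paths under $1"; find_group_world_writable "$1"
    for f in "$1"/.htaccess "$1"/*/.htaccess; do
        if [ -f "$f" ]; then echo "== redirect rules in $f"; htaccess_findings "$f"; fi
    done
}

# Constructed fixture: one clean page, a planted executable inside a
# world-writable upload directory, and an .htaccess with a referrer-gated
# redirect.  Removed again when the script exits.
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/uploads" && chmod 777 "$WEBROOT/uploads"
printf '<html>ok</html>\n' > "$WEBROOT/index.html"
printf '#!/bin/sh\n' > "$WEBROOT/uploads/cache.php" && chmod 755 "$WEBROOT/uploads/cache.php"
cat > "$WEBROOT/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://malicious.example.ru/ [R=302,L]
EOF

audit_report "$WEBROOT"
```

Point the three functions at the real document root instead of the fixture; crontab entries and `~/.ssh/authorized_keys` (items 2 and 3) still need to be read by hand.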