
Thread: Getting Hacked Repeatedly - Advice?

  1. #1
    Senior Member (joined Nov 2008, Hyrule, 438 posts)

    Getting Hacked Repeatedly - Advice?

    I've been under a fair amount of stress over the past month because my site that I've had since 2005 has been hacked twice. Without going into a huge amount of detail about 4 or 5 lines of malicious code are placed on every page of my site. I was in full crisis mode a couple of weeks ago when Google found out before I did and blocked all traffic from coming to my site. I quickly thought I had fixed it and, thank goodness, Google cleared me a day later.

    I really have no experience with dealing with this sort of thing as I've never had any site I've owned hacked in the 15 years I've been making web sites. I don't have any coding experience outside of straight HTML. My site's coding is extremely basic and is straight HTML almost exclusively. I did have a PHP comment system that I completely removed in case it was causing the problem. The only other non-HTML elements I have are some Facebook Like buttons, a PHP geotargeting system, and Google Analytics/Statcounter.

    I re-uploaded my entire site from the clean offline copies the first time this happened, deleted the comments system, and thought I was clear. That is, until today when I discovered it again. I quickly uploaded my site to clear it again but I need to get to the bottom of this and solve the underlying issue.

    I don't think the hacker has full FTP access as I've changed the password twice recently and they don't alter anything besides adding the code to the top of all my pages. What doesn't make sense, however, is that both times I've found a weird added page on my server. I've called my hosting company and it's just an outsourced Indian telling me to look at a text log file with no instructions on how to decipher what I'm looking at.

    Does someone with more experience with this sort of thing know what could cause this? Could it be a vulnerability in the hosting servers? If they don't have FTP access how can they add code to my pages and add new whole pages to my server? I'm willing to hire a detective of sorts, if necessary, to get to the bottom of this and fix it before it causes me any more damage. If any of you does this sort of thing or can recommend someone please let me know. Thanks for any help.
    Last edited by stillshadow; 02-08-2012 at 08:36 AM.

  2. #2
    Senior Member (joined Sep 2009, London, 299 posts, 6 blog entries)

    We had a hacking issue earlier this week.

    Hacker had used a MySQL vulnerability to inject code into our database to then execute the hack and insert code onto our pages. Lots of ways to get onto your server - my advice would be to update everything that is out of date on it (I know that's not a lot of help but it's what we are doing at the moment!)

    James

  3. #3
    Senior Member (joined Aug 2010, UK, 316 posts)

    The "weird page" you refer to will be a backdoor, which is what the hacker will be using to add the malicious code to the files automatically. If you COMPLETELY (and I mean completely, as in wiped everything) removed all the files and then uploaded the clean versions, and you still got hacked - then I would suggest you have a breach inside one of your supposedly clean files. It will either be in a javascript file, a php file or perhaps even your .htaccess file (if you have one). It will look like a bunch of garbled code, usually it will be made to look like a php variable associated with something important - but it's not.

    Sometimes hackers will put backdoor hacking files into folders further back than your standard public_html folder too.

    I would probably recommend you hire a company like Sucuri Security to get you cleaned up properly.
    You'll find me on LinkedIn, Twitter and Google+.

  4. #4
    Senior Member (joined Nov 2008, Hyrule, 438 posts)

    Awesome, thanks for the tips. How do the backdoor pages get created without FTP access? Does there have to be an infected file somewhere else already? I ran the scan at Sucuri and it showed up clean, although this is after I just re-uploaded everything a few hours ago. I looked at every directory and .htaccess and it either looked clean or I barely had any Javascript or PHP. I wonder if Sucuri could find the problem before it gets injected again or if it needs to be currently infected for them to find it?

    Cernus, do you know how exactly they would get access to your MySQL? Do you have a script or forum that needs access to it? What did you mean exactly about updating things that are out of date? Fortunately, I removed a forum ages ago that gave me spam grief and the comment system so I don't really have anything installed to update.

  5. #5
    Rebmem Roines (Senior Member, joined Nov 2008, US, 959 posts)

    Sounds like maybe the geotargeting functions? Maybe research what you're using and see if others are having issues.

  6. #6
    Senior Member (joined Aug 2010, UK, 316 posts)

    Sucuri will run deeper scans than just what they have on the website. I use them on our main site. They will find any hidden code etc.

    The backdoors get uploaded due to exploits in your coding (php/javascript/etc). They generally put the backdoors there just in case you delete their injected codes. Backdoors basically are there to let them back in if you close the original exploit, thus allowing them to continue to hack you.

    Unless you find/fix the original exploit, they will still be able to hack you again in future - even without FTP access or the backdoor. An exploit can come in many forms, but it's generally from poorly written MySQL statements or PHP code. In your case it's probably the geotargeting plugin. I would imagine it talks to an external data source of some kind, and a hacker has found a way to exploit this connection (e.g. intercepting your server when it's talking to the geotargeting system, and sending something back the other way) to inject his malicious code.
    You'll find me on LinkedIn, Twitter and Google+.
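    Posts #3 and #6 both come down to the same check: diff the live server tree against the clean offline copy the OP keeps, and look at whatever changed or appeared for the obfuscation constructs a planted backdoor or loader usually carries. The script below is an added example, not code from anyone in this thread; it assumes the server tree has been downloaded next to the clean copy, and the file names, the "images/x.php" stray file and the inert payload strings in demo() are constructed placeholders.

```python
"""Compare a deployed site tree against the clean offline copy and report
changed files, server-only files, and which of those look like injected code."""
import hashlib, os, re, tempfile

# Post #3's "garbled code posing as a PHP variable" usually leans on these.
SUSPICIOUS = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    rb"assert\s*\(|(\\x[0-9a-f]{2}){4}|auto_prepend_file|RewriteRule.*\.php",
    re.IGNORECASE)

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def tree(root):  # relative path -> absolute path for every file under root
    return {os.path.relpath(os.path.join(d, n), root): os.path.join(d, n)
            for d, _, names in os.walk(root) for n in names}

def audit(clean_root, live_root):
    clean, live = tree(clean_root), tree(live_root)
    report = {"modified": [], "added": [], "suspicious": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)          # the "weird added page"
        elif digest(path) != digest(clean[rel]):
            report["modified"].append(rel)       # e.g. code prepended to a page
        else:
            continue  # byte-identical to the clean copy: nothing to inspect
        with open(path, "rb") as f:
            if SUSPICIOUS.search(f.read()):
                report["suspicious"].append(rel)
    return report

def demo():
    """Constructed sample: on the live copy index.html gets a loader prepended
    and a stray PHP file appears under images/ (payloads are inert placeholders)."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    page = b"<html><body>Hello</body></html>\n"
    for root in (clean, live):
        os.makedirs(os.path.join(root, "images"))
        for name in ("index.html", "about.html"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(page)
    with open(os.path.join(live, "index.html"), "wb") as f:
        f.write(b"<?php eval(base64_decode('')); ?>\n" + page)
    with open(os.path.join(live, "images", "x.php"), "wb") as f:
        f.write(b"<?php /* placeholder */ eval(gzinflate('')); ?>\n")
    return audit(clean, live)
```

    A clean scan is only meaningful against a copy that was taken before the site was re-uploaded; run it on the live tree before cleaning, not after, so the added file and the modified pages are still there to be found.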

  7. #7
    ptg, Senior Member (joined Aug 2009, United States, 253 posts)

    are you running wordpress? shared hosting or your own hosting server?

  8. #8
    Senior Member (joined Jan 2009, USA, 1,269 posts)

    Scan your user accounts on both the server and all software like wordpress to see what's new.

    Scan your admin logs to see who is logging in from where.

    If you're using Linux/Apache for your server you should be able to implement TCPWrappers to restrict which IP addresses can be used to access the server.

    Change every password on every admin-capable account for both the server and all applications.

    Once you're sure your user account databases are clean, back them up and make sure you can restore them in case of a hack (you'll have to schedule regular MANUAL backups and keep multiple copies if you want to ensure the integrity of your backups).

    Check your Wordpress wp-config.php script to make sure that the root admin password hasn't been changed (if you don't normally log in with that account).

    And like others said: Update everything to the current level.

    If you're not doing anything with your Wordpress or other applications that requires people to log in, then don't allow people to create accounts.
    Free advice and opinions are provided without any warranties or guarantees. I cannot do anything about the facts.
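    The "scan your admin logs to see who is logging in from where" step above, and the text log the OP's host pointed him at, can be worked through with a small script rather than by eye. This is an added example, not the poster's own tool: it assumes an Apache/nginx combined-format access log, and the log lines, client addresses and KNOWN path list below are constructed for the demo.

```python
"""Triage a combined-format web access log: report successful requests for
paths the clean site cannot serve (a planted page or backdoor being called)
and POSTs to PHP files, grouped by client address."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, known_paths):
    """known_paths: every URL path the clean offline copy can legitimately serve."""
    findings = defaultdict(list)  # ip -> [(reason, method, path, status), ...]
    for line in lines:
        rec = parse(line)
        if not rec:
            continue  # malformed or unrelated line
        path = rec["path"].split("?", 1)[0]
        served = rec["status"].startswith("2")
        if path not in known_paths and served:
            findings[rec["ip"]].append(("unknown-path", rec["method"], path, rec["status"]))
        elif rec["method"] == "POST" and path.endswith(".php"):
            findings[rec["ip"]].append(("post-to-php", rec["method"], path, rec["status"]))
    return dict(findings)

# Constructed sample log (RFC 5737 documentation addresses, fictional paths).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2012:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [08/Feb/2012:03:12:45 +0000] "GET /images/logo.png HTTP/1.1" 200 811
198.51.100.9 - - [08/Feb/2012:03:40:02 +0000] "GET /images/x.php HTTP/1.1" 200 12
198.51.100.9 - - [08/Feb/2012:03:40:03 +0000] "POST /images/x.php HTTP/1.1" 200 4
198.51.100.9 - - [08/Feb/2012:03:40:10 +0000] "POST /geo/lookup.php HTTP/1.1" 200 61
192.0.2.4 - - [08/Feb/2012:04:01:00 +0000] "GET /nothere.html HTTP/1.1" 404 209
"""
KNOWN = {"/index.html", "/about.html", "/images/logo.png", "/geo/lookup.php"}

def demo():
    return triage(SAMPLE_LOG.splitlines(), KNOWN)
```

    A 404 for an unknown path is just a scanner or a typo; the lines worth chasing are the ones where the server answered 200 for a file the clean copy never contained.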

  9. #9
    ptg, Senior Member (joined Aug 2009, United States, 253 posts)

    There was a bug in the previous version of wordpress (3.3, I think) where hackers were able to inject code into pages. Wordpress fixed the problem by updating your robots.txt file and disallowing the "/wp-admin" and "/wp-includes/". I'd suggest you do this, if you haven't already.

  10. #10
    Senior Member (joined Aug 2010, UK, 316 posts)

    Quote Originally Posted by ptg:
        There was a bug in the previous version of wordpress (3.3, I think) where hackers were able to inject code into pages. Wordpress fixed the problem by updating your robots.txt file and disallowing the "/wp-admin" and "/wp-includes/". I'd suggest you do this, if you haven't already.
    How would issuing an instruction to a crawler prevent you being hacked?

    In any case, I don't even think the OP is using Wordpress.
    You'll find me on LinkedIn, Twitter and Google+.
