Cleaning up a hacked site


#1

I was hacked a few days ago and am trying to close things down and clean up. I see lots of information but sometimes need some basic questions answered… I to get some help with this here.

I host about a dozen domains on Dreamhost - one, and its subdomain, were shut down (by changing the name of the URL) by Dreamhost, and there was a Google warning about the subdomain, which has just one WordPress blog on it.

There are .htaccess files all over the place, not just in the suspicious site, that have a script that means if the referrer is Google or Facebook or about 50 others it takes the user to a Russian site. From my own computer I can type in the URL and I see the site as I should.

I have gone through and changed all users to SFTP and put in new passwords.

On the domains I manage (most of them) I had one username with ftp access, I have now created a separate user name for each site with its own password.

Is that last step useful at all? Good practice?

My original username is still there, and weirdly can access the files in SFTP even though each domain is set to another user… not what I expected, why is that? Perhaps that will stop soon as things change in the Internet tubes?

I have deleted the .htaccess files or replaced them with older ones I had that looked ok. They got rewritten overnight (before I’d changed all the passwords.)

Question: is it ok just to delete .htaccess files?

Enough for one post. Thanks for your interest.


#2

[quote=“waltzzz, post:1, topic:56536”]On the domains I manage (most of them) I had one username with ftp access, I have now created a separate user name for each site with its own password.

Is that last step useful at all? Good practice?[/quote]

Yes and it depends. Obviously with different users programs running as one user can be restricted from accessing files of another. This would have prevented all your sites having malicious .htaccess files planted, for example, when those sites themselves were not vulnerable to what was exploited in your WP blog.

With SFTP the server doesn’t chroot to your home directory. It is not a side effect or temporary.

[quote]I have deleted the .htaccess files or replaced them with older ones I had that looked ok. They got rewritten overnight (before I’d changed all the pwrds.)

Question: is it ok just to delete .htaccess files?[/quote]

That depends on their purpose. It is OK if they weren’t there to begin with, but if you have applications or a particular web server setup (i.e., custom error pages, friendly URLs, etc.) you might adversely affect site operation.

Also, depending on how you do backups, look into using diff/rsync to detect files that have changed or been added to your user accounts, not to mention keeping copies of the HTTP server logs around longer if you get advanced enough to parse attack URIs.
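A check covering both points raised above (files that differ from or were added since a clean backup, and .htaccess files that redirect search-engine referrers off-site, as described in the first post), written as an added shell example that is not part of this thread; the directories, file contents and the redirect-target.example host are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live web root against a known-clean
# backup with find + cmp, and flag .htaccess files that redirect referrers off-site.
set -u

WORK=$(mktemp -d)          # left in place so the listing can be inspected
CLEAN="$WORK/clean"        # copy restored from a backup taken before the incident
LIVE="$WORK/live"          # what is currently served
mkdir -p "$CLEAN/blog" "$LIVE/blog"

# Constructed clean copy: one benign .htaccess and one page.
printf 'ErrorDocument 404 /404.html\n' > "$CLEAN/.htaccess"
printf '<h1>home</h1>\n' > "$CLEAN/index.html"
cp "$CLEAN/.htaccess" "$LIVE/.htaccess"
cp "$CLEAN/index.html" "$LIVE/index.html"

# Constructed live copy: a page was altered, an unexpected PHP file appeared, and
# a dropped .htaccess sends visitors arriving from search engines elsewhere.
printf 'extra line\n' >> "$LIVE/index.html"
printf '<?php /* unexpected upload */ ?>\n' > "$LIVE/blog/sm3.php"
cat > "$LIVE/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|facebook|bing)\. [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=302,L]
EOF

# changed_files CLEAN LIVE: every file in LIVE that is new or differs byte-for-byte.
changed_files() {
  ( cd "$2" && find . -type f ) | LC_ALL=C sort | while read -r f; do
    if [ ! -f "$1/$f" ]; then
      echo "ADDED $f"
    elif ! cmp -s "$1/$f" "$2/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# suspicious_htaccess ROOT: .htaccess files whose rewrite rules key on the
# Referer header and send the request to an absolute external URL.
suspicious_htaccess() {
  find "$1" -type f -name .htaccess | LC_ALL=C sort | while read -r h; do
    if grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}' "$h" &&
       grep -qiE 'RewriteRule[[:space:]].*https?://' "$h"; then
      echo "$h"
    fi
  done
}
echo "== files differing from the clean copy =="; changed_files "$CLEAN" "$LIVE"
echo "== referrer-redirecting .htaccess files =="; suspicious_htaccess "$LIVE"
```

Run the same two functions against a real backup and web root; anything listed is what to inspect before restoring, and the MODIFIED/ADDED lines are what a nightly diff or rsync dry run against the backup should stay empty of.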


#3

Thanks Atropos7

All helpful.

Still puzzled:

I wrote

"My original username is still there, and weirdly can access the files in SFTP even though each domain is set to another user… "

You wrote:
“With SFTP the server doesn’t chroot to your home directory. It is not a side effect or temporary.”

When I log in with SFTP with one of the new names for a domain I see just that domain.

When I log in with SFTP with the original user name, I see all the domains it used to manage.

Can I delete that user altogether? Should I or is it somehow a special user?


#4

[quote=“waltzzz, post:3, topic:56536”]When I log in with SFTP with one of the new names for a domain I see just that domain.

When I log in with SFTP with the original user name is all the domains it used to manage.

Can I delete that user altogether? Should I or is it somehow a special user?[/quote]

It’s not a special user and could be deleted altogether. I probably misunderstood your original question. The DreamHost Panel doesn’t automatically delete directories that were being used to serve web sites. So when you switch a domain to being served from the directory of another user, or even to a different directory of the same user, the old directory will remain. You should at least rename it (using SFTP) to something like example.com.old instead of example.com to avoid any confusion with the live site.


#5

Yes thanks, good to have that confirmation. I’m re-doing each site with its own username and SFTP, marking the other sites as example.com-old in the case where I keep the old user.

In one case I created a new SFTP user for a domain, deleted the old user from the user list. Was that silly? What’s happened is that I can add new files to the domain, via the new username, and they show up on the web, but when I download and edit one that was there already and replace it, the old version persists. I’ve cleared the cache & cookies etc. Still not seeing it after 6 hrs. Wondering if the old files are still there unattached to a name? Sneaking into the net. Or if it is an SFTP or a permission thing? I’ve got this problem with an HTML file and with a PDF. This one should be a December (not May) version of the fees http://www.katetapley.co.nz/fees.pdf

All this basic stuff to learn while I’ve found it was a sm3.php type of attack. Deleting these files from all over as well as corrupted .htaccess files.


#6

Use a tool to get details like http://web-sniffer.net/ or Firebug for Firefox etc instead of relying on the browser.

OK but what did you do to keep the attack from happening again?


#7

That web sniffer is good! And my changes seem to be ok.

I’m still in process about prevention.

I have changed all passwords, moved to SFTP with a new user & password for each domain.

Updated all software. Deleted useless things like WordPress themes.

I have searched around and have a list of stuff to follow up with. Basically things like this:

I appreciate being able to get help here when I get stuck.