Pages hacked

All of my HTML pages had code to access… added to them (quite well obscured, and it was just before the body tag, in script tags). It appears to be a website that attempts an exploit of both Adobe SWF and Reader. JavaScript and PHP files also had code added: JavaScript at the end and PHP at the top. The PHP code dealt with the output buffer and attempted to make the same mods to generated pages that the static pages had made to them.

I’ve cleaned it up and just want to, first, share the info and, second, share some great info the Dreamhost support and abuse/security team got me. We determined the FTP/SFTP password was compromised somehow, because upon specific request they got me the logs of IP addresses and connect times for (S)FTP and SSH. Very useful info, and it pinpointed the security breach! The times an unknown, out-of-town IP accessed FTP matched the times on the hacked files! It was a poor password, so it could have been a dictionary attack, or, since we have half a dozen people who need access, it could have been a compromised user machine.

In any case, THANKS dreamhost, for the detailed log info. It really helped pin it down.
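The post describes three things a defender has to do after this kind of compromise: find the injected blocks (an obfuscated script just before the body tag in HTML, code appended to JavaScript, an output-buffer hook prepended to PHP), and then match the modification times of the tampered files against the (S)FTP login log to find the session that did it. The script below is an added example of that workflow and is not code from the poster or from Dreamhost. The file contents, timestamps, IP addresses and FTP log lines in it are constructed sample data, the log line format is an assumption (real hosts format their logs differently, so adapt `FTP_LINE`), and the regexes are illustrative heuristics for obfuscated injections, not a complete malware signature set.

```python
"""Scan web files for injected code and correlate file changes with FTP logins.

Added example, not the forum poster's or Dreamhost's code. All file contents,
mtimes, IPs and log lines below are constructed sample data; the detection
regexes are illustrative heuristics (an assumption, not a vendor rule set).
"""
import os
import re
from datetime import datetime, timedelta

# Common tells of obfuscated injected code: eval/unescape/fromCharCode in
# JavaScript, base64_decode in PHP, or a long run of %XX escapes.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|base64_decode\s*\(|(?:%[0-9A-Fa-f]{2}){8,}"
)
# A <script> block sitting immediately before </body>, the placement the post describes.
SCRIPT_BEFORE_BODY_END = re.compile(r"<script\b[^>]*>(.*?)</script>\s*</body>", re.S | re.I)
# ob_start() within the first few hundred bytes of a PHP file (prepended hook).
PHP_OB_HOOK = re.compile(r"^\s*<\?php.{0,400}?\bob_start\s*\(", re.S)
# Assumed log line shape: "YYYY-MM-DD HH:MM:SS LOGIN user=<name> ip=<addr>".
FTP_LINE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) ip=(\S+)$")


def scan_content(path, content):
    """Return (path, reason) findings for one file, based on its type and where injections land."""
    findings = []
    if path.endswith((".html", ".htm")):
        m = SCRIPT_BEFORE_BODY_END.search(content)
        if m and OBFUSCATION.search(m.group(1)):
            findings.append((path, "obfuscated <script> just before </body>"))
    elif path.endswith(".js"):
        if OBFUSCATION.search(content[-2000:]):      # injected JS is appended at the end
            findings.append((path, "obfuscated code appended to script"))
    elif path.endswith(".php"):
        head = content[:2000]                         # injected PHP is prepended at the top
        if PHP_OB_HOOK.match(head) and OBFUSCATION.search(head):
            findings.append((path, "output-buffer hook prepended to PHP"))
    return findings


def scan_files(files):
    """files: {path: content}. Returns all findings across the set."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_content(path, content))
    return findings


def load_directory(root):
    """Read a real web root into {path: content} and {path: mtime} for scanning."""
    files, mtimes = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".html", ".htm", ".js", ".php")):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    files[p] = fh.read()
                mtimes[p] = datetime.fromtimestamp(os.path.getmtime(p))
    return files, mtimes


def parse_ftp_log(lines):
    """Parse login lines into (time, user, ip); lines that do not match are skipped."""
    sessions = []
    for line in lines:
        m = FTP_LINE.match(line.strip())
        if m:
            sessions.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return sessions


def correlate(findings, mtimes, sessions, known_ips, window=timedelta(minutes=30)):
    """Map each unknown login IP to the flagged files modified within `window` after its login."""
    suspects = {}
    for path, _reason in findings:
        for when, _user, ip in sessions:
            if ip in known_ips:
                continue
            if timedelta(0) <= mtimes[path] - when <= window:
                suspects.setdefault(ip, set()).add(path)
    return suspects


# --- constructed sample data (not from the post) ---------------------------------
SAMPLE_FILES = {
    "index.html": "<html><body><p>hi</p>\n<script>eval(unescape('%3C%69%66%72%61%6D%65%20%73%72%63'))</script></body></html>",
    "about.html": "<html><body><p>about</p>\n<script src=\"app.js\"></script></body></html>",
    "app.js": "function greet(){return 'hi';}\n\neval(String.fromCharCode(100,111,99));\n",
    "index.php": "<?php ob_start(function($b){return preg_replace('/<\\/body>/', base64_decode('PHNjcmlwdD4='), $b);}); ?>\n<html>",
    "lib.php": "<?php\nfunction helper() { return 1; }\n",
}
SAMPLE_MTIMES = {
    "index.html": datetime(2009, 3, 1, 2, 20, 5), "app.js": datetime(2009, 3, 1, 2, 20, 9),
    "index.php": datetime(2009, 3, 1, 2, 21, 30), "about.html": datetime(2008, 11, 12, 9, 0, 0),
    "lib.php": datetime(2008, 11, 12, 9, 0, 0),
}
SAMPLE_FTP_LOG = [
    "2009-02-27 14:02:11 LOGIN user=webadmin ip=198.51.100.7",   # the office (known) address
    "2009-03-01 02:13:44 LOGIN user=webadmin ip=203.0.113.45",  # unknown address, minutes before the edits
    "2009-03-02 08:30:00 LOGIN user=webadmin ip=198.51.100.7",
]
KNOWN_IPS = {"198.51.100.7"}


def run_sample():
    """Scan the constructed files and return {ip: {files}} for unknown logins that line up."""
    findings = scan_files(SAMPLE_FILES)
    return correlate(findings, SAMPLE_MTIMES, parse_ftp_log(SAMPLE_FTP_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_FILES):
        print(f"{path}: {reason}")
    print(run_sample())
```

On a real host, replace the sample dictionaries with `load_directory("/path/to/webroot")` and the lines of the FTP log the provider supplies; the `known_ips` set is whatever addresses your own team legitimately connects from, so anything left in the result is a login worth asking the host about.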

That was nice of them to be able to track this down.

Lessons learned?

  1. Don’t pick easy passwords
  2. When hacked, change all passwords

Thanks for the heads up. I hope other users turn a critical eye toward their passwords, as you have.


Lesson 3: Ask about FTP/SSH access logs for the hacking timeframe, even if they don’t volunteer them at first. They do exist. And if you don’t know about the web access logs, learn.

Action: Push harder for limited (S)FTP. I just put in a suggestion. The only way to establish a limited (S)FTP today is using separate user IDs and groups, and even that has issues. Other hosting companies offer additional, limited FTP users that can access only a subdirectory and use the same underlying Linux user ID. It makes for the better security practice of having separate logins and not sharing them.