1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Our site got hacked, would appreciate an advice

Discussion in 'Web Hosting' started by serlak2007, Feb 6, 2014.

  1. #1
    Hello,

    Something happened to our site past November and this page was created http://www.bragardusa.com/Canada_Goose_Parka.html , with the purpose to funnel PR to a third site. I've figured out a way to remove this page from Google's index and block it from future crawling but I was wondering how this happened. Anybody had similar problem and how to protect yourself from this happening again?

    Thanks a lot!
     
    serlak2007, Feb 6, 2014 IP
  2. AgileRack

    AgileRack Greenhorn

    Messages:
    13
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    13
    #2
    Change the password to your cPanel (if applicable), email and FTP accounts. Are you using WordPress anywhere?
     
    AgileRack, Feb 6, 2014 IP
  3. averyz

    averyz Well-Known Member

    Messages:
    1,228
    Likes Received:
    167
    Best Answers:
    2
    Trophy Points:
    115
    #3
    The site loos lie it uses Magento they might of hack through the login page. Maybe you can bring up the access logs and figure out where they got in ?

    I would change pass words everywhere and make sure they did not install a backdoor in your site
     
    averyz, Feb 6, 2014 IP
  4. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #4
    Site is running Magento Community platform.
     
    serlak2007, Feb 6, 2014 IP
  5. AgileRack

    AgileRack Greenhorn

    Messages:
    13
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    13
    #5
    Definitely change passwords. In most situations, I would recommend backing up Magento, wiping the account, reinstalling and restoring. It's a pain but you'll remove any backdoors.
     
    AgileRack, Feb 6, 2014 IP
  6. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #6
    So you think that the only way they could manage to do this is through login page? There are some fishy ftp accounts which I am going to remove. Access logs are useless at this point, since it was done 3 months ago. They've also managed to make this file immutable.
     
    serlak2007, Feb 6, 2014 IP
  7. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #7
    Thanks a lot for your advice. Who would you blame for this happening if this was your website?
     
    serlak2007, Feb 6, 2014 IP
  8. averyz

    averyz Well-Known Member

    Messages:
    1,228
    Likes Received:
    167
    Best Answers:
    2
    Trophy Points:
    115
    #8
    The k is going out on my keyboard.. ahhrr Toshiba keyboards suck. lol
     
    averyz, Feb 6, 2014 IP
  9. AgileRack

    AgileRack Greenhorn

    Messages:
    13
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    13
    #9
    Unfortunately, 3 months after the event, it's hard to say. Could be the host, a Magento exploit, FTP use or anything really. It's just a danger of having a site.
     
    AgileRack, Feb 6, 2014 IP
  10. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #10
    lol, I've even googled word "loos" for definition and that sentence made perfect sense :)
     
    serlak2007, Feb 6, 2014 IP
  11. dayvo

    dayvo Active Member

    Messages:
    585
    Likes Received:
    52
    Best Answers:
    1
    Trophy Points:
    55
    #11
    The owner, im afraid.

    If your CMS was out of date, you should have updated it.
    If your passwords were weak, you should have strengthened them.
    If your CMS had exploits, you should have patched them.
    If your server host was vulnerable, you should have moved servers.
     
    dayvo, Feb 6, 2014 IP
  12. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #12
    The owner's proficiency with CMS and hosting doesn't go beyond opening emails :). So in other words people who developed the site and managed hosting set up are to blame?
     
    serlak2007, Feb 6, 2014 IP
  13. dayvo

    dayvo Active Member

    Messages:
    585
    Likes Received:
    52
    Best Answers:
    1
    Trophy Points:
    55
    #13
    If you paid someone to setup your website _and_ maintain it, then the blame stops with them.

    If they setup the website a year ago and had no more involvement, the blame stops at the owner.

    More to the point, what's blame going to solve? It's happened, fix it and move on.
     
    dayvo, Feb 6, 2014 IP
  14. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #14
    I have to explain to the owner why this happened and what has to be done to avoid such screw ups in the future.
     
    serlak2007, Feb 6, 2014 IP
  15. dayvo

    dayvo Active Member

    Messages:
    585
    Likes Received:
    52
    Best Answers:
    1
    Trophy Points:
    55
    #15
    You need your CMS to be up to date at all times, someone mentioned Magento - if that's the case the owner or whoever is in charge should be or make someone responsible for the site.
    Any 3rd party scripts or addons should be patched and up to date, with regular monitoring.
    All web/ftp accounts should be deleted that are not essential, and enforce password change policies.
    Regularly review access logs
    Request a firewall from your host if the site is of importance.
    Take regular backups
    Use a dedicated (Managed unless someone know what theyre doing) server instead of shared hosting/vps

    Those steps you should take all the time, not just after an attack

    What you should do now is review your access logs as someone mentioned and change all administrative passwords on the site and server itself. Also implement a lockout policy for failed logins to stop brute force attacks. You want to find out where they got in, was it via your site, or did you leave anonymous ftp access enabled? Perhaps your owner who isnt so knowledgable wrote his/her password down? Or saved it on their desktop as passwords.txt and someone got in via their computer?

    There are hundreds of ways someone could have gotten access to your server, and not all of them mean your server was insecure. You're only as secure as your weakest link - if your owner used the same password for the site, twitter, facebook, gmail etc.. and someone got hold of it, your site is owned and it could have been the most secure site in the world.
     
    dayvo, Feb 6, 2014 IP
  16. serlak2007

    serlak2007 Peon

    Messages:
    21
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    3
    #16
    Huge thanks, I appreciate your advice ! :)
     
    serlak2007, Feb 6, 2014 IP
  17. Adam James Jack

    Adam James Jack Banned

    Messages:
    39
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    48
    #17
    If you control your own box, try disabling sym-links. It doesn't look like a sql injection as the end result would reflect in your websites php files and the general running of your site (in most cases), they appear to have got access to your login details and uploaded a spoof index page. But still i would check your database for 'base_64' strings or anything unusual.

    If you are going to continue to use magento, keep it up to date BUT most of all google how to 'harden' Magento installations :)
     
    Adam James Jack, Feb 6, 2014 IP