6

One of my sites was hacked a few times :( First I lost all databases, some tables were cleared and some of the tables' data had changed! Then at the second hack, all tables were cleared and some PHP files' code had been changed :/

It is hosted at Bluehost, and now they advise me to make some fixes:

  1. Fix any loose file permissions (this may be the most common exploit vulnerability)
  2. Delete all non-system FTP Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
  3. Remove any Access Hosts by clicking the “Remote Mysql” icon and clicking the Remove Red X by each entry if there are any entries.
  4. Check your scripts for any Header Injection attacks, SQL Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings.
  5. If your scripts are infected, you may want to rollback to the last good snapshot backup of your account. If your backups are also infected, then you may want to consider having us reset your account to start afresh.

I tried to do all of these as much as I could, especially about "Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings". I'm kind of a beginner at this work, so I don't have full control over these things...

My question is: is there any way to find out how I was hacked? What was the weak point?

3
  • 1
    What was changed in the PHP files? Those changes can surely give you a hint about what happened.
    – Arjan
    Commented Feb 23, 2010 at 12:03
  • PHP code has been removed and replaced with HTML...
    – art.mania
    Commented Feb 23, 2010 at 14:30
  • More, more detail! (Or, search for those changes using the search engine of your choice yourself.)
    – Arjan
    Commented Feb 23, 2010 at 16:50

2 Answers

1

Do you have any logging? That is usually the first place to look.

My guess is SQL injection - but only because tables were the first thing that you noticed changing.

Also - take care to follow the instructions that you got - to make sure the hacker didn't leave any remaining back door.

1
  • Hmm, I just found the log files; they have pretty complicated content which doesn't mean anything to me :/ I will keep researching to understand more about the log files' content. Is there any suspicious thing I need to look for in these log files? Thanks!!
    – art.mania
    Commented Feb 23, 2010 at 11:39
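
What to look for in an access log, as an added example that is not part of the original answer or comments: a Python script that URL-decodes each request in an Apache-style combined log and flags the three attack classes named in the host's checklist. The log format, the signature patterns and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Illustrative (not exhaustive) signatures, one per attack class in the checklist.
SIGNATURES = {
    "sql_injection": re.compile(
        r"union\s+(all\s+)?select|information_schema|'\s*(or|and)\s+\S+\s*=|\bdrop\s+table", re.I),
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
    "header_injection": re.compile(r"[\r\n]\s*(bcc|cc|to|content-type)\s*:", re.I),
}

# Constructed sample lines (documentation-range IPs), not taken from the asker's logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2010:03:14:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Feb/2010:03:15:41 +0000] "GET /item.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.23 - - [20/Feb/2010:03:15:44 +0000] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.44 - - [20/Feb/2010:04:02:10 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "-"',
    '192.0.2.44 - - [20/Feb/2010:04:05:32 +0000] "GET /contact.php?from=a%40example.com%0D%0ABcc:%20b%40example.com HTTP/1.1" 200 310 "-" "-"',
]

def scan(lines):
    """Return (ip, time, category, status, decoded_path) for each suspicious request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, when, _method, path, status = m.groups()
        decoded = unquote_plus(unquote_plus(path))  # decode twice to undo double encoding
        for category, signature in SIGNATURES.items():
            if signature.search(decoded):
                hits.append((ip, when, category, int(status), decoded))
    return hits

def categories_by_ip(hits):
    """Group hit categories per client IP to show who probed for what."""
    summary = defaultdict(set)
    for ip, _when, category, _status, _path in hits:
        summary[ip].add(category)
    return dict(summary)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so anything sent in a POST body will not appear here. Compare the timestamps of any hits with the modification times of the changed PHP files and with the FTP log.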
1

Assuming you are using shared hosting, it could actually be attacked via another website running on the same server. If the shared hosting is not set up in a secure way, then sometimes other accounts can be used to read your files, no matter how well you set the file permissions. (Like: when the web server is set up to read any file, then some simple PHP script could be abused to browse files from other users.)
