
Site being repeatedly hacked: any useful tips for tracking down entry point?

@Pierce454

Posted in: #SpamPrevention

I'm suffering from a spam hack where my site periodically starts to show Viagra spam to Google and other spiders. The method of the hack is basically that my .htaccess file gets modified to route all requests through a file called "common.php", which is a big chunk of base64-encoded evilness.

I've noticed it happening on a weekly basis: every time I remove the hacked files, it pops back up a few days later. These are the steps I've already taken to secure things:

Changed my FTP password
Scanned my (shared hosting) directories for world-writable (777) files/folders and changed them to 755 or something more appropriate
Removed old copies of WordPress from unused directories (the site itself is a custom-written PHP CodeIgniter app)
Downloaded the entire site to my local box and scanned the directories for occurrences of strings like "base64" and ".ru" (spam domains?).

I'm a little uncertain what to do next as the problem still seems to be there. Is there some smart shell command I can run to figure out how these files are being uploaded? When I last checked, the .htaccess file was edited today by my own FTP user despite me changing the password a week ago and logging out any logged-in users. I don't leave it logged in on public machines, and a few other administrators of the site haven't been given the new password yet.

Any tips / ideas gratefully received. I'm happy to provide the output of any specific commands as needed.

Matt




3 Comments


 

@Caterina187

I use websitedefender.com on a number of the sites I manage, as it supports WordPress along with other types of site and is presently free; it's been very effective at spotting infections quickly and aiding the lockdown process.



 

@Nimeshi995

It's very well possible that somebody gained access to the server itself. Since it's shared hosting, this is not necessarily through your site; the problem can be any site hosted on this server.

In this case you wouldn't be able to do much, because the attacker has the same privileges as you, or even more. In any case I would inform your provider; they should be able to prevent further attacks.



 

@Carla537

If your webhost provides SSH / SCP / SFTP access, check if there are any unexpected entries in your .ssh/authorized_keys file in your home directory. (If you haven't added any keys yourself, the file shouldn't even exist.)

Also, since you mentioned you're using WordPress, these instructions might be helpful.

Finally, you probably should contact your hosting provider and let them know what happened — it's in their interest too to keep your site secure. They may be able to help you fix security holes you didn't think of, and they can also help you monitor your site (e.g. through webserver access logs) to detect future hacking attempts.

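The question asks for a shell command that shows how the files keep coming back, and the comment above adds the authorized_keys check. The script below is an added example written for this page, not code from anyone in the thread. It assumes a POSIX sh with the usual find, grep and awk (available on most shared hosts or on the local copy Matt already downloaded), a CodeIgniter-style webroot whose only legitimate rewrite target is index.php, and an optional file of SSH keys you know you installed. The sample webroot it builds is constructed to mirror the symptoms described: a .htaccess rule pointing at common.php, a harmless stand-in for the base64 payload, and one foreign SSH key.

```shell
# Added triage helpers for the situation in the thread (not from the original post).
# Assumes POSIX sh with find/grep/awk; run against the webroot or a local copy of it.
# The sample tree built by make_sample_tree is constructed, not real captured data.

# Files under $1 modified within the last $2 days. Run this as soon as the spam
# reappears: the set is usually small and names the dropper as well as the payload,
# and the mtimes are what to line up against the host's FTP and web access logs.
find_recent() {
    find "$1" -type f -mtime -"$2" 2>/dev/null | sort
}

# PHP and .htaccess files under $1 carrying the usual obfuscation markers.
# Legitimate code uses base64_decode/eval too, so this is a reading list, not a verdict.
scan_markers() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|preg_replace\(.*/e' {} + 2>/dev/null | sort
}

# Lines in .htaccess $1 that hand requests to a PHP file other than the CodeIgniter
# front controller (index.php), or prepend/append a PHP file to every script.
# Prints them; returns 0 if any were found, 1 otherwise.
htaccess_redirects() {
    awk '
        tolower($1) == "rewriterule" && $3 ~ /\.php/ && $3 !~ /index\.php/ { print FILENAME ":" NR ": " $0; found = 1 }
        tolower($1) == "php_value" && $2 ~ /^auto_(pre|ap)pend_file$/     { print FILENAME ":" NR ": " $0; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Entries in authorized_keys $1 whose key blob is not in the trusted list $2
# (a copy of the keys you installed yourself; omit it if you never added any, in
# which case every key present is unexpected). Prints them; returns 1 if any were
# found, 0 otherwise. A missing authorized_keys is the expected state and returns 0.
unexpected_keys() {
    auth=$1
    trusted=${2:-/dev/null}
    [ -f "$auth" ] || return 0
    awk '
        # The key blob is the field after the key-type token; options may precede it.
        function blob(line,    n, i, f) {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-|ecdsa-|sk-)/) return f[i + 1]
            return ""
        }
        /^[ \t]*(#|$)/ { next }
        mode == "trusted" { ok[blob($0)] = 1; next }
        { b = blob($0); if (!(b in ok)) { print FILENAME ":" FNR ": " $0; bad = 1 } }
        END { exit (bad ? 1 : 0) }
    ' mode=trusted "$trusted" mode=auth "$auth"
}

# Constructed sample webroot: the planted rewrite to common.php, a harmless stand-in
# for the payload (the base64 decodes to: echo "hello";), a clean .htaccess for
# comparison, and an authorized_keys holding one key that is not in trusted_keys.
make_sample_tree() {
    d=$(mktemp -d)
    printf '<?php echo "front controller"; ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode("ZWNobyAiaGVsbG8iOw==")); ?>\n' > "$d/common.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ common.php [L]\n' > "$d/.htaccess"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ index.php/$1 [L]\n' > "$d/clean.htaccess"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedTrustedKeyBlob000000000000000= me@laptop\n' > "$d/trusted_keys"
    { cat "$d/trusted_keys"
      printf 'no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownBlob==\n'; } > "$d/authorized_keys"
    echo "$d"
}

# Run everything against a webroot, e.g.: sh triage.sh "$HOME/public_html"
# Set TRUSTED_KEYS to your known-good key list if you use SSH keys on the host.
triage() {
    echo "== modified in the last 7 days"; find_recent "$1" 7
    echo "== obfuscation markers";         scan_markers "$1"
    echo "== .htaccess redirects";         htaccess_redirects "$1/.htaccess" || echo "(none)"
    echo "== unexpected SSH keys";         unexpected_keys "$HOME/.ssh/authorized_keys" "${TRUSTED_KEYS:-/dev/null}" || true
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```

The marker scan and the rewrite check only tell you what was dropped, which Matt already knows; the timestamps from find_recent are the lead worth chasing, because the host can match them against the FTP and web-server access logs that the last comment mentions and tell you which account or URL wrote the file.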

