[Technology] Website Hacked - The font of knowledge that is NSC




Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Does anyone know of a person or firm I can contact to help me remove a hack on a website. We've had quite a big problem and despite all our efforts we are struggling to get rid of the malicious code that keeps causing the problem, even after we think we've got rid of it. If you know someone, or are someone who can help, please PM me.

Many thanks, Phil.
 






Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
We were hit on the weekend, we’ve known there is a backdoor somewhere on the site, we thought we’d got rid of it but obviously not. We’ve completely deleted all the malicious code a number of times, and within half an hour or less it comes back.

Originally it was leaving Google ads all over our page but we’re guessing the hacker’s Google account has been shut down, but we are still getting the un-closable red cross appearing in the middle of our pages.

We can see the code, we can delete it, but it just comes back again.
 


Dave the OAP

Well-known member
Jul 5, 2003
46,762
at home
We were hit on the weekend, we’ve known there is a backdoor somewhere on the site, we thought we’d got rid of it but obviously not. We’ve completely deleted all the malicious code a number of times, and within half an hour or less it comes back.

Originally it was leaving Google ads all over our page but we’re guessing the hacker’s Google account has been shut down, but we are still getting the un-closable red cross appearing in the middle of our pages.

We can see the code, we can delete it, but it just comes back again.

Can you not recover your site using the backups you would have as part of your BC? Can you not go back to Friday night?
 


Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,295
Back in Sussex
We were hit on the weekend, we’ve known there is a backdoor somewhere on the site, we thought we’d got rid of it but obviously not. We’ve completely deleted all the malicious code a number of times, and within half an hour or less it comes back.

Originally it was leaving Google ads all over our page but we’re guessing the hacker’s Google account has been shut down, but we are still getting the un-closable red cross appearing in the middle of our pages.

We can see the code, we can delete it, but it just comes back again.

Oh it's your OFS site?

I've just been there and seen that red cross - it's also showing me seemingly logged in as m***.shel***@impro***.com (I put the stars in) in the top right of the site. So, do the bad guys have login credentials?

Obvious places to look, although I'd have expected the people who developed the site for you to do this (and maybe they already have):

- read/write protection of each directory and each file of the site.
- patch up each component (eg the LAMP stack and all of this) that is used on the site to the latest known secure version, in case any old versions are running with known vulnerabilities that are being exploited.
- whether SQL injection, or similar, is possible via any data entry points on the site.
 




Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Can you not recover your site using the backups you would have as part of your BC? Can you not go back to Friday night?

Done that, but the back door is still there.
 


Dave the OAP

Well-known member
Jul 5, 2003
46,762
at home
Done that, but the back door is still there.

Then it must have been there for a while... have you found from your BC or AV provider if they have seen this before? If so it may be worth, on a test rig, restoring from a couple of weeks ago and applying the patch/fix they suggest. That will hopefully close the door.
 


Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Oh it's your OFS site?

I've just been there and seen that red cross - it's also showing me seemingly logged in as m***.shel***@impro***.com (I put the stars in) in the top right of the site. So, do the bad guys have login credentials?

Obvious places to look, although I'd have expected the people who developed the site for you to do this (and maybe they already have):

- read/write protection of each directory and each file of the site.
- patch up each component (eg the LAMP stack and all of this) that is used on the site to the latest known secure version, in case any old versions are running with known vulnerabilities that are being exploited.
- whether SQL injection, or similar, is possible via any data entry points on the site.

Thanks for that, you just uncovered something else we didn’t know about the login.
This is becoming a bit of a nightmare but I’ll make sure all the things you’ve mentioned are addressed.
 




Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Then it must have been there for a while... have you found from your BC or AV provider if they have seen this before? If so it may be worth, on a test rig, restoring from a couple of weeks ago and applying the patch/fix they suggest. That will hopefully close the door.

Thanks for the suggestions, we are aware that the backdoor must have been there a while. But when we found what we thought was it, and removed it, another one appeared.
 


Eggmundo

U & I R listening to KAOS
Jul 8, 2003
3,466
Have you tried turning it off and on again?

(can't believe that hasn't been suggested already)
 


Gary Leeds

Well-known member
May 5, 2008
1,526
I have just looked at the site and noticed in top left corner it says I am logged in with an account name mark.sh***ey@im***dia.com and as at the bottom it says site copyright improdia I am guessing there is an exploited admin account somewhere. What software are you using for the site?

edit: Bozza beat me to it but leaving post here in case not everyone can see the logged in account
 




Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,295
Back in Sussex
Thanks for that, you just uncovered something else we didn’t know about the login.
This is becoming a bit of a nightmare but I’ll make sure all the things you’ve mentioned are addressed.

The last one would be the hardest to find and deal with and would need someone highly technical, but it's also unlikely to be an issue unless it's a home-written site and someone has gone after your site for a particular reason.

Directory and file permissions, if incorrect, would easily allow a bad actor to place malicious code behind your site. I'd be checking there first - it's quick and easy to do. That, and login credentials too, if you've not updated them since the bad stuff started happening. It could be a simple hack of those, and they're simply re-accessing that way.

And we all get lazy with updating and patching up software until we feel we have a reason to do so, like this.
 


Gary Leeds

Well-known member
May 5, 2008
1,526
Add a shirt is also switched off (not sure if that was your doing or part of the hack). Could it be possible someone has injected some PHP code into a shirt description that is then being pulled up when viewing the home page showing the most recent shirts, and rather than printing a description it's opening some PHP or HTML code that is altering the site, and because no new shirts can be added it stops the malicious code from being moved down the recently added list and therefore it's displayed every time? I know it's clutching at straws. I would also check for a hidden directory on the server. I had something similar with a WordPress site and every time I removed the code it came back from somewhere, then I found a hidden folder that was the source of all the problems.
 


Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
I have just looked at the site and noticed in top left corner it says I am logged in with an account name mark.sh***ey@im***dia.com and as at the bottom it says site copyright improdia I am guessing there is an exploited admin account somewhere. What software are you using for the site?

edit: Bozza beat me to it but leaving post here in case not everyone can see the logged in account

The last one would be the hardest to find and deal with and would need someone highly technical, but it's also unlikely to be an issue unless it's a home-written site and someone has gone after your site for a particular reason.

Directory and file permissions, if incorrect, would easily allow a bad actor to place malicious code behind your site. I'd be checking there first - it's quick and easy to do. That, and login credentials too, if you've not updated them since the bad stuff started happening. It could be a simple hack of those, and they're simply re-accessing that way.

And we all get lazy with updating and patching up software until we feel we have a reason to do so, like this.

Improdia is my brother's business, he wrote the site. It is pretty much bespoke, on the Apache platform(?) The discovery that "he" was logged in is now being investigated as this has come as a surprise. He is also reading this thread, so really, thanks so much for the suggestions. He built the site from scratch, but these days doesn't really work in the business, apart from our site. Trying to keep up with changes and developments in the field is pretty hard, as we are possibly now seeing.
 




Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Add a shirt is also switched off (not sure if that was your doing or part of the hack). Could it be possible someone has injected some PHP code into a shirt description that is then being pulled up when viewing the home page showing the most recent shirts, and rather than printing a description it's opening some PHP or HTML code that is altering the site, and because no new shirts can be added it stops the malicious code from being moved down the recently added list and therefore it's displayed every time? I know it's clutching at straws. I would also check for a hidden directory on the server. I had something similar with a WordPress site and every time I removed the code it came back from somewhere, then I found a hidden folder that was the source of all the problems.

I think, or hope, that we have switched that off. We think the original hack may have come from a file masquerading as an image file that had been posted to the site, but was in fact a malicious file that may have started the whole thing off.
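Several suggestions in this thread point at the same read-only triage a defender would run before trying to "delete the code" again: Bozza's directory and file permission check, Gary's hidden-directory hunt, Phil's file masquerading as an image, and the backdoor that regrows within half an hour. The script below is an added example, not code from the thread or from the OFS site; it walks a web root and reports world-writable paths, dot-directories, and image-named files that either lack a real image signature or contain a PHP open tag, then takes two hash snapshots so that anything re-created between scans shows up as added or changed. The sample web root it builds in a temp directory is constructed for the demonstration; the placeholder "PHP" files hold no real payload.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Magic bytes for the formats a shirt-photo folder should normally contain.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_MARKERS = (b"<?php", b"<?=")


def is_real_image(head: bytes) -> bool:
    """True if the first bytes carry a known image signature."""
    return head.startswith(IMAGE_MAGIC)


def scan_webroot(root) -> dict:
    """Read-only walk collecting three kinds of findings, as relative POSIX paths."""
    root = Path(root)
    findings = {"masquerading_images": [], "hidden_dirs": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.stat().st_mode & stat.S_IWOTH:          # anyone can drop files here
            findings["world_writable"].append(d.relative_to(root).as_posix())
        for name in dirnames:
            if name.startswith("."):                 # dot-directories hide from casual listings
                findings["hidden_dirs"].append((d / name).relative_to(root).as_posix())
        for name in filenames:
            p = d / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = p.relative_to(root).as_posix()
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if p.suffix.lower() in IMAGE_EXTS:
                with open(p, "rb") as fh:
                    head = fh.read(64 * 1024)
                # Judge by content, not by extension: a "jpg" must start like a JPEG
                # and must not carry PHP source anywhere in its first 64 KiB.
                if not is_real_image(head) or any(m in head for m in PHP_MARKERS):
                    findings["masquerading_images"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def snapshot(root) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file():
                hashes[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, vanished, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(path: Path, data: bytes, mode: int = 0o644) -> None:
    path.write_bytes(data)
    os.chmod(path, mode)


def build_sample_tree(base: Path) -> None:
    """Constructed sample web root; nothing here is real site content."""
    (base / "images").mkdir(mode=0o755)
    _write(base / "images" / "shirt1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    _write(base / "images" / "badge.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # Uploaded under an image name but holding PHP source (constructed placeholder).
    _write(base / "images" / "upload_3721.jpg", b"<?php /* constructed placeholder, no real payload */ ?>")
    (base / "images" / ".cache").mkdir(mode=0o755)
    (base / "uploads").mkdir()
    os.chmod(base / "uploads", 0o777)              # the weak permission Bozza warns about
    _write(base / "index.php", b"<?php echo 'hello'; ?>")


def run_demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="webroot-triage-"))
    build_sample_tree(base)
    findings = scan_webroot(base)
    before = snapshot(base)
    # Simulate the backdoor "coming back" between two scans (constructed).
    _write(base / "images" / "regrown.jpg", b"<?php /* constructed placeholder */ ?>")
    _write(base / "index.php", b"<?php echo 'hello'; /* altered */ ?>")
    after = snapshot(base)
    return {"findings": findings, "diff": diff_snapshots(before, after)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it against a copy of the real web root by calling scan_webroot and snapshot on that path instead of the sample tree; the snapshot diff is most useful taken with the site offline, as superbrother describes, so that every change between the two runs is something to investigate rather than a legitimate edit.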
 


Bozza

You can change this
Helpful Moderator
Jul 4, 2003
57,295
Back in Sussex
Improdia is my brother's business, he wrote the site. It is pretty much bespoke, on the Apache platform(?) The discovery that "he" was logged in is now being investigated as this has come as a surprise. He is also reading this thread, so really, thanks so much for the suggestions. He built the site from scratch, but these days doesn't really work in the business, apart from our site. Trying to keep up with changes and developments in the field is pretty hard, as we are possibly now seeing.

Happy to take a quick check of the file system if you want to email me login credentials.
 


Superphil

Dismember
Jul 7, 2003
25,679
In a pile of football shirts
Thanks @Eggmundo :D

We've taken the site down for now while we carry on working on this. Thanks for the comments, suggestions and observations, really appreciated.
 






superbrother

New member
Oct 23, 2006
4
And here I am, the other half of oldfootballshirts.com. Thanks for all the quick comments and support.

oldfootballshirts.com is now offline, completely. As the backdoor was regenerating itself we must do a full scan when we know nobody can be making any modifications.

You will all know that OFS is rather a large collection of photos of thousands of shirts across several thousand teams. All organised in a rather large file system which when you consider all the various sizes of each shirt there is likely to be close to a million files spread over thousands of folders. Just zipping up the entire images folder takes several hours on the server as does a full scan for malicious code embedded in the files. So, it is a bit of a monster and I was coming close to a mental breakdown worrying about it.
 


Gary Leeds

Well-known member
May 5, 2008
1,526
Which version of PHP is the server running? Hasn't there just been a major update to PHP and an old insecure version totally deprecated?
 

