Author Topic: Beware of hackers inserting PHP files into your web hosting space.  (Read 2392 times)

elagache

  • Global Moderator
  • Storm
  • *****
  • Posts: 6494
    • DW3835
    • KCAORIND10
    • Canebas Weather
  • Station Details: Davis Vantage Pro-2, Mac mini (2018), macOS 10.14.3, WeatherCat 3
Dear WeatherCat web spinners,

A while back I had noticed that there were some additional PHP files in the root directory of my web server space.  They had puzzling names.  Even so, GoDaddy had provided me with some default PHP programs; I supposed they had included a few more and moved on.

This morning I received an email from the GoDaddy security team with ominous news.  Somehow someone had hacked into my web server space and inserted those files.  A security scan had detected the rogue files and some had been deleted because they were interfering with server operations.  Others were left for me to ferret out.  The files had names like:

html/dyan-crickets.php

html/happen-inane.php

html/incomplete-embarrassed.php

html/lonely-dorrie.php


These files were literally all over my directories and it took some time for me to go through and delete them all.  A .htaccess file had also been added.  Fortunately, I don't use the root directory of my web space so hopefully very little damage was done.  The only devices that could have been going there are web spiders.  I made some attempts to determine what sort of attack had occurred based on the filenames but didn't turn anything up.

I still have no idea how the hackers got access and GoDaddy didn't recommend any changes in my server operations.  I'm trying to lock things down further, but I'm running into trouble with the GoDaddy management software.

Since many of us run PHP-based templates, this sort of hacking might be much more difficult to detect on your sites.  I had hoped to disable PHP on my site since I don't use it, but I couldn't find any obvious way to do that.

The increasing sophistication of hackers is well-documented.  One of the reasons I gave up running my own Linux server was clearly that I was losing that arms race.  I'm disappointed that GoDaddy took weeks before noticing the files that I wasn't aware were dangerous.  It would clearly be in their best interest to increase the frequency of scans and educate users about how this particular sort of attack works and how to prevent it.

In the meantime, we all must become more vigilant - even if we hardly have the time for that.

Oh well, . . . . . Edouard 

Blicj11

  • Storm
  • *****
  • Posts: 3941
    • EW3808
    • KUTHEBER6
    • Timber Lakes Weather
  • Station Details: Davis Vantage Pro2 Plus | WeatherLinkIP Data Logger | iMac (2019), 3.6 GHz Intel Core i9, 40 GB RAM, macOS Ventura 13.6 | Sharx SCNC2900 Webcam | WeatherCat 3.3 | Supportive Wife
Re: Beware of hackers inserting PHP files into your web hosting space.
« Reply #1 on: May 04, 2017, 12:25:49 AM »
So sorry to hear this news, Edouard. I am also sorry to say this has happened to me also, twice. After the last one, I buttoned up my security efforts, changed my password, began reviewing my backup logs regularly and generally started watching things much more closely and more frequently. Unfortunately, it's all necessary in this mindset of hacking for entertainment.
Blick


elagache
Dear Blick and WeatherCat web spinners with all the responsibility that entails,

Quote from: Blicj11 on May 04, 2017, 12:25:49 AM
So sorry to hear this news, Edouard. I am also sorry to say this has happened to me also, twice. After the last one, I buttoned up my security efforts, changed my password, began reviewing my backup logs regularly and generally started watching things much more closely and more frequently. Unfortunately, it's all necessary in this mindset of hacking for entertainment.

I just went through the same drill.  GoDaddy has a relatively nice web-based server management system.  I had forgotten that you could create user agents that can only FTP and you can assign them to only one directory.  So now WeatherCat uses a dedicated FTP agent and all my connections to my site will be SFTP or SSH.

In your miseries, did you learn anything about how the hackers are doing this?  Are they getting your password somehow or is this some other sort of exploit?

Unfortunately, WeatherCat does send a lot of data via FTP, so if someone were able to snoop on Internet traffic your WeatherCat password would occur frequently.  I looked around and didn't see any other damage, so I suspect the hackers in question didn't get my password or weren't interested in messing around.

It suggests another unexpected reason to switch to a different web presence like Meteotemplate.  Jachym's template requires zero FTP.  Alas, to submit data to AWEKAS you still need to FTP the data.  Like so much in our world today - no easy choices . . . . . .

Oh well, . . . . Edouard

Blicj11
Re: Beware of hackers inserting PHP files into your web hosting space.
« Reply #3 on: May 05, 2017, 01:31:47 AM »
I think much of it is exploitation, but I know I had people (and bots) attempting to login to my admin panel. I actually found another admin user besides myself one day when I logged in to look around. I deleted that user and changed my password. And as you did, I found extra PHP files as well as modified files. What a pain to try to sort these attacks out.
Blick


elagache
Dear Blick and WeatherCat web spinners,

Today I got a call from GoDaddy which I assumed was more bad news about my website, but it turned out to be a sales call for their own security add-on service called Sitelock.  These guys are charging an arm and a leg for a service they should be doing anyway, but I gave in and added the service.  It will scan my website every 24 hours and remove any malware it finds.

Unfortunately, I think we all need to consider this sort of service.  Hacking has become a fine art and the security folks are struggling hard to keep up.  It is certainly more than someone with a casual interest in websites can hope to deal with.

Edouard

Blicj11
Re: Beware of hackers inserting PHP files into your web hosting space.
« Reply #5 on: May 10, 2017, 12:56:19 AM »
I have been doing something similar for about 5 months now, ever since the last time I got hacked. I run a scan on my entire site, which flags any modified files, letting me view the modifications and decide which version to keep.
Blick
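The scan Blick describes (flag every added or modified file) and the rogue PHP and .htaccess files Edouard found earlier in the thread can both be caught with a simple hash baseline of the web root; the script below is an added example, not code from the thread or from GoDaddy's tools, and it assumes you can pull a copy of your hosting space to a local directory (for instance over SFTP) and keep the baseline somewhere the hosting account cannot write to.

```python
import hashlib
import os
import tempfile

# File types worth looking at first when they appear or change unexpectedly.
WATCH_EXTENSIONS = (".php", ".phtml", ".htaccess")

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def diff_snapshots(baseline, current):
    """Compare two snapshots; a changed hash means the file was modified."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}

def flag_web_changes(diff):
    """Added or modified PHP / .htaccess files: inspect these before anything else."""
    changed = diff["added"] + diff["modified"]
    return sorted(p for p in changed if p.lower().endswith(WATCH_EXTENSIONS))

def _write(root, rel, data):
    """Helper for building the constructed sample tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a small site, then drop rogue files into it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "html/index.html", b"<h1>Weather</h1>")
        _write(root, "html/weather/current.txt", b"temp=12.3")
        baseline = snapshot(root)  # taken while the site was known-good
        # Simulate the incident from the thread: a rogue PHP file (name taken
        # from the first post), a new .htaccess and a tampered existing page.
        _write(root, "html/dyan-crickets.php", b"<?php /* constructed sample */ ?>")
        _write(root, "html/.htaccess", b"# constructed sample")
        _write(root, "html/index.html", b"<h1>Weather</h1><!-- tampered -->")
        diff = diff_snapshots(baseline, snapshot(root))
        return diff, flag_web_changes(diff)
```

In practice you would save `snapshot()` output as JSON after each deliberate change to the site and run `diff_snapshots()` against it on a schedule, so the first rogue file shows up in hours rather than weeks.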