Website(s) compromised what to do?

[rudy]

I have a reseller account its pretty small and mostly all my or my families websites. Well a couple months ago we noticed spam showing up when we searched google for things that would lead to our main website. So we looked around and noticed that in the htaccess file there was a ton of junk, and maybe some other php, files, I cant remember exactly. So I deleted the htaccess file and those other files. Then recently my sites were not loading and or were slow. So I contacted HH and asked them to look into it. After a couple days they disabled one of my accounts. Said to contact them a database was using a ton of resources. 

 

The main problem probably stems from the fact I let these various scripts sit too long. One of a small forum script, the other web site had a hand full of shopping carts I was experimenting with but had left them idle for a long time, maybe years. 

 

So far I think google has pretty much killed searching for any of my sites, even had some random person contact me saying I had to remove a link to their website because their site had been banned from google. I assume they paid someone for some SEO and that person hacked something in my site or forum. 

 

But now I am just worried how do you go about cleaning all this up? What exactly was most likely compromised? Has my main reseller password been compromised? Or is it likely just exploitation of a security flaw in scripts? Is it possible for scripts to inject spam into my htaccess files? That seems insecure. 

 

What places do I go looking for to figure out whats wrong? Are their any scanning utilities that can help me? I want to make sure everything is clean and then change all the passwords. 

[Fowler]

Hi Rudy,

Have you started a support ticket regarding the issue? They might be able to help clean up your account. Usually I would recommend restoring a backup from before your site was compromised but judging from your post, I am guessing you are not sure how long your site has been compromised for?

I would imagine that this was down to an outdated script being compromised although I can't say for certain. Ideally you shouldn't leave unused scripts publicly accessible as it just increases the attack surface. Outdated scripts make it even more likely for your site to be compromised aswell.

I think seeing if HH has any handy tools they can use to "spring clean" your account and un installing all unused scripts and updating ones that you want to keep is the way forward. Also if you have any plugins/addons/extensions for any of the scripts you keep, update them also. Quite often they can open up your site to be compromised. One other option you have is to reinstall the scripts you want to keep after you remove all the old scripts. That will help remove any code that has been added to those files.

[rudy]

Thanks, what do you mean by do not leave them publicly acessible? I never had any public links to these sites, except 1 forum, which was suppose to be accessible so people could post on it. The stores were never linked. Or is there some other way you guys manage and block any person but yourself from accessing a webstore that has not been setup fully yet? 

 

I did contact them and they looked things over, but did not mention if there is anything they can run. 

[Fowler]

You can password protect the directory they are in to stop people from accessing the directories with your outdated scripts in. I do see alot of 404 errors in the logs of bots searching for certain directories which have never existed on our sites but the malicious bots crawling the internet are just hoping that they do exist. Quite often they try /cart, /wordpress, /vb and loads of wp-content/themes/**theme name**/thumb.php. They just hope that something exists in those directories and that it is a script they can exploit. While you may not link to them, they may still be found. I am sure if you buy a new domain and setup a forum at /forum, it will be spammed at some point even if you never link to the forum.

[gunwitch]

I never had any public links to these sites, except 1 forum, which was suppose to be accessible so people could post on it.

Yes, Fowler is right -- once bots found the site is active, they will be hammering to a list of the standard paths for CMSs, which have known vulnerabilities.

If you have a CMS installed, which captures 404 errors into a log file (like Drupal do), you'll see a hell LOT of such automated requests. From time to time I'm getting such for the Microsoft Word directories and .dll's

You should make sure the scripts you run are updated to their latest versions, including the plug-ins you use. Known vulnerabilities there are frequently used to compromise a website and it doesn't depend on a host you use.

 

Also don't save password in your FTP client -- a lot of viruses have the default function to search for the FTP clients installed on an infected machine and steal passwords saved there.