Hacked site?

**mjp** · 05-05-2009, 04:30 PM

We have seen an increase in the number of sites compromised via legitimate FTP access. The way this typically happens is a worm or virus installs a keylogger or other username/password harvesting program onto your home or office computer. Once a hacker has your login information, they can alter your site files to deliver malware to visitors, or redirect your visitors to another infected site. This is usually done by adding a single line of <iframe> code to a page.

Another common compromise method is through SQL injection. If your web application does not check, filter or otherwise sanitize any data sent to your database, an SQL injection is possible either through a web-based input form or via an altered URL string. The SQL injection is used to perform database queries that your application generally would not perform (such as updating text fields that are displayed on a web page to include malicious links). For a good general overview on SQL injection techniques and how to safeguard against them, please see this article: http://en.wikipedia.org/wiki/Sql_injection

If a site visitor has notified you that they receive a warning from their antivirus software, or get Google's "Reported Attack Site!" warning from their browser, your site may have been exploited.

What you should do to clean up the issue:

1) Perform a thorough virus scan of every computer you use to access your site and remove any malicious programs. There are a lot of free detection tools, here are links to a few:

http://www.microsoft.com/security/ma...e/default.mspx
http://vil.nai.com/vil/stinger/
http://www.safer-networking.org/en/spybotsd/index.html

2) Once you are certain that all of the computers you use to access your site are free from malicious software, delete all the files from your site.

3) Change all of your account passwords - including FTP, database and email account passwords - and the passwords of any users that have FTP access in Control Panel.

4) re-upload your site files (if your site was flagged by Google as an "attack site," see this post for instructions on getting it removed from their database).

If you clear out files and change passwords without being certain that your computer(s) are free from malicious software, it is likely that your login information (and your site) will be compromised again.

05-05-2009, 04:30 PM	#1
mjp DiscountASP.NET Staff Join Date: May 2006 Posts: 2,314	Hacked site? We have seen an increase in the number of sites compromised via legitimate FTP access. The way this typically happens is a worm or virus installs a keylogger or other username/password harvesting program onto your home or office computer. Once a hacker has your login information, they can alter your site files to deliver malware to visitors, or redirect your visitors to another infected site. This is usually done by adding a single line of <iframe> code to a page. Another common compromise method is through SQL injection. If your web application does not check, filter or otherwise sanitize any data sent to your database, an SQL injection is possible either through a web-based input form or via an altered URL string. The SQL injection is used to perform database queries that your application generally would not perform (such as updating text fields that are displayed on a web page to include malicious links). For a good general overview on SQL injection techniques and how to safeguard against them, please see this article: http://en.wikipedia.org/wiki/Sql_injection If a site visitor has notified you that they receive a warning from their antivirus software, or get Google's "Reported Attack Site!" warning from their browser, your site may have been exploited. What you should do to clean up the issue: 1) Perform a thorough virus scan of every computer you use to access your site and remove any malicious programs. There are a lot of free detection tools, here are links to a few: http://www.microsoft.com/security/ma...e/default.mspx http://vil.nai.com/vil/stinger/ http://www.safer-networking.org/en/spybotsd/index.html 2) Once you are certain that all of the computers you use to access your site are free from malicious software, delete all the files from your site. 3) Change all of your account passwords - including FTP, database and email account passwords - and the passwords of any users that have FTP access in Control Panel. 4) re-upload your site files (if your site was flagged by Google as an "attack site," see this post for instructions on getting it removed from their database). If you clear out files and change passwords without being certain that your computer(s) are free from malicious software, it is likely that your login information (and your site) will be compromised again.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How to get your site removed from Google's hacked site database	mjp	Tutorials	0	05-05-2009 04:14 PM
so my database got hacked	IPS	Databases	9	07-30-2008 11:10 AM
I want to upload dnn site into the (discount.asp) server my site is installed in my local machine	ashish gupta	Third-party applications	1	12-20-2007 12:44 PM
My web site hacked !!!	patrudu	Web Site Design Critiques/Review/Help	6	10-31-2005 10:09 AM
SQL Connection string for Web.config to my sql2000 server on the asp site from the beta site	easyrealtya	ASP.NET 2.0	0	05-07-2005 03:51 AM