[ubuntu-uk] Website Hacked.....

Lucy lucybridges at gmail.com
Sat Jun 27 18:47:32 BST 2009


2009/6/27 Tony Arnold <tony.arnold at manchester.ac.uk>:
> John,
>
> John wrote:
>> I run a website, and there's about 2.5 gigs of information on there. The
>> whole lot got deleted and the hackers put up a picture advertising who
>> they were. I have managed to get the host to restore as much as they can
>> back, well, the way they are trying to.
>>
>> What is worrying me is the password was a really strong password, 100
>> strong according to the password generator, and I was wondering how
>> they managed to get in. I can't help worrying that it might be through my
>> netbook. How do I check to see that my computer hasn't been hacked? I
>> know Ubuntu has a virus checker, but the last time I tried to use it, it
>> was finding programs that were viruses, and these were programs in
>> Synaptic. I was not able to use it in the end, as I didn't know what was
>> what. Also, is there anything I can do to stop my notebook from being
>> hacked?
>
> Matt and Lucy have given you some good advice and pointers to how your
> site got hacked. To really find out, you need to do some forensics, but
> I realise the information you need may no longer be around.
>
> You need to determine the date & time of when the hack occurred.
> Creation dates of new files put there by the hackers or modify dates of
> anything they have changed will give you a clue.
>
> You then need to trawl the log files for the web server and look for any
> unusual looking URLs that have been requested at about the time of the
> hack. The path in the URL will give a clue as to where the weakness lies.
>
> I would also avoid using FTP and use SFTP (via ssh) instead. Strong
> passwords help, but authentication via ssh keys would be even better.
>
> The concern here is that you restore everything and it just gets hacked
> again because you haven't fixed the vulnerability.

That's also good advice Tony, but sadly it sounds like John is on
shared hosting and doesn't have access to the server or control how he
uses it.

John, my advice right now would be to continue bugging the ISP until
they restore your sites from backups (although I'm guessing you won't
get through to anyone until Monday now). That's assuming they do have
the backups like you said.

For the future, always make regular backups yourself and check that
they work by restoring from them every now and then (you'd be surprised
how many people skip this step). You might also consider looking for a
different provider that uses SFTP.

Also, I've noticed that the sites use cPanel. I've heard that this can
also have security vulnerabilities if not configured properly, but I
couldn't say more without someone more knowledgeable being able to
check the configuration, which isn't likely to happen. It's not
unusual at all for the ISP to be very cagey about security
configurations and how this kind of event happened.
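The forensics steps Tony describes (fix the incident time from the attackers' files, then trawl the access log for unusual requests around that time) written out as an added example; this is not code from the thread. The combined-log format is assumed, and the log lines, baseline paths and incident time are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache/cPanel "combined" access-log line (assumed format for this host).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; real lines would come from the host's access_log.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2009:13:58:02 +0100] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [27/Jun/2009:13:58:04 +0100] "GET /images/logo.png HTTP/1.1" 200 812
198.51.100.7 - - [27/Jun/2009:14:02:17 +0100] "GET /gallery/config.php?do=edit HTTP/1.1" 200 61
198.51.100.7 - - [27/Jun/2009:14:02:19 +0100] "POST /gallery/config.php HTTP/1.1" 200 40
198.51.100.7 - - [27/Jun/2009:14:03:01 +0100] "GET /owned.jpg HTTP/1.1" 200 9000
203.0.113.9 - - [27/Jun/2009:16:40:00 +0100] "GET /index.php HTTP/1.1" 200 5123
"""
# Paths the site normally serves (constructed baseline; build it from a known-good backup).
KNOWN_PATHS = {"/index.php", "/images/logo.png", "/gallery/", "/contact.php"}
# Step 1: the incident time. A constant here; in practice take it from the mtime of the
# attackers' file, e.g. datetime.fromtimestamp(os.stat(f).st_mtime, tz).
INCIDENT_TIME = datetime.strptime("27/Jun/2009:14:03:01 +0100", TS_FMT)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def requests_near(log_text, when, window_minutes=30):
    """Step 2: keep only requests within +/- window_minutes of the incident."""
    lo, hi = when - timedelta(minutes=window_minutes), when + timedelta(minutes=window_minutes)
    return [r for r in map(parse_line, log_text.splitlines()) if r and lo <= r["time"] <= hi]


def flag_unusual(reqs, known_paths):
    """Step 3: a request is unusual if it uses a write method or its path (minus any query
    string) is not one the site normally serves; that path points at the weak spot."""
    return [r for r in reqs
            if r["method"] not in ("GET", "HEAD") or r["path"].split("?", 1)[0] not in known_paths]


def triage(log_text=SAMPLE_LOG, when=INCIDENT_TIME, known_paths=KNOWN_PATHS):
    flagged = flag_unusual(requests_near(log_text, when), known_paths)
    for r in flagged:
        print(r["time"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    return flagged


if __name__ == "__main__":
    triage()
```

On the sample data this narrows six lines to the three requests from one address in the minute before the defacement, which is the kind of lead the log trawl is meant to produce.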
