Comments on: Hack’d

By: Hami

Hami — Tue, 01 Jul 2008 02:03:15 +0000

I am planning to host my sie with godaddy, I heard a lot about them. DO you think they are safe ?

By: Brightman09

Brightman09 — Sat, 24 May 2008 20:54:24 +0000

Hi there,
I see you are hosted on dreamhost. Overall do you find them reliable? I am worry about this issue you experienced!

By: Max

Max — Fri, 23 May 2008 13:43:18 +0000

I just had this happen and finally checked my logs, not for .txt, but for .php. Turns out I’ve been getting hit via an external site… the hack somehow used my TXP index.php to process a remote .txt file containing the malicious code.
My solution was to edit php.ini and make a new .htaccess entry, which may or may not have a permanent effect

By: Alexander Davidsen

Alexander Davidsen — Mon, 19 May 2008 02:42:18 +0000

A good idea is to chmod the files instead of deleting them, so that only root has read access. This will prevent anyone overwriting or uploading the same files later on if a new bug is found and exploited. Updating the software and changing password are of course the also needed. But as I can see you already done that:)

By: Levien

Levien — Sun, 11 May 2008 19:14:01 +0000

I see it also from the bright side. This means that your website is getting very visible. Your site is getting spidered by the search engines. Unfortunately there are also bad spiders.

By: Nate Cavanaugh

Nate Cavanaugh — Sat, 10 May 2008 02:01:55 +0000

I also host my site with Dreamhost, and I was having the exact same thing.
It kept driving me nuts because I’d grep, and there would links in every single index.html, index.php, etc on the server.
After talking to dreamhost, they recommended changing my password, which I had done, and it never happened again.
So somehow, peoples passwords were leaked or have been accessed.
I love DH, but this was particularly annoying…

By: Ajith Edassery

Ajith Edassery — Tue, 06 May 2008 17:56:50 +0000

Hi,
I had similar issues sometime back with one of my php-nuke based sites… It was mainly SQL injection based hacking then, your case seems to be different.
Thanks for the tips…will do keep my eyes on the log file.
Ajith

By: Karl Hardisty

Karl Hardisty — Tue, 06 May 2008 13:28:23 +0000

We had this happen a while ago with our own sites, and I only noticed it when I was doing a manual update for a link across the site. It took a while, but we eventually traced it to our then host being compromised.
We found this out by looking at other sites hosted on the same server and noticed that most of them had the same issue. Needless to say the host for our own site (which is hosted on a 3rd party server as opposed to our own for obvious reasons) has now been changed. Since then, no problems whatsoever.

By: Hamish M

Hamish M — Sat, 03 May 2008 18:24:07 +0000

A similar thing happened to a friend of mine. http://i.never.nu/hack-update/ Thanks for sharing your experience, Dan.

By: ChadL

ChadL — Sat, 03 May 2008 10:14:56 +0000

What has come in handy for me in the past is having your web roots as SVN working copies. That way, a simple svn status/diff/revert fixes your changed/hacked files.
Of course, the root issue is avoiding the hack to begin with. :)