------------ Original Message ------------
The web server logs likely won't show you explicitly how, but will
give you pointers of things to look at -- e.g., a php script where
the QUERY_STRING aren't being properly sanitized. With the system
security-related logs you'd be looking for accesses from
non-standard locations. That would probably point to the "simple"
issue of compromised ftp credentials. The problem is that in a
shared-hosting environment you may not be able to tell connections
to your content vs. that of some other user, making it harder to
figure out if that's the source.

Doing hacking forensics is not simple and you're unlikely to get
answers handed to you, but if you want to figure out the cause of
this hack, and fix it, then this is what's needed.


- Richard

be due to your hosting provider not installing the latest security updates.
Often, they don't. Here is an example of what I viewed in my logs today:

[149.210.135.28] - - [03/Oct/2014:12:20:56 -0400] "GET
/wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 - "-"
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8)
Gecko/20100722 Firefox/3.6.8"

1) If you look closely, the last line is a hack attempt. It was not
successful because I have firewall rules that monitor all incoming and
outgoing traffic.
2) On shared servers, another user on the site could have an insecure
script that allowed the hacker to gain access to your account or all
accounts hosted on the server.
3) If you use the command line, please note that others can see commands
being run by you or others.
4) Before you go changing passwords, it may be REALLY important to find out
HOW they did this, because the security hole may still be there.

I'm afraid I can't keep the info you mentioned since I already cleaned
this up. Yes - some of the problem was with large chunks of code at the
bottom of a couple of index.php files. Most of it was a small commented
out piece of <script> code that called some site in Germany. I have a
utility to scan every file in my domain that helped me find all the
occurrences (about 30) which I then updated after cleaning them.

Thanks for the tips tho.

Yes. 644 => (Binary) 110_100_100 => RW-(User)_R--(Group)_R--(Other)

Only the User (owner of the files) can write the file,
but members of the owner group and all others can read it.

Search for "man chmod" and you will get a detailed explanation of permissions.

Check directory permissions as well. A file can only be deleted from or added to
a directory if the the perpetrator has write permission (as user or group or other)
on the parent directory.

Peter West

"See that you do not despise any of these little ones..."

Okay, but nothing has been mentioned about any database
hacks.
I have no way to verify that.
Do you understand the reasons for the changes you made?

--
http://www.spinics.net/lists/centos/

Not so true. Andy Lester made a great point:
"prepare does not do magic that makes your code safe. If you have built a
SQL command with outside data, you are in danger." - Andy Lester
<http://stackoverflow.com/users/8454/andy-lester> Sep 5 '13 at 4:00
http://stackoverflow.com/questions/18627150/hack-prepare-statement-read-first

Have you protected yourself from cross-site scripting? How? Append this to
your Albany Handball site"i=<script>alert('Hacked')</script>" without the
quotes. If you feel that your scripts are safe, the most anyone can do from
here is suggest talking to your hosting provider as just about everything
else has been discussed as to how your web site was hacked. Hopefully you
will resolve this soon.

Jim
I look after a lot of sites where others have created the original code,
and as 'exploits' are documented around the net you see hackers trying
them against random sites. They like to identify just what a site is
using to target particular exploits, so if the detect Joomla or
wordpress or MySQL they will 'have a go' with their library of 'tests'.
This is where understanding just what the log file shows can be useful
as you may see a long list of URL's trying out combinations of things. I
use Firebird myself and the logs for that show all the failed MySQL
attacks ...

Another useful tool I have is a package called 'beyond compare'. One of
the few packages I've actually paid for. All of the websites on client
hosted services I have a local copy of the working site and can BC with
th live site when problems are spotted. takes some time to run on remote
file systems with the bigger frameworks, but modifications stick out
like a sore thumb and one can usually establish quite quickly how a
problem arose, but more important - fix the problem rapidly. There is a
lot of legacy code that I don't need to rework and this allows an
economic maintenance process.

A vector for adding stuff is where third party sites provide javascript
and the like and even php.net has been affected by making files that
were editable via git accessible via the site. I prefer to keep to my
own copies of these so I can include them in the cross checking.

I think what I am seeing is that your own 'attack' has been extra links
added into your own files? Which would mean that something has access to
write, but that may be via a back door created elsewhere. I've a couple
of .asp sites which kept getting attacked and I could not see why - not
normally using ASP - but eventually it was tracked down to a know asp
exploit in a third party element.
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk