Personal Development for Smart People Forums

#1
08-05-2007, 04:22 AM
Xander756 (Junior Member; Join Date: Aug 2007; Location: Niagara Falls; Posts: 16)
Sites Hacked - Advice?

Hello everybody, I just joined here. I emailed Mr. Pavlina about this and he provided me some good advice but also suggested I post this on the forums to see if I can get any more useful tips on how to proceed from fellow members.

Anyway, I run several online websites which are hosted at AWARDSPACE.COM. Recently, the sites were hacked and destroyed. I know who the hacker is, but I do not know them personally. I know them by their screen name on AOL, email address, and their IP. I also have their name but it could be fake (though I have known her for 8-9 months). The earliest backups for the sites are at least a month old and I would be set far behind. What I fear is that if I were to simply put in a lot of time and effort into restoring the site, she could always hack it again. I have filed a complaint with the internet crime division on the FBI site and will file a local police report as well.

This is the second time the sites I have hosted at awardspace have been hacked. I like awardspace because it is quality hosting and easy to edit the coding of html and php but I am starting to get the feeling they are not very secure now. Any advice?
#2
08-05-2007, 06:44 AM
Minsc (Senior Member; Join Date: Nov 2006; Posts: 334)

How did it get hacked? Through your own scripts or because of the host?

If your scripts were secure and nobody knew your passwords (and they weren't in a dictionary or something), I guess you should switch hosts, but I'm not sure how that would happen.

If you're still able to log in and everything and none of your settings changed, it's probably your fault.
__________________
Browse the web with only a mouse.
(Doesn't work in IE, for now)
#3
08-05-2007, 05:25 PM
Xander756 (Junior Member; Join Date: Aug 2007; Location: Niagara Falls; Posts: 16)

Apparently the hacker used a password cracking program which I won't say the name here. The host has been very helpful and has actually restored very current backups of the sites but as I said, I am still afraid that the hacker could always strike again. Should I move domain names so they can't find me?
#4
08-05-2007, 07:01 PM
JimC (Senior Member; Join Date: Jul 2007; Location: Eugene, Oregon; Posts: 198)

Quote: Originally Posted by Xander756
Apparently the hacker used a password cracking program which I won't say the name here. The host has been very helpful and has actually restored very current backups of the sites but as I said, I am still afraid that the hacker could always strike again. Should I move domain names so they can't find me?
If they used a password cracking program (like a dictionary or brute force attack) then just change your password to something more complicated. Add some !@#$%^&* type of characters to it, not just letters/numbers.
#5
08-05-2007, 09:29 PM
Minsc (Senior Member; Join Date: Nov 2006; Posts: 334)

Did they get your hash somehow or did they try logging into your account until they guessed the right password over the web? Your host should have something in place to make sure the latter doesn't happen, but your password must not have been very secure if it did.

The hacker might find your hash in your cookies, for example. If they get your hash, they could crack it a lot quicker than they could by logging in a thousand times and could do it locally without anyone knowing what they're doing. You could still get them to give up if your password is long and uses many different types of characters.
#6
08-06-2007, 02:22 AM
VetTechJess (Senior Member; Join Date: Apr 2007; Posts: 272)

Pardon me for the obvious ignorance here (I've never had a site of mine hacked), but how can you TELL that a site has been hacked??
__________________
---------------------
~*~Jessica~*~

http://www.pet-adoption-guide.com/ <<== PLEASE READ THIS SITE FIRST TO FIND OUT IF THE PET YOU WANT IS RIGHT FOR YOU...BEFORE YOU ADOPT A PET!!!!
#7
08-06-2007, 06:01 AM
Xander756 (Junior Member; Join Date: Aug 2007; Location: Niagara Falls; Posts: 16)

Yeah they used a brute force. I didn't know you could put those symbols in passwords, I'll do it now.

You can tell a site has been hacked because:
1) You can't login even though you provide the correct info
2) You try to access it and it is completely deleted
3) The pages have been defaced or changed to show stuff they shouldn't.

All three of these happened to me.
#8
08-06-2007, 10:37 AM
Minsc (Senior Member; Join Date: Nov 2006; Posts: 334)

Quote: Originally Posted by Xander756
Yeah they used a brute force.
Over the web? Couldn't your host detect, say, 100 login attempts within an hour to one particular account and lock it for a day if they're detected?

If your password was all lowercase a-z and six letters long, it'd have taken up to 308,915,776 attempts to guess it... (unless they used a dictionary attack and your password was in a dictionary)

How'd you know who it was? Any reason they did it (just wondering)?
#9
08-06-2007, 11:05 AM
Doku (Senior Member; Join Date: Nov 2006; Location: Central MD; Posts: 382)

For the admin account, put a delay in the loop before the password is checked. Everyone else will be able to log on with no problem; the admin account will pause for two seconds before you log on.

You really don't want to lock an admin account on X failed passwords... otherwise, I can just keep doing "user: admin password: LOCKme" 100 times until the account locks.
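The two designs Doku contrasts, as an added example that is not code from the thread or from any host: a per-account delay that grows with each failure and resets on success, beside a lockout counter that anyone can trip on purpose. `Throttle`, `Lockout` and `demo_check` are hypothetical names, the credential store is constructed, and the sleep function is injectable so the block can be exercised without actually waiting.

```python
import hmac
import time
from collections import defaultdict

MAX_DELAY = 8.0  # seconds; capped so the real admin never waits unreasonably


class Throttle:
    """Doku's approach: pause before the password check, longer after each
    failure (0s, 1s, 2s, 4s, 8s, 8s, ...). A success resets it; nothing locks."""

    def __init__(self, sleep=time.sleep):
        self.failures = defaultdict(int)
        self._sleep = sleep  # injectable so a test does not really wait

    def delay_for(self, user):
        n = self.failures[user]
        return 0.0 if n == 0 else min(MAX_DELAY, 2.0 ** (n - 1))

    def attempt(self, user, password, check):
        self._sleep(self.delay_for(user))  # the cost lands before the check
        if check(user, password):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


class Lockout:
    """The design Doku warns against: after `limit` failures the account is
    frozen, so `limit` bogus attempts ("password: LOCKme") shut the admin out."""

    def __init__(self, limit=100):
        self.limit = limit
        self.failures = defaultdict(int)

    def attempt(self, user, password, check):
        if self.failures[user] >= self.limit:
            return False  # locked: even the correct password is refused
        if check(user, password):
            return True
        self.failures[user] += 1
        return False


def demo_check(user, password):
    """Constructed credential check standing in for the site's real one."""
    stored = {"admin": "correct horse battery staple"}.get(user, "")
    return hmac.compare_digest(password.encode(), stored.encode())
```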
#10
08-06-2007, 11:54 AM
seeker5 (Moderator; Join Date: Mar 2007; Posts: 3,078)

I'm curious, is the hosting company able to make it so only people from your IP could try to log in to an admin account?
#11
08-06-2007, 04:41 PM
Xander756 (Junior Member; Join Date: Aug 2007; Location: Niagara Falls; Posts: 16)

I don't think my host has that capability, no. I was thinking about switching hosts to that Dreamhost but the host I use now has worked their ass off for me and restored all the backups of my sites, so they are back up and running. I was really impressed so I'm going to stay with them now.

My password was actually like 17 characters long with numbers and letters so I guess it would have taken a lot of attempts lol.

The person who hacked it was a disgruntled member of one of the games I run whom I banned.
__________________
Penguin Run Games
#12
08-06-2007, 05:42 PM
MadHyeNa (Member; Join Date: Aug 2007; Location: Europe; Posts: 40)

I do get some sort of vibe that the hacker is more appropriately a script-kiddie rather than a true hacker.

Oh, and do your best to make your password complex. Keep their length (15-20 characters is fine) but mix in special characters, uppercase and lowercase (if it's case sensitive) and add digits. Make it abstract and complex. Don't add dictionary words, not even if you blend them into a password. Not even reversed, and leave out sequences like qwert, asdfg, you name it.

Also, it would be worthy if you'd ask your hosting company for some sort of further checkups and 'keep an eye on the logs.' Have you got access to the logs? If not, ask them. Or at least ask them to figure out, skim through the logs to find out what type of attack was used. Like Minsc already explained, it'd take quite a "few" tries. Therefore, the information could be extracted from the logs with ease.

Also, require a permanent ban on that specified IP address, if you say so that you know it. But this isn't a fix nowadays. Dynamic IPs, Proxies, etc.
__________________
“Once you incorporate the millionaire's mindset, set goals, chase your dreams with a burning desire and get motivated on a daily basis, success becomes inevitable.” by me.
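The log check MadHyeNa and Minsc describe, as an added example that is not code from the thread or from the host: a brute-force run of the size Minsc computes leaves hundreds of failed logins in a short window, and this script finds them. The log format and the sample lines are constructed for the demo (a real host's logs will differ), the thresholds are illustrative, and `find_bruteforce` also totals failures per account across all source IPs, since, as MadHyeNa notes, an attacker behind dynamic IPs or proxies would not be caught by a per-IP view alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+ \S+) LOGIN_(FAIL|OK) user=(\S+) ip=(\S+)$")

# Constructed sample log: one IP hammering "admin" (120 failures in 10 minutes),
# three IPs sharing the work on "bob" (20 each), and one harmless typo by "alice".
SAMPLE_LOG = "\n".join(
    [f"2007-08-04 22:{m:02d}:{s:02d} LOGIN_FAIL user=admin ip=198.51.100.7"
     for m in range(10) for s in range(0, 60, 5)]
    + [f"2007-08-04 22:{k:02d}:{10 * i:02d} LOGIN_FAIL user=bob ip=203.0.113.{i + 1}"
       for i in range(3) for k in range(20)]
    + ["2007-08-04 22:12:00 LOGIN_FAIL user=alice ip=203.0.113.9",
       "2007-08-04 22:12:30 LOGIN_OK user=alice ip=203.0.113.9"]
)


def parse(text):
    """Yield (timestamp, outcome, user, ip) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome, user, ip


def max_in_window(times, window):
    """Most events (sorted timestamps) that fall inside any span of `window`."""
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bruteforce(text, window=timedelta(hours=1), per_ip=100, per_user=50):
    """Alerts: ('ip', ip, user, n) and ('user', user, distinct_ips, n)."""
    by_ip_user, by_user = defaultdict(list), defaultdict(list)
    for t, outcome, user, ip in parse(text):
        if outcome == "FAIL":
            by_ip_user[(ip, user)].append(t)
            by_user[user].append((t, ip))
    alerts = []
    for (ip, user), times in by_ip_user.items():
        n = max_in_window(sorted(times), window)
        if n >= per_ip:
            alerts.append(("ip", ip, user, n))
    for user, hits in by_user.items():
        n = max_in_window(sorted(t for t, _ in hits), window)
        if n >= per_user:
            alerts.append(("user", user, len({ip for _, ip in hits}), n))
    return alerts
```

Run against the sample, the admin account trips both the per-IP and the per-account alert, while bob trips only the per-account one because no single IP reaches the per-IP threshold.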
#13
08-09-2007, 03:00 AM
Iksander (Senior Member; Join Date: Mar 2007; Location: Las Vegas, NV; Posts: 219)

They probably performed an SQL injection query and retrieved your database password hashes - then they most likely used a Dictionary crack program with Rainbow tables.

Making your password 'longer' won't necessarily help - some of the most complex passwords are cracked in seconds using Rainbow Tables (something longer than 16 characters would do well though). Rainbow Tables are pre-compiled combinations of characters; Rainbow Tables generally have up towards 4 million (or more) possible hashes, generally for the really popular hashing algorithms such as MD5 and SHA1.

The fix for anti-cracking would be using a hashing algorithm that produces a MUCH larger hash (like SHA512 or larger, instead of MD5 or SHA1).

SQL injections are VERY easy to do - even with commercial products, because most developers are very ignorant about their programming (PHP is a lax language and does very poorly in securing code).

I would invest heavily in becoming a proficient programmer if I were you.
__________________
"Speak your mind, even if your voice trembles."
#14
08-10-2007, 12:53 AM
tobyhede (Senior Member; Join Date: Nov 2006; Location: Melbourne, Australia; Posts: 182)

Is this code you've built, bought or an Open Source application?

Also, you can protect against Rainbow Table by using a Salt on the hash.

I've seen some pretty insecure code recently - securing code isn't hard, but it requires attention to detail and knowledge of the common attack vectors.
__________________
toby hede
---------------
Toby Hede’s Blog on Ruby, Rails, User Experience and Stuff
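The precomputed-table attack Iksander describes and the salt tobyhede recommends against it, as an added example that is not code from the thread: an unsalted MD5 of a common password is a single lookup in a table the attacker built beforehand, while the same password stored with a per-user random salt yields a record no pre-built table can match. The wordlist and "table" are constructed stand-ins, and the block goes one step past the thread by also using PBKDF2 iterations to slow each guess; `store_password` and `verify_password` are hypothetical names.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed (rainbow/lookup) table: the attacker
# hashed a wordlist once, up front, and now answers "which word has this MD5?"
WORDLIST = ["password", "letmein", "qwerty", "dragon", "penguin"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def lookup_unsalted(md5_hex):
    """Attacker's side against an unsalted MD5 column: one dictionary lookup."""
    return PRECOMPUTED_MD5.get(md5_hex)


def store_password(password, salt=None, iterations=200_000):
    """Server side: fresh 16-byte random salt per user plus PBKDF2-HMAC-SHA256.
    Salt and iteration count are stored with the digest; they are not secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def table_attack_works(password):
    """True when the attacker's table recovers an unsalted MD5 of `password`."""
    return lookup_unsalted(hashlib.md5(password.encode()).hexdigest()) == password


def salted_records_collide(password):
    """Two users with the same password: with salts, their stored records differ,
    so a table built before the salt existed matches neither of them."""
    return store_password(password) == store_password(password)
```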
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Copyright © 2008 by Pavlina LLC