
site hacked !

  • 03-08-2009 8:05pm
    #1
    Closed Accounts Posts: 85 ✭✭


    Hi,

    I run a small website - PHP running off a CMS called phpWebSite - and it got hacked recently. 3 directories appeared in the site with phishing forms for 3 different banks, which would harvest details people entered and email them to different Yahoo and Gmail accounts.

    Anytime I tried to delete these directories they would appear again straight away - some process must have been polling and recreating them again - anyone have experience of dealing with something like this ?? Very irritating ...............


Comments

  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    If apache, is there a htaccess file present that looks suspicious?

    Make sure none of your directories are open to writing, CHMOD 777 for e.g.


  • Registered Users Posts: 569 ✭✭✭none


    Change FTP password.


  • Registered Users Posts: 6,464 ✭✭✭MOH


    It never struck me before as I generally just ignore those phishing e-mails, but I guess it's a good idea to mail the admin of the site they're pointing to in case they haven't noticed them.


  • Registered Users Posts: 691 ✭✭✭$ausage$


    Messy! Did you find out how they got in?


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    sounds like gumblar or a variant.

    make sure you're using scp and not FTP.

    change ftp passwords etc


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    If it's Gumblar you'll have some weird script stuff just at the end of the head of your pages. You could also have some hidden iframe injected into your pages from something not quite Gumblar.

    Backup all of your site, edit files to remove the line with the script. Remove all your pages and directories by ftp, contact your hoster if problems. Clean your PC for viruses, malware and you might as well do adware too. Hopefully your AV should be up to standard and up to date and find it. Similarly, clean all other PCs on your network. Change your ftp passwords from a clean PC which has been nowhere near your network/PCs, a cybercafe is good for this. It's important this must be done from a clean PC otherwise you could be wasting your time. Upload your clean files and watch the files on the server like a hawk for a few days. Repeat for any people you got to check the site for you.

    hth


  • Closed Accounts Posts: 845 ✭✭✭yupyup7up


    change all your FTP passwords and delete any password files. run anti virus and anti spyware SW. yeah that iframe virus is a pain in the orse...:mad: just make sure all the passwords are kept off any machine on your network!
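
The checks suggested in the replies above (a suspicious .htaccess, world-writable directories, a hidden iframe injected into pages), combined into one audit pass over a web root. This is an added example, not part of the original thread; the function names, the iframe heuristic and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile

# Heuristic (an assumption, not a Gumblar signature): iframe with zero size or hidden via CSS.
HIDDEN_IFRAME = re.compile(
    r"""<iframe\b[^>]*(?:(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)""",
    re.IGNORECASE)
PAGE_EXT = (".php", ".html", ".htm")

def audit_webroot(root):
    """Return sorted (finding, path relative to root) pairs for manual review."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH:  # "other" write bit, as set by chmod 777
                    findings.append(("world-writable-dir", rel))
            elif stat.S_ISREG(mode):
                if name == ".htaccess":  # list every one so it can be read by hand
                    findings.append(("htaccess-review", rel))
                elif name.lower().endswith(PAGE_EXT):
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if HIDDEN_IFRAME.search(fh.read()):
                            findings.append(("hidden-iframe", rel))
    return sorted(findings)

def build_constructed_sample():
    """Create a small constructed web root (not data from the thread)."""
    root = tempfile.mkdtemp(prefix="webroot-sample-")
    for name, mode in (("uploads", 0o777), ("images", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # chmod so the umask does not interfere
    pages = {
        ".htaccess": "Options -Indexes\n",
        "index.html": '<html><head></head><body><iframe src="http://example.invalid/" '
                      'width="0" height="0"></iframe></body></html>',
        "about.html": '<html><body><iframe src="/map.html" width="400" height="300">'
                      "</iframe></body></html>",
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding, rel in audit_webroot(build_constructed_sample()):
        print(f"{finding:20} {rel}")
```

Run against a downloaded backup copy of the site rather than the live server; every `.htaccess` is listed for reading by hand because the script does not judge its contents.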

