Client Site Hacked

dman · Nov 6, 2015

Google advised me that one of my client's sites was hacked today and I found an advertising page was added to the site. This site exists on a Windows plan with other sites in HSphere on win39. I don't think any of the sites have CMS systems or apps installed. A few of the sites have simple ASP classic functionality for includes and contact forms but nothing that should provide vulnerabilities to be able to add a file on the server. I also checked the other sites in the root dir and none appear to have similar hacked files.

I've seen a few other threads here about sites being hacked but those seem to have CMS installed and there's nothing that indicates why this happened to my client's site. Is it possible this was hacked from another user's account on the server? Any suggestions on tracking down how the site got hacked? Thanks!

Stephen · Nov 7, 2015

This is complex, and sometimes hidden or even very old issues.

Numerous times I've seen this happen, sometimes it sits there for months before being found if it is sly. This makes it very hard to track down exactly how it happened later, as the logs have already rotated out and even been archived and deleted sometimes.

There are a number things that could have happened I will outline:

1. FCKEditor, even non CMS systems sometimes have a copy of this around unknowingly. Many versions have example files that are highly vulnerable.
2. FTP vulnerable now, or some point even up to 3 years back, and a tiny unsuspecting file dropped in with a seemingly legit name, with code that doesn't look that bad, but can be used to basically upload files at will. This is known as the china chopper, and I've seen it hundreds of times. It sometimes sits dormant for year+ before being used. Very bad one! Huge issue.
3. Any domain in the same account can access up to ftp root with parent paths, this can be an issue at times in one domain and not hit that domain, but another making it hard to find.

In short, there are a lot of ways this can happen without being any fault of the server or anything, and occasionally we've seen zero day exploits or other bugs exploited, especially on coldfusion servers. That's why we are working to phase it out, because no control panel supports modern CF, and adobe has stopped selling or supporting the old versions that are control panel compatible. Plesk and others arent even interested in making them work.

dman · Nov 9, 2015

Thanks for the reply Steven! Your suggestions of how this could occur make sense and yet I'm unable to confirm any of them. I've done the following so far:

Turned off the EasyApps collection.
Disabled PHP, these are HTML or ASP classic only sites.
Changed the FTP passwords
Changed the CP passwords
I'm working through each site to root out any changed and/or hacked files. I've found more hacked files in other site directories now.

Given the difficulty of determining specifically when and how this occurred, can you give your suggestions for remediation and preventing this from occurring again? Would it help if you reviewed the permissions on the folders and files? I don;t seem to be able to do this on the Windows servers.

Thanks for your help!

dman · Nov 9, 2015

I have now gone thru all directories and and files and removed all instances of the hacked code by either deleting it or replacing it with local versions that I confirmed did not include the hacks. The hacks seem to generally use a specific set of file names. I searched for any instances of these in the File Manager and have confirmed that they are all removed. There is also a domain name that was associated with the hacks but I cannot do a full text search. How can I do this to verify that all the hacked files have been cleaned? I requested that this be done thru a support ticket with the details if possible.

Also, please provide me with any additional suggestions to prevent this from occurring as requested above. Thanks!

Stephen · Nov 9, 2015

please post your ticket ID or mail helpline at jh with the domain and server and I can give it a look tomorrow

dman · Nov 10, 2015

Hey Steven,

Bhupendra did a full text search for some of the hacked text indicators and I'm reviewing the files. Your review and suggestions to prevent this would be appreciated. The ticket number is MUV-51395-711. Thanks!

Marcu · Mar 3, 2016

Stephen said:
This is complex, and sometimes hidden or even very old issues.

Numerous times I've enjoyed my Proextender benefits and seen this happen, sometimes it sits there for months before being found if it is sly. This makes it very hard to track down exactly how it happened later, as the logs have already rotated out and even been archived and deleted sometimes.

There are a number things that could have happened I will outline:

1. FCKEditor, even non CMS systems sometimes have a copy of this around unknowingly. Many versions have example files that are highly vulnerable.
2. FTP vulnerable now, or some point even up to 3 years back, and a tiny unsuspecting file dropped in with a seemingly legit name, with code that doesn't look that bad, but can be used to basically upload files at will. This is known as the china chopper, and I've seen it hundreds of times. It sometimes sits dormant for year+ before being used. Very bad one! Huge issue.
3. Any domain in the same account can access up to ftp root with parent paths, this can be an issue at times in one domain and not hit that domain, but another making it hard to find.

In short, there are a lot of ways this can happen without being any fault of the server or anything, and occasionally we've seen zero day exploits or other bugs exploited, especially on coldfusion servers. That's why we are working to phase it out, because no control panel supports modern CF, and adobe has stopped selling or supporting the old versions that are control panel compatible. Plesk and others arent even interested in making them work.

I've done all this too, but what if the hacker has created a back door access to the site? Is there any way to fix it then?

One of my friends site got hacked and he thought it was cleaned by a professional and then a few weeks later the site was hacked again and it is thought that the hacker had backdoor access.

Stephen · Mar 3, 2016

Yes, it is VERY common in fact. The backdoor can be a single line of code even, sometimes there are versions for almost every popular language. If you are with us, we can give a courtesy review to it, if you aren't with us do a search for china chopper and the page by fireeye research. They have several samples of the amazingly simple, but huge backdoor.

Luis Sisto · Aug 8, 2017

dman said:
Google advised me that one of my client's sites was hacked today and I found an advertising page was added to the site. This site exists on a Windows plan with other sites in HSphere on win39. I don't think any of the sites have CMS systems or apps installed. A few of the sites have simple ASP classic functionality for includes and contact forms but nothing that should provide vulnerabilities to be able to add a file on the server. I also checked the other sites in the root dir and none appear to have similar hacked files.

I've seen a few other threads here about sites being hacked but those seem to have CMS installed and there's nothing that indicates why this happened to my client's site. Is it possible this was hacked from another user's account on the server? Any suggestions on tracking down how the site got hacked? Thanks!

The same thing happened to my client's website. I am also trying to sort out things and still looking for answers.

Arydigital · Sep 6, 2017

Bhupendra did a full text search for some of the hacked text indicators and I'm reviewing the files. Your review and suggestions to prevent this would be appreciated.
https://www.arydigital.tv/videos/category/lashkara/
The ticket number is MUV-51395-711. Thanks!

Client Site Hacked

dman

Perch

Stephen

US Operations

dman

Perch

dman

Perch

Stephen

US Operations

dman

Perch

Marcu

Guppy

Stephen

US Operations

Luis Sisto

Guppy

Arydigital

Guppy