I am in a bit of disbelief that one of my sites on a shared host was hacked THREE times in three days, all the files were deleted, and everytime the password gets reset (with an IMPOSSIBLE to crack new one), the hack my site immediately again.  Whatever is wrong has GOT to be obvious, it is clearly serious, and my trouble ticket is just languishing in "medium" priority.  It has been days I have been trying to iron this out now and all they've been able to do is occassionally help change the password (not even very often at that).  They did offer to restore the backups for $75 a site, without even addressing the issue of how the sites got hacked to begin with!

The hackers are racist and have replaced my front page with racist links - and lunarpages does not seem to care despite my explanation.  I don't understand what I have to do to solve this, since it is just not getting solved and by now tens of thousands of visitors on my shared and virtual hosts have been exposed to this racist propoganda instead of my sites.

How on earth are the sites getting hacked??  HEEEEEEELLLLLPPPPPPPPP!!!

Oh, and make sure they haven't uploaded something outside of the public_html directory which might be giving them access in someway... and that no cron job has been setup to automatically create the hacked page...

No, no, there were no scripts.  The blogs were on blogger, and the discussion board/classifieds/chat were long gone or in the case of chat hosted on ICQ.

Passwords all were changed.

I dunno...

Any user-input form/field is susceptible to injection attacks if the user input is not properly scrubbed. For example, on Armeniapedia.org I see this:

On Cilcia.com, I see this:

Often, form input is processed by PHP or some other script. For example, you might have a form with a text field that asks for a person's name. Then, the user submits the form, and on the next page it says "Welcome John Doe" (or something like that). The PHP code would be something like:

But if instead of entering "John Doe", what if a user entered "John Doe; $file = fopen("index.html", "w"); fwrite($file, "<html><head><title>HACKED</title></head><body><h1>This site has been hacked !!!</h1></body></html>"); fclose($file);"

If that user input is unfiltered, that input might actually get executed by PHP and actually write over your index.html file. By inserting a semi-colon and some more PHP commands, it's possible for a user to do a lot of damage. This type of attack does happen. The key is scrubbing any and all user input before processing it. For example, you might limit a user's name to be only so many characters long and only contain alpha characters. And again, there have been plenty of 3rd-party scripts that have had this kind of security hole.

I'm not sure if that's the type of hack that is happening to you, but it's a possibility.

I am sorry to hear about it, really sorry. Your problems are part of the reason I am hesitant about upgrading my page at all.

I know some codes can allow you access to a site, I don’t have the foggiest what they are or how they work.  So you can imagine I am not too excited about adding any codes to my pages.

I saw your corrected (unhacked) page and it really looks great. I can tell you’ve really taken a lot of time with it. Let us know if you find out what’s going on.

my rough guess is, check your PC

you might have some nasty software on your PC else I have no clue how they get access to your cpanel even after PW changes.

I'm almost possitive you have somewhere a keylogger on your system installed if this happens over and over again.

SQL and html injection is also possible if your scripts aren't secure.

Hi,


We do not let exploits sit on a server for the server itself.  In fact, sites that are exploited can't get scripts the hackers put into the global /tmp partition to run as /tmp partition has noexec for it (so scripts can write to it since PHP sessions usually need to write the files to /tmp, but processes can't actually run from /tmp).

Since shared customer accounts do not have jailed or regular shell, they run as their own users and can't go about in the normal course affecting other people's sites, so yes, raffi's could have had exploit files sitting there in the account itself (not the global portion of the server, but the customer's own site files) that weren't cleaned out and they re-exploited via those files, but no, we do not have exploits sitting around on the server itself outside the customer's account going about for ages then periodically attacking 1 customer out of hundreds (if something were exploited in that manner, it wouldn't be 1 person but a bunch on the same server posting here about it in fact).

Additionally, accounts are pretty well jailed from interacting with other accounts.  Although there are php shell scripts that used to be able to run to grab customer information like username (only username, not passwords), we scan for those and have begun adding security rules to disable them from even running to get such information. 

Finally, I wanted to give an example from the other day, although this happens  frequently.  There was an exploited customer who noted he didn't run any scripts at all 2 times in a ticket, yet he was exploited and wanted his account restored.  When we performed the restoration of the account back to the state prior to the exploit, we checked it over and found a bunch of php scripts, including one with no security that was used to delete files (the exploit had deleted most of his public_html content).  I wrote back asking that these scripts be secured.  Since that script had a path to another one of his scripts, and was dated from way before the exploit, it appeared apparent this was his script not a hacking one, but it could easily be hacked into (and it was never denied in the email for being his script either).  The point is that many people say they have no scripts and upon checking the account, it usually has many scripts in it, some that are self-written even and not the hacking scripts at all but ones on the account prior to the hacking--scripts used as the entry point for the attacker.

Have a Blessed Day