chinooka
« on: November 06, 2009, 09:43:17 AM »
Hello, we were recently hacked, probably through our message board or image gallery. I will be downloading the entire site to my home computer and then reconstructing the entire website. My question is, once I have downloaded the files off the server, what is the best way to wipe the server to eliminate any possible backdoors or bad code? What files should be left on the server? I also host another friend's site on a subdomain which appears to be unaffected and has a separate password, so that will have to stay up on the server. I want to be as diligent as possible but don't want to take anything off that will make rebuilding the site more difficult.
Thanks in advance Bob
Mitch
« Reply #1 on: November 06, 2009, 10:48:28 AM »
Depending on when the hack happened, you could get a restore done by Lunarpages support. This link should help: How to Request a Regular Backup Restore. Please note, we only keep backups for up to 3 days. Now going back to your original question, it would really depend on how badly your web site was infected. If you had a personal backup of the site, I would say you should compare how it is now with how it was then. Hopefully this link will also come in handy. Hope that helps some, and if you have any other questions or concerns, please feel free to ask!
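The comparison Mitch describes (backup versus the live copy) in working form, as an added example that is not part of any post in this thread. It assumes two local directories on the home computer, one holding the personal backup and one holding the site as downloaded from the server; the list of backdoor markers it uses for triage is an assumed, deliberately short set, not something from the thread.

```python
"""Compare a personal backup of the site against the copy downloaded from the
compromised account. Added example, not code from the thread. Assumed layout:
two local directories, one for the backup and one for the live download; the
backdoor markers are a small, assumed set used only for triage."""
from __future__ import annotations

import hashlib
import os
from pathlib import Path

# Strings that rarely appear in hand-written site code but are common in
# planted PHP backdoors and injected pages (assumed, not exhaustive).
SUSPICIOUS_MARKERS = (
    "eval(base64_decode(",
    "gzinflate(base64_decode(",
    "eval(gzuncompress(",
    "<iframe",
)


def _digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(root: Path) -> dict[str, str]:
    """Map each relative path under root to its SHA-256.
    Symlinks are recorded as 'symlink->target' rather than followed: a link
    planted to point outside the web root is itself a finding."""
    entries: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                entries[rel] = "symlink->" + os.readlink(p)
            elif p.is_file():
                entries[rel] = _digest(p)
    return entries


def compare_trees(known_good: str, live: str) -> dict[str, list[str]]:
    """Report what the live copy has that the backup lacks, and vice versa."""
    good = index_tree(Path(known_good))
    now = index_tree(Path(live))
    return {
        "added": sorted(set(now) - set(good)),
        "removed": sorted(set(good) - set(now)),
        "changed": sorted(k for k in good.keys() & now.keys() if good[k] != now[k]),
    }


def suspicious_markers(path: str) -> list[str]:
    """Markers present in a file, for triaging the 'added' and 'changed' lists."""
    p = Path(path)
    if p.is_symlink():
        return ["symlink"]
    text = p.read_bytes().decode("latin-1").lower()
    return [m for m in SUSPICIOUS_MARKERS if m.lower() in text]


if __name__ == "__main__":
    import sys

    backup_dir, live_dir = sys.argv[1], sys.argv[2]  # e.g. ./backup ./live (assumed paths)
    report = compare_trees(backup_dir, live_dir)
    for kind in ("added", "changed", "removed"):
        for rel in report[kind]:
            markers = [] if kind == "removed" else suspicious_markers(os.path.join(live_dir, rel))
            print(f"{kind:8} {rel}" + (f"  markers={markers}" if markers else ""))
```

Anything in the "added" or "changed" lists that carries a marker is where to look first; files that match the backup byte for byte can be re-uploaded from the backup without further review. Every marker hit still needs a human look, since a legitimate gallery or forum plugin can use base64 too.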
MarkCale aka Madscape
« Reply #2 on: November 06, 2009, 02:01:29 PM »
Quote from: chinooka on November 06, 2009, 09:43:17 AM
Hello, we were recently hacked, probably through our message board or image gallery. I will be downloading the entire site to my home computer and then reconstructing the entire website. My question is, once I have downloaded the files off the server, what is the best way to wipe the server to eliminate any possible backdoors or bad code? What files should be left on the server? I also host another friend's site on a subdomain which appears to be unaffected and has a separate password, so that will have to stay up on the server. I want to be as diligent as possible but don't want to take anything off that will make rebuilding the site more difficult.
Thanks in advance Bob
To also add to Mitch's response, you would want to completely audit your content to prevent any further issues. It depends on the content, such as whether it was developed using open source software such as WordPress and so on. You have so many open source content programs to use and readily available, but as always, the ones that do not update regularly or even provide more secure code usually become exploited. The best thing to do is research more on securing your content, since even simple HTML can be injected and exploited. I would highly suggest reviewing any security information you can find depending on the type of coding used. It is normal for any software or content to be eventually exploited, so keeping up regular maintenance on your account is always going to be your best bet. I know it is hard to do this regularly due to other things we have to do in our lives. So, you may want to also look into recruiting some help if this persistently occurs.
Forum Lurker and Former Galactic Tekkie, mostly a jack of trades and master of none! Mark H. Cale
Troy L (Support)
« Reply #3 on: November 06, 2009, 10:06:18 PM »
If you do decide to wipe all the current content:
You are best to only delete folders and files inside the public_html (or httpdocs in Plesk) folder, but please make sure not to delete the cgi-bin folder inside the public_html folder. Before doing the deletions, if you have done any Fantastico installs, uninstall the apps using the Fantastico menu so as to ensure that your Fantastico information regarding MySQL database usage is kept up to date.
Please leave the following folders intact - do not delete them:
etc folder: This is not to upload to; this folder is for the system.
mail folder: This folder is for the system in regards to the email accounts for your site. You should not make any changes to this folder.
public_ftp: This folder is for accounts that set up anonymous FTP.
public_html: This is the folder you will upload your files to.
cgi-bin: This folder is for CGI scripts.
tmp: This is a folder for the system.
www: This is a copy of the files in the public_html folder. You do not want to delete files in this folder; it will delete them from the public_html folder.
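Troy L's wipe rules turned into a checked procedure, as an added example that is not from the thread or from Lunarpages. It assumes the cPanel home layout listed above (etc, mail, public_ftp, public_html, tmp, and www as a link to public_html), assumes shell or Python access to the account (or a local mirror to rehearse on), and defaults to a dry run that only lists what would go. The Fantastico uninstall step has no script equivalent and is still done first through the Fantastico menu.

```python
"""Empty public_html before re-uploading a clean site, following Troy L's rules:
keep public_html/cgi-bin, never touch etc, mail, public_ftp, tmp, and treat www
as a link to public_html rather than as a second copy to empty. Added example,
not from the thread; it assumes shell or Python access to the account (or is run
against a local mirror) and defaults to a dry run."""
from __future__ import annotations

import shutil
from pathlib import Path

HOME_KEEP = ("etc", "mail", "public_ftp", "public_html", "tmp", "www")  # per Troy L
PUBLIC_HTML_KEEP = ("cgi-bin",)


def check_layout(home: str) -> list[str]:
    """Return problems that should stop a wipe: a missing system folder, or a www
    that is a real directory rather than a link to public_html (assumed cPanel layout)."""
    h = Path(home)
    problems = [f"missing {name}" for name in HOME_KEEP if not (h / name).exists()]
    www = h / "www"
    if www.exists() and not www.is_symlink():
        problems.append("www is a real directory, not a symlink; inspect before wiping")
    return problems


def plan_wipe(home: str) -> list[str]:
    """Top-level entries inside public_html that a wipe would remove, as relative paths."""
    pub = Path(home) / "public_html"
    if not pub.is_dir():
        raise FileNotFoundError(f"{pub} is not a directory")
    return sorted(
        str(p.relative_to(home)) for p in pub.iterdir() if p.name not in PUBLIC_HTML_KEEP
    )


def wipe_public_html(home: str, dry_run: bool = True) -> list[str]:
    """Remove everything plan_wipe() lists. Symlinks are unlinked, never followed,
    so a planted link to a system folder cannot pull that folder into the deletion."""
    problems = check_layout(home)
    if problems:
        raise RuntimeError("; ".join(problems))
    removed = plan_wipe(home)
    if dry_run:
        return removed
    for rel in removed:
        p = Path(home) / rel
        if p.is_symlink() or p.is_file():
            p.unlink()  # removes the link itself, not what it points to
        else:
            shutil.rmtree(p)
    return removed


if __name__ == "__main__":
    import sys

    account_home = sys.argv[1]  # e.g. /home/username (assumed path)
    for entry in wipe_public_html(account_home, dry_run=True):
        print("would remove", entry)
```

Run the dry run first and read the list; only then call wipe_public_html(home, dry_run=False). Because www is handled as a link, the script never walks through it, which is the mistake Troy warns about (emptying www empties public_html). The same check stops the run if www turns out to be a real directory, since that is not the expected layout and deserves a look before anything is deleted.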
chinooka
« Reply #4 on: November 07, 2009, 11:30:50 AM »
Thanks for the responses and help. I am currently backing up all info on the site to my local system and then plan to wipe the server as directed. It was time for a site update anyway and it will be a good opportunity to get rid of redundant files. Lots of work but lesson learned.
Thanks again!!!!!
TedDeSantaFe
« Reply #5 on: November 07, 2009, 11:37:20 AM »
You should also scan your personal PC for viruses. There is one that'll add iframes to every html page it finds on a local PC, which webmasters (mistresses) then upload. Symantec was, at least in the past, unable to detect this virus.
« Last Edit: November 07, 2009, 12:08:58 PM by TedDeSantaFe »
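A scanner for the injected iframes TedDeSantaFe describes, as an added example that is not from the post. It runs on the home computer over the local copy of the site before anything is uploaded and flags frames that are hidden, sized to nothing, or loaded from a host other than the site's own. The hiding heuristics, the site host name and the sample page are assumptions.

```python
"""Scan local HTML pages for injected iframes: frames that are hidden or sized
to nothing, or that load from another host. Added example, not from the post;
the hiding heuristics and the sample page are assumptions."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

PAGE_SUFFIXES = {".html", ".htm", ".shtml", ".php"}
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: list[dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height attributes of 0 or 1 pixel (e.g. '0', '1px')."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html: str, site_host: str) -> list[dict[str, object]]:
    """Return iframes that are hidden, tiny, or point off-site (not site_host or a subdomain)."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for f in collector.frames:
        src = f.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # relative src -> no host
        offsite = bool(host) and host != site_host and not host.endswith("." + site_host)
        hidden = (
            _is_tiny(f.get("width", ""))
            or _is_tiny(f.get("height", ""))
            or bool(_HIDDEN_STYLE.search(f.get("style", "")))
        )
        if offsite or hidden:
            hits.append({"src": src, "offsite": offsite, "hidden": hidden})
    return hits


def scan_directory(root: str, site_host: str) -> dict[str, list[dict[str, object]]]:
    """Map each page under root that has suspicious iframes to its findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            hits = find_suspicious_iframes(path.read_text(errors="replace"), site_host)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample page: one legitimate embed, two planted frames.
SAMPLE_HTML = """<html><body>
<h1>Horse pictures</h1>
<iframe src="http://example.com/gallery/embed.html" width="400" height="300"></iframe>
<iframe src="http://bad.example.net/in.php" width=0 height=0 frameborder=0></iframe>
<iframe src="http://www.example.com/x.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for page, hits in scan_directory(".", "example.com").items():  # host is an assumption
        for h in hits:
            print(f"{page}: {h['src']} offsite={h['offsite']} hidden={h['hidden']}")
```

A clean site usually has few iframes, so the output is short enough to read in full; anything hidden, or pointing at a host you did not choose, was put there by someone else and the local copy must be cleaned before it goes back up. Pages that are clean here but still get re-infected after upload point at the PC itself, which is the case Ted is describing.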
chinooka
« Reply #6 on: November 07, 2009, 11:25:25 PM »
I have cleaned out pretty much all of the files related to my website. I have the following left up on the server; do all of these appear normal/safe?

Folders (permissions):
.cpaddons 755
.cpanel 755
.entropybanner 755
.fantasticodata 755
.htpasswds 750
.spamassassin 700
.sqmaildata 700
.trash 700
etc 755
mail 770
public_ftp 750
public_html 750
tmp 700
www 750

Files (size, permissions):
.bash_logout 0 k 0644
.bash_profile 0 k 0644
.bashrc 0 k 0644
.contactemail 0 k 0600
.cpanel-ducache 113 k 0600
.cpanel-logs 0 k 0600
.emacs 0 k 0644
.ftpquota 0 k 0600
.htaccess 0 k 0644
.lastlogin 0 k 0600
.mailboxlist 0 k 0644
.spamassassinenable 0 k 0644
.spamkey

Also, I am hosting a friend's website as a subdomain inside my public_html folder. I have currently left it intact; is there any measures I should take regarding her small site?
MrPhil
« Reply #7 on: November 08, 2009, 07:37:50 AM »
Quote from: chinooka on November 07, 2009, 11:25:25 PM
Also, I am hosting a friend's website as a subdomain inside my public_html folder.
Not a good thing to admit in public. That violates the Terms of Service/Acceptable Use Policy. Don't be surprised to hear from LP soon about this. Other than that, most of your directories and files match what's on an uninfected system. Some of the stuff you have on yours that's not on mine may be the result of a different cPanel level or other system software.
chinooka
« Reply #8 on: November 08, 2009, 05:26:44 PM »
I don't think I have violated the terms of use. I maintain sole access to the site and it is not released or resold to anyone, it is just a couple pages of horse pics I put up for a friend. If LP has an issue with it I would pull it down to keep everyone happy.
Thanks for the help through this issue, everything is back to normal again!
Bob
Mitch
« Reply #9 on: November 09, 2009, 05:21:07 AM »
As MrPhil said, we don't allow for any clients to resell or give away space on their hosting accounts to others. Via the Acceptable Use Policy: You agree that the Lunarpages servers including the space occupied by your account is and remains the property of Lunarpages. Your limited license to use the service is not subject to lease, sublease or any other sharing or transfer without the specific, express consent of Lunarpages. You may not make your account (including but not limited to web space, email accounts, bandwidth, storage space, or reseller rights) available to any third party in any way, including but not limited to the use of Sub Domains, Add-on Domains, Sub Directories, or by any other means. Thanks! 