site defaced


simmo
5-30-05, 02:04 AM
one of my sites was hacked about a week ago. the index.htm and index.html pages were replaced by the message "SomeLuser"

No big deal, it was easy to replace the index pages but I am concerned about how this was done. I have read elsewhere that site access has been made through the awstats.cgi file, leaving a similar "SomeLuser" message.

I checked to see what webstats were being used on my sites. Out of the half dozen sites I host at powweb, this was the only one using awstats. I've since turned it off.

There's been no mention of this in the forums afaik and I wondered if anyone else has been affected and if there's anything that can be done about this apparent vulnerability.

Croc Hunter
5-30-05, 05:35 AM
Haven't ever heard of that lot myself. I always suggest you password protect your stats no matter which type you use. Password Protect tutorials at http://support.powweb.com and http://help.powweb.com

simmo
5-30-05, 06:07 AM
good point, have changed it to something more appropriate

thanks for the passwd tip

Croc Hunter
5-30-05, 06:09 AM
Good point keyplyr. I replaced the tag with "SomeLuser" because that's who they are.

[edit] sorry simmo we must have edited at same time. ;)

simmo
5-30-05, 06:09 AM
too slow. must be getting old

Storms
5-31-05, 05:32 AM
Hi,

In most cases these kinda hacks are done via global variables executed in iframes by simple url passing. The common tip is to check any scripts you're running for security upgrades, and tighten up any iframe use by specifying urls to be allowed for access... This you can do by setting up an array of accepted urls and test if the requested url matches any data inside the array.
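The allow-list check Storms describes, as an added example that is not code from this thread: it assumes a page that takes a `url` parameter naming a page to embed, and contrasts a loose prefix check with one that parses the URL and compares scheme, host and path exactly. The allowed hosts and the fallback page are made up.

```python
"""Allow-listing a URL supplied in a request parameter before embedding it.

Added example (not from the thread). Assumes a page that embeds whatever
URL arrives in a `url` parameter; ALLOWED_EMBEDS and the fallback page
are constructed values.
"""
from urllib.parse import urlsplit

# Constructed allow-list: (scheme, host, path prefix) that may be embedded.
ALLOWED_EMBEDS = [
    ("https", "stats.example.com", "/awstats/"),
    ("https", "www.example.com", "/"),
]


def naive_is_allowed(url: str) -> bool:
    """Prefix check as found in many old scripts.

    It accepts any host that merely *starts with* an allowed name, so it
    is not a real allow-list.
    """
    return any(url.startswith(f"{s}://{h}") for s, h, _ in ALLOWED_EMBEDS)


def strict_is_allowed(url: str) -> bool:
    """Parse the URL and require an exact scheme and host match plus an
    allowed path prefix; reject embedded credentials and explicit ports."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.port is not None:
        return False
    host = parts.hostname.lower()          # urlsplit lower-cases hostname
    path = parts.path or "/"
    return any(
        parts.scheme == s and host == h and path.startswith(p)
        for s, h, p in ALLOWED_EMBEDS
    )


def resolve_embed(url: str) -> str:
    """Return the URL to embed, or a local fallback page if it is not allowed."""
    return url if strict_is_allowed(url) else "/static/not-allowed.html"
```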

scalexoz
5-31-05, 08:29 AM
My site was hacked into two days ago - my index page was removed and this was in its place:

"S.......................i" (edited for above reason - I should have read it first!)

I am not running any scripts that I know of - and only have the webalizer stats on the site. Could they get in through this?

It worries me that it is too easy to gain access to my site.

fluKe
5-31-05, 01:35 PM
Perhaps PowWeb should think about setting up a .htaccess file automatically with the OPS installs of these stats pages - it seems a lot of people just turn them on and leave them totally unprotected.

Croc Hunter
5-31-05, 10:42 PM
I am not running any scripts that I know of - and only have the webalizer stats on the site. Could they get in through this?
It certainly won't hurt to password protect your webstats directory.
Tutorial: http://support.powweb.com/index.php?category=htaccess&topic_id=29
Or do it in http://www.yourdoman.com/+sitemanager under the htaccess tab.

intelboy15
5-31-05, 11:29 PM
there are a few malicious bots/virus like scripts running around these last few weeks. i have done all i can to make various ppl/organizations aware of one such bot. I can't mention the group responsible nor what the bot does. All I can say is that I usually report such findings to: zone-h.org

That site is very useful even if you don't contribute to it. You can go on there (updated almost daily) and see what's running around the internet void nowadays.

Hope that helps some of you.

mrmagill
6-1-05, 12:02 AM
--Sigh...
Am I really the only one here old enough to remember when "hacker" was an honorable title? Before it degraded to "thief" and "vandal"? :mad: Oh well... on to my question:
Hi,
In most cases these kinda hacks are done via a global variables executed in iframes..
Hey, I've heard of "Frames" (never use them) but not "iframes" - what are those critters...?

Skunkboy
6-1-05, 12:38 AM
iFrames are "inline" frames. Very annoying at times as they're not cross-browser compatible

RTH10260
6-1-05, 06:41 AM
Hey, I've heard of "Frames" (never use them) but not "iframes" - what are those critters...?

Adding to Skunkboy's info this snippet:

An alternate solution to coding an iframe (inline frame) is to use the OBJECT element of HTML to embed an external webpage. The frames and iframes are dropped in the newer xhtml standards in favour of the object element.

iFrame solution:
<IFRAME src="foo.html" width="400" height="500"
        scrolling="auto" frameborder="1">
  [Your user agent does not support frames or is currently configured
  not to display frames. However, you may visit
  <A href="foo.html">the related document.</A>]
</IFRAME>

Object solution:
<OBJECT data="embed_me.html">
  Warning: embed_me.html could not be embedded.
</OBJECT>

Refs:
http://www.w3.org/TR/REC-html40/present/frames.html#h-16.5
http://www.w3.org/TR/REC-html40/struct/objects.html#h-13.5

scalexoz
6-25-05, 09:31 AM
I looked at the tutorial about password protecting etc., and thought it is just too complicated, so didn't even try - however now find that my site has once again been hacked - so am now trying to follow the instructions on the help file - http://support.powweb.com/index.php?category=htaccess&topic_id=29

I have managed to get the two text files uploaded .htaccess and .htpasswd - but now what?

Do I move the web stats file in to the htaccess file? Or do I put the files I have made into the web stats directory!

I really have no idea what I am doing or why I am doing it actually, but do know that I am sick of people playing silly-buggers with my site

RTH10260
6-25-05, 10:34 AM
I have managed to get the two text files uploaded .htaccess and .htpasswd - but now what?

Do I move the web stats file in to the htaccess file? Or do I put the files I have made into the web stats directory!

OK, just to ensure you are on a good way with your files, a few questions, not to be answered by you in writing, just check your results:
- you did get the encrypted passwords from the Powweb's password encoder page ?
- you uploaded the .htpasswd file into the root of your account, not into /htdocs ?
- make sure you have uploaded the .htaccess file to the correct directory, e.g. the one that needs some configuration (passwords are one use among others). To protect your webstats, you put the htaccess file into the directory where the webstats are installed.

And now your question - But now what ?

Your webstats are protected, you know your username and password, and will be allowed to access that website section, others are locked out.

Next rename the defaced page/file, so that you have something at hand to investigate.

Next, you will want to use the SiteManager>FileManager to restore the defaced page from an older version, step back the full seven days if needed.

Next, still in SiteManager>FileManager, look at each entry over those last seven days and note down, at what date/time the file was changed.

Next, use your webstats to locate the activity in that region of time. You will be looking for page requests for a script with a name you wouldn't recognize as valid for your website, e.g. one that operates possibly out of an /image/ directory.
When you find such a file, use SiteManager or WebFTP to check the date/time it was installed.
Rename this intruder script so that it cannot be executed; the file extension must change. Keep a copy in case you want to do further research. Then delete the file in the account.

Next, use the installation date/time of the script to look at the log and see what webpage/script was executed at that time. This will reveal the way how the intruder gained access to your site.

Next, and most important, upgrade any open source software you are running to the current version.

Next, and last, sign up to the mailing list of the open source provider, and keep abreast with any updates in future. Check the support boards at the provider for any reported security breaches in the package.
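The log-review step above (find script requests you don't recognise, near the time the file changed) as an added example, not code from this thread or from PowWeb. It assumes an Apache combined-format access log; the log lines, IPs, paths and the "expected" script directories are all constructed.

```python
"""Find requests to scripts outside the expected directories, within a
window around the time a defaced file was changed.

Added example (not from the thread). Assumes Apache combined log format;
SAMPLE_LOG and EXPECTED_SCRIPT_DIRS are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_EXT = (".cgi", ".pl", ".php")
# Constructed: the only places this site legitimately serves scripts from.
EXPECTED_SCRIPT_DIRS = ("/cgi-bin/", "/awstats/")

# Constructed sample log; the /images/x.cgi entries play the intruder script.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2005:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [23/Jun/2005:14:02:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
198.51.100.7 - - [23/Jun/2005:14:09:45 +0000] "GET /awstats/awstats.pl?config=site HTTP/1.1" 200 9000
198.51.100.7 - - [23/Jun/2005:14:10:03 +0000] "GET /images/x.cgi HTTP/1.1" 200 312
198.51.100.7 - - [23/Jun/2005:14:10:07 +0000] "POST /images/x.cgi HTTP/1.1" 200 77
203.0.113.9 - - [24/Jun/2005:09:30:00 +0000] "GET /images/x.cgi HTTP/1.1" 404 210
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]      # drop the query string
    return rec


def suspicious_script_requests(log_text, changed_at, window_minutes=30):
    """changed_at is the file's change time in log timestamp format.
    Returns (iso timestamp, ip, path, status) for script requests outside
    EXPECTED_SCRIPT_DIRS within +/- window_minutes of that time."""
    centre = datetime.strptime(changed_at, TS_FMT)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    hits = []
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec is None or not lo <= rec["ts"] <= hi:
            continue
        p = rec["path"]
        if p.lower().endswith(SCRIPT_EXT) and not p.startswith(EXPECTED_SCRIPT_DIRS):
            hits.append((rec["ts"].isoformat(), rec["ip"], p, rec["status"]))
    return hits
```

The first hit's timestamp is the earliest request to the unknown script; look at what else the same log shows just before it to see how the file got there.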

scalexoz
6-27-05, 07:48 PM
Thank you for your help and detailed reply. I have done as you suggested and hope not to be bothered by this sort of occurrence again.

thanks again for help