I got hacked

eric5014
Posts: 6
Joined: Fri Jun 13, 2008 3:49 pm
Location: Cheltenham SA

I got hacked

Post by eric5014 » Tue Mar 27, 2012 8:38 am

Last Tuesday something got into my webspace (home.exetel.com.au/eric5014) and changed every HTML and PHP file to include a dodgy iframe.

I've removed the changes and changed the password. But I'd like to know how it happened.

Is it possible to see what activity is logged for Tuesday? HTTP calls, FTP activity, anything else?

If someone got in through a leaky form (now removed), I don't have to worry about a repeat performance.

If they got in with my FTP password, then does that mean all my saved passwords in Filezilla have been snooped (I work on several), or if I had a keylogger then any number of passwords could have been scraped...

So it would be handy to see HTTP log for /eric5014 on 20th March.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: I got hacked

Post by Dazzled » Tue Mar 27, 2012 9:54 am

Unless something has changed recently, Filezilla stores FTP passwords in plain text in an XML file. If you are running Windows you might have a check for malware that dials home. You could reinstall Filezilla in an encrypted space. Some keyring apps can store passwords encrypted and execute Filezilla.

gFTP runs on Linux systems and has passwords encrypted. (Only a halfway solution, since the algorithm is known, but on the other hand the computer is much more secure). This is available on most mini-Linux utility distros that run easily from a removable thumb drive in RAM and that solves most problems. The actual transmission of the password over the net is plain text, so wireless security comes into consideration.
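
As an added example (not part of the post above, and not FileZilla's own code), this Python sketch lists which saved sites in a FileZilla Site Manager file have a password stored on disk, and over which protocol they are used, so you know which credentials to rotate. The XML is a constructed sample; the `Server`/`Host`/`User`/`Pass`/`Protocol` element names and the protocol codes 0 (FTP) and 1 (SFTP) are assumptions based on the FileZilla 3 `sitemanager.xml` layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for FileZilla 3's sitemanager.xml;
# hosts, users and passwords are invented for this example.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port><Protocol>0</Protocol>
      <User>alice</User><Pass>hunter2</Pass><Name>client site A</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>bob</User><Pass encoding="base64">czNjcjN0</Pass><Name>client site B</Name>
    </Server>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>carol</User><Logontype>2</Logontype><Name>asks every time</Name>
    </Server>
  </Servers>
</FileZilla3>"""

# Assumed protocol codes: 0 = plain FTP, 1 = SFTP; anything else is reported as-is.
PROTOCOLS = {"0": "FTP (cleartext on the wire)", "1": "SFTP"}

def audit_site_manager(xml_text):
    """Return one record per saved site that has a password stored on disk.
    The password itself is never returned or printed."""
    findings = []
    # iter() also reaches <Server> entries nested inside folders.
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # nothing stored for this site
        # base64 is an encoding, not encryption: report it, don't trust it.
        storage = pw.get("encoding") or "plaintext"
        proto = server.findtext("Protocol", default="0")
        findings.append({
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "storage": storage,
            "transport": PROTOCOLS.get(proto, "other (%s)" % proto),
        })
    return findings

if __name__ == "__main__":
    for f in audit_site_manager(SAMPLE):
        print("rotate: {user}@{host}  stored={storage}  via {transport}".format(**f))
```

To check a real profile, pass the contents of your own Site Manager file to `audit_site_manager()` instead of `SAMPLE`.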

udara
Exetel Staff
Posts: 362
Joined: Thu Dec 17, 2009 11:06 am

Re: I got hacked

Post by udara » Tue Mar 27, 2012 10:06 am

eric5014 wrote: Last Tuesday something got into my webspace (home.exetel.com.au/eric5014) and changed every HTML and PHP file to include a dodgy iframe.

I've removed the changes and changed the password. But I'd like to know how it happened.

Is it possible to see what activity is logged for Tuesday? HTTP calls, FTP activity, anything else?

If someone got in through a leaky form (now removed), I don't have to worry about a repeat performance.

If they got in with my FTP password, then does that mean all my saved passwords in Filezilla have been snooped (I work on several), or if I had a keylogger then any number of passwords could have been scraped...

So it would be handy to see HTTP log for /eric5014 on 20th March.

Hi eric5014,

This is being investigated under Ticket ID: 5010358; we will get back to you with an update soon :)

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: I got hacked

Post by Dazzled » Tue Mar 27, 2012 1:20 pm

Eric, you had better look at this nasty - http://en.wikipedia.org/wiki/Gumblar. No doubt there are others.
