
I got hacked

Posted: Tue Mar 27, 2012 8:38 am
by eric5014
Last Tuesday something got into my webspace (home.exetel.com.au/eric5014) and changed every HTML and PHP file to include a dodgy iframe.

I've removed the changes and changed the password. But I'd like to know how it happened.

Is it possible to see what activity is logged for Tuesday? HTTP calls, FTP activity, anything else?

If someone got in through a leaky form (now removed), I don't have to worry about a repeat performance.

If they got in with my FTP password, then does that mean all my saved passwords in Filezilla have been snooped (I work on several), or if I had a keylogger then any number of passwords could have been scraped...

So it would be handy to see HTTP log for /eric5014 on 20th March.

Re: I got hacked

Posted: Tue Mar 27, 2012 9:54 am
by Dazzled
Unless something has changed recently, Filezilla stores FTP passwords in plain text in an XML file. If you are running Windows you might have a check for malware that dials home. You could reinstall Filezilla in an encrypted space. Some keyring apps can store passwords encrypted and execute Filezilla.

gFTP runs on Linux systems and has passwords encrypted. (Only a halfway solution, since the algorithm is known, but on the other hand the computer is much more secure). This is available on most mini-Linux utility distros that run easily from a removable thumb drive in RAM and that solves most problems. The actual transmission of the password over the net is plain text, so wireless security comes into consideration.
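Added example, not part of the original posts and not FileZilla's own code: a Python sketch that lists which saved sites in a FileZilla site file have a password stored on disk, so you know which accounts to rotate, without ever printing the passwords. The element names (`Server`, `Host`, `User`, `Pass`, `Protocol`), the `encoding="base64"` attribute and the meaning of `Protocol` 0 as plain FTP are assumptions about the `sitemanager.xml` layout; the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of FileZilla's sitemanager.xml;
# hosts, users and passwords are made up.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>alice</User><Pass>hunter2</Pass><Name>Client A</Name>
    </Server>
    <Folder>Work
      <Server>
        <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
        <User>bob</User><Pass encoding="base64">czNjcjN0</Pass><Name>Client B</Name>
      </Server>
    </Folder>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port><Protocol>0</Protocol>
      <User>carol</User><Logontype>2</Logontype><Name>Ask each time</Name>
    </Server>
  </Servers>
</FileZilla3>"""

def audit_saved_sites(xml_text):
    """Return one finding per saved site; never returns the password itself."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):  # includes sites in folders
        pw = server.find("Pass")
        stored = pw is not None and bool((pw.text or "").strip())
        if not stored:
            storage = "none"
        elif pw.get("encoding") == "base64":
            storage = "base64"      # an encoding, not encryption: still readable
        else:
            storage = "plaintext"
        findings.append({
            "host": server.findtext("Host", "").strip(),
            "user": server.findtext("User", "").strip(),
            "storage": storage,
            # Assumption: Protocol 0 is plain FTP, so the password crosses the net in clear text
            "cleartext_transport": server.findtext("Protocol", "0").strip() == "0",
            "rotate": stored,       # anything stored on disk should be treated as exposed
        })
    return findings

if __name__ == "__main__":
    for finding in audit_saved_sites(SAMPLE):
        print(finding)
```

To check a real profile, pass the contents of your own site file to `audit_saved_sites()` instead of `SAMPLE`.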

Re: I got hacked

Posted: Tue Mar 27, 2012 10:06 am
by udara
eric5014 wrote: Last Tuesday something got into my webspace (home.exetel.com.au/eric5014) and changed every HTML and PHP file to include a dodgy iframe.

I've removed the changes and changed the password. But I'd like to know how it happened.

Is it possible to see what activity is logged for Tuesday? HTTP calls, FTP activity, anything else?

If someone got in through a leaky form (now removed), I don't have to worry about a repeat performance.

If they got in with my FTP password, then does that mean all my saved passwords in Filezilla have been snooped (I work on several), or if I had a keylogger then any number of passwords could have been scraped...

So it would be handy to see HTTP log for /eric5014 on 20th March.
Hi eric5014,

This is being investigated under Ticket ID: 5010358. We will get back to you with an update soon :)

Re: I got hacked

Posted: Tue Mar 27, 2012 1:20 pm
by Dazzled
Eric, you had better look at this nasty - http://en.wikipedia.org/wiki/Gumblar. No doubt there are others.