Friday, June 30, 2006

My site was hijacked by spammers

I've had this terrible thing happen to me twice this week. Somebody gaine access to my site directories and was sending out spam and were using it as a redirect to some russian bosing site and had me hosting a fake eBay site - i ony discovered the ebay one because they emailed me about it.

I think they gained access through a photogallery called coppermine I installed when I was hosting DMBLGIT the other month and now have removed it (I'll get the pictures back up some other way).

On my blogs I'm using the latest MT3.2 and Wordpress and have changed all my passwords. And I think I've removed all the offending files.

Has anybody any advice on:
1. tracking down any other files that these people may have uploaded
2. Preventing this happen again
3. Are there any security flaws in Movable type/Wordpress I need to do anything about?
4. Is there anything else I should know?

Also now I have noticed when I leave comments on sites they are not appearing - presumably because my domain is nw designated as a spammer. How do I remove this designation and get my reputation back?


Anonymous said...

Not the kind of thing you want to hear about!
You can find out if you are blacklisted by checking the sites listed there:

In my experience, ORDB is a good place to start.

If you are, most of these sites have a procedure you can follow to get removed. If you have an explanation that makes sense, they will remove you (although it can take some time).

As far as protecting you, change your passwords, update the gallery application if there is an update, or better yet, remove it.
It is important to check that no file remain (especially a php file that can execute things on your server). If they were not too clever, check the dates of all your files and check any recently modified file. If you have access to a default installation, you could compare files by files.

Good luck!

Elise said...

I once had someone hack into my system because I hadn't used CGIWrap and the permissions on my files were too weak. See CGIWrap and suEXEC - an article I wrote about these security features.

I completely agree with Pascal's advice to compare, file by file, all the files in your MT or WP install. If you come across a PHP file that you don't think should be there, make a copy of the file contents to a text document locally, and then delete the file from your web server. If something breaks, you have a back-up. It's tedious, but if there is a rogue PHP file sitting on your server, the spammers can do it again.

Kalyn Denny said...

Ed, very sorry to hear about it, and I only wish I was half as smart about this stuff as Pascal and Elise!

Ed said...

Pascal, Elise thanks. That's great advice. I hope I've caught them all now and I'll check that article Elise. I really think it was the Coppermine photogallery that let them in as they specifically were in my tomatom folder and the one for Does My Blog Look Good in this. I'm keeping an eye on it. I don't think my host has CGIWap but i might see if I can get them to do it.
Thanks very much again.

RadiationWatch said...

In addition to looking at CGIWrap, if you have shell access to your site check to see if your /tmp directory is world-writable...the default for control panel apps like CPanel is to make it so. This introduces a huge (and well-known amongst script kiddies) security hole. Look in your /tmp to see if you see any odd files there... then, if possible, ask your hosting provider to make /tmp more secure.