Hijacking FTP passwords, or checking the speed of hosters' tech support

    So good Tuesday comrades!

    I didn’t get to relax over the weekend, but I had a more than interesting time:
    On Sunday, I accidentally found out that one of our client’s sites was not working and gave an error “Parse error: syntax error, unexpected '<' in ...”. Well, strange, I thought, and did an autopsy on index.php for unauthorized illegal movements of lines of code. What I saw didn’t surprise me, but it did upset me:
    instead of the magical “?>”, the foul-smelling stool of some bot was flaunting itself:

    Well, Yandex and Google told me that it was Mr. Volodya Fedorov who was striking and that there was a massive hacking and infection of sites (suddenly o_O).

    And while the guys at the forums were wondering how the FTP passwords had been hijacked (FileZilla? Total Commander? Others?), it became clear that files like index.*, footer.*, header.*, *.htm and *.html were infected, and that if some popular engine is detected (Joomla, WordPress, phpBB, etc.), the infection follows the architecture of that engine.

    But the bot is not perfect: on sites with a proprietary engine and on MODx it spoiled the index file, which is why the error appeared and the infection revealed itself.

    Bringing the main files back to life is very simple, but what to do when there are hundreds of infected files and tens of sites? The solution is obvious: the infection began at night on Sunday, so on Saturday everything was still in order, and you just need to restore everything from backups and change the FTP passwords.
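
A triage helper for the recovery step above, added here as an example and not taken from the original post: it lists the files matching the infected name patterns that changed after a cutoff and no longer match the known-good backup. The function names, directory layout and sample files are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile
import time

# Name patterns the post lists as infected (matched case-insensitively).
TARGET_PATTERNS = ["index.*", "footer.*", "header.*", "*.htm", "*.html"]

def is_targeted(filename):
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in TARGET_PATTERNS)

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_suspects(live_root, backup_root, cutoff_ts=0):
    """Targeted files changed at/after cutoff_ts that differ from the backup.
    mtime can be reset by an intruder, so cutoff_ts=0 compares everything."""
    suspects = []
    for dirpath, _dirs, files in os.walk(live_root):
        for fname in filter(is_targeted, files):
            live = os.path.join(dirpath, fname)
            if os.path.getmtime(live) < cutoff_ts:
                continue
            rel = os.path.relpath(live, live_root)
            good = os.path.join(backup_root, rel)
            # A file missing from the backup is as suspicious as a changed one.
            if not os.path.isfile(good) or sha256_of(live) != sha256_of(good):
                suspects.append(rel.replace(os.sep, "/"))
    return sorted(suspects)

def demo():  # constructed sample: a tiny live tree and its backup in a temp dir
    files = {"index.php": b"<?php echo 1; ?>", "inc/footer.tpl": b"bye",
             "about.html": b"<p>hi</p>", "lib/db.php": b"<?php ?>"}
    with tempfile.TemporaryDirectory() as tmp:
        live, good = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        old = time.time() - 2 * 86400   # last known-good state
        for root in (live, good):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
                os.utime(path, (old, old))
        for rel in ("index.php", "inc/footer.tpl"):  # simulate the tampering
            with open(os.path.join(live, rel), "ab") as fh:
                fh.write(b"<!-- constructed injected marker -->")
        return find_suspects(live, good, cutoff_ts=time.time() - 3600)
```

On a real account, `find_suspects` would be pointed at the web root and at an unpacked copy of the last clean backup; everything it returns is a candidate for restoring.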

    First of all, explanatory work was carried out with computers and employees about the dangers of storing passwords in FileZilla, then all passwords were changed, and the most interesting part started: recovery.
    Since I didn’t have my own backups, and I wanted to deal with everything right now, I decided to shock the hosts on this topic, and got the following results:

    | | McHost.ru * | HC.ru | Jino.ru | AGAVA.net |
    |---|---|---|---|---|
    | Application response time | 1 min. 15 sec. (technical support online) | 3 h. 1 min. (application from the site) | 1 h. 23 min. (application from the site) | 1 h. 26 min. (application from the site) |
    | Application lead time (from response) | 1 h. 9 min. | 1 h. 47 min. | >> 10 hours ** | ? |
    | Auto recovery | Yes | No *** | No *** | No **** |
    | The latest backup for | Saturday | Saturday | Thursday | Saturday |
    | Information about the completion of recovery | Yes | Yes | No | Yes |

    Note: They offered to restore a specific site or rewrite the entire account. We recommended that you familiarize yourself with the general requirements for ensuring the site’s security against hacking and virus infection.


    * Yes, yes, he is the one.
    ** Not automatically upon request: they asked me to press a button in the control panel myself, but I’m tired of waiting for the damned “Recovery is in progress” to disappear so that I can get down to business.
    *** A backup folder appears in which the restored copy will be.
    **** Dropped as archives into the root.

    The result was an experiment of sorts that had not been planned.

    PS: Updated the AGAVA.net entry: an error had crept into the application response time; backups are restored as archives.
