
FTP password hijacking, or a test of how fast hosting support responds

So, good Tuesday, comrades!

I could not relax at the weekend, but the time I spent was more than interesting:
On Sunday I accidentally discovered that one of our clients' sites was down and showing the error "Parse error: syntax error, unexpected '<' in ...". Strange, I thought, and performed an autopsy of index.php looking for unauthorised movement of lines of code; what I saw did not surprise me, but it did upset me:
in place of the magical "?>" sat the foul-smelling droppings of some bot. (With the closing tag gone, PHP never leaves code mode and chokes on the first "<" of the injected HTML; that is where the "unexpected '<'" comes from.)

Yandex and Google told me that it was Mr. Volodya Fedorov at work again and that a mass hacking and infection of sites had taken place (suddenly, o_O).

And while the guys on the forums were still wondering how the FTP passwords had been hijacked (FileZilla? Total Commander? something else?), it became clear that files like index.*, footer.*, header.*, *.htm and *.html get infected, and if a popular engine (Joomla, WordPress, phpBB, etc.) is detected, the infection follows the architecture of that engine.

But the bot is not perfect: on sites with a self-written engine, and on MODX, it mangled index.php, which is exactly what produced the error and gave it away.

Bringing the main files back to life is trivial, but what do you do when there are hundreds of infected files across tens of sites? The answer is obvious:
the infection started on the night of Sunday, so on Saturday everything was still fine, and you just need to restore everything from backups and change the FTP passwords.
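One way to do that triage, as an added shell example that is not code from the original post: list the files the bot targets (index.*, footer.*, header.*, *.htm, *.html) that changed after the last clean backup, and flag PHP templates whose closing "?>" has vanished, the symptom that exposed the bot. The web root, the backup-marker file, the timestamps and the sample file contents in demo() are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-infection triage of a web root.
# Lists target files changed after a reference timestamp and flags PHP files
# that open with "<?php" but no longer contain "?>" anywhere.
set -eu

# List candidate files under $1 modified after reference file $2
# (e.g. a marker file carrying the timestamp of the last clean backup).
find_changed_since() {
    webroot=$1
    ref=$2
    find "$webroot" -type f \
        \( -name 'index.*' -o -name 'footer.*' -o -name 'header.*' \
           -o -name '*.htm' -o -name '*.html' \) \
        -newer "$ref" | sort
}

# True if the file enters PHP mode with "<?php" but contains no "?>" at all.
# Omitting "?>" is legitimate in pure-PHP files, so this check only makes sense
# for templates that mix PHP and HTML, as index.php/header.php/footer.php do.
php_close_tag_missing() {
    grep -Fq '<?php' "$1" && ! grep -Fq '?>' "$1"
}

# Print one line per changed file: TAMPERED for broken templates, CHANGED otherwise.
scan() {
    find_changed_since "$1" "$2" | while IFS= read -r f; do
        if php_close_tag_missing "$f"; then
            printf 'TAMPERED %s\n' "$f"
        else
            printf 'CHANGED  %s\n' "$f"
        fi
    done
}

# Constructed demo tree: a backup marker dated before the incident, one template
# that lost its "?>", one rewritten HTML fragment, one untouched older file and
# one changed file the bot does not target. Prints the scan report.
demo() {
    tmp=$(mktemp -d)
    site="$tmp/site"
    mkdir -p "$site"
    # Marker for the last known-good backup (constructed date, "Saturday").
    touch -t 201108200000 "$tmp/last-good-backup.stamp"
    # index.php: the bot replaced the closing "?>" with its HTML; no "?>" survives.
    printf '<?php include "header.php";\n<!-- constructed stand-in for the injected HTML -->\n' > "$site/index.php"
    # footer.html: not PHP, simply rewritten by the bot.
    printf '<div>footer</div>\n<!-- constructed stand-in for the injected HTML -->\n' > "$site/footer.html"
    # header.php: intact and older than the backup marker, so it is not listed.
    printf '<?php echo "<h1>site</h1>"; ?>\n' > "$site/header.php"
    touch -t 201108190000 "$site/header.php"
    # lib.php: changed after the backup but outside the bot's target names.
    printf '<?php function f() { return 1; }\n' > "$site/lib.php"
    scan "$site" "$tmp/last-good-backup.stamp"
    rm -rf "$tmp"
}

demo
```

On a real account, point `scan` at the web root and at a file whose mtime matches the last backup you trust (`touch -t` on a marker file works); the CHANGED lines are the restore list, and the TAMPERED lines are the templates that will throw the parse error until they are restored.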

The first step was some explanatory work with the computers and the employees about the dangers of storing passwords in FileZilla (it keeps saved site passwords unencrypted in an XML file in the user's profile, so anything running on the workstation can read them); then all the passwords were changed, and the most interesting part began: recovery.
Since I had no backups of my own at hand and wanted to deal with everything right away, I decided to shake down the hosters on the subject, and got the following results:

                                McHost.ru *         HC.ru               Jino.ru             AGAVA.net
Time to first response:         1 min 15 s          3 h 1 min           1 h 23 min          1 h 26 min
                                (online support)    (ticket via site)   (ticket via site)   (ticket via site)
Time to complete the request
(counted from the response):    1 h 9 min           1 h 47 min          > 10 h **           ?
Automatic recovery:             Yes                 No ***              No ***              No ****
Freshest backup available:      Saturday            Saturday            Thursday            Saturday
Notified when recovery is done: Yes                 Yes                 No                  Yes

Notes from the responses: McHost.ru offered to restore a specific site or to overwrite the entire account; one hoster also recommended reading their general requirements for protecting a site against hacking and viral infection.


* Yes, yes, that's the one.
** Not automatic, but on request: they asked me to press the button in the control panel myself, but I got tired of waiting for the damned "Recovery in progress" to disappear so that I could get on with business.
*** A backup folder appears, in which the restored copy is placed.
**** Dumped as archives in the root.

That is how it turned out; this was not a planned experiment.

PS: Updated regarding AGAVA.net: an error had crept into the response time for the request; their backups are restored as archives.

Source: https://habr.com/ru/post/126404/
