My site went down a couple of days ago for several hours. :( After submitting a help ticket to my host, I noticed that right before it kaboom’d I had gotten about a hundred 404 notifications for a specific directory. I quickly deleted the directory, with a feeling it might have something to do with the downtime.
I was right. A few hours later, my host informed me that a phishing site had somehow become hosted in that directory. O_o I just happened to check the default “catch all” email on my account (my site’s email is actually hosted by Google) and saw that thousands of emails had been sent (some even returned because of the phishing) through my own account!
The directory that had been compromised had housed a script called GreyBox, which is a “lightbox” script that pops up larger images. Apparently there is a vulnerability in the script that allowed the phishing site to insert itself into the script’s directory and begin illegally sending those emails.
Apologies to anyone who received an unauthorized email like that from my domain. Also a word of caution to everyone else who has a site: please make 100% sure you are being secure on every little script and page. You may think you are, but if someone like me (who is overly cautious and paranoid about web security already) can get “hacked” like this, then anyone can.
I want to quickly toss this out there, as a personal suggestion, in response to what I’ve seen a lot of website owners doing lately: please do not put links to your site’s administration/control panel logins on the site itself! You’re practically inviting sketchy people to “drop in”. :P
This includes your webmail, your CMS login area, anything. Bookmark them in your browser instead. Those links aren’t content that any visitor needs to see, and writing “omgz don’t click here!!!” next to them isn’t going to keep any hacker out. :P Keep in mind that removing the link only removes a signpost; the login page itself is still reachable by anyone who guesses its address, so it still needs a strong, unique password behind it.
A support tech from my host, the wonderful Site5, was kind enough to send me a long list of advice (a document that I know is given to many people but is still quite informative) about keeping your website (and online life in general) secure:
Most account compromises are initiated by using a remote command inclusion vulnerability within an existing web application. This issue was likely the result of poor or lacking security on the part of one or more user accounts, including shared or weak passwords, insecure permissions on important configuration files (allowing full read access globally), and other factors. Please be sure that the following steps are taken to assist in preventing further intrusions:
If you have trouble keeping track of your passwords, you may want to look into using a solution such as the following, which I personally find to be quite useful in both generating passwords and securely saving these details: http://keepass.sourceforge.net/
He also offered these tips:
- Perform a complete audit of your account and applications. Ensure that all content available was made available only by yourself, and that any information, including application login credentials, that doesn’t match up is removed.
- Any PHP scripts should be chmod 600 at the very least. Any PHP scripts that contain important information, such as MySQL database connection information, should be chmod 400. By default these files are likely set to 644, which allows global read access to the file by any user on the system.
- Any applications that are connecting to a MySQL database should be doing so with their own individual MySQL database login credentials. Never should a set of credentials be recycled or used elsewhere. You should also avoid using your system username and password as an authorization point for these applications.
- Passwords should be 16+ characters in length, contain a mix of upper- and lower-case letters and numbers, and be changed on a regular basis (twice monthly at the very least). A password should never be used for more than one service or provider, ever!
- Any 3rd party or custom PHP, Perl and other web applications should be kept up to date at all times. Subscribe to the software vendor’s security or update notification mailing list. If an application is no longer required or in use, remove it completely. Disabling the application is not always a surefire means of disallowing intrusion attempts.
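To turn the audit and permissions advice above into something you can actually run, here is an added example; it is my own script, not code from the post or from Site5’s document. It finds PHP files under a web root that other users on the server can read, reports them, tightens them to the modes the host recommends (600 for scripts, 400 for files that hold database connection details), and lists recently modified files as a starting point for the content audit. The credential-detection patterns are an assumption about common PHP configuration styles, the sample files are constructed for the demonstration, and the whole thing assumes PHP runs as your own account user (suPHP/suEXEC style), which is the only setup where a 600/400 file is still readable by the web server.

```shell
#!/bin/sh
# Added example (not from the original post or the host's document).
# Audits a web root for PHP files that other users on the host can read and
# tightens them to the modes recommended above: 600 for scripts, 400 for files
# that hold database credentials. ASSUMPTION: PHP runs as the account's own
# user (suPHP/suEXEC style), which is the only setup where 600/400 still lets
# the web server read the file. Under mod_php running as a shared "apache"
# user these modes break the site, so confirm how your host runs PHP first.

# Every PHP file under $1 that grants any permission bit to group or others.
list_exposed_php() {
    find "$1" -type f -name '*.php' \
        \( -perm -g+r -o -perm -g+w -o -perm -g+x \
           -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Heuristic for "contains MySQL connection information". The patterns are an
# assumption about common PHP configuration styles, not an exhaustive list.
holds_db_credentials() {
    grep -qE 'mysqli?_connect|new PDO|DB_PASS(WORD)?|db_password' "$1"
}

# Mode the file should end up with: 400 for credential files, 600 otherwise.
target_mode() {
    if holds_db_credentials "$1"; then echo 400; else echo 600; fi
}

# Report only: current mode string, intended mode, path.
audit_tree() {
    list_exposed_php "$1" | while IFS= read -r f; do
        printf '%s -> %s  %s\n' "$(ls -ld "$f" | cut -c1-10)" "$(target_mode "$f")" "$f"
    done
}

# Apply the modes and print how many files were changed. The here-document
# keeps the loop in the current shell so the counter survives (a pipe would
# run it in a subshell).
harden_tree() {
    count=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod "$(target_mode "$f")" "$f" && count=$((count + 1))
    done <<EOF
$(list_exposed_php "$1")
EOF
    echo "$count"
}

# Files under $1 modified in the last $2 days: a starting point for the audit
# of content you did not put there yourself.
recently_changed() {
    find "$1" -type f -mtime -"$2" -print
}

# Throwaway web root with constructed sample files, left at the typical
# 644 default the host warns about. Prints the directory path.
make_demo_root() {
    root=$(mktemp -d)
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php $db = mysqli_connect("localhost", "site_user", "s3cret"); ?>\n' > "$root/config.php"
    chmod 644 "$root/index.php" "$root/config.php"
    echo "$root"
}

demo=$(make_demo_root)
echo "Exposed before hardening:"
audit_tree "$demo"
echo "Changed $(harden_tree "$demo") file(s); still exposed: $(list_exposed_php "$demo" | wc -l | tr -d ' ')"
echo "Modified in the last day:"
recently_changed "$demo" 1
rm -rf "$demo"
```

Run audit_tree against your real document root first and read the list before calling harden_tree on it. If the site starts returning errors right after hardening, PHP is not running as your user on that host; restore the old modes and ask the host what the right target is. The recently_changed listing is only a hint: a file dropped by an attacker can have a backdated timestamp, so it complements the full content review rather than replacing it.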