Surpass Web Hosting Forums » Discussions » Reseller Hosting » Report Reseller Hosting Concern
#1, June 27th, 2008, 8:17 PM: krazykat (Registered User, Fresh Surpasser; joined Jul 2005; hosted on Pass38; 11 posts)

One of our sites has been hacked!

One of our customers has informed us that their site has been hacked. This has been going on for a few days now.

I've already told the customer to change all their passwords, disable anonymous ftp, and uninstall FrontPage extensions... and even after changing the passwords and completing these tasks, the hacker still manages to change the website.

We now have a screenshot of the unauthorized ftp session with the hacker's IP address (I've blocked the IP address from accessing the website in the meantime). The changes that the hacker makes to the website are very subtle, however completely unwelcome and unauthorized.
The customer says that she is the only one with access to the account/passwords... she has emailed me the screenshot of the unauthorized ftp session (the hacker had used the main ftp account login) and also copies of the access logs (all forwarded to support).

Is it possible that ftp sessions can be sniffed by hackers? I would like to know if anyone else out there has experienced this and also how we can make our ftp sessions more secure... and what recourse we have at this point, other than just blocking the IP from accessing the site.

I've submitted a ticket to support already ...Ticket ID: XGT-892175

I truly appreciate any advice anyone can give.
~krazykat~
Pass38
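On the question in the post above of whether an ftp session can be sniffed: classic FTP sends the USER and PASS commands as literal text on the control channel, so anyone on the network path can read them. The following is an added example, not code from the original thread or from Surpass. It replays two constructed control-channel captures (the hostname, account name, password and TLS record sizes are invented) and shows what a passive observer learns from a plain FTP login versus the same login after an explicit FTPS `AUTH TLS` upgrade.

```python
"""Why a plain FTP login can be read off the wire.

Added example for this thread, not code from the original posts. The two
captures below are constructed FTP control-channel exchanges (RFC 959
command/reply lines) as a passive observer would see them after TCP
reassembly; the hostname, account name and password are invented.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "C" = client -> server, "S" = server -> client. Constructed, not captured.
PLAIN_FTP_SESSION: List[Tuple[str, str]] = [
    ("S", "220 ProFTPD Server ready."),
    ("C", "USER examplesite"),
    ("S", "331 Password required for examplesite"),
    ("C", "PASS Sunsh1ne!"),
    ("S", "230 User examplesite logged in"),
    ("C", "CWD public_html"),
    ("S", "250 CWD command successful"),
    ("C", "STOR index.html"),
    ("S", "150 Opening BINARY mode data connection for index.html"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

# The same login over explicit FTPS (RFC 4217). After the 234 reply the
# control channel is inside TLS; the observer sees only opaque records,
# shown here as placeholders.
FTPS_SESSION: List[Tuple[str, str]] = [
    ("S", "220 ProFTPD Server ready."),
    ("C", "AUTH TLS"),
    ("S", "234 AUTH TLS successful"),
    ("C", "<TLS record, 517 bytes>"),
    ("S", "<TLS record, 1402 bytes>"),
    ("C", "<TLS record, 88 bytes>"),
    ("S", "<TLS record, 64 bytes>"),
]


@dataclass
class SessionSummary:
    tls: bool = False                 # server accepted AUTH TLS/SSL
    user: Optional[str] = None        # USER argument seen in the clear
    password: Optional[str] = None    # PASS argument seen in the clear
    logged_in: bool = False           # server replied 230
    uploads: List[str] = field(default_factory=list)  # STOR targets seen

    @property
    def credential_exposed(self) -> bool:
        return self.user is not None and self.password is not None


# An FTP command is a 3- or 4-letter verb with an optional argument.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def summarize_session(session: List[Tuple[str, str]]) -> SessionSummary:
    """Replay what an on-path observer learns from the control channel.

    No decryption happens here: with plain FTP the USER and PASS commands
    are literal text, so anyone between the client and the server (hostile
    Wi-Fi, a compromised router, a sniffer on a shared LAN) reads them.
    """
    summary = SessionSummary()
    awaiting_tls_reply = False
    for direction, line in session:
        if direction == "C":
            m = CMD_RE.match(line)
            if not m:
                continue  # opaque TLS records are not FTP commands
            cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                awaiting_tls_reply = True
            elif cmd == "USER":
                summary.user = arg
            elif cmd == "PASS":
                summary.password = arg
            elif cmd == "STOR":
                summary.uploads.append(arg)
        else:
            if awaiting_tls_reply:
                summary.tls = line.startswith("234")
                awaiting_tls_reply = False
            elif line.startswith("230"):
                summary.logged_in = True
    return summary


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP_SESSION), ("FTPS", FTPS_SESSION)):
        s = summarize_session(session)
        print(f"{name}: credential exposed={s.credential_exposed} "
              f"user={s.user!r} password={s.password!r} uploads={s.uploads}")
```

The practical answer for uploads is to stop using plain FTP: SFTP (over SSH), or FTPS with the client set to require TLS before it sends USER, keeps the password off the wire; whether the host enables either is a question for support. Sniffing is only one explanation, though. The screenshot described above shows a login with a valid password, which a keylogger, a password reused elsewhere, or a password saved in the FTP client and read by malware would explain equally well.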
#2, June 27th, 2008, 8:28 PM: DewKnight (Skittles, Super #1; joined Aug 2004; lives in a space ship; hosted on dedi; 6,728 posts)
It would be more likely that the customer's computer has been infected and the person doing this is using a keylogger to get the login info. Suggest having the customer do a virus scan on their computer using whatever antivirus software they have, as well as an online scan: Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA

Also make sure all scripts on the website are up to date.
Mountain Dew Knight
People should not be afraid of their governments. Governments should be afraid of their people.
#3, June 27th, 2008, 8:50 PM: JoshD (Surpass Staff, Comfy Contributor; joined Feb 2008; 112 posts)
Hello krazykat,

First off, thank you for hosting with us. I was able to locate your ticket (XGT-892175) and have forwarded it over to our abuse/security department. They will further investigate from there and follow up with you as soon as possible. Please await their reply. =)
#4, June 27th, 2008, 9:09 PM: Twist3d (Twist3d One, Super #1; joined Dec 2007; hosted on pass81; 1,375 posts)
I agree with DewKnight. It sounds like she may have a keylogger on her PC and the hacker is gaining the information from there.
Pass81
#5, June 27th, 2008, 9:57 PM: krazykat (Registered User, Fresh Surpasser; hosted on Pass38)
Thanks DewKnight, JoshD, and Twist3d, for responding so quickly!

I've been talking at length with my customer...she is definitely doing virus/trojan scans on a regular basis and nothing like that has come up. Which makes this all the more perplexing! Unfortunately, this seems to be a much deeper issue...

Hopefully, the abuse/security department will be able to help us. I also use FTP uploads, just as the rest of my customers do... and so this is naturally quite worrisome to me.
~krazykat~
Pass38
#6, June 27th, 2008, 11:05 PM: patrickb (the one who was, Super #1; joined Jul 2003; lives in Memphis; 1,967 posts)
Quote (originally posted by krazykat):
> I've been talking at length with my customer...she is definitely doing virus/trojan scans on a regular basis and nothing like that has come up. Which makes this all the more perplexing! Unfortunately, this seems to be a much deeper issue...
>
> Hopefully, the abuse/security will be able to help us. I also use FTP uploads, just as the rest of my customers do...and so this is naturally quite worrisome to me.
I have to agree that this does smell of a keylogger/trojan more than anything else. The link to Trend Micro that DewKnight posted is possibly the best online scanner available, and it is free. Another one to look at is Free antivirus - Avira AntiVir. I know you said your client is doing virus/trojan scans on a regular basis; however, if he/she is using the same program, it may just not be able to detect the intrusion. That is why it is good to use alternate programs regularly, especially in situations like this where there is reason to suspect a trojan or keylogger.

Packet sniffing is a possibility, but a much more remote one. The "hacker" would need access to one of the networks that the packets traverse. This could be done through a keylogger/trojan from a user on one of those networks, so it is possible. If the keylogger situation can be ruled out, I would recommend that your client make another ftp account in cPanel and give that account limited access. Change the password for the main FTP account and do not log in to that main account for a week or so. Then use the newly created ftp account to upload a few changes and see if this so-called "hacker" logs into the main account or the newly created one.
Patrick

Warnings: The program(s) might crash unexpectedly or behave otherwise strangely. (But of course, so do many commercial programs on Windows.) --www.gimp.org
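The decoy-account test in the post above needs a way to read the answer out of the server's transfer log, and the first post mentions that access logs are already in hand. The following is an added example, not code from the original thread or from Surpass. It parses xferlog-style transfer-log lines (the format written by wu-ftpd, ProFTPD and Pure-FTPd) and reports which account the unauthorized uploads use after the main password was rotated. Every log line, IP address, account name and path is constructed, and `TRUSTED_IPS`, `CUTOVER`, `MAIN_ACCOUNT` and `DECOY_ACCOUNT` are assumed values a reseller would replace with the customer's real details.

```python
"""Which FTP account is the intruder actually using?

Added example for this thread, not code from the original posts. It parses
xferlog-style transfer-log lines, the format written by wu-ftpd, ProFTPD and
Pure-FTPd, and applies the decoy-account test: retire the main account's
password, work only through a new limited account for a while, then see
which account the unauthorized uploads come through. All log lines, IPs,
account names and paths are constructed; TRUSTED_IPS, CUTOVER, MAIN_ACCOUNT
and DECOY_ACCOUNT are assumptions to be filled in from the real case.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed xferlog lines. Whitespace-separated fields:
#   date (5 tokens) xfer-secs remote-host bytes path type flag direction
#   access-mode username service auth-method auth-uid status
SAMPLE_XFERLOG = """\
Fri Jun 27 09:14:02 2008 1 198.51.100.7 2048 /home/examplesite/public_html/index.html b _ i r examplesite ftp 0 * c
Fri Jun 27 22:41:35 2008 1 203.0.113.45 2101 /home/examplesite/public_html/index.html b _ i r examplesite ftp 0 * c
Sat Jun 28 10:03:10 2008 1 198.51.100.7 512 /home/examplesite/public_html/news.html b _ i r decoy@example.com ftp 0 * c
Sun Jun 29 03:17:48 2008 1 203.0.113.45 540 /home/examplesite/public_html/news.html b _ i r decoy@example.com ftp 0 * c
Sun Jun 29 03:18:02 2008 1 203.0.113.45 4096 /home/examplesite/public_html/contact.html b _ o r decoy@example.com ftp 0 * c
"""

# Assumed inputs: the IPs the customer and reseller legitimately upload from,
# and the moment the main account's password was changed and set aside.
TRUSTED_IPS: Set[str] = {"198.51.100.7"}
CUTOVER = datetime(2008, 6, 28, 0, 0, 0)
MAIN_ACCOUNT = "examplesite"
DECOY_ACCOUNT = "decoy@example.com"


@dataclass
class Transfer:
    when: datetime
    client_ip: str
    path: str
    inbound: bool     # direction 'i' = upload to the server, 'o' = download
    account: str
    completed: bool   # status 'c' = complete, 'i' = incomplete


def parse_xferlog(text: str) -> List[Transfer]:
    """Parse xferlog lines; malformed or truncated lines are skipped, not guessed."""
    transfers: List[Transfer] = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 18:
            continue
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        transfers.append(Transfer(
            when=when,
            client_ip=f[6],
            path=f[8],
            inbound=(f[11] == "i"),
            account=f[13],
            completed=(f[17] == "c"),
        ))
    return transfers


def unauthorized_uploads(transfers: List[Transfer], trusted_ips: Set[str]) -> List[Transfer]:
    """Completed uploads from any client IP the site owner does not use."""
    return [t for t in transfers
            if t.inbound and t.completed and t.client_ip not in trusted_ips]


def decoy_test(transfers: List[Transfer], trusted_ips: Set[str],
               main_account: str, decoy_account: str,
               cutover: datetime) -> Dict[str, object]:
    """After the cutover, which account do the unauthorized uploads use?"""
    suspect = [t for t in unauthorized_uploads(transfers, trusted_ips)
               if t.when >= cutover]
    accounts = {t.account for t in suspect}
    return {
        "main_account_abused": main_account in accounts,
        "decoy_account_abused": decoy_account in accounts,
        "intruder_ips": sorted({t.client_ip for t in suspect}),
        "touched_paths": sorted({t.path for t in suspect}),
    }


if __name__ == "__main__":
    result = decoy_test(parse_xferlog(SAMPLE_XFERLOG), TRUSTED_IPS,
                        MAIN_ACCOUNT, DECOY_ACCOUNT, CUTOVER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Reading the result: if only the decoy account shows up after the cutover, the password is leaking somewhere along the path the decoy's password travels (the customer's machine and FTP client, or the wire between them and the server), which is consistent with the keylogger theory in this thread. If the retired main account is used with a password nobody has typed since it was changed, the leak is not on the customer's side, and that is worth saying explicitly in the ticket. In either case the list of intruder IPs and touched paths is what to hand to the host's abuse department.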
#7, June 28th, 2008, 1:15 PM: inthestars (the cool one, Seasoned Poster; joined Dec 2007; 80 posts)
My hostee's site was hacked too a few days ago. =/ Another friend of mine using Surpass was hacked too. Are these all coincidences?
#8, June 28th, 2008, 6:38 PM: Kayla (Searcher, Surpass Staff; joined May 2003; lives in Orlando; 24,702 posts)
inthestars, what kinds of applications are they using on their sites? Any situation will have a specific reason, and they are all unique to the type of website.
#9, June 29th, 2008, 4:30 AM: gmax21 (Registered User, Seasoned Poster; joined Jun 2008; lives in UK; 68 posts)
Do all these sites reside on the same server?

All it may require is someone with an ill-programmed script and people can gain access to the server.

krazykat,

What else does this customer of yours have on the website, only HTML? or are there any forms, server side scripting?

If they do have forms and they are not correctly sanitised in whatever language it's written, then it's entirely possible for script kiddies to get in easily.

There is more than one way to skin a cat. (Not that I skin cats!) .

The question in my mind, though, is why would they make subtle changes? Most crackers (not hackers, depending on your definition) or script kiddies would stick up a little page telling the world it was them or their alias. It seems strange they would make such minor changes.

And banning an IP won't do too much with so many easily accessible proxy servers available for free, and the type of people that do this to sites will know this and use them.

Sorry I can't offer much in the way of help here.