How Could My Website Be Hacked

I wonder how this could happen. Someone deleted the index.php files from all my domains and put his own index.php files there with the following message:

Hacked by Z4i0n - Fatal Error - 2009
[Fatal Error Group Br]
Site defaced by Z4i0n
We are: Elemento_pcx - s4r4d0 - Z4i0n - Belive
Gr33tz: W4n73d - M4v3rick - Observing - MLK - l3nd4 - Soul_Fly
2009

My domain has many subdomains, but only the subdomains that can be accessed with a specific user were hacked; the rest weren't affected.

I assumed that someone entered through SSH, because some of these subdomains are empty and Google doesn't know about them. But I checked the access log using the 'last' command, and this didn't show any activity through SSH or FTP on the day of the attack, nor in the seven days before.

I already changed my passwords. What do you recommend I do?

UPDATE

My website is hosted at Dreamhost. I suppose they have the latest patches installed. But while I was looking at how they got into my server, I found weird things. In one of my subdomains there were many scripts to execute commands on the server, upload files, send mass emails and display compromising information. These files had been there since last December!

I have deleted those files and I'm looking for more malicious files.

Maybe the security hole is an old and forgotten PHP application. This application has a file upload form protected by a session-based password system. One of the malicious scripts was in the uploads directory. This doesn't seem like an SQL injection attack.
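A first-pass triage scan for the situation described in the update above (PHP dropped into an uploads directory, files that have been there for months). This is an added example, not code from the original thread or from Dreamhost; the directory names, the "last known-good" reference date and the sample files are constructed assumptions.

```shell
#!/bin/sh
# scan_webroot ROOT REF_FILE: print "reason path" for each suspicious file.
# Three independent checks, each a weak signal on its own; review the hits by hand.
scan_webroot() {
    root="$1"; ref="$2"
    # 1. Executable code inside an upload area is never expected there.
    find "$root" -path '*/uploads/*' -type f -name '*.php' |
        while IFS= read -r f; do printf 'php-in-uploads %s\n' "$f"; done
    # 2. PHP files calling functions typical of command-execution or decoder scripts.
    #    (Legitimate code may use them too, so this only flags candidates.)
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qE '(^|[^A-Za-z0-9_])(eval|system|shell_exec|passthru|exec|popen|base64_decode)[[:space:]]*\(' "$f"; then
            printf 'dangerous-call %s\n' "$f"
        fi
    done
    # 3. Anything modified after the reference file's timestamp (last known-clean date).
    find "$root" -type f -newer "$ref" |
        while IFS= read -r f; do printf 'modified-since-ref %s\n' "$f"; done
}

# make_sample_tree BASE: constructed web root with one planted file (assumption:
# the site was last known clean on 2009-12-01, so that is the reference date).
make_sample_tree() {
    base="$1"
    mkdir -p "$base/site/uploads" "$base/site/inc"
    printf '<?php echo "hello"; ?>\n' > "$base/site/index.php"
    printf '<?php function helper() { return 1; }\n' > "$base/site/inc/util.php"
    # Planted file: harmless content, but it sits in uploads/ and calls eval().
    printf '<?php eval("return 1;");\n' > "$base/site/uploads/img.php"
    # Legitimate files predate the reference date; the planted one is new.
    touch -t 200911010000 "$base/site/index.php" "$base/site/inc/util.php"
    touch -t 200912010000 "$base/ref"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
scan_webroot "$tmp/site" "$tmp/ref"
rm -rf "$tmp"
```

On a real host, run scan_webroot against the document root with a reference file touched to the last date you trust, and treat every hit as something to explain, not something to delete blindly.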


Solution 1:

Restore from known-good backups. Otherwise, you may have to wipe and reinstall. A good rule of thumb is to NEVER trust a system once it's been compromised. There's too much chance that binaries have been replaced to hide a payload or backdoor.

As for the how, it may have been an SQL injection attack. Or some other way in. You were running everything with the latest patches?

This link is from a cache of an apparent hack into twit.tv (I think it's This Week In Tech). If you google the phrase you'll get a bunch of hits. Any time there's a scripted mass attack out there you're going to find chatter on different forums discussing it.

Again...DON'T TRUST THE SYSTEM. You probably should wipe and reinstall then restore database information from a previous backup...that's the safest route.

Solution 2:

It's fairly likely that this was an automated attack against some third-party script or module you're using that has a vulnerability. The same thing has happened to friends of mine using poorly-written third-party uploader scripts.

Solution 3:

It's quite easy to get hacked. Were you doing all of the following:

  • kept systems patched
  • had complex passwords for all accounts (8+ characters including Unicode)
  • had all ports locked down on network
  • hardened servers
  • disabled unnecessary/unused accounts
  • not downloaded updates/patches for anything other than from official vendor?
  • ensured all applications are script/SQL injection proof

If you haven't been doing at least all the above, you are asking to be hacked - it's just a matter of time.

Also, if you were running Apache... I just read an article about an Apache server being hacked. The implication is that all downloads from Apache could have been compromised. I just skimmed the article as I don't use Apache, but still the potential implication is HUGE... Just in case you didn't believe me - here is the link.

And, as a final note, I would assume your entire network is compromised. Not only is the machine compromised, any machines that the compromised machine had access to are compromised. I would wipe and reinstall everything that has been compromised or touched by the compromised machine...

Solution 4:

If you google "Hacked by Z4i0n" you will see a lot of sites that have been hacked by these people (perhaps one of them is yours...). In any event, it's very likely that your network has been converted into zombie machines. This guy has a lot of machines converted. At some point in the future, either based on time or based on signal, your servers will be used to attack other systems and machines.

Congratulations - your post is on the first page of Google results!

This is not a SQL injection attack. The hacker has a script to sniff your setup (OS and web server) and is attacking sites that have a vulnerability that he is able to take advantage of. Most likely this vulnerability exists because you have not followed standard procedures for hardening an externally facing server.

My recommendation to you is to have your sites hosted by a group that is security conscious. If you do want to be self-sufficient, learn about security measures and hardening, and try again after you feel you are better equipped (at least 2-3 months of learning ahead of you). BTW - even after you learn about security and do follow all the suggested guidelines, you will still be vulnerable - it will just take a lot more effort on the hacker's part...