Mystic Charms Forum

Full Version: Website Security
I have just spent most of the afternoon having a major panic as my website was hacked and injected with malware. LBC website that is.

Thankfully Tony came to the rescue

But it got me thinking, what kind of protection do you all have for our websites?
just tried to look at your site and I'm getting:

Safe Browsing
Diagnostic page for http://www.littleblackcauldron.com

What is the current listing status for http://www.littleblackcauldron.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2008-11-04, and the last time suspicious content was found on this site was on 2008-11-03.

Malicious software is hosted on 2 domain(s), including 81dns.ru, berjke.ru.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including 81dns.ru.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, http://www.littleblackcauldron.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
was it a proper hack or did you have writeable attributes (such as 777) on your files/folders?
It was a proper hack I think. Tony has cleaned it all up and I have just asked Google to verify the website again so that it removes the warning.

I only noticed something was wrong as I got errors when loading up my website, and I phoned my host who is excellent (Phil@Openmind hosting) and he confirmed it had been hacked but his computer wouldn't let him anywhere near the website. He looked at the files and then said it needed to be cleaned up by a web designer.

Then Tony found the stuff and removed it.
Well at least you got it sorted

I would suspect the CHMOD on the files has probably been 777 or something similar.
It was quite a widespread hack - all php files were injected with a few lines of code... And the CHMOD on all these files was 644 so fairly secure...
There are obviously lots of ways to gain access to a php website including brute force, sql injection etc etc etc...

I have a sneaking feeling that it was either an insecure FTP password or something similar...

The biggest PITA was the fact that without root access to the server I had to manually edit all the files - normally I would write a php script to sweep through the web root and search / remove the code.
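The sweep described in the post above, as an added example that is not part of the original thread and is written in Python rather than PHP: it finds every `.php` file containing a known injected snippet, removes it after saving a copy outside the web root, and lists world-writable paths such as 777. The names `sweep` and `demo` and the marker bytes are hypothetical, and it assumes the inserted code is byte-identical in every file.

```python
import os, shutil, stat, tempfile

def sweep(web_root, injected, backup_dir=None):
    """Return (infected_php_files, world_writable_paths) under web_root.
    injected: exact bytes of the inserted code, copied from one known-bad file.
    backup_dir: if given (keep it outside web_root), each infected file is
    copied there first and the injected bytes are then removed in place.
    """
    infected, writable = [], []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never read or rewrite through a symlink
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:  # 777/666 style: any local account can modify it
                writable.append(path)
            if not (stat.S_ISREG(mode) and name.lower().endswith(".php")):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if injected not in data:
                continue
            infected.append(path)
            if backup_dir:
                dest = os.path.join(backup_dir, os.path.relpath(path, web_root))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                shutil.copy2(path, dest)  # evidence and rollback copy
                with open(path, "wb") as fh:
                    fh.write(data.replace(injected, b""))
    return sorted(infected), sorted(writable)

def demo():
    """Build a constructed web root, sweep and clean it, return the results."""
    marker = b"<?php /* CONSTRUCTED-INJECTED-BLOCK */ ?>\n"  # placeholder, not the real payload
    root, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    pages = {"index.php": marker + b"<?php echo 'home'; ?>\n",
             "inc/db.php": b"<?php $db = 1; ?>\n" + marker,
             "about.php": b"<?php echo 'about'; ?>\n"}
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), 0o644)  # the mode reported in the thread
    os.chmod(os.path.join(root, "inc"), 0o777)  # the mode asked about in the thread
    return (root, backup) + sweep(root, marker, backup_dir=backup)

if __name__ == "__main__":
    print(demo())
```

Calling `sweep` without `backup_dir` only reports, which is the safer first pass; a clean result from a second sweep shows the snippet is gone but says nothing about how it got there.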

So what does all that mean? Does that mean someone was in my website who knew my password? It is pretty secure I think and not many people would have it, or they shouldn't
might mean it was an easy password to guess?
Hey I think my stuff is set to 777 or is it 555? What should it be?

Nicole how unlucky. Do you think it was your old web designer lady?
I have no idea, maybe I was just unlucky I think