Recently one of my website design clients had her site hacked. It didn’t show on the part that her normal web visitors could see, it was instead a separate bunch of pages buried in her site structure and put up for the purpose of phishing for banking info. The way she found out about it is she received an email from a person who forwarded a spam email that included the link to the phishing page on her website. Needless to say, it was upsetting to her and to me.

In tracking down the problem it turned out that the hacker got into her hosting space through ftp, which means he/she had the username password for the site ftp access. Since up to that point only the site owner and I had access, that meant that a computer that had accessed the hosting space had been infected in some fashion. So I had the site owner run a trojan scan on her machine and I did the same on mine. Hers came up infected with more than one trojan.

Why was her machine infected? She asked me. She had her computer secured with AV and Firewall. I asked which one. She answered– NORTON. Now, in my experience, if you want your box pwned, use Norton. If you want your box to malfunction, use Norton. If you want your box to run as if it’s an 80 year old with terminal arthritis use Norton. Norton lets all kinds of stuff through. Even worse, like kudzu vine, it’s invasive to the max. It’s impossible for all but an expert to remove from the system short of doing a complete reformat of the hard drive. This thread on WebProWorld about Norton says it all.

The solution to this, after deleting those files from her site, was for us to change ftp passwords AS WELL AS ALL OTHER PASSWORDS TO EVERYTHING immediately, then get her box cleaned, then change all the passwords again, since this was most likely a keylogger problem. I also advised her to check in her stats once a week and see what urls people are accessing on her site. A quick scan down the list will immediately point out things that are out of the ordinary, if this type of thing is happening. These pages were buried in /wp-includes/images/ folder in subfolders underneath. There should never be urls showing up in that path if you’re using wordpress!

Now, how do you ensure that this doesn’t happen? Use good AV/firewall such as Kaspersky or GriSoft (free versions of Kaspersky and GriSoft are available) and make sure to be religious about running scans. Run trojan scans weekly, or use reputable anti-trojan software acquired through a trusted download site such as Download.com. Have your box set up so that there’s an admin user who is the only one who can set up software and have that area set up with a secure password, and no, that isn’t your dog’s name or your birthdate. Do NOT surf the web as that user. And don’t use NORTON or IE or any version of Outlook (though in this case she wasn’t using IE, I had already broken her of that bad habit.) Don’t keep your passwords ANYWHERE on your computer (no, those passport or browser save your passwords things are NOT that secure, no matter what anyone tells you.) It’s also a good idea to regularly scan through the site urls people are using to access your site, which will show instantly if there’s something phishy going on.

If you do find you’re infected, follow the advice above. Change all passwords to everything, clean your machine (or have it cleaned) and change your AV/firewall to a more secure type (stay away from McAfee and Norton, the top two, since they’re most often targeted by hackers) then change the passwords AGAIN.

Technorati Tags: Website Security, website hacked, trojan, keylogger, phishing, Norton

This entry was posted on Monday, June 11th, 2007 at 11:09 am and is filed under Web Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.