  #1  
Old 01-18-2008, 05:56 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Website hacked, how do I update the ROOT mysql password?

Hello

Someone managed to enter my account somehow and put invisible links at the bottom of my pages (they edited a PHP template file). Can this happen due to a weak password? It was 5 letters and 3 digits.

I've updated passwords on CPANEL and protected directories to much stronger ones, but I can't find how to update the MYSQL password, any ideas?


(CPanel doesn't let me use a passphrase by the way it says "password too short" if I try to use spaces).
  #2  
Old 01-18-2008, 06:47 PM
Pazeh Pazeh is offline
King Croc
 
Join Date: Jan 2005
Posts: 1,327
Default Re: Website hacked, how do I update the ROOT mysql password?

what do you mean by ROOT mysql password... as far as I know shared accounts do not have ROOT mysql user.

If you changed your Cpanel pass you need to change the pass for every mysql user that you have. I can't see a way to do it in Cpanel; so I guess you should delete the current user, then create a new one with the same name and assign it to the database!

Be sure that the "hacker" has not uploaded a file that will read your db's passes from your config files. another way to do this is to put your config files out of the public_html folder.

hope this helps
Pazeh
  #3  
Old 01-18-2008, 08:56 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Website hacked, how do I update the ROOT mysql password?

Have you alerted HG support? This kind of thing can be critical on shared servers.
  #4  
Old 01-19-2008, 07:49 AM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Pazeh : thanks! I didn't realise I could remove the user and create a new one, I said "root" because my default user on the database was called "root" (plus my account so something like xxxxxx_root).

gwyneth : No, I figured this is common unfortunately, I read about people having this problem before. If that was my password being too weak, this shouldn't affect anybody else on the shared server.

I looked at the FTP logs for January and there it was. I found an IP that accessed FTP on 15 January uploading 5 html files directing to a "incest" porn site, and they uploaded a modified template for the footer of my site where they inserted just one line with invisible links to the 5 html pages that they stored on a subfolder somewhere on my shared server space.

Why do they do this? I figured this is to get Google Page Rank?

But I wonder if this could be a kind of attack to try and get Google to blacklist you due to the links to "unacceptable" content? Is this possible?

Also I realised that if the person accessed FTP, the password is the same for CPanel, that means even the IP restriction with "Hosts" that is set on the database is pointless as they can go and change everything. Basically a few days ago this person could have destroyed my site!

In other words, I updated the database password, but it seems to me it was pointless in this situation.

I used a longer more complex password for CPanel/FTP but I don't understand how can you protect your site when Cpanel itself and MySQL won't let you use decent pass phrases! I couldn't even use a single quote "'" for my database password, and I couldn't use a simple space character in CPanel, it said "password too short"!

How on earth am I supposed to know what characters are available in CPanel to make "secure" enough passwords?

I'm aware of the obvious php sql injections, global vars problems etc., if someone got into the site the only clue I have so far is that they would have cracked the password. Fair enough, I didn't change it for a long time. But if CPanel doesn't let me use decent passwords and passphrases how am I supposed to protect my content?
  #5  
Old 01-19-2008, 07:59 AM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Quote:
Originally Posted by Pazeh
Be sure that the "hacker" has not uploaded a file that will read your db's passes from your config files. another way to do this is to put your config files out of the public_html folder.
Thanks for the tip. My include files were in the public_html folder, in a password protected directory. Even if you enter the password, you then get "forbidden access" due to the directory listing being disabled.

Either way, if the intruder had the login and password to access via FTP, and it's the same for CPanel, it wouldn't make any difference, they can go and read any file they want from FTP, or am I missing something ?
  #6  
Old 01-19-2008, 11:34 AM
ghpk ghpk is offline
King Croc
 
Join Date: Nov 2006
Posts: 1,245
Default Re: Website hacked, how do I update the ROOT mysql password?

from my 7 yrs. experience in hosting biz, i've seen this happen mostly when a customer is having a trojan or password/info stealer infection on his home/office computer.

most likely password is first grabbed via any infected software/computer you have your password saved on, then a bot connects to your account searching for files like index.* main.* default.* config.*

if I am correct on this, you better need to run an updated virus scanner on the system which had your password saved.

also look for other folders for such included scripts, tmp folder and other folders your ftp account was having access to must have also been affected.

lastly, even if you protect a folder with a password, main FTP user will still have access to all the files under this folder, password protection will only work from public view and not the ftp one.
  #7  
Old 01-19-2008, 12:27 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Hmm, well I'm 99.99% sure I don't have a trojan. I'd like to think I'm fairly computer savvy. I know what a virus is or how a trojan works, heck, I've disassembled some viruses that were on boot sectors of my floppies way back when I first learned programming on Amiga..

I don't use IE much, never execute anything from my emails or accept to install anything from a website popup. I regularly go through my Task Manager to look for suspicious processes. There's nothing there.

I don't have much experience with servers and online security though, so I'm all ears open. I just want to understand why or how it happened.

The FTP logs show me what files were modified (unless the intruder tampered with the logs and left some of his changes in it, and removed others, and re-gzipped it, that sounds a bit far fetched). Also by checking the last modify time when using my FTP program I saw that the files he changed were pretty much only the 5 HTML files he uploaded and the FOOTER template where he inserted extra links, nothing else changed.

I'll go again through the FTP folders just in case..

I sent a mail to HG support but if they tell me the same things I'll be disappointed :/

Is it that easy to crack an 8-character password?

Also if a hacker makes attempt to break a password, can I see that in the raw access logs?
  #8  
Old 01-19-2008, 12:52 PM
ghpk ghpk is offline
King Croc
 
Join Date: Nov 2006
Posts: 1,245
Default Re: Website hacked, how do I update the ROOT mysql password?

Quote:
Originally Posted by Fabrice

Is it that easy to crack an 8-character password?

Also if a hacker makes attempt to break a password, can I see that in the raw access logs?
depends on how complex those 8 characters were.

as a shared user you won't have access to see if it was password attempts or a login with one single attempt, in case it was a case of stolen password (ftp user logged in with single attempt), i would still think it's related to local computer exploit rather than server.
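The distinction discussed in this part of the thread (repeated password attempts versus a single successful login with an already-stolen password) can be read straight out of an FTP server log by whoever has access to it. The following is an added example, not code from any poster or from HostGator; it assumes Pure-FTPd style syslog lines, and the sample log, user name, paths and IP addresses are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Pure-FTPd syslog lines (assumed format).
_P = "Jan 1{d} 0{h}:00:0{s} host pure-ftpd: ({who}@{ip}) [{lvl}] {msg}\n"
SAMPLE_LOG = (
    _P.format(d=5, h=3, s=1, who="?", ip="198.51.100.23", lvl="INFO",
              msg="exampleuser is now logged in")
    + _P.format(d=5, h=3, s=4, who="exampleuser", ip="198.51.100.23", lvl="NOTICE",
                msg="/home/exampleuser/public_html/inc/footer.php uploaded (2048 bytes, 10.00KB/sec)")
    + _P.format(d=5, h=3, s=5, who="exampleuser", ip="198.51.100.23", lvl="NOTICE",
                msg="/home/exampleuser/public_html/old/p1.html uploaded (900 bytes, 8.00KB/sec)")
    + "".join(_P.format(d=6, h=1, s=i, who="?", ip="203.0.113.9", lvl="WARNING",
                        msg="Authentication failed for user [exampleuser]") for i in range(6))
    + _P.format(d=7, h=9, s=0, who="?", ip="192.0.2.10", lvl="WARNING",
                msg="Authentication failed for user [exampleuser]")
    + _P.format(d=7, h=9, s=9, who="?", ip="192.0.2.10", lvl="INFO",
                msg="exampleuser is now logged in")
)

LINE = re.compile(r"pure-ftpd: \([^@]*@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$")
UPLOAD = re.compile(r"^(?P<path>/.*) uploaded \(")

def summarize(log_text):
    """Per source IP: failed logins, failures seen before the first success, uploads."""
    stats = defaultdict(lambda: {"failures": 0, "failures_before_login": None, "uploads": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = stats[m["ip"]], m["msg"]
        if msg.startswith("Authentication failed"):
            s["failures"] += 1
        elif msg.endswith("is now logged in"):
            if s["failures_before_login"] is None:
                s["failures_before_login"] = s["failures"]
        elif (u := UPLOAD.match(msg)):
            s["uploads"].append(u["path"])
    return dict(stats)

def classify(s, ip, known_ips, guess_threshold=5):
    """Label one IP's activity; guess_threshold is an arbitrary example cut-off."""
    if ip in known_ips:
        return "known"                 # the account owner's own addresses
    if s["failures"] >= guess_threshold:
        return "password_guessing"     # repeated attempts leave a trail
    if s["failures_before_login"] == 0:
        return "first_try_login"       # unknown address, correct password at once
    return "low_volume"

def triage(log_text, known_ips):
    """Map each IP to (label, uploaded paths) for review."""
    return {ip: (classify(s, ip, known_ips), s["uploads"])
            for ip, s in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, (label, uploads) in triage(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, label, uploads)
```

A `first_try_login` from an unfamiliar address followed by uploads points at a password obtained elsewhere; the uploaded paths give the list of files to inspect and restore.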
  #9  
Old 01-19-2008, 02:05 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Ah, thanks, so that means that HG support should be able to see that.

I did a full virus database update and all drives scan with aVast. Nothing detected.

I wish that was true though, because then updating the password and getting rid of the trojan would have solved the problem.

That leaves the possibility of a trojan on my work PC for example, from which I accessed my site a few times. But then, I haven't seen anything irregular on my VISA, PC banking, or email accounts...

Last edited by Fabrice; 01-19-2008 at 02:09 PM.
  #10  
Old 01-19-2008, 02:12 PM
gwyneth gwyneth is offline
Supreme Croc
 
Join Date: Sep 2006
Location: up north
Posts: 6,843
Default Re: Website hacked, how do I update the ROOT mysql password?

What versions of what web-based applications are you running? Were any installed via Fantastico? IMO, it is a lot more likely you were the victim of an exploit rather than a "hacker" specifically targeting your site.
  #11  
Old 01-19-2008, 05:06 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Hello,

well HG support said it's frequent and it's most likely the password being cracked.

I've seen mentions of "Fantastico" etc, "joomla"(?) I have no idea what those are, the only package I've installed which is not my own code is the lightweight forum package "punbb".

I'm going to go and use even longer passwords, 18 chars if I can, and call it a day. If it happens again I'll know there's something else ;P
  #12  
Old 01-19-2008, 05:17 PM
GvilleRick GvilleRick is offline
Emperor Croc
 
Join Date: Jan 2007
Location: Greenville, SC
Posts: 3,130
Default Re: Website hacked, how do I update the ROOT mysql password?

What version of PunBB are you running? I see several examples of exploits of 1.2.2 and 1.2.4 and there could be others in later versions. The latest version seems to be 1.2.16.
  #13  
Old 01-19-2008, 07:46 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Thanks,

it's 1.2.16 (latest version), punbb is on another subdomain as well, it was my main site which was tampered with.
  #14  
Old 01-19-2008, 08:01 PM
vtrain vtrain is offline
Royal Croc
 
Join Date: Jan 2004
Location: Melbourne - Australia
Posts: 704
Default Re: Website hacked, how do I update the ROOT mysql password?

Quote:
Originally Posted by Fabrice
Hello,

well HG support said it's frequent and it's most likely the password being cracked.
[snip]
Yes, when one uses a word from a dictionary or a password that is the same as the username.

Vtrain
__________________
Vtrain is Linux User #237333 on http://counter.li.org/
"Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger."
  #15  
Old 01-20-2008, 06:13 AM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

My password was "kinja"+ 3 random digits. That is "kanji" with 2 letters swapped. Maybe letter order doesn't matter when using words.

I changed it to a 18+ character password with no words in it.

If I go to change password in Google account and try the one I had, it says "Strong"... go figure!
  #16  
Old 01-20-2008, 11:00 AM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

I've emailed support again with more details, I wanna get to the bottom of this. I have a website that grows by the day and I want my users data to be secure!

I want to know whether this is my responsibility or HostGator's. Yes, it's likely mine, but so far I have no good answer. HG support said it's just frequent so now I asked them clearly to check their logs and tell me whether it's a brute force attack or not.

If it's not, according to a friend, it could be "sniffing". If it's sniffing and it's that easy, I'm afraid that can happen to anybody else on the same server, no?

Regardless of my password choice, my friend said even a 3 digit password is not that easy to crack, you'd have to do repeated attempts on the server, so surely there must be a trace somewhere.
  #17  
Old 01-20-2008, 01:41 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Hello,

Should these files be there ? What are they ?

/public_html/cgi-bin/cgiecho
/public_html/cgi-bin/cgiemail
/public_html/cgi-bin/entropybanner.cgi
/public_html/cgi-bin/randhtml.cgi

Thanks
  #18  
Old 01-20-2008, 01:45 PM
Sam Sam is offline
Emperor Croc
 
Join Date: Jan 2007
Location: /bin/false
Posts: 3,057
Default Re: Website hacked, how do I update the ROOT mysql password?

Quote:
Originally Posted by Fabrice
Hello,

Should these files be there ? What are they ?

/public_html/cgi-bin/cgiecho
/public_html/cgi-bin/cgiemail
/public_html/cgi-bin/entropybanner.cgi
/public_html/cgi-bin/randhtml.cgi

Thanks
They look like the scripts that you can make from the CGI-Center in cPanel
  #19  
Old 01-21-2008, 07:52 AM
codesight codesight is offline
Swamp Croc
 
Join Date: Jan 2007
Location: Fargo, North Dakota
Posts: 320
Default Re: Website hacked, how do I update the ROOT mysql password?

3 digits? Yeah, that's secure. No. At work here, we are required to have 16+ and it must contain at least one UPPERCASE, one special character like !@#$%^&*()_-. and at least two numbers. It runs through a dictionary as well to ensure there are no dictionary words contained in the password.

Something like these are good passwords:

There are many password generators out there, here is one, for example: http://www.pctools.com/guides/password/

hth.
__________________
http://www.codesight.net
  #20  
Old 01-21-2008, 08:26 AM
codesight codesight is offline
Swamp Croc
 
Join Date: Jan 2007
Location: Fargo, North Dakota
Posts: 320
Default Re: Website hacked, how do I update the ROOT mysql password?

According to this site: http://www.securitystats.com/tools/password.php

His password is 3/4 of the way from weak-strong.

It's probably "ok" and it's very likely there were other methods of gathering the password.

At any rate, for passwords you don't need to use all the time, make them long and complicated.

Hope you get this solved soon.
__________________
http://www.codesight.net
  #21  
Old 01-21-2008, 10:34 AM
codesight codesight is offline
Swamp Croc
 
Join Date: Jan 2007
Location: Fargo, North Dakota
Posts: 320
Default Re: Website hacked, how do I update the ROOT mysql password?

the don't need all the time was referring more to: cpanel/whm type...

i wouldn't necessarily have too crazy of a password for email, though, since it's me, i do

i can remember 16+ passwords, some people can't... we are forced to change ours every 30 days and it can't be the same one or even a variation of one we used in the last two years

strong passwords are essential, especially in areas of complete control over your sites/server/etc...
__________________
http://www.codesight.net
  #22  
Old 01-21-2008, 01:23 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

I tend to agree with Serra. In any case my friend meant that to be cracked over the network, as opposed to cracking it locally where you can do that in much less time, in that context my password seemed strong enough.

Best answer I got from HG support after insisting :

"I see no repeated attempts in the logs".

But then he seemed content with his first reply that "FTP is actually the most common method for hacking into an account.".

So I still don't have a clear answer either way.

I DIDN'T write my Cpanel/FTP pass anywhere.

So I asked if it could be sniffing and they said "... usually refers to sniffing for an open port which is not the case in this situation.".

Quote:
Its far more likely the password was disclosed in an unsecured connection, was captured by a keylogger or was FOUND lying on your physical desk or taped to your monitor.
Like I said, I scanned my whole hard drive, and aVast didn't find anything. That and I have a DOUBLE FIREWALL, the one from XP which admittedly could be affected by a smart trojan, and the HARDWARE firewall in my "modified" Alcatel Router/Modem onto which the only ports I've MANUALLY opened are 10 ones for BitTorrent.

Do you really seriously think someone in my relations makes money on porn sites and medicinal drugs?

That's the same problem with support, they always assume you're a complete retard and so it's impossible to get a good answer.

Don't matter, if this happens again I'm out of here. I guess with the traffic I'm getting I should start thinking about using a better setup anyway.

Still, really frustrating. It's supposed to be a security issue, but support doesn't seem to care to try and help me find what the leak is.
  #23  
Old 01-21-2008, 01:32 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

unsecured connection :

That's the problem here, if somebody can easily listen on the traffic and get my password easily why couldn't they do the same for any other HG client on the same server? It would be likely that the person was already well prepared to do exactly the same on other HG clients, no?

If it was hard to get the password why would they waste time on my site, obviously they did it eyes closed cause if they were smart they'd have figured my site is very active and "parasiting" my server space wouldn't have gone unnoticed for long.

So it seems logical that the person who did this did so easily or had a program that found out the password easily WITHOUT A TROJAN on my PC or any exploit on my site that I know of since I already said I only use the latest update of PunBB other than my code, and I already confirmed that this was logged on the FTP and the FTP password is nowhere in my files!

Thus we go full circle, and maybe HG just won't admit that their FTP line is a big sieve.
  #24  
Old 01-21-2008, 01:37 PM
Fabrice Fabrice is offline
Hatchling Croc
 
Join Date: Jul 2005
Posts: 33
Default Re: Website hacked, how do I update the ROOT mysql password?

Anyway, I do appreciate the answers here, so thanks.
All times are GMT -5.