Help! My website was hacked!

backlund

Hey guys, any help you can provide will be greatly appreciated.

I put together a site for my dad's company about a year ago, and all has been fine with it until recently. He called me today saying there was something wrong with it. I pulled it up only to find a page that says"

ErroR.404 Ownz you!!!!

Obviously it was hacked. I called the hosting company (1and1.com) and they said that their systems were fine. I'm pretty sure the FTP wasn't hacked because no other files were messed with other than index.htm and index.php. 1and1 insists that no one compromised their systems unless they got the FTP password from me. I'm going to doubt this, because I'm the only one with the FTP password and have never given it out to anyone.

Anyway, 1and1 tech support said that it probably was a script run against my php code that has a vulnerability that was exploited. I'm pretty new to PHP, so I have no idea how to plug these holes, or where to start. If anyone is willing to help me with this, I'd really appreciated it. I really have no idea where to even begin...

TIA!
Corey Backlund

Drakla

Have you been running any of those lovely "Come and Get Me, BOyz" type things like phpBB or other CMS things?

backlund

Not sure what a cms thing is, but I don't have any phpbb or any other type of message board installed.

Here's the address:
www.clrsalex.com

Please be nice to it, if you find something wrong!! :-)

Also, here's the page that came up before I restored the site:
http://www.clrsalex.com/index.php.old

Drakla

I just ran the most simple mysql injection attack on it and it buckled like a snake on a frying pan. Your input needs validating and filtering, look around for stuff on it as I haven't got time to take you through that right now.

dalecosp

CMS is "content management system". I don't see any at the site you mention.

dalecosp

Drakla's ahead of me. I'm not much of a "cracker".

However, it's quite noticeable from the get go that's he's right. If I put "http://yoursite.com/index.php?page=foo" in the address, it really ought to tell me that this is invalid input.

backlund

OK, so we're getting somewhere.

First, does anyone have any good articles, advice, etc. on filtering and validating? I'm not quite 100% sure what I'm looking for

Second, would hiding the url help my problem? Maybe like masking the url portion of the site?

drew010

i see how the guy hacked this site, if you wanna pm me or something, go ahead, since i wont post it here.

backlund

Drew, your private messaging and emailing is turned off. Do you want to just email me? coreybacklund@cableone.net

Thanks for the help, I really appreciate it.

drew010

oops sorry I forgot about that, I'm sending an email now.