Why was my site hacked?

July 2nd, 2010, 11:09 PM
One of the most common vulnerabilities that can be exploited by a hacker is an unprotected upload form on a web site. A form like that can be exploited by a hacker to:

1) Change the content of your pages.
2) Add scripts to your site's files so when they are accessed a viewer is redirected to a site that is hosting spyware/adware/trojans.
3) Delete your site files.
4) Upload malicious files to your site.

An unprotected form is a form that is NOT protected by a username and password, does NOT use CAPTCHA, does NOT check that the referrer is the same site, does NOT filter what file types can be uploaded and does NOT change file names on upload. Usually an upload form is named "upload.asp" or "upload.php", which is extremely easy to guess, and uploads files to an "uploads" folder.

To keep your upload form secure, please follow the steps below.

1) Password protect the form (if the form is to be used only by site owners and registered users).
2) Do not use easy-to-guess names for the form or the upload folder.
3) Check that the upload request is coming from your site.
4) Use CAPTCHA (if the form is public).
5) Filter and restrict the file types that can be uploaded (for example, if you only want images to be uploaded, only allow jpg, gif, etc.).
6) Change the permissions on the folder so that files within it are not executable.
7) Change the file name on upload, so the uploader cannot run a script they just uploaded to your site.

Another common vulnerability is an out-of-date CMS version. If you run a version of Joomla, Wordpress, Drupal, Ecommerce Templates or OsCommerce that is out of date, that will place you at risk of getting hacked. Make sure to update your content management system / shopping cart as soon as a new version is available.

How do I clean up my site?

When hackers exploit a vulnerability in your site they will often upload a plethora of files with random file names into as many folders on your site as they can. Most of those files will have built-in file uploaders, so when a file is run via a browser it gives the hacker the ability to upload or edit files on your site.
You will need to go through your site files and delete any files that do not belong there. If any of those files are left alone, that will give the hacker easy access to your site even if the initial vulnerability is already fixed.
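
The upload-form steps 1, 3, 5, 6 and 7 listed above, put together in one PHP handler for an image-only form. This is an added example, not part of the original post; the field name "photo", the session keys "user_id" and "upload_token" and the storage path are assumptions, and the PHP fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not from the original post. Assumed names: form field "photo",
// session keys "user_id" and "upload_token" set by your own login/form code,
// and a storage directory (hypothetical path) that sits outside the web root.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/home/example/private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];

function reject(int $status, string $reason): void {
    http_response_code($status);
    exit($reason);
}

// Step 1: the form is for logged-in users only.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Login required');
}

// Step 3: the request must come from our own form. A per-session token is
// checked here instead of the Referer header, which the client controls.
$sent = $_POST['token'] ?? '';
$want = $_SESSION['upload_token'] ?? '';
if (!is_string($sent) || !is_string($want) || $want === '' || !hash_equals($want, $sent)) {
    reject(403, 'Request did not come from the site form');
}

$file = $_FILES['photo'] ?? null;
if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK
    || $file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
    reject(400, 'Upload failed or file too large');
}

// Step 5: decide the type from the file's content, never from the name or
// the browser-supplied MIME type, and allow images only.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
    reject(415, 'Only JPG, GIF and PNG images are accepted');
}

// Step 7: discard the uploader's file name; a random name with an extension
// chosen by the server means an uploaded script cannot be requested and run.
$path = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!move_uploaded_file($file['tmp_name'], $path)) {
    reject(500, 'Could not store file');
}
chmod($path, 0644); // Step 6: the stored file is not executable
echo 'Upload stored';
```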