
Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 15:20
by Stitch Up
4pm yesterday, all our email accounts simply stopped working. Then I discovered our website had been suspended! The 24hrs following have been horrid!

Website had been hacked by someone placing a file java.php into the Public folder. The code produced a login page for an Italian bank and passed details of anyone attempting to log in to the attacker!

The upshot is that it trashed the website by creating 1,000s of emails.

And I thought it was secure!!!

John

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 15:47
by AdamB
Jeez John - hopefully they never got any of the customers' 'private' details (i.e. credit/debit card details etc).

Not had much luck lately mate have you - what with the DTG problems and now this ................. I won't say it comes in threes!

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 15:54
by Stitch Up
Well, it's perhaps what I needed to get rid of a crap website - it's trashed now. It didn't work anyway and had no sales through it so no chance of anyone's details going elsewhere!

DTG is up and running now - my BIG problem is time, just not enough of it.

John

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 16:33
by John G
Hi John, good to hear the DTG is up and running again - I've got plenty of spare time so if you fancy you can install your machine at my premises FOC :wink:

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 16:50
by mrs maggot
Blimey John, sorry to hear about your bad luck, were the hosting company good when it happened ??

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 17:06
by Stitch Up
JustHost have been brilliant - nearly immediate help.

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 17:11
by mrs maggot
That's good to hear, it's only when the sh*t hits the fan that you tend to know if the hosting company are any good - and you are never in the mood for hold music or "eloo mister i may help you i am sam from engerland"

Re: Our Website Hacked - Long Story Short

Posted: 26 Jul 2011, 23:53
by JSR
Do you know how they put this php file into your webspace? It might be helpful to others to know if it was an insecure script or something that gave them access to your space.

Re: Our Website Hacked - Long Story Short

Posted: 27 Jul 2011, 09:38
by Stitch Up
@JSR
As I had my site designed by a 3rd party, I can only guess that its security wasn't great! I had a problem a year ago and got someone from the OSCommerce forums who specialised in securing sites, to sort it out and 'lock the site down' - his words not mine. I paid him to do it.

So your guess is as good as mine!

The way it works from what I understand is:
1. A bogus email is sent purporting to come from the recipient's bank.
2. The email informs them of a security breach on their account and asks them to log in to rectify it - a link is provided.
3. They click the link and it takes them to a fake bank login page. This page, in my case java.php, had been placed on my hosting service!
4. They type in their login details on the java.php page and the login details are sent to the attacker.

That's about it - a very common occurrence I'm told.

Anyway, my whole site, coding and everything has now been removed.

John

Re: Our Website Hacked - Long Story Short

Posted: 27 Jul 2011, 11:16
by JSR
Stitch Up;26795 wrote:
> @JSR
> As I had my site designed by a 3rd party, I can only guess that its security wasn't great! I had a problem a year ago and got someone from the OSCommerce forums who specialised in securing sites, to sort it out and 'lock the site down' - his words not mine. I paid him to do it.
>
> So your guess is as good as mine!
>
> The way it works from what I understand is:
> 1. A bogus email is sent purporting to come from the recipient's bank.
> 2. The email informs them of a security breach on their account and asks them to log in to rectify it - a link is provided.
> 3. They click the link and it takes them to a fake bank login page. This page, in my case java.php, had been placed on my hosting service!
> 4. They type in their login details on the java.php page and the login details are sent to the attacker.
>
> That's about it - a very common occurrence I'm told.
>
> Anyway, my whole site, coding and everything has now been removed.
>
> John

It's a pity you can't find out how the file got on there in the first place, so that you can be wary of it in the future.

It's quite possible that your website was "locked down". It's typical to have many websites run on the same server or virtual server. If the server isn't sufficiently secure, one website can affect another - so it could have been an insecure script on someone else's website (or even a malicious user who's purposefully uploading dodgy scripts to their own website).

So I wouldn't immediately blame the OScommerce forum guy - who, I'm sure, secured the oscommerce scripts as much as he was able. Without knowing how the file got there, it's difficult to know how to prevent it in the future. It's particularly scary to be told that it's a "very common occurrence" without knowing how it happened.