In Search of Tech Help

Well, my old website, ChrisCMooney.com, has been hacked. I have no idea how to deal with it. I meant to set the old URL up to redirect here, but I have been way too busy to set that up...and now the problems are compounded. Will someone please email me if they can help out with this?

Er...it's hard to know what to do without knowing a bit more about the old site. I am assuming that it's not on your own server (I assume you'd have taken down the hack by now, even if it meant being off the air). Since you own the registration to the URL, you should be able to point it to a different IP and redirect from there. I'm guessing that the ScienceBlogs people could happily have it point to one of their IPs and redirect it here from there...that's what I'd do if you were on my tiny academic server (which was also hacked into earlier this year, but not as blatantly as what you've got).

If you haven't already, notify your ISP and change your account and FTP passwords.

Redirecting from your domain registrar will solve this too -- that will bypass the hacked files altogether.

Replacing the index file addresses the symptom but not the underlying problem--the web server has been compromised by someone who has most likely installed a rootkit or other backdoor mechanisms for future exploitation. If you don't have the ability to verify the contents of the server (including the kernel and all binaries), the best bet is to make sure you've got the web content backed up, then reinstall the operating system and make sure it's fully patched, and reload the web content.

And if you're short on backups, there's a copy of one version of the index file here. May need some formatting.

Of course, the problem is that, if they can hack it once, they can do so again. I note that you're currently running MS-IIS 5.0, which means there probably ain't much you can do to improve the security. IIRC, 6.0 was the first version that was even vaguely script-kiddie-proof. You might want to have a word with your hosting service about that - apart from anything else, it suggests they're running a version of Windows older than Win2003. On (very) cursory examination it appears well-firewalled, but still.

My (direct) experience with system administration security issues is a good 5 years out of date, but back then, many of the easily available tools could install multiple backdoors into a system, enabling the attacker to retain control of the system until a full replacement of the operating system and all executables was performed. Replacing the index file won't address this problem. In those days, the first step was for the administrator of the site to unplug the box from the internet - a sure and simple way of denying the attacker further access to the machine. I've paid only peripheral attention to the issues (combined with close attention to security issues germane to software I worked on) since then, but since articles like this continue to pop up regularly, I don't think things have changed much.

Might want to change the password too! But they probably did that too, so you are going to have to contact your hosting provider to have it reset. Alternatively, if you just want to point it to your new site, you can do that where you registered the domain. They should have a forwarding option. Then just cancel your hosting account.

My site was hacked a year or so ago. Like the commenter above indicated was the case with your site, they only replaced the index.html file.

They got into mine b/c I apparently had anonymous ftp enabled, and had a world-writable directory as part of a Gallery/MovableType installation. They dumped their script into one of those directories, and next thing you know my site was unrecognizable. I shut off anonymous ftp, wiped everything out and restored from backup, good as new.
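As an added example (not from any commenter on this thread), here is a small shell audit for the condition described in the comment above: world-writable directories under a web root, and script files that have been dropped into them. The web root path is an assumption; adjust it to your own install.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and list
# script-like files found inside them. The path passed in is an assumption.

# Print every directory under $1 that any user on the box can write to.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# Print script-like files (php/cgi/pl/sh) sitting directly inside
# world-writable directories under $1. A web server should never serve
# scripts from a directory that anyone can write to.
find_dropped_scripts() {
    find_world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' -o -name '*.sh' \) \
            2>/dev/null
    done
}

# Report findings; exit status 1 when anything suspicious turned up, so the
# check can be run from cron and alert on failure.
audit_webroot() {
    dirs=$(find_world_writable_dirs "$1")
    scripts=$(find_dropped_scripts "$1")
    [ -z "$dirs" ] && [ -z "$scripts" ] && return 0
    printf 'World-writable directories under %s:\n%s\n' "$1" "$dirs"
    [ -n "$scripts" ] && printf 'Script files inside them:\n%s\n' "$scripts"
    return 1
}

# Usage (path is a placeholder): audit_webroot /var/www/html
```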

Thanks for all the comments and emails. I have set up a redirect, hopefully it will work soon and this nightmare will be over. It would have to happen that my site would be hacked right when I went away to stay in a cabin with no internet access.....