Hacked site.

[Alhazred De Sane]

I'm wondering if anyone here can help me with a recurring hacking problem. One of my clients sites has been targeted several times over the last 6 months. The hacker somehow adds hundreds of hidden links to the very bottom of the home page of Barcelona Apartments | Barcelona Apartment Rentals | Rental Apartments Barcelona | Barcelona Self Catering Flats to Rent . The links placed on the page appear to be unrelated.

We have reset the passwords for the ftp every time it happens, but it doesn't seem to have any effect, other than the site stays clean for a few months before the links appear again. Every time Google indexes the site when it has been hacked, the site plummets through the SERPs, and as the natural search pages are the biggest source of visits to the site, and as the business relies heavily on the site for its income, this is very costly.

Is this a problem with the host? Hostrocket is where the site is hosted.

 

[garycocs]

What sw are you using to build the site is it custom built or out of a box?

What probably happened is that on the first hack the site probably got injected with a script, that script is probably still on the account somewhere.

You'll have to strip the content of the site and find the script.

//Gary

 

[Alhazred De Sane]

Cheers Gary.

The site was custom built, although not by us. I think it was built in asp, but it might be php. I'll tell the programmer to search for an unwanted script - sounds like a lot of ****in' work!

 

[mneylon]

The other thing is to make sure that ALL devices / computers are scanned for viruses - just to be 100% sure.

 

[Alhazred De Sane]

Hi Michele,

I've made that point a few times to the client. Part of the problem is that he accesses his ftp from three different machines in three different locations - Barcelona, Sitges, and his home - plus, his programmer accesses it from Austria and from Germany, and I have access here in Ireland. And that's just the ones I know about! It looks like one of the machines might be infected with some program to record keystrokes, and identify passwords.

Can poor server security have anything to do with it? If we can find the bad script and remove it, would shifting the site to another host make any difference?

 

[mneylon]

If it's a virus, such as Gumblar ( Gumblar Like Attacks Continue - Blacknight Hosting Network Status ) then changing the host won't make much difference.

If it is Gumblar or similar, then the problem is due to the people who use ftp having their machines compromised.

There isn't an easy solution unless you can both restrict FTP access and ensure that the FTP details aren't shared electronically ie. not shared or stored electronically

 

[Alhazred De Sane]

Update

Thanks again, Michele.

As of this morning, we have found another site hacked. This one is huge, and located in NYC. The virus, don't know the name, has been placed in ALL the javascript files on the server, and directs its nastiness at the index file, adding reams and reams of bad links to the page.

I was talking with a programmer on Saturday evening, and the same thing had been a problem in Argentina before Xmas.