Author Topic: HELP I've been hacked!  (Read 846 times)
pszilard

« on: January 06, 2009, 02:44:37 PM »

Pls help! I know this isn't a WB problem, but my WB site has been hacked, and where else can I go for expert help than here?

My site shows a blank page, i.e. it doesn't display any code/content. If I connect via FTP, I can see all files seemingly unchanged! If I access via Plesk site control, I see that a number of files and folders had changed ownership to Apache, whereas before they were my domain id. This includes most (but not all) of the WB template folders.

If I log in to WB, and change the site template to one which has my id as owner, then the site shows up again. If I change it back to the template I want to use (now owned by Apache) then the site disappears!

I cannot uninstall the templates or reinstall them.

I would be grateful for any assistance. You can also PM me or email me at remektek-at-gmail-dot-com

Thanks in advance,

Paul Szilard
WB user since Dec 2007:
http://www.remektek.com.au/wb
http://photos.remektek.com.au/ for my photo portfolio
Ruud
WebsiteBaker Org e.V.

« Reply #1 on: January 06, 2009, 02:50:05 PM »

I assume you cannot set the files to your domain id again, so you will need the help of your hoster.

Just ask them to reset all your files to your id.
Also notify them about what happened; it might very well be their main site (Apache user) that was hacked.

Ruud

Professional WebsiteBaker Solutions
doc
Guest
« Reply #2 on: January 06, 2009, 03:03:14 PM »

Hello,

Have you tried to delete the specific template folder via FTP (remember to back up files first)? If this works, use the Admin Tool Reload Addons and then install the template again via the WB backend. If this does not work, you need to contact your hoster to set the right permissions.

Regards Christian
pszilard

« Reply #3 on: January 06, 2009, 09:55:41 PM »

I have opened an Emergency Help Desk Ticket with the hosting people, but it is still before their opening time.

I cannot delete or change or even access the contents of the folders :( and cannot remove or reinstall templates.

Could someone point me to instructions on how to secure a WB site? I do not understand .htaccess well, and would like a summary of the correct "hardened" file permissions. Is this described somewhere for WB?

Thanks.
ruebenwurzel
WebsiteBaker Org e.V.

« Reply #4 on: January 06, 2009, 10:02:56 PM »

Hello,

The question is not how to secure WB, the question must be how to secure the server. On all known hacked pages it was not a WB security hole; it was hacked due to server security misconfigurations.

The first step must be to get the logs from your hoster. Only there you can see when and how your page was hacked.

If you use WB 2.7 and the latest FCKEditor, WB should be secure. If you use an older version of WB or an older version of FCKEditor or another editor, maybe this could be the hole where a hacker could intrude a WB page.

Matthias
pszilard

« Reply #5 on: January 06, 2009, 10:46:50 PM »

Hi Matthias,

Yes, you are absolutely right that it is the server that needs securing. However as I am a novice in this (and many other) area, I would like a checklist on what the correct access settings are for WB files. e.g. should config.php be set to 644, or 444? etc.

Also how to use .htaccess properly - I would expect this to be a non-WB guideline, so I just ask for guidance here as I have great respect for the skills of people like you and others.

Thanks again...
ruebenwurzel
WebsiteBaker Org e.V.

« Reply #6 on: January 07, 2009, 06:50:08 AM »

Hello,

The answer to your question depends on your server config. Does Apache run as module or as CGI, which PHP settings are made, is the wwwrun user the same as the FTP user .....

Basically the lowest permissions with which WB works are the best. So files and folders which need to be written need write permissions (this could be 644 up to 755 or even 777 depending on your server config).

All files which do not need to be changed only need read permissions. A good idea is to set config.php and all index.php (except the templates' index.php) to chmod 444.

Also you can double-secure the admin folder (the admin backend) by using .htaccess with a password (if .htaccess is allowed on your server). And simply renaming the admin folder in the WB options and with FTP to another name is also a possibility to make life harder for hackers.

But always remember, if a hacker can hack your server because of an insecure server configuration, all these steps don't matter. As soon as a hacker has access to the server itself, he can change whatever he wants. So again, the best is to secure the server and run WB with default permissions.

Matthias
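
The checks discussed in this thread, as an added example that is not part of the original posts or of WebsiteBaker itself: POSIX shell functions that list paths no longer owned by the site's user, list world-writable paths, and set config.php and every index.php outside the templates folder to 444. The function names and the assumption that templates live in `templates/` directly under the WB root are illustrative.

```shell
#!/bin/sh
# Added example: ownership/permission audit for a WebsiteBaker tree.
# Function names are hypothetical; layout assumption: <root>/config.php,
# index.php files in many folders, templates under <root>/templates.

# List everything under $1 NOT owned by user $2 (name or numeric uid),
# e.g. template folders that ended up owned by the Apache user.
wb_foreign_owned() {
    find "$1" ! -user "$2" -print
}

# List regular files and directories that anyone on the server may write to
# (the "other" write bit is set, as with 777 or 666).
wb_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Make config.php and every index.php read-only (444), skipping the
# templates folder, whose index.php files are left as they are.
wb_lock_static() {
    root=${1%/}                      # drop a trailing slash so -path matches
    if [ -f "$root/config.php" ]; then
        chmod 444 "$root/config.php"
    fi
    find "$root" -path "$root/templates" -prune -o \
        -type f -name index.php -exec chmod 444 {} +
}

# Report only when called as: sh wb_audit.sh /path/to/wb ftpuser
if [ "$#" -eq 2 ]; then
    echo "Not owned by $2:"
    wb_foreign_owned "$1" "$2"
    echo "World-writable:"
    wb_world_writable "$1"
fi
```

Run the report before and after any hoster-side change (such as a PHP upgrade) and compare the output; `wb_lock_static` changes modes and is only called explicitly.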
pszilard

« Reply #7 on: January 07, 2009, 07:03:57 AM »

Thanks Matthias.

The good news is that it was determined that my problems were the result of upgrading PHP from 4 to 5, and the hoster's sys admin had to reset accesses. So that's a big relief!

I will try to implement your suggestions, however.

Appreciate your help.

Thanks a million (or 1E6)