Hacked Site Information

The information in this article applies to:

Hacked Site
SQL Injection
FTP Compromise
Google Warning

FTP Compromise

Re-invent has seen an increase in the number of customer sites compromised via legitimate FTP access. This issue has nothing to do with us, our services or our security, but was caused by a worm or virus installing a keylogger or other username/password harvesting program on a home or office computer belonging to you or one of your users. Once a hacker has your login information, they can alter your site files to deliver malware to visitors, or redirect your visitors to another infected site. This is usually done by adding a single line of <iframe> code to a page.

What you should do to clean up the issue:

1) Perform a thorough virus and anti-malware scan of every computer you use to access your site and remove any malicious programs.

2) Once you are certain that all of the computers you use to access your site are free from malicious software, delete all the files from your site.

3) Change all of your account passwords - including FTP, database and email account passwords - and the passwords of any users that have FTP access in our Control Panel.

4) Re-upload your site files.

If you clear out files and change passwords without being certain that your computer(s) are free from malicious software, it is likely that your login information (and your site) will be compromised again.
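
A check you might run on your local copy of the site before step 4, as an added example that is not Re-invent's own code: it lists every <iframe> whose src points at a host other than your own. The host names, the extension list and the rule that any off-site iframe deserves a look are assumptions of this example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumption: extensions worth scanning; adjust to what your site serves.
PAGE_EXTENSIONS = (".html", ".htm", ".asp", ".aspx", ".js")
# A regex, not an HTML parser, so tags written by script or server code match too.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def is_off_site(src, allowed):
    """True when src names a host that is not one of the site's own."""
    try:
        host = urlparse(src).hostname  # None for relative URLs
    except ValueError:
        return True  # unparseable URL: report it for manual review
    return host is not None and host.lower() not in allowed

def scan_site(root, allowed_hosts):
    """Return sorted (relative_path, line, src) for each off-site iframe."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in IFRAME_SRC.finditer(text):
                if is_off_site(m.group(1), allowed):
                    line = text.count("\n", 0, m.start()) + 1
                    hits.append((os.path.relpath(path, root), line, m.group(1)))
    return sorted(hits)

def demo():
    """Scan a constructed two-page site; host names and paths are made up."""
    pages = {
        "index.html": '<html>\n<body>\n<iframe src="http://malware.example/x"></iframe>\n',
        "about.asp": '<iframe src="/map.html"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in pages.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_site(root, ["www.mysite.example"])

if __name__ == "__main__":
    for path, line, src in demo():
        print(f"{path}:{line}: iframe loads {src}")
```

Third-party embeds you added yourself, such as a map or video player, will be listed too; add their hosts to the allowed list once you have confirmed them.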

SQL, JavaScript and XSS Injection Attacks

Mass injection attacks targeting SQL Injection vulnerabilities within application code have ramped up, with some of these attacks specifically targeted at ASP and .NET applications. Some of these attacks are even fully automated and are being launched via botnets and other infected systems. The source of these attacks and the attack code being used change so fast that it is impossible to block them at the network level.

SQL Injection and cross-site scripting (XSS) attacks are nothing new. For several years now, computer security professionals have been warning of massive attacks such as these disrupting normal business operations on the public Internet. It looks as though this new wave of attacks, and this new method of infecting clients with malicious code, has started.

If your web application does not check, validate, filter or otherwise sanitize any data sent to your database, an SQL injection is possible either through a web-based input form or via an altered URL string. The SQL injection is used to perform database queries that your application generally would not perform (such as updating text fields that are displayed on a web page to include malicious links). For help on SQL Injection, please visit:

http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

If a site visitor has notified you that they receive a warning from their antivirus software, or get Google's "Reported Attack Site!" warning in Firefox, your site may have been exploited.


NOTE 1: Please do not post information that our services are insecure if you encounter these issues. Our services ARE secure and this problem has nothing to do with our services, servers or our security in any way!

NOTE 2: If your site remains compromised after you have been notified of the problem, Re-invent can, at its sole discretion, suspend services to your site in accordance with our Acceptable Use Policy. Suspended and terminated sites would not be eligible for refunds.

Article ID: 287, Created On: 9/24/2009, Modified: 9/24/2009