Re: [Toledoh] CMSB install hacked
Hi Tim,
We've seen this a number of times and can also offer security auditing services through consulting.
The entry point is typically an outdated open-source script installed on the site (WordPress, email forms, galleries, etc.). Even if the script isn't being used, or installed by default by the host, hackers use automated scanners to find known paths to old vulnerable software. Check for anything like that.
Another possibility is that the hackers have compromised another account on the shared hosting server and are attacking the client's site after gaining access through another shared hosting account. If this is the case, there's nothing you can do but switch hosting.
One of the ways we detect entry points when we do security audits is to check the web server logs to see who accessed the exploited files. Once we determine the IP of the attacker we can then check the logs to see what other files that user accessed, check modified timestamps on files, etc.
So, the short and simple answer is to go through all the folders on FTP and remove any software you don't need, upgrade any other software in use, then if it happens again switch hosts.
Also, I have a scanner in development which might help. If you email me directly I can tell you more about that.
Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
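
The log check described in the post above, as an added example that is not part of the original post or interactivetools' own tooling: find every IP that requested a known-exploited file, then list everything else that IP requested, in time order. The log format (Apache/Nginx "combined"), the sample log lines, the file paths and the function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumes Apache/Nginx "combined" log format; adjust the regex for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2013:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2013:09:15:10 +0000] "GET /old-gallery/readme.txt HTTP/1.1" 200 812 "-" "scanner"
203.0.113.45 - - [12/Mar/2013:09:15:12 +0000] "POST /old-gallery/upload.php HTTP/1.1" 200 312 "-" "scanner"
198.51.100.7 - - [12/Mar/2013:09:15:15 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2013:09:15:20 +0000] "GET /uploads/img001.php HTTP/1.1" 200 40 "-" "scanner"
203.0.113.45 - - [12/Mar/2013:09:16:01 +0000] "POST /admin/login.php HTTP/1.1" 403 199 "-" "scanner"
"""

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def trace_attackers(lines, exploited_paths):
    """Map each IP that touched an exploited file to its full request timeline."""
    by_ip = defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        by_ip[ip].append((ts, method, path, status))
    suspects = {ip for ip, hits in by_ip.items() if any(h[2] in exploited_paths for h in hits)}
    return {ip: sorted(by_ip[ip]) for ip in suspects}

if __name__ == "__main__":
    # exploited_paths: files the audit found modified or planted (hypothetical here).
    hits = trace_attackers(SAMPLE_LOG.splitlines(), {"/old-gallery/upload.php"})
    for ip, timeline in hits.items():
        print(ip)
        for ts, method, path, status in timeline:
            print(f"  {ts.isoformat()}  {method:4} {status}  {path}")
```

The earliest request in a suspect's timeline is the place to start comparing against modified timestamps on files.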