Security Message from Website Host...
THE TOUCH
I just got this email from my Website Host -
This message is to inform you of a recent security vulnerability regarding
your hosting account. One or more of your website files has been edited to
include JavaScript code that launches malware from a remote IP address. This
may cause an AntiVirus alert for visitors simply by viewing your website(s).
The cause for this vulnerability is due to the fact that one of your web
applications contains login information to the MySQL server. Because you have
chosen the same MySQL database password as your FTP login password, the
attacker was able to establish an FTP session and modify the website file to
include the malicious code.
It appears that the affected file, the-touch.biz/index.htm was modified on
8/25/2006 and therefore the malicious JavaScript is no longer intact.
However, you may want to double-check that your site is working properly and
that the page(s) are displaying correctly. It may be necessary for you to
re-upload your website content if the site is not working as you expect.
You will need to change your Control Panel password as soon as possible to
prevent further malicious activity. We would also like to point out that you
should always use different passwords for your MySQL database connection and
FTP login. Doing so will greatly reduce the ability for attackers to modify
your website files.
Please reply with any additional questions or problems regarding this issue.
If we do not receive a reply within 24 hours of this message, we will be
changing the FTP password to prevent the attacker from regaining entry. You
will then need to use the "Forgot Password" link on the Control Panel login
page or contact support.
I've gone through and changed all my passwords but I'm not sure I understand HOW this happened. Can anyone help me out? Is there anything specific I should look for besides changes to the website?
Thanks!
Insanity: Doing the same thing over and over again and expecting different results. - Albert Einstein
- Kevin
Comments
Obviously I don't know the details of your web application that uses MySQL but I'd ask your hosting company how the attacker found out what your MySQL password was and then make sure that no-one else can get hold of it.
I can only think of two ways off the top of my head:
1) The MySQL DB installation was compromised, in which case you'll want to make sure that it is secure now. Presumably this is down to your hosting company and the fact that they know the password was used suggests to me that this is most likely.
2) The attacker could somehow work out your password from looking at the source of your web pages. If this is the case you'll need to fix it.
If you have an up to date backup copy of your website on your home machine or elsewhere I would use it to replace all the files on the live site so that you can be sure you haven't missed anything.
As I said I'm not an expert on these things but that's what I'd do.
Kevin, I am looking at your site and for the life of me I cannot see where you use a Database. Did you modify your site after the event? I'm assuming your host gave you a DB included in the price. Why and/or how they used that password to nab your FTP password is uncertain to me as well - are there any files on the site that contain that password?
Seeing that all your pages are static I would turn and reload from a trusted source all files that make up the site.
--
Jon
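Added example, not part of any post in this thread and not the host's tooling: one way to carry out the checks suggested above, comparing the live files with a trusted backup, flagging script tags that load from a raw IP address (as the host's e-mail describes), and finding files that still contain a password. The file names, the address 192.0.2.10 and the password string are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# <script src=...> whose host is a bare IPv4 address, as the host's e-mail describes
IP_SCRIPT = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//(\d{1,3}(?:\.\d{1,3}){3})""", re.I)
WEB_EXT = {".htm", ".html", ".js", ".php"}

def audit(live_root, backup_root, secrets=()):
    """Return (relative_path, finding) tuples for files under live_root."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    findings = []
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = path.relative_to(live_root).as_posix()
        trusted = backup_root / rel
        if not trusted.is_file():
            findings.append((rel, "not in backup"))
        elif path.read_bytes() != trusted.read_bytes():
            findings.append((rel, "differs from backup"))
        if path.suffix.lower() not in WEB_EXT:
            continue
        text = path.read_text(errors="replace")
        for ip in IP_SCRIPT.findall(text):
            findings.append((rel, f"script loaded from raw IP {ip}"))
        if any(s in text for s in secrets if s):
            findings.append((rel, "contains a known password"))
    return findings

def demo():
    """Audit a constructed backup/live pair (documentation IP, placeholder password)."""
    clean = "<html><body>Gallery</body></html>"
    files = {
        "backup/index.htm": clean,
        "backup/about.htm": clean,
        "live/about.htm": clean,
        "live/index.htm": clean + '<script src="http://192.0.2.10/x.js"></script>',
        "live/dbtest.php": '<?php $pw = "EXAMPLE-PASSWORD"; ?>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(exist_ok=True)
            target.write_text(body)
        return audit(Path(tmp, "live"), Path(tmp, "backup"), ["EXAMPLE-PASSWORD"])

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

On a real site, `audit()` would be pointed at a downloaded copy of the web root and the local backup; any file it reports as not in the backup or containing a password is a candidate for deletion before re-uploading.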
Some time ago, I was trying to set up a database but didn't have a clue what I was doing. While screwing around, I tried to set up an SQL Database on the server and never deleted it.
How they got the password...I don't know.
I'll go ahead and upload the website again just to be safe.
Thanks again!
- Kevin
I can say one thing... you have a great website host if they will go through the trouble of composing that email to you! Many hosts just don't give a poop.
jamie
Yeah! I was shocked! Over the years their service has been worse and worse so I was very surprised to get this. Maybe I will stick with them!?
- Kevin