Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

Identifying hacked code

Monday, February 9th, 2009 by Servage

matrixFrom time to time we are seeing that customers’ websites are being hacked. This is very unfortunate and extremely frustrating because it often involves big hassles for the webmaster to repair the damage. Such intrusions are seen coming from different points of entry, which for instance could be via FTP after sniffing a password or via installed scripts like a CMS, forum, blog or similar. The main plot of the stories is commonly the same, while the scenes and actors vary. Often the goal of the intruder is to drive traffic from your website to the hacker’s own page or network of pages – for instance to gain a financial benefit from add revenues or similar, by exposing you and your websites’ visitors to such, and/or gaining better search-engine-rankings by the increased amount of cross-linkings by placing links to the intruders pages on your website.

Intruders with this type of content manipulation on their agenda mostly scan an accessed account for HTML, PHP and .htaccess files, identify specific tags in them, and add their own custom code fragment. These fragments can be disguised so they wont be seen by the regular website user. This could for instance be achieved by hiding the code within the HTML “comment” tag like <!– Unwanted content which the browser won’t reveal because it is hidden in a comment code fragment –> or making the code visible to search-engines only (by utilizing a script that identifies the visitor as a search-engine before deciding to display certain code fragments or not).

Unfortunately there is no general cure against intrusions, but you can avoid many problems by using secure passwords (at least 8 characters long, using big letters, small letters, numbers and special signs where possible) and by keeping your software up to date. Many open source software products are used by numerous users. Therefore known security issues in them can become a serious threat to your website if you do not update your software when the developers release it.

For those of you who want more: Read an interesting article about a WordPress blog being hacked.

Identifying hacked code, 3.5 out of 5 based on 33 ratings
Categories: Guides & Tutorials

Keywords: , ,

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

31 comments (leave a comment)

Wow… happy to see that you made a post about my problem, but I guess I wasn’t the only one!

That is really sad since I now need to rebuild all of my websites (4 at the moment)!

Well… hope to have a luck in the future, and no more problems like these!

– Tousiger

I had a password 8 characters long.
Didn’t help.
Now it’s 20 characters long.
So go for the longest password possible.

Prevention is better than cure but you got to have both. MySQL databases are also a target for hackers.
So, now we have to secure all our assets with strong passwords AND backup snapshots of files and data. An automated backup solution for the server-side is very much needed.
If you have 35+ websites like me, the manual way is a pain.

That’s right, a secure password is only a part of the game-plan. Creating backups on a regular basis is a the best way of ensuring that any incident can be resolved as smoothly as possible.

I had a randomly generated password 15chars long but a site still got ‘hacked’ with invisible (CSS) links to spam sites.

It’s funny that you recommend using recent open source releases because the reason I got caught is because I *was* using a recent version of FileZilla that couldn’t connect to Servage via FTPES :( Thankfully Servage (i think) has fixed this because it works now.

Always keep one or more offsite backups of your websites!

Animal farm :-)

Would be nice, if the wiki had a section where examples of the code inserted into hacked web page was displayed.
(Maybe even combined with a google search, searching for keywoards in a given site, indicating that there could be a problem)

The way I was hacked was a manipulated .htaccess that rewrote index.htm to contain hidden links below /html

It made use of files placed in a folder called sovereign.

I’m not certain, how it was manipulated, but it seems that my control panel access was hacked.

Good to see Servage posting a remark about the latest bout of hacks coming through but I dont think it quite covers the main point.

In early November, it was noticed that ALL of my websites have been hacked (even ones that were NOT running scripts). The hack seemed to come through Servage itself and even created its own FTP account in my control pannel.

I doubt that this would be possible to do and from searches online, I noticed several people commenting about the same thing so I am left with the impression that it was a Servage wide problem.

Both before and after the hacks I made sure I had backups of all of my sites and databases and took measures to ensure that the passwords used for control pannel, websites, email accounts etc are all different.

There has been a problem due to security issues with the used server software at that time. We deeply regret that incident and our admins have worked hard in the meantime to switch our systems to other, better software solutions. One of them is the Servage OS introduced by the end of last year.

Good to see it isn’t just me and that Servage have noted the problem. Given that prevention isn’t always possible it’d be good to see improved backup and recovery systems implimented by Servage that would make it easier to undo the changes made by these hackers. I for one would be happy to use some of my space storage space for automatic backups of all my files and databases. Perhaps something similar to the Rollback program in Windows would be good?

I had all of my index.php files altered by someone that hacked my password.
I deleted all files and restored with new downloaded PHP-scripts.
Also I changed all password on the MySQL databases.
Don’t use remote access to databases unless you need to.
I don’t use it.

After finishing building website i get the hash key of the page. this key is storet on an extern server. if i did not work on my homepage a cronjob checks every 30min. the file hashkey and the stored haschkey. if they ar different the script starts a restore of my website, send an message via mail and sms to me and starts to check if the restore is successfully finished. if its not i get an message to. some times i try to edit the indexfile and im happy to say that the litle fileckeck is correctly completet. The negative site of this is that it dos not prevent from hackers. The sms service was also sometimes down so the message only comes to my mailbox. In the future i would like to make a script that checks all filehashes not only the index page.

best regards markus

I agree with onvoippbx, a backup solution from servage is desperately needed, trying keep dayly backups of your sites via ftp is much more painfull than it should.

Long passwords and updating scripts are only two of many factors needed to keep your site secure; despite than Geo IP security is a step on the right direction, we are still lacking this important feature.

I think is not too much to ask, a gzip feature under File Attributes should be enough for most people. (shedule would be nice also).

I agree, a backup solution would be extremely nice, but please remember that we have some customers actually using up to 510 GB of space. Backing that up (even incrementally) on a daily basis is a resource-intensive and storage-expensive thing to do for a budget hosting package like ours, so we have a few challenges that we are dealing with.

How much of this hacking occurs through one ‘entry’ account which then affects the others? I am not running any weak scripts..etc and yet still get hacked? Could it be through someone else’s account on the same server?

This problem has occurred in the past, but with the Servage OS introduced a couple of months ago our admins have removed any known issues like that.

Hi all, i too have had the dreaded intrusion. What i noticed first was that in any of my static sites, there was a .htaccess file located in the root. As there was no need to protect any of those sites, and i knew i hadnt included one, i investigated right away. Burried in an image folder in most of the affected sites was a linkator file which seemed to point to porn sites. I quickly changed my password and began clearing out all the bogus files. That was 2 months ago and so far i havent had any more probs. So just check your root for a .htaccess file that you didnt put there

In my case, I suffered from this problem twice but I found the reason was not a sniffed password, but a 777 permission on that directory, which is typically required when installing PHP scripts that need either webserver ownership or 777 permission; it’s good to scan the directories for a forgotten 777 from time to time to reset it back to 644 or 755. Also the intrussion has only been about intalling an index.html file with silly things, but my index.php files have been left untouched because they have 644 or 755. Congratulations for the new areas of Servage like this Blog. Greetings.

That is right, there are a number of ways hackers can get access to your files. Using wrong permissions on your files is one of them. So I can only agree with you that making sure the permissions are set right is a vital thing to do.

I think this isnt just servage its happening all over,the problem is the passwords people use are
1. To easy..dont just use letters but combine them with numbers and even !!@$@%(#$ or something like that.
2. People never change there passwords,i would say change your password every 30 days or so just to make sure your safe.
3. There are alot of weak scripts out there dont just buy or install any script you find do some research before you actually install it..remember one bad script and people could get acces from that script and maybe take over all your websites from just one bad script!
4. Dont use nulled scripts..i know some scripts might be expensive but trust me its worth investing in them. Also it keeps the buisness alive =)
5. Watch out what you chmod! dont just chmod anything,be very carefull with this.

I have never had any problems with being hacked myself but i do know people that have and they all had some weak spot in there i would say check all the code again after installing and just do a check up on your ftp once a while dont just let it sit there…
Dont use stock passwords because hackers mostly use wordlists and many passwords that people use are on these lists so yeah the hacking wont stop. PICK YOUR PASSWORDS CAREFULLY!

Hope this information helped out a little


I think I may have found a solution which can backup our websites and databases.

It can backup directories as well as SQL Databases (4.0+).

Thank you for the hint. I have forwarded that to a technician for review.

Nice to be reading about your thoughts and feelings, and a great blog!

Had my sites hacked on a semi regular basis not long ago. Bet advise is check for the latest software releases and also check other peoples point of view on the security of you software (PPH-Nuke is horrible!). Also if you are not going to activy persure a site then remove it. Saves the headache of having to update it all the time to keep on top of security fixes. If it int there they can exploit it! =)

A GREP-like text search function on the Servage file manager would help a lot. If I could search for such things as web sites “http://” or for mail intrusions of the PHP “mail(” function it would make life much easier.

This Windows based program will analyze a website in a most thorough manner. Try it.

It sniffs for links, legitimate or otherwise.


The other day I read an article about WordPress back-upping.
There is a neat and nifty way to have your database daily automated back-upped to your mail. Gmail seems to work real good with it.

It is a plugin

I read it on which by the way has good tips, tutorials and screencasts about WordPress. Article about this

So far I only use WordPress on some small sites as an CMS, because it is easy to use for the posters.

Hope you all have a benefit from my comment.

Gr Corpus

I’m glad these issues are now getting some interest. Not long ago I had my forum hacked, every IP was banned including mine! Being a newcomer to forum install/maintenance I did not know what to do so I deleted the 27,000 posts and eventually the entire database/folders etc.
It was over 13 months old and had gathered some 700 members, all of which had put some work into building the knowledgebase. It really put me back and was seriously thinking of not bothering but realised that there were people out there I could still help with my trade (plasterer). I am grateful to all those who are really educated on the scene for inputting their knowledge, I am sure before long that I will be able to be in a position to at least undertand how to make things more secure.

I like the rest of you recently got hacked too, I had a log of someone from Croatia logging into my account under account security on the website. And around taht time is when my files were hacked. I have now activated GeoIP security for the country and i am considering getting a static IP address again so that only my IP address would be allowed to log in.

As jakob mentioned these hackers tend to look for PHP and HTML files. I don’t know how effective this will be but you know you could create customised file extensions such as (.cb, .do, .go instead of .php and .html) using the .htaccess file which is something i tried last night and it does work.

I am going to look for other ways to enhance security, I haven’t looked into this yet, but is there anyway to ensure only a certain IP address can update, delete or add web pages? It also might be worth a shot.

BACKUP TO SERVAGE NOT FROM – that means you only ever UPLOAD files to the host – if you need to change something change it locally then upload ONLY.

Dont blindly install scripts and change permissions to make them work – ASK servage how to make folders writable by the script but still keep the rest of the world unable to write. 0777 is simply asking for trouble.

hide config files in your ROOT thats the page that says www create a new folder call it something really unusual like “recycler” and pop all your important stuff in there – its still viewable but its much more difficult for the average kid to do.

READ AND SHARE techniques – servage has a wiki – so why not post in there “how to prevent sql injection” – some common little bits of code can stop multiple methods working, if you can stop the method – you have more chance of stopping the attack.

Nothing will ever keep you 100% safe – buy a servage ssl cert if you have customers, it keeps them safer too, these are practical things you can do to reduce risk.

Security is about reduction in risk, and sensible practices – if you only upload files, use ssl, have the config for the db etc in the root – a vast number of problems are solved.

You would still need to program the sites correctly of course, its one thing to protect the sites access – but theres doorways via forms etc – again put it in the wiki – others will adjust it – in the end you have a very valuable resource.

Hey, thanks for the great content. I also have some great content…

I just added my second part of the 36 of the best WordPress plug-in’s for 2009.
Its a followup to my original post:

I also included 2 Notable mentions, one for the PHP Programmers ( or those with basic php knowledge or desire to learn) and one for the Twitter folks…’

Check it out and let me know, I Still have another 18 left to review….

Thanks and hopefully this will help you along your travels:

Works a treat.

I have a “checking” script that I run to verify my files on my computer (local). It creates a hash for each file. Then I upload the files as will as the checking script. The checking script runs every day and checks if the files of my website has changed, if so it send me an email which file was changed and when. I then upload the clean file from my pc. :)

Leave a comment

You must be logged in to post a comment.