If FTP write access restricted, then how did they get in?
First time WebHostingTalk.com forum user. We are a web developer in NYC and for the sites we do for clients, we make sure the third-party web host restricts write access to our IP address and the client's IP address. However, last week, two of our sites were hacked with a "louis-vuitton-purses-03.html" hack.
But how did they upload? Even if we had the worst SQL-injection rich code, and they could reach the server, how did they upload if they weren't on one of those IP addresses?
Apologies in advance for obvious naivete and thanks in advance for any help. Server security not our forte.
and for the sites we do for clients, we make sure the third-party web host restricts write access to our IP address and the client's IP address.
I don't really trust this too much. It will be more important to control anything that is uploaded to your account, but being in a shared environment you don't have access to the server to control this. So if your web hosting company doesn't have high security deployed to react in real time, any action from you is useless ...
We did the site in .aspx, not .php. Does that matter or same kind of shell?
Similar. Whether it's a PHP, ASP, .NET, Cold Fusion, CGI or other web application, if there is any part of the site that is designed to allow uploading of data/files or modification of content via a web browser, then you have to be careful. Although you've restricted FTP access, the world still has access to the sections used for uploading files/images or modifying web content unless you have locked down who can access those areas as well by IP address and/or some sort of authentication.
I doubt it's a permission issue, but as stated already, it could be that the hackers have control of a computer that does have a whitelisted IP address. We've seen this frequently with ASP based sites. I'm not certain why we see it more with ASP sites, but that is how it is - for us.
Do you have access to the access logs? If so, check those to see when those files were uploaded and look in the log files at those same times to see what activity there was at that time. That might lead you to the point of entry.
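As an added example (not from anyone in this thread), here is how that log check can be scripted for an IIS site. The W3C log excerpt, the planted file name and the allow-listed addresses below are constructed for illustration: the script finds the first request that fetched the planted file, lists every POST/PUT that hit the site in the hour before it, and reports which of those came from an address that was never on the FTP allow-list.

```python
"""Correlate a planted file with the write requests that preceded it in an IIS W3C log.

Added example; the sample log and the allow-list are constructed, not real data.
"""
from datetime import datetime, timedelta

# Assumed: the office and client addresses the host allow-listed for FTP.
ALLOWED_IPS = {"198.51.100.10", "198.51.100.11"}

# Constructed IIS 7.x W3C log excerpt. IIS writes '+' for spaces inside the
# user-agent field, so splitting each line on whitespace keeps the columns aligned.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-10-09 02:58:01 10.0.0.5 GET /default.aspx - 80 - 203.0.113.44 Mozilla/5.0+(Windows) 200 0 0 31
2012-10-09 03:01:12 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.44 Mozilla/5.0+(Windows) 302 0 0 78
2012-10-09 03:02:40 10.0.0.5 POST /admin/upload.aspx - 80 admin 203.0.113.44 Mozilla/5.0+(Windows) 200 0 0 210
2012-10-09 03:05:09 10.0.0.5 GET /images/logo.gif - 80 - 198.51.100.10 Mozilla/5.0+(Windows) 200 0 0 5
2012-10-09 03:06:55 10.0.0.5 GET /louis-vuitton-purses-03.html - 80 - 203.0.113.44 Mozilla/5.0+(Windows) 200 0 0 12
2012-10-09 04:10:00 10.0.0.5 GET /louis-vuitton-purses-03.html - 80 - 192.0.2.7 Googlebot/2.1 200 0 0 9
"""

WRITE_METHODS = {"POST", "PUT"}


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated line: skip it rather than misalign the columns
            entry = dict(zip(fields, values))
            entry["when"] = datetime.strptime(entry["date"] + " " + entry["time"],
                                              "%Y-%m-%d %H:%M:%S")
            entries.append(entry)
    return entries


def first_request_for(entries, path):
    """Timestamp of the first request for the planted file, or None if it never appears."""
    hits = [e["when"] for e in entries if e["cs-uri-stem"].lower() == path.lower()]
    return min(hits) if hits else None


def writes_before(entries, path, window=timedelta(hours=1)):
    """POST/PUT requests in the window leading up to the first hit on `path`."""
    t0 = first_request_for(entries, path)
    if t0 is None:
        return []
    return [e for e in entries
            if e["cs-method"] in WRITE_METHODS and t0 - window <= e["when"] <= t0]


def unexpected_writers(entries, path, window=timedelta(hours=1)):
    """Client IPs that wrote to the site just before the file appeared and are not allow-listed."""
    return sorted({e["c-ip"] for e in writes_before(entries, path, window)} - ALLOWED_IPS)


if __name__ == "__main__":
    log = parse_w3c(SAMPLE_LOG)
    planted = "/louis-vuitton-purses-03.html"
    for e in writes_before(log, planted):
        print(e["when"], e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"])
    print("wrote to the site, not allow-listed:", unexpected_writers(log, planted))
```

On the constructed log the two POSTs to the admin login and upload pages come from an address that was never on the FTP allow-list, which is exactly the pattern the reply above is describing: the FTP restriction was never involved because the write went through the browser-facing upload page. Against a real log, point `parse_w3c` at the day's file and widen `window` if the file's modification time is well before its first GET.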
Yes, our content management tool (in asp or aspx) allows them to change code and upload new pictures of management or products. When we get malware, I see a bunch of php files on there. Does this point to a php shell (though, again, we're asp)? Went into the log files and saw that most of this was done on 10/9. Even on sites where we had restricted access to our computers (5) and one computer at our clients'. How could we check to see (on our shared server) as soon as this malware goes on?
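One thing that can be done without server access, as an added example that is not from anyone in this thread: keep a hash baseline of the web root and compare against it on a schedule, so a dropped .php file or an edited page shows up within minutes rather than when a customer notices. The directory layout, the "unexpected extension" list and the throwaway site built by `demo()` are assumptions for an ASP.NET site; the baseline file should live somewhere the web application cannot write.

```python
"""Hash-baseline integrity check for a web root on a shared host.

Added example, not the thread's own tooling. Paths and the "unexpected
extension" list are assumptions for an ASP.NET site.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: an ASP.NET site has no reason to contain server-side scripts of these kinds.
UNEXPECTED_EXT = {".php", ".phtml", ".php5", ".cgi", ".pl"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots; 'flagged' is the subset of new/changed files with a suspicious extension."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    flagged = sorted(p for p in added + modified if Path(p).suffix.lower() in UNEXPECTED_EXT)
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}


def save_baseline(snap, path):
    # Keep the baseline outside the web root: anything that can write there could edit it too.
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a throwaway site, take a baseline, plant a PHP file, edit a page, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wwwroot"
        (site / "images").mkdir(parents=True)
        (site / "default.aspx").write_text("<%@ Page %>hello")
        (site / "images" / "logo.gif").write_bytes(b"GIF89a")
        base_file = Path(tmp) / "baseline.json"   # outside wwwroot on purpose
        save_baseline(snapshot(site), base_file)

        # Simulate what the attacker did: drop a PHP file and alter an existing page.
        (site / "shell.php").write_text("<?php /* planted placeholder */ ?>")
        (site / "default.aspx").write_text("<%@ Page %>hello<!-- injected -->")

        return compare(load_baseline(base_file), snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, `snapshot()` runs over the real web root (via FTP mirror or a scheduled task on the host, whichever is available), the result is compared with the saved baseline, and any non-empty `added`, `modified` or `flagged` list triggers an alert; after a legitimate CMS change the baseline is regenerated. Every upload through the CMS will show up as `added`, which is the point: the list should match what staff actually uploaded that day.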