
Recovered My Hacked Site

Wednesday, October 8th, 2008

I was in my village for the Eid vacation and without internet access. After a one-week leave, I came back to the capital and found that my site had been hacked. I was surprised to see that. Below is a picture of my hacked site.

[Image: MyHackedSite]

At first I thought my .htaccess file had been changed, but I noticed that only the index file was changed. I opened a support ticket with my hosting provider and got the following reply, which I think may be helpful for others:

Here’s some information you can use to help to identify what may have happened and how to rectify it and possibly prevent it from happening again.

The two most common entry points for a compromised website are (1) vulnerable, typically out-of-date web scripts (blogs, forums, CMS, etc.) or (2) a compromised FTP/SSH user password.

1) All web scripts you have installed under your domain should always be kept up-to-date with the most recent version available from the vendors’ website, as these often contain security patches for known issues. Older versions of well-known and popular web software (including WordPress, phpBB, PHPNuke, PostNuke, etc.) are known to have vulnerabilities that can allow injection and execution of arbitrary code. Also make sure not to store ‘archive’ versions of old software in an open web directory — if you intend to keep these they should be stored under your FTP user’s home directory, not under a domain directory. Finally, some plugins for popular software (such as Expose for Joomla) have been found to introduce similar vulnerabilities. It’s a good idea to search the internet for information about a plugin and ensure it doesn’t have any known issues before installing.

After updating your software, it is imperative that you go through all files under all directories for the user which has been compromised and ensure that any files which have been written to / modified have been removed. It is common for ‘hackers’ that exploit web scripts to upload innocuously-named scripts which they can use to further compromise the site more easily, even after the initial vulnerability is closed — including scripts to send spam mail or execute arbitrary shell commands under your account via a simple web page interface. A helpful tip for finding files of this nature is to look for files or directories that have timestamps that occurred since you last modified your site, or that occurred around the time that the ‘hack’ took place; still it is best to examine all files as even a single missed file can allow the site to be re-compromised.

2) A bit less frequently, FTP passwords can be compromised and used to modify files. The most important part of securing your account in this case is to change your FTP user’s password via the (USERS > MANAGE USERS) -> “Edit” area of the control panel. Passwords should not contain dictionary words and should be a string of at least 8 mixed-case alpha characters, numbers, and symbols. The best option for selecting a new password is to use our “Pick a password for me” feature. Check that box near the bottom of the page then click on the “Save Changes” button. The system will generate a very strong random password for this account. It will be displayed on the next page. It is recommended to always use Secure FTP (SFTP) or SSH rather than regular FTP, which sends passwords over the internet in plaintext. You should not use any passwords that you’ve used with other services, and ideally you should never use the same password for email, control panel, and FTP/SSH. Finally, you should always ensure that you’ve got up-to-date virus/malware screening on your computer to ensure that it is not compromised itself.

I updated my web scripts to the latest version and got my site back. I still don’t know how my site was hacked. Have you any idea? :)
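The timestamp check the hosting reply suggests (look for files modified since you last touched the site) is easy to script. The following is an added example, not part of the original post or of the host's reply; it builds a constructed sample web root in a temporary directory, with a marker file standing in for the time of the last legitimate deployment, and lists every file newer than that marker. The directory layout, file names and timestamps are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the hosting reply).
# Lists files under a web root that were modified after a reference point,
# i.e. the "timestamps since you last modified your site" check.
# All paths and timestamps below are constructed for the demonstration.

set -eu

# Build a constructed sample web root in a temporary directory and print its path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/blog/wp-content/uploads"
    # Files from the last legitimate deployment (old timestamp, 1 Sep 2008).
    printf '<?php // legitimate blog index\n' > "$root/blog/index.php"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf '<?php // legitimate theme file\n' > "$root/blog/wp-content/theme.php"
    touch -t 200809010000 "$root/blog/index.php" "$root/.htaccess" \
        "$root/blog/wp-content/theme.php"
    # Marker file whose mtime represents the last legitimate change.
    touch -t 200809010000 "$root/.last_deploy"
    # Files changed afterwards: a defaced index and a dropped script (constructed).
    printf 'hacked\n' > "$root/index.php"
    printf '<?php // constructed suspicious upload\n' \
        > "$root/blog/wp-content/uploads/x.php"
    touch -t 200810070300 "$root/index.php" "$root/blog/wp-content/uploads/x.php"
    echo "$root"
}

# Print files under root $1 whose mtime is newer than reference file $2,
# one per line, relative to the root, sorted for stable output.
changed_since() {
    root=$1
    ref=$2
    find "$root" -type f -newer "$ref" ! -name '.last_deploy' \
        | sed "s|^$root/||" | sort
}

# Number of files reported by changed_since (quick sanity figure).
count_changed_since() {
    changed_since "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample site, report, clean up.
site=$(make_sample_site)
echo "Files changed since last deployment under $site:"
changed_since "$site" "$site/.last_deploy"
echo "Total: $(count_changed_since "$site" "$site/.last_deploy")"
rm -rf "$site"
```

On a real account you would point the script at your document root and at a file you know was untouched since your last upload (or use `find -newermt` with a date, where your `find` supports it). Treat the list as a starting point only: whoever wrote a file can also reset its modification time, which is why the reply insists on examining every file rather than just the recent ones.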