Well that’s helpful

My lovely web hosts wrote to me to say:

We were recently informed that your website “http://xxxxxxx” has been compromised by attackers.

Well spotted. Will I be getting other mails about the other sites, or did you miss those?

This is commonly referred to as a “defacement”: the creation or modification of web pages through security flaws in web applications such as PHP scripts that allow third parties to gain control over an existing web server account. A real-life example of this kind of defacement would be graffiti on a wall, publicly displaying pictures or tags on someone else’s premises.

Nice theory, but not all the sites were using PHP scripts - or any scripts at all, in one case!

Web archives such as www.archive.org or the Google cache often contain modified versions of compromised web sites.

Now that was handy - I got back my HTML from the one site I hadn’t backed up recently from this site.

Please modify your scripts so that they can no longer be used to gain unauthorized access to your account. Outdated versions of public forum software such as phpBB or PhpNuke are also often the “culprit” in these cases.

You can gather further information about the nature of the attack from your web space access logs (access.log.*, to be found in the ~/logs directory).

Can anyone offer any pointers on how to interpret log files because I’m buggered if I can see the attacks in mine? I think I’ve plugged all the gaps now but, as I’m still unclear how the little sod got in, may have left a gaping hole somewhere so any pointers would be very much appreciated.
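One way to start reading access.log.* for the kind of thing the host is hinting at is to let a script do the first pass: flag anything that writes (POST and friends), flag script-style requests on a site that has no scripts, flag an address that racks up 404s probing for software you never installed, and flag successful responses for paths you never published. The code below is an added example written for this post, not something the host or the author supplied. It assumes the logs are in Apache “combined” format (the usual shape on shared hosts), the 404 threshold is a guess, and the sample log lines and addresses in it are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the usual shape of access.log.* on shared hosts (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SCRIPT_EXT = (".php", ".cgi", ".pl", ".asp")
NOT_FOUND_THRESHOLD = 5  # assumption: this many 404s from one address looks like probing

# Constructed sample lines with documentation-range addresses; not a real log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0100] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:40 +0100] "GET /about.html HTTP/1.1" 200 1200 "http://example.invalid/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2006:14:02:01 +0100] "GET /admin.php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:02:02 +0100] "GET /forum/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:02:03 +0100] "GET /old/ HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:02:04 +0100] "GET /backup/ HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:02:05 +0100] "GET /test/ HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:03:10 +0100] "POST /upload.php HTTP/1.1" 200 300 "-" "-"
198.51.100.9 - - [10/Oct/2006:14:03:15 +0100] "GET /x.html HTTP/1.1" 200 88 "-" "-"
"""

# The pages you actually published on the static site (hypothetical set for the sample).
KNOWN_PATHS = {"/index.html", "/about.html"}


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, static_site=False, known_paths=None, threshold=NOT_FOUND_THRESHOLD):
    """Scan log lines and return (findings, per_ip).

    findings: list of (line_number, ip, reason); line_number 0 means a per-address summary.
    per_ip:   dict of ip -> {"requests", "errors", "writes"} counts.
    """
    findings = []
    not_found = Counter()
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "writes": 0})

    for n, line in enumerate(lines, 1):
        r = parse(line)
        if r is None:
            findings.append((n, "-", "unparseable line (different log format?)"))
            continue
        ip, method, path, status = r["ip"], r["method"], r["path"], int(r["status"])
        stats = per_ip[ip]
        stats["requests"] += 1
        if status == 404:
            not_found[ip] += 1
            stats["errors"] += 1

        # Anything other than a read is worth a look; on a static site it should never happen.
        if method not in ("GET", "HEAD"):
            stats["writes"] += 1
            findings.append((n, ip, f"{method} request to {path} (status {status})"))

        # A site with no scripts should never be asked for .php or a query string.
        bare = path.split("?", 1)[0]
        if static_site and (bare.lower().endswith(SCRIPT_EXT) or "?" in path):
            findings.append((n, ip, f"script-style request on a static site: {path}"))

        # The server answered 2xx for something you did not publish: a file someone else put there.
        if known_paths is not None and 200 <= status < 300 and bare not in known_paths:
            findings.append((n, ip, f"served a path you did not publish: {bare}"))

    for ip, count in not_found.items():
        if count >= threshold:
            findings.append((0, ip, f"{count} responses of 404: probing for software that is not there"))
    return findings, dict(per_ip)


if __name__ == "__main__":
    import gzip
    import sys

    lines = []
    for name in sys.argv[1:]:  # e.g. ~/logs/access.log.*  (rotated .gz files are handled)
        opener = gzip.open if name.endswith(".gz") else open
        with opener(name, "rt", errors="replace") as fh:
            lines.extend(fh.read().splitlines())
    if not lines:
        lines = SAMPLE_LOG.splitlines()
    found, summary = triage(lines, static_site=True, known_paths=KNOWN_PATHS)
    for n, ip, why in found:
        print(f"line {n:>6} {ip:<15} {why}")
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["errors"]):
        print(f"{ip:<15} requests={s['requests']} 404s={s['errors']} writes={s['writes']}")
```

Run it as `python triage.py ~/logs/access.log.*` and read the flagged lines in order of address: the first successful request for a path you never published, from an address that spent the previous minute collecting 404s, is usually the moment the defacement landed, and the timestamps on either side tell you which request did the damage. On a PHP site drop `static_site=True` and instead compare the POST targets it lists with the scripts you know you installed.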
