Nip hacking in the bud with Purebasic

netmaestro
PureBasic Bullfrog
Posts: 8451
Joined: Wed Jul 06, 2005 5:42 am
Location: Fort Nelson, BC, Canada

Post by netmaestro »

Yesterday a friend from this forum let me know that Google was reporting my website as a host for dangerous malware. When I pulled it up in Firefox, sure enough a big red screen warned me that I shouldn't proceed because the site was known to host viruses and worms. So I downloaded my entire site to a folder and scanned it. Two obfuscated scripts were found in my index.htm file. I compared it with the file I had uploaded some months ago and my version was clean. So someone hacked my service provider and planted malware in my index, the dirty rotten scoundrels. I reupped the clean version of my index, submitted my site to Google for a review, and after the six hours or so it took them to get to it, I got the all clear.

This kind of thing is going to happen from time to time. How to defend against it? Why, aim some Purebasic at it, of course:

Code:

InitNetwork()
Repeat
  If ReceiveHTTPFile("http://www.<mywebsite>.com/index.htm", "d:\index.htm")
    a$ = MD5FileFingerprint("d:\index.htm")          ; Downloaded index
    b$ = MD5FileFingerprint("d:\_website\index.htm") ; Original index
    If a$<>b$
      If CreateMail(0, "<myemail>@<myhost>.com", "Emergency!")
        SetMailBody(0, "Website index has been attacked !")
        AddMailRecipient(0, "<myemail>@<myhost>.com", #PB_Mail_To)
        Result = SendMail(0, "smtp.<mysmtpserver>.com", 25, 1)
        Repeat
          Progress = MailProgress(0)
          Delay(300)
        Until Progress = #PB_Mail_Finished Or Progress = #PB_Mail_Error
        If Progress = #PB_Mail_Finished
          MessageRequester("Emergency!", "Website index has been attacked! Emails sent.")
        Else
          MessageRequester("Emergency", "Website index has been attacked! Unable to send emails.")
        EndIf
      EndIf
    EndIf
  EndIf
  Delay(1000*60*10) ; 10 minutes
ForEver

This runs continuously (actually a more sophisticated version with a systray icon and health check infos but this is the basic idea) on my system and now if someone hacks me again I'll know it in 10 minutes, even if I'm not home.
BERESHEIT
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Post by MachineCode »

Instead of a warning email, couldn't you just make an app to upload the clean file every 12 hours? So you know it's always going to be clean at least twice a day, every day.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!

Post by netmaestro »

My current version checks every 10 minutes; if tampering is found, it saves the bad one and uploads the good one. This way I can examine the script(s) and possibly get a line on who may have done this.
BERESHEIT
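
The check described in netmaestro's two posts above, sketched as an added example that is not code from the thread: it covers every file of the known-good local copy rather than only index.htm, uses SHA-256 in place of MD5, keeps a copy of any modified file, and reports a failed download instead of silently skipping it. The function names, the `fetch` callback and the sample site contents are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(local_root: Path) -> dict:
    """Hash every file of the known-good local copy, not only index.htm."""
    return {p.relative_to(local_root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(local_root.rglob("*")) if p.is_file()}

def check_site(baseline: dict, fetch, quarantine: Path) -> dict:
    """Map each baseline path to "ok", "tampered" or "unreachable"; fetch is a hypothetical callback."""
    quarantine.mkdir(parents=True, exist_ok=True)
    status = {}
    for rel, good_digest in baseline.items():
        try:
            live = fetch(rel)  # returns the live bytes or raises OSError
        except OSError:
            status[rel] = "unreachable"  # reported, never read as "no change"
            continue
        digest = sha256_hex(live)
        if digest != good_digest:
            # Keep the modified copy for examination before the good one is restored.
            name = f"{digest[:12]}_{rel.replace('/', '_')}"
            (quarantine / name).write_bytes(live)
        status[rel] = "ok" if digest == good_digest else "tampered"
    return status

def demo():
    """Constructed sample: one page modified, one file intact, one unreachable."""
    with tempfile.TemporaryDirectory() as tmp:
        good, quarantine = Path(tmp, "site"), Path(tmp, "quarantine")
        (good / "js").mkdir(parents=True)
        (good / "index.htm").write_bytes(b"<html><body>hello</body></html>")
        (good / "about.htm").write_bytes(b"<html>about</html>")
        (good / "js" / "menu.js").write_bytes(b"console.log('menu');")
        live = {"index.htm": b"<html><body>hello<script></script></body></html>",
                "js/menu.js": b"console.log('menu');"}  # about.htm is missing
        def fetch(rel: str) -> bytes:
            if rel not in live:
                raise OSError("constructed download failure")
            return live[rel]
        status = check_site(build_baseline(good), fetch, quarantine)
        return status, sorted(p.name for p in quarantine.iterdir())

if __name__ == "__main__":
    print(demo())
```

In a real monitor, `fetch` would wrap the HTTP download and the returned status would drive the alert and the re-upload of the clean file.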
RASHAD
PureBasic Expert
Posts: 4946
Joined: Sun Apr 12, 2009 6:27 am

Post by RASHAD »

Too bad
Where is your Service Provider in all of this?
Egypt my love

Post by netmaestro »

RASHAD wrote: Where is your Service Provider in all of this?
Good question. My provider sent me an email telling me that my site was reported as distributing badware and gave me 24 hours to prove that I've cleaned it up or they would suspend it under the terms of my service agreement. I replied to them explaining what happened and that I took immediate action (thanks to DarkDragon's early warning) and that all is clean now. They checked, found it to be true and told me I'm in the clear. The problem appears to be that I had a reasonably weak password on my ftp account, just 3 numbers and 6 lowercase letters making up a word that can be found in a dictionary. A bot probably broke it. I changed it to something much stronger and it's unlikely I'll be compromised again anytime soon. And if I am, it'll be for ten minutes tops. Purebasic, the titanium shield 8)
Blood
Enthusiast
Posts: 161
Joined: Tue Dec 08, 2009 8:34 pm
Location: United Kingdom

Post by Blood »

1. Who is your provider?
2. Move to a proper provider!
C provides the infinitely-abusable goto statement, and labels to branch to. Formally, the goto is never necessary, and in practice it is almost always easy to write code without it. We have not used goto in this book. -- K&R (2nd Ed.) : Page 65

Post by MachineCode »

netmaestro wrote: This runs continuously
How can it run continuously when there's 2 x MessageRequesters in there? ;) Were you testing us?
DarkDragon
Addict
Posts: 2344
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany

Post by DarkDragon »

MachineCode wrote:
netmaestro wrote: This runs continuously
How can it run continuously when there's 2 x MessageRequesters in there? ;) Were you testing us?
Nitpicker. It runs continuously until a special situation has been reached. :lol: :wink:
bye,
Daniel
Zach
Addict
Posts: 1675
Joined: Sun Dec 12, 2010 12:36 am
Location: Somewhere in the midwest

Post by Zach »

Absolutely move to a new host, if your account was compromised and they in turn threatened to suspend you for distributing malware..

Post by MachineCode »

Zach wrote: Absolutely move to a new host
+1, I wouldn't put up with a rude host like that.
IdeasVacuum
Always Here
Posts: 6426
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Post by IdeasVacuum »

Absolutely move to a new host, if your account was compromised and they in turn threatened to suspend you for distributing malware..
They are all pretty much the same - looking after their own back, a few customers not being important.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.

Post by Zach »

Maybe so, but I would not put up with that kind of treatment simply on the face of principle.
jmcbride
New User
Posts: 9
Joined: Sun May 05, 2013 9:26 pm

Post by jmcbride »

Can I have a copy of your corrupted index.html file???

Post by netmaestro »

Sorry it's long gone.
c4s
Addict
Posts: 1981
Joined: Thu Nov 01, 2007 5:37 pm
Location: Germany

Post by c4s »

Offtopic:
I'm not sure if that jmcbride guy is spamming or at least a spam account in preparation. I mean come on... 5 posts in just under 30 mins to either outdated or completely random topics?!
If any of you native English speakers have any suggestions for the above text, please let me know (via PM). Thanks!