
Nip hacking in the bud with Purebasic

Posted: Thu Dec 29, 2011 7:41 pm
by netmaestro
Yesterday a friend from this forum let me know that Google was reporting my website as a host for dangerous malware. When I pulled it up in Firefox, sure enough a big red screen warned me that I shouldn't proceed because the site was known to host viruses and worms. So I downloaded my entire site to a folder and scanned it. Two obfuscated scripts were found in my index.htm file. I compared it with the file I had uploaded some months ago and my version was clean. So someone hacked my service provider and planted malware in my index, the dirty rotten scoundrels. I reupped the clean version of my index, submitted my site to Google for a review, and after the six hours or so it took them to get to it, I got the all clear.

This kind of thing is going to happen from time to time. How to defend against it? Why, aim some Purebasic at it of course:


InitNetwork()
Repeat
  If ReceiveHTTPFile("http://www.<mywebsite>.com/index.htm", "d:\index.htm")
    a$ = MD5FileFingerprint("d:\index.htm")          ; Downloaded index
    b$ = MD5FileFingerprint("d:\_website\index.htm") ; Original index
    If a$<>b$
      If CreateMail(0, "<myemail>@<myhost>.com", "Emergency!")
        SetMailBody(0, "Website index has been attacked !")
        AddMailRecipient(0, "<myemail>@<myhost>.com", #PB_Mail_To)
        Result = SendMail(0, "smtp.<mysmtpserver>.com", 25, 1)
        Repeat
          Progress = MailProgress(0)
          Delay(300)
        Until Progress = #PB_Mail_Finished Or Progress = #PB_Mail_Error
        If Progress = #PB_Mail_Finished
          MessageRequester("Emergency!", "Website index has been attacked! Emails sent.")
        Else
          MessageRequester("Emergency", "Website index has been attacked! Unable to send emails.")
        EndIf
      EndIf
    EndIf
  EndIf
  Delay(1000*60*10) ; 10 minutes
ForEver

This runs continuously (actually a more sophisticated version with a systray icon and health check infos but this is the basic idea) on my system and now if someone hacks me again I'll know it in 10 minutes, even if I'm not home.

Re: Nip hacking in the bud with Purebasic

Posted: Thu Dec 29, 2011 9:40 pm
by MachineCode
Instead of a warning email, couldn't you just make an app to upload the clean file every 12 hours? So you know it's always going to be clean at least twice a day, every day.

Re: Nip hacking in the bud with Purebasic

Posted: Thu Dec 29, 2011 9:46 pm
by netmaestro
My current version checks every 10 minutes; if tampering is found, it saves the bad one and uploads the good one. This way I can examine the script(s) and possibly get a line on who may have done this.
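
The save-the-bad-copy, restore-the-good-copy behaviour described in the post above, as an added example that is not netmaestro's own program. The FTP host and credentials, the quarantine folder, the status strings and the procedure names are assumptions made for illustration; it uses the same PureBasic functions as the first post plus the FTP library.

```purebasic
; Added example: quarantine a tampered index and restore the known-good copy.
; Everything in <...> and the d:\ paths are placeholders, not values from the thread.
EnableExplicit
InitNetwork()

#Url$        = "http://www.<mywebsite>.com/index.htm"
#Clean$      = "d:\_website\index.htm"   ; known-good original
#Download$   = "d:\index.htm"            ; scratch copy of the live page
#Quarantine$ = "d:\quarantine\"          ; evidence folder, must already exist

Procedure.i RestoreClean()
  ; Upload the known-good file over the live one; returns non-zero on success.
  Protected ok = #False
  If OpenFTP(0, "ftp.<mywebsite>.com", "<ftpuser>", "<ftppassword>")
    ok = SendFTPFile(0, #Clean$, "index.htm")
    CloseFTP(0)
  EndIf
  ProcedureReturn ok
EndProcedure

Procedure.s CheckOnce()
  ; Returns "ok", "fetch-failed", "no-baseline" or "tampered:<saved file>".
  Protected saved$
  If FileSize(#Clean$) <= 0 : ProcedureReturn "no-baseline" : EndIf   ; nothing valid to compare against
  If ReceiveHTTPFile(#Url$, #Download$) = 0 : ProcedureReturn "fetch-failed" : EndIf
  If MD5FileFingerprint(#Download$) = MD5FileFingerprint(#Clean$) : ProcedureReturn "ok" : EndIf
  ; Keep the tampered file under a timestamped name before anything overwrites it.
  saved$ = #Quarantine$ + "index_" + FormatDate("%yyyy%mm%dd_%hh%ii%ss", Date()) + ".htm"
  CopyFile(#Download$, saved$)
  If RestoreClean() = 0 : saved$ = saved$ + " (restore FAILED)" : EndIf
  ProcedureReturn "tampered:" + saved$
EndProcedure

Define status$, last$
Repeat
  status$ = CheckOnce()
  ; Alert once per change of state instead of every 10 minutes.
  If status$ <> "ok" And Left(status$, 8) <> Left(last$, 8)
    Debug status$   ; hook the CreateMail/SendMail alert from the first post in here
  EndIf
  last$ = status$
  Delay(1000*60*10) ; 10 minutes
ForEver
```

Unlike the loop in the first post, a failed download and a missing baseline file are reported as their own states, so an unreachable site or a deleted reference copy does not pass silently as "clean".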

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 7:04 am
by RASHAD
Too bad
Where is your Service Provider in all of this?

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 7:24 am
by netmaestro
RASHAD wrote: Where is your Service Provider in all of this?
Good question. My provider sent me an email telling me that my site was reported as distributing badware and gave me 24 hours to prove that I've cleaned it up or they would suspend it under the terms of my service agreement. I replied to them explaining what happened and that I took immediate action (thanks to DarkDragon's early warning) and that all is clean now. They checked, found it to be true and told me I'm in the clear. The problem appears to be that I had a reasonably weak password on my FTP account, just 3 numbers and 6 lowercase letters making up a word that can be found in a dictionary. A bot probably broke it. I changed it to something much stronger and it's unlikely I'll be compromised again anytime soon. And if I am, it'll be for ten minutes tops. Purebasic, the titanium shield 8)

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 12:13 pm
by Blood
1. Who is your provider?
2. Move to a proper provider!

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 1:59 pm
by MachineCode
netmaestro wrote: This runs continuously
How can it run continuously when there's 2 x MessageRequesters in there? ;) Were you testing us?

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 2:06 pm
by DarkDragon
MachineCode wrote:
netmaestro wrote: This runs continuously
How can it run continuously when there's 2 x MessageRequesters in there? ;) Were you testing us?
Nitpicker. It runs continuously until a special situation has been reached. :lol: :wink:

Re: Nip hacking in the bud with Purebasic

Posted: Fri Dec 30, 2011 11:37 pm
by Zach
Absolutely move to a new host, if your account was compromised and they in turn threatened to suspend you for distributing malware..

Re: Nip hacking in the bud with Purebasic

Posted: Sat Dec 31, 2011 12:50 am
by MachineCode
Zach wrote: Absolutely move to a new host
+1, I wouldn't put up with a rude host like that.

Re: Nip hacking in the bud with Purebasic

Posted: Mon Feb 06, 2012 12:55 am
by IdeasVacuum
Zach wrote: Absolutely move to a new host, if your account was compromised and they in turn threatened to suspend you for distributing malware..
They are all pretty much the same - looking after their own back, a few customers not being important.

Re: Nip hacking in the bud with Purebasic

Posted: Tue Feb 14, 2012 5:43 pm
by Zach
Maybe so, but I would not put up with that kind of treatment simply on the face of principle.

Re: Nip hacking in the bud with Purebasic

Posted: Sun May 05, 2013 10:15 pm
by jmcbride
Can I have a copy of your corrupted index.html file???

Re: Nip hacking in the bud with Purebasic

Posted: Sun May 05, 2013 10:18 pm
by netmaestro
Sorry it's long gone.

Re: Nip hacking in the bud with Purebasic

Posted: Sun May 05, 2013 10:43 pm
by c4s
Offtopic:
I'm not sure if that jmcbride guy is spamming or at least a spam account in preparation. I mean come on... 5 posts in just under 30 mins to either outdated or completely random topics?!