The day after the hacking...?
April 21, 2012 7:04 AM
My website was hacked. What now?
posted by anonymous to technology (7 answers total) 1 user marked this as a favorite
I have a small ASP project website that I run on a shared server using a third-party hosting provider. Upon visiting the other day, I found that the front page content had been replaced by a lovely hacked-by-so-and-so message. Based on file timestamps, it looks like this happened about March 23rd and I discovered it Wednesday (the 18th).
There appear to have been about eight files uploaded to the main site directory and the content of index.asp was changed. The new files appear to be all manner of ASP scripts designed to glean information about the other pages on the site, access to system files, etc. I can restore the original content, and I'm not as worried about the changes that were actually made. So far, it looks like none of the files in any of the important subdirectories were modified. I've already changed my password.
My questions are about the following:
1) Should my hosting provider be expected to help out or bear some responsibility for this? I called as soon as I noticed what had happened and was told to write an e-mail to technical support. The reply came the following day and basically said that I had waited too long to report the issue, that they don't have any logs remaining that would show what had happened, that they couldn't provide me with any details about whether the attacker had somehow gotten my password, and that I should change my password immediately — in other words, nothing of any use.
Is it reasonable for them to take any more responsibility or do any more to help me investigate the issue? Without more cooperation from them I can't determine what happened, so it's possible that they're at fault here. Should I demand that they look into it in more detail? Ask for my money back? Badmouth them to all my friends and clients? Or is this just the way it goes with third-party hosting?
2) Without the help of my hosting provider, how do I determine what happened? The front page runs on ASP and AJAX — one ASP page uses AJAX to call static content from another ASP page based on the contents of a GET request. Where can I read up on AJAX vulnerabilities? What sorts of things should I look at to prevent this from happening again — if, indeed, it was my fault? With only those technologies in use, how, conceptually, might one have hacked the page? Anyone care to speculate?