My web site is being hacked, what can I do?
October 27, 2007 7:18 PM   Subscribe

What do I do if a web site I maintain has been hacked? I've inherited maintenance of a web site, but I am mostly a front-end person, design and front end coding, so I am completely out of my depth here. Someone is using a user's identity to post hundreds of spam posts on the message board... really disgusting ones. The user has changed her password multiple times so I'm guessing they have another in. When I look at the database since they are both posting often (the real user and the spammers) I can't tell what IP address the spammers are posting from to block it. After that I'm lost... any suggestions?
posted by semidivine to Computers & Internet (14 answers total) 1 user marked this as a favorite
 
What is the software and version of the message board? there have been a couple of security holes in popular forum apps -- since patched, but maybe your install isn't up-to-date?
posted by misterbrandt at 7:41 PM on October 27, 2007


There are literally thousands of explanations for the problem...without knowing any more it's hard to tell what the problem is.

My first suspicion is the user is really posting the messages and lying about being hacked.

Other than that, it depends on the forum. If it was custom made it probably has some security holes such as only using cookies as a method of determining the user's identity. If it's pre-made, make sure it's up to date.
posted by jesirose at 7:45 PM on October 27, 2007


install a captcha on post forms, maybe you can hack something together so that only that particular user has to fill it in.. in the mean time, tell the user to run a virus scan and consider suspending their account.
posted by Dillonlikescookies at 8:13 PM on October 27, 2007


There are a lot of automated forum hacks, esp. for popular packages like phpBB and its variants. Basically someone has programmed a bot to sign up and post garbage spam links to their scams and you need to do something like a captcha to block that automated behavior.
posted by mathowie at 8:50 PM on October 27, 2007


I'm not sure why you say you can't track the IP of the spammer. It doesn't seem difficult to ask the legitimate poster what their IP is, or tell the user to stop posting for a few days, or to just create a new account and ban the old one.
posted by sophist at 8:55 PM on October 27, 2007


Talk with that user, and then disable their account for a few days. If these spamming posts continue (or happen under a different user), then they have another way in; if they don't continue, then set this user up with a brand new account. After that, if the spamming posts return, then it's either the person with the account lying to you, or someone else who has access to their computer (perhaps s/he saves their password to auto-login and a roommate or coworker leverages that.)

If it turns out to be something specific to that person, you can always just cut that person off. If it turns out not to be specific to that person, you can pursue security fixes knowing that you aren't wasting your time going in that direction.
posted by davejay at 11:12 PM on October 27, 2007


One other possibility you might consider is that the user has some kind of keystroke logger or other spyware on their computer.

That would explain why they change their password but the problem continues.
posted by AmbroseChapel at 12:20 AM on October 28, 2007


If your system allows HTML, Unicode, or spaces in usernames it's possible that those are actually two separate accounts: the original and a spoof account (either by chance or to discredit the original person). Are accounts uniquely identified by number or by text?

I'm not sure how likely this is, really, but it's a possibility.
posted by Tuwa at 4:39 AM on October 28, 2007


If the site uses PHPBB it may be relatively easy to find out the IP address or use a mod to find out the IP. Unfortunately if the user is using a dynamic IP you are SOL unless you want to take the chance and ban a whole block of IPs.

The problem is most likely on the user's end. Someone has access to their email or is using a keylogger on their computer. I'd say ban the user for a month until you get it straightened out.
posted by JJ86 at 6:26 AM on October 28, 2007


Response by poster: Wow, thanks for all the replies... to answer a few of the points: the message board is a custom job, built about 7 years ago and then renovated by my developer in 2003; the message board is pretty close-knit, and the poster who's account was hijacked been posting for years so I'm almost 100% sure it's not her posting the spam.

I'm going to email her and suggest she run an anti-spywear program on her computer. But here's the final thing, I disabled the user from posting yesterday and we're still getting posts on her account. At least this might tell me the IP of the spammer! Also, I'm going to install a captcha asap. Thanks all.
posted by semidivine at 3:33 PM on October 28, 2007


If you disabled the user and they can still post, there is a HUGE security flaw there. If they can get around password changes and being disabled, I'm sure it won't take long to get around a Captcha :)

Sorry
posted by jesirose at 7:05 PM on October 28, 2007


If you disabled the user and they can still post, it sounds to me like somebody has admin-level access to your message board's underlying database. If you haven't changed your admin password lately, that would be a good start.
posted by flabdablet at 12:54 AM on October 29, 2007


Sounds like their is exploitable code on a page somewhere on site... could be anything though... one of the more common issues is SQL injection so that could be a place to start...
posted by vitrum at 10:38 AM on October 29, 2007


" the message board is a custom job, built about 7 years ago and then renovated by my developer in 2003;"

Start there. Sounds like there are gaping security holes in your software package.
posted by drstein at 11:58 AM on October 29, 2007 [1 favorite]


« Older I only eat the brains of MBAs...why am I always...   |   must meet kangaroos as cheaply as possible Newer »
This thread is closed to new comments.