
A little while ago I got this email:

hi there,
i am [name], security expert.

your website is not secured. you use a weak password. and you didnt install security to     prevent hacking/malware attacks.
as proof, i upload a file: http://[site]/1337[name].html
dont worry. i didnt edit/change/delete anything of your wesbite. feel free to contact with me to fix security issue. 

cheers
[name]

I checked and the file is there with the content:

hi, i upload this file to proof that your website is not secure. please check your email. 
cheers

This reeks of scam and phishing (particularly the bad English), but I am spooked that this file I didn't create is up on my server.

For reference, I am using a GoDaddy shared hosting server with SSH enabled, and running a Wordpress site with a bunch of subdirectories which have various website personal projects I've worked on, a number using PHP for database (and old Facebook SDK) connections. The file appears to be created by my FTP user.

How is it possible that this person put a file up on my site? How can I patch this security hole? I have already changed my (S)FTP password.

Esaevian
  • Have you contacted Godaddy? There is no way to answer your question as asked - not enough info. I suspect it will be closed. – Xavierjazz Feb 04 '14 at 19:05
  • You're saying there are no common security holes for the setup I posted? If that's the case I'll close it myself. – Esaevian Feb 04 '14 at 19:06
  • 1
    @Esaevian - There are tons of security issues with your current setup. You don't indicate how long the password was. You didn't indicate if you're running the current version of Wordpress. The person clearly got access to your ftp account. You should consider this to be a real threat. You could always contact the person and have them explain. If they won't tell you for free then disregard anything they have to say and handle the problem yourself. – Ramhound Feb 04 '14 at 19:14
  • Definitely looks like a phishing scam to me. Often an attacker will do something like this in order to phish more data from you. The fact that it states you use a weak password could indicate that they already know what it is, and they uploaded a file normally. GoDaddy has really bad security and their customer service agents give out privileged information to clever phishers. ["How I lost my $50,000 twitter account."](https://medium.com/p/24eb09e026dd) – malfy Feb 04 '14 at 19:14
  • @malfy - GoDaddy's account web security itself is fine. They support 2-factor authentication for instance. The fact an employee was tricked into doing something is a slightly different kind of problem. – Ramhound Feb 04 '14 at 19:16
  • @Ramhound Fair enough. I'll close the question and deal with this myself. – Esaevian Feb 04 '14 at 19:29
  • Whatever this isn't a discussion board to argue about GoDaddy's services. The fact still remains that they have poor security. Maybe not at the software level, but as far as training their employees, they have failed. – malfy Feb 04 '14 at 19:31
  • @Esaevian - The important thing to note is the following. DO NOT GIVE UP ANY INFORMATION. You are either dealing with an honest person or you are trying to be scammed. If you ask for more information ( not saying you should ) it should be FREE. – Ramhound Feb 04 '14 at 19:31
  • @malfy - GoDaddy isn't the first huge company to be socially engineered in this way. – Ramhound Feb 04 '14 at 19:32
  • @Ramhound Thanks. I am sort of worried about the information I am giving just by responding, but I guess that's what spam filters are for. – Esaevian Feb 04 '14 at 19:33
  • @Esaevian - He already has your email. What additional information are you giving out? Your domain whois has more information than you might realize out in the public. – Ramhound Feb 04 '14 at 19:35
  • If you have wordpress setup to upload its content via your ftp username, it's likely they exploited a wordpress vulnerability. – malfy Feb 04 '14 at 19:35
  • Is your site set to allow anonymous FTP connections? – Scorpion99 Feb 04 '14 at 19:46
  • @Ramhound, that the email is actually an active email, and not just a black hole. Also the email they contacted me at is not the email on the domain whois, nor on the website itself. – Esaevian Feb 04 '14 at 19:46
  • @Scorpion99 Nope. I don't even have the option. – Esaevian Feb 04 '14 at 19:47
  • 1
    Please don't use comments for chatting or extended discussion. At this point I suggest you better take this to [chat]. Thanks – slhck Feb 04 '14 at 19:47
  • You should post this question on security.stackexchange; they may have useful insight and suggestions. Include WP versions and info on whether your php userids are distinct from your ftp userid. – mgkrebbs Feb 04 '14 at 19:49
  • @mgkrebbs If at all, the OP should have the question migrated there, and not post again. – slhck Feb 04 '14 at 20:08
  • @slhck, that might be true, especially to preserve this wonderful sequence of comments, but it would require that someone with the power to migrate the question would recognize that this web server security question doesn't fit Superuser and does fit Security, and actually take action to migrate it. – mgkrebbs Feb 04 '14 at 20:19

1 Answer

2

Someone can change files on your server without having any of your passwords. Injection attacks like this are very popular.

Make sure your Wordpress and PHP installations are up to date. It is also possible that you have a vulnerability in a plugin or theme. Make sure they are up to date as well, and be sure to disable any plugins/themes you don't need.

Alex McKenzie
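Before patching anything, the owner wants to know what else was dropped besides the "proof" file. The following triage script is an added example, not code from the post or from any commenter; it walks a WordPress-style web root and reports three things a defender checks first after an unexpected upload: files modified recently, PHP files sitting under `wp-content/uploads` (a directory that should hold only media), and files whose owner is not the account that is supposed to deploy the site. The directory tree it scans is constructed inside a temporary directory so the script runs offline; the file names and contents are placeholders, not real artefacts from the question.

```python
"""Post-upload triage of a web root (added example, not from the original post).

Assumes a WordPress-style layout under a root directory. The sample tree built
by build_sample_tree() is constructed for demonstration; nothing in it is real.
"""
import os
import tempfile
import time
from pathlib import Path

# Extensions that PHP on a typical shared host will execute if requested.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def recently_modified(root, since_seconds):
    """Relative paths of regular files whose mtime falls inside the window."""
    cutoff = time.time() - since_seconds
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def php_in_uploads(root):
    """Executable files under wp-content/uploads; that tree should only hold media."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    )


def owned_by_other(root, expected_uid):
    """Files whose owning uid differs from the account expected to deploy the site.

    On shared hosting where PHP runs as the same user as FTP this check tells
    you little, because a compromised plugin writes files as that same user.
    """
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_uid != expected_uid
    )


def build_sample_tree():
    """Constructed sample: an old, legitimate install plus two fresh files."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    ninety_days_ago = time.time() - 90 * 86400
    legit = [
        "index.php",
        "wp-config.php",
        "wp-content/themes/sample/style.css",
        "wp-content/uploads/2013/photo.jpg",
    ]
    for rel in legit:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("placeholder content\n")
        os.utime(f, (ninety_days_ago, ninety_days_ago))  # backdate mtime

    # Two files a scan should flag: a "proof" page like the one in the question
    # and a (harmless placeholder) PHP file in the uploads tree.
    (root / "1337name.html").write_text("hi, i upload this file to proof ...\n")
    dropped = root / "wp-content" / "uploads" / "2014" / "x.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php echo 'placeholder'; ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("modified in last 7 days:", recently_modified(root, 7 * 86400))
    print("php under uploads:      ", php_in_uploads(root))
    print("owned by another uid:   ", owned_by_other(root, os.getuid()))
```

Run it against the real web root by replacing `build_sample_tree()` with the site's path and passing the deploy account's uid to `owned_by_other`. The mtime check is the weakest of the three, since an attacker who already has write access can backdate timestamps; the uploads check is the most useful on its own, because there is no legitimate reason for executable files to live there. Pair the results with the host's FTP and web access logs around the time the file appeared: a file written by the FTP user with a matching FTP login from an unfamiliar address points at credential compromise, while the same file appearing with only web requests in the log points at a plugin or theme vulnerability, which is what the answer above is warning about.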