Posts Tagged ‘Server Break-ins’

Server Space Break-ins

Friday, September 3rd, 2010

I have had my second server space compromise in less than a year. This is one of the less fun aspects of operating websites! My sites are (unfortunately) not high traffic sites, so the value to the hackers is somewhat limited.

The first break-in happened on my main hosting space right at the end of last year. A visitor informed me and I cleaned up the major portion of the damage over the next couple of days. The first action that I took was to change and strengthen the password to the account space. There were a few nooks and crannies that I missed, and about six months later someone ran across one of those and reported it to the hosting company.

The hosting company locked the space and informed me. I called support and they provided me a scan of my space with a list of infected files, over 200, that I had missed when I was going through my original clean-up. Many of the files I just deleted because they were unnecessary. The remainder I cleaned up. I reported back to the hosting company and the space was promptly unlocked. In all, my sites were unavailable for about two hours.

On the first of September my ISP informed me that the hosting space provided with my account had been compromised. I was not even aware that the space was still active. I seem to recall a communication from them a few months ago that unless I took specified action, my space there would be terminated. I took no action and did not really care about the space.

When I checked the space, all of the HTML files had been tampered with. I deleted all of the files and changed the password for the space. The dates on the affected files were the 29th of August. The ISP stated that they had received complaints about the space, and that is even more amazing than the break-in. I do not recall having any pointers to that space anywhere on the web. Considering the construction of what was there, it is almost embarrassing that anyone had seen it at all.

I will probably put up a link directory on the space pointing to some of my real sites. Any bots that happen by would probably like that! This would provide some off-site backlinks to some of my real sites, and that could not hurt. Maybe I will check some of the other free spaces that I had set up and do something similar there if they are still available. This could be the start of something big.

The hackers place infected files on the server when they gain access. Most are probably working for bot herders looking to compromise additional computers to add to their bot networks.

The takeaway from this is to use strong passwords everywhere. Most password-protected spaces are protected for a reason. It is also important to use different passwords on your accounts. That way, if a password is compromised on one space, you don’t have to worry about what other spaces may be at risk.

