Topic: Access via Domain/~(USER)

December 25, 2009, 12:51:57 am
jandal

Hi

A site I did for a charity was compromised today.

~ray/results/jpg/88.html started to appear at the end of the domain. They have now been trawled by the search engines also.

I thought the site had been hacked and contacted my host who said it had NOT been hacked but that:

Quote
this is actually due to a configuration error on the server and not due to any issues on your account.

I didn't understand this; after all, how could these URLs be created from outside of my account?
When I questioned further they said:

Quote
your site was accessed via the Apache mod_dir module.

They asked me would I like this disabled for my account and I have said yes.

Now...I just don't understand what has happened here, was I hacked? Has disabling the apache mod_dir module fixed this issue?

Also, although I've submitted page removal requests to Google and disallowed the pathway in robots.txt - is there any way to get rid of these pages permanently? I just don't understand how someone else can control my URL like this.

Your advice would be appreciated.
thanks
nick

December 25, 2009, 11:05:47 am
Reply #1

MysteryFCM

What they're telling you is that it wasn't the site itself that was compromised directly, but the server itself that was compromised, which gave the attackers access to all sites located on that server.

The first thing I'd suggest you do, is pull down a copy of ALL files and folders on the site, then either restore a backup if available, or go through each and every file (and nope, this can't be skipped if a backup is not available), and ensure no additional code has been added to the files, and no additional files were added by the attackers.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
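
As an added example (not part of the original posts): one way to carry out the check suggested in Reply #1, comparing a downloaded copy of the site against a known-good backup and listing files that were added, modified or removed. The directory names and sample files in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_backup(backup_dir, live_dir):
    """Return files added, modified or missing in live_dir relative to backup_dir."""
    backup, live = hash_tree(backup_dir), hash_tree(live_dir)
    common = set(live) & set(backup)
    return {
        "added": sorted(set(live) - set(backup)),
        "modified": sorted(p for p in common if live[p] != backup[p]),
        "missing": sorted(set(backup) - set(live)),
    }


def demo():
    """Build two small constructed trees (backup vs. downloaded copy) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "css").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Charity</h1>")
            (root / "css" / "site.css").write_text("body{}")
        (backup / "about.html").write_text("about")  # absent from the live copy
        # Constructed changes standing in for unexpected edits and extra files:
        (live / "index.html").write_text("<h1>Charity</h1><script>x</script>")
        (live / "extra").mkdir()
        (live / "extra" / "88.html").write_text("unexpected page")
        return compare_to_backup(backup, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the backup, which must predate the compromise. It covers files inside the account only, so content served from elsewhere on the server will not show up in it.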

December 26, 2009, 08:05:06 am
Reply #2

jandal

Thanks for the info. Should I be very unhappy with my hosting service for this kind of compromise? When I asked them to explain what happened all they would state was the site was not hacked? They also said they ran a malware test on the site and found nothing, should I trust this?

This site now has compromised URLs in the search engine results e.g.

www. charity.com/~ray/results/jpg/88.html

I really don't understand how this can happen without the site getting hacked. I have requested removal of these URLs from Google results but is there anything else I should do to get rid of these URLs?

As for going through all the files, well, I really don't know what to look for - is there any software or scanner that can help with this?

Sorry for all the questions and thanks for your help.

December 26, 2009, 09:18:29 pm
Reply #3

MysteryFCM

Quote
Thanks for the info. Should I be very unhappy with my hosting service for this kind of compromise? When I asked them to explain what happened all they would state was the site was not hacked? They also said they ran a malware test on the site and found nothing, should I trust this?

I'd certainly be unhappy with them, and personally suggest moving to a different host (especially given they don't exactly seem forthcoming with regard to information).

Quote
This site now has compromised URLs in the search engine results e.g.
www. charity.com/~ray/results/jpg/88.html
I really don't understand how this can happen without the site getting hacked. I have requested removal of these URLs from Google results but is there anything else I should do to get rid of these URLs?

Because the server was compromised, it gave the attackers full access to your site, which is how they put the content there.

Quote
As for going through all the files, well, I really don't know what to look for - is there any software or scanner that can help with this?
Sorry for all the questions and thanks for your help.

No apologies necessary.

If you're not adept at checking the code in the files, I'd urge you to re-create the site from scratch if possible. If this isn't possible, feel free to drop me a PM with a copy of the site's files attached (this MUST contain a copy of every file and folder that is currently on the website) and I'll take a look for you.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net