
Thread: "Drive By Downloads" on NOF site files

  1. #1

    "Drive By Downloads" on NOF site files

    Has anyone else had their NOF websites hosted on 1and1 experience what they describe as a "drive by download"? They indicate that the website has been attacked by a third party: Malicious code inserted into the files which aims to infect the computer of every visitor to the website. But then go on further to say the creating/publishing PC has a malware installed that allows a third party to access your data. I am confused. I am creating and hosting nine other sites, two of which are on 1and1 and the rest on godaddy. I have had zip trouble with any other sites and it would seem that they too would be experiencing issues. Anyone with this type of experience? I use Webroot Secureanywhere v 8 which continually scans my computer for viruses, etc. I have had no files reported as suspicious or malicious.

    They indicate that a SFTP must be used. Is NOF's built in FTP not secure?

    They also indicated I will have to give the file(s) proper, 644 permissions once the malicious code has been removed. I don't know anything about the 644 permissions either.

    Thanks for any insight into understanding this situation.

  2. #2
    Joe Rotello
    Guest

    Re: "Drive By Downloads" on NOF site files

    On 2/4/2013 6:44 PM, Hope43 wrote:
    > Has anyone else had their NOF websites hosted on 1and1 experience what
    > they describe as a "drive by download"? They indicate that the website
    > has been attacked by a third party: Malicious code inserted into the
    > files which aims to infect the computer of every visitor to the website.
    > But then go on further to say the creating/publishing PC has a malware
    > installed that allows a third party to access your data. I am confused.
    > I am creating and hosting nine other sites, two of which are on 1and1
    > and the rest on godaddy. I have had zip trouble with any other sites
    > and it would seem that they too would be experiencing issues. Anyone
    > with this type of experience? I use Webroot Secureanywhere v 8 which
    > continually scans my computer for viruses, etc. I have had no files
    > reported as suspicious or malicious.
    >
    > They indicate that a SFTP must be used. Is NOF's built in FTP not
    > secure?
    >
    > They also indicated I will have to give the file(s) proper, 644
    > permissions once the malicious code has been removed. I don't know
    > anything about the 644 permissions either.
    >
    > Thanks for any insight into understanding this situation.
    >
    >

    As a web-host myself, hosting our own websites and others on our 1and1
    server, not sure what you are asking.

    If you are asking if we see any "drive by" hijacked websites on our
    1and1 server, no, none that I have seen in the past 8 years of 1and1
    hosting.

    Also, IF 1and1 has had their servers compromised, OR, if a web-host --
    that's you or I with our 1and1 hosted web-sites -- has been compromised,
    they will email their customers that host with them, and sometimes they
    have even phone called customers.

    I presume the above information is what you are referring to?

    Joe
    WindowGroup / Knoxville, TN / USA

  3. #3
    gotFusion
    Senior Member (Join Date: Jan 2010; Location: www.gotHosting.biz; Posts: 4,529)

    Most of the time this is caused by the user (you) having insecure passwords.

    All passwords, including your hosting control panel and all FTP accounts, need to have passwords that are made up of random alpha/numeric characters interspersed with numbers consisting of between 10 and 14 characters in length. Something like kU5b*r9nQ%gT8v is going to be harder to hack than "admin" or "mysite" or I have seen some people use "password" for their password. Also delete all FTP accounts but one in your hosting control panel.

    Change all of your passwords and DO NOT reuse a password anywhere. Use a different password on every login on every site, forum, and application.
    NetObjects Fusion Cloud Linux enabled Web Hosting, support + training starts at $14.95
    NetObjects Fusion web Hosting and support + ASP + PHP + ColdFusion + MySQL + MS SQL
    FREE NetObjects Fusion Support & training comes with all web hosting accounts
    NetObjects Fusion Web Hosting: http://www.gotHosting.biz

  4. #4


    Tk U for your time and response. Yes, they notified me, even showed infected code. I still have these questions and would appreciate input here to clarify.
    Other questions not answered yet: Is NOF's built in FTP not secure?

    They also indicated I will have to give the file(s) proper, 644
    permissions once the malicious code has been removed. I don't know
    anything about the 644 permissions either.

  5. #5
    gotFusion
    Senior Member

    Are you using the retail version of Fusion or the free 1and1 version that they give away?

  6. #6
    Twayne
    Guest

    Re: "Drive By Downloads" on NOF site files

    In news:Hope43.5qaqtz@no-mx.forums.netobjects.com,
    Hope43 <Hope43.5qaqtz@no-mx.forums.netobjects.com> typed:
    > Tk U for your time and response. Yes, they notified me,
    > even showed infected code. I still have these questions
    > and would appreciate input here to clarify.
    > Other questions not answered yet: Is NOF's built in FTP
    > not secure?
    >
    > They also indicated I will have to give the file(s)
    > proper, 644 permissions once the malicious code has been
    > removed. I don't know anything about the 644 permissions
    > either.


    Personally, I'd suspect you may not be the creator of the bad code, but
    rather someone else has compromised one or more of your online forms. It
    could be anything from code injection to plain old lack of sanitizing and
    cleaning ALL input from ANY source for anywhere you accept any kind of
    external input, knowingly or not.
    Of course, I'm sure you never use a mailto: link anywhere, right? Input
    MUST come in thru a form where the data can be closely scrutinized before
    it's allowed to be used in any way.

    If your ISP sent you code, find the page it's on and scrutinize it with a
    fine tooth comb to find any niches that might let a person in.

    There are many resources on the web about how to secure web pages from the
    very sort of thing you're experiencing. Most all of them use PHP and
    server-side scripting; do you?

    Oh, 644 permissions;
    It's the permissions 444 just read only.
    644 just read and write

    If I recall correctly:
    4 is read
    5 is read/execute (execute is always needed for directories)
    6 is read/write
    7 is read, write, and execute

    This link might make things clearer:
    http://www.zzee.com/solutions/unix-permissions.shtml
    or this one:
    http://www.maenad.net/geek/di8k-debian/node30.html
    or this one:
    http://www.centos.org/docs/2/rhl-gsg...-chmodnum.html

    Those are all settings made on your remote server, not your local machine
    unless you run a local server.

    HTH,

    Twayne
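
The octal digits discussed in the post above, and the host's instruction to put cleaned files back at 644, worked through as an added example that is not part of the original thread. The function names (`mode_to_symbolic`, `audit_file_modes`, `fix_file_modes`) and the sample directory tree are constructed here for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample tree are constructed here.

# Turn a three-digit octal mode (owner, group, others) into the rwx string
# that `ls -l` prints. Each digit is a sum of 4 = read, 2 = write, 1 = execute.
mode_to_symbolic() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $(($digit & 4)) -ne 0 ] && r=r
        [ $(($digit & 2)) -ne 0 ] && w=w
        [ $(($digit & 1)) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# List regular files under a directory whose mode is not exactly 644.
audit_file_modes() {
    find "$1" -type f ! -perm 644 -print | sort
}

# Reset those files to 644 (owner read/write, everyone else read only).
# Directories are left alone because they need the execute bit to be entered.
fix_file_modes() {
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

demo() {
    root=$(mktemp -d)               # constructed stand-in for a web root
    : > "$root/index.html";  chmod 644 "$root/index.html"
    : > "$root/contact.php"; chmod 666 "$root/contact.php"   # writable by anyone
    : > "$root/upload.php";  chmod 777 "$root/upload.php"    # writable and executable by anyone
    for m in 444 644 755 666 777; do
        printf '%s = %s\n' "$m" "$(mode_to_symbolic "$m")"
    done
    echo "Files not at 644 before the fix:"
    audit_file_modes "$root"
    fix_file_modes "$root"
    echo "Files not at 644 after the fix: $(audit_file_modes "$root" | wc -l)"
    rm -rf "$root"
}
demo
```
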



  7. #7


    Retail - I have purchased it evolving all the way from Ver 8. I actually do as little as possible with 1and1, so no, not using free version.

  8. #8


    Tk U for your interest in educating me further. I have reviewed all of my local backup code and it is clean. I am trying to republish and am now having problems. I am getting the NOF message "connection failed, Pls make sure you have entered the correct attributes and that you are connected to the internet." I changed all my password info with 1and1. I have not deleted any of my files on the host server. Figured I'd just rewrite over them with "clean" website files. I somehow feel that while my ftp password is changed and has had time to populate, 1and1 is not letting me publish there. Any ideas?

  9. #9
    gotFusion
    Senior Member

    Is 1and1 requiring you to connect using one of the secure formats such as SSH/SFTP or SSL/TLS?

    These are questions you need to ask your host as they are the ones with the answers to your problem.

  10. #10


    Thank you Mike. I don't think so as I am using the regular FTP built into NOF. I feel like I need to use the SFTP but don't know what the attributes need to be for using NOF or what parameters 1and1 has for receiving a SFTP.
