After investigating my websites, which were hacked recently, I think I have now found out how they did it:
- This code downloaded some other .exe which apparently scanned my disk for popular (s)ftp programs and grabbed addresses and passwords from them.
Fortunately, this happened during the holidays, when not many people visited these websites, and I fixed it within a few hours.
I reconstructed all this only from file dates, registry entries and logs, so it might not be the full story, but I think it is pretty close. The bad thing is that this happened to me while using the latest (or at least very, very recent) versions of most software, with all security updates installed. What I learned from this, and what you can do to prevent the same from happening to you:
- Disable plugins (Flash, Adobe Reader, etc.) when surfing the web to reduce the security risk.
- Enable data execution prevention (DEP) if your CPU supports it. On another PC on which I tried this, it prevented that security hole from working.
- Don't let (s)ftp programs store your passwords.
- I had antivirus software installed, and it noticed the threat. But it didn't prevent the problem; it just kicked in _after_ the trojan had already executed: "Hey, there is a trojan on your hard disk! But too late. Just wanted to let you know. You are fucked now." So don't count on antivirus software at all.
- Make backups (I had plenty of those, fortunately).
It's easy to be wise after the event... :)