My Entire Hosting Account is Hacked! Look out!

Discussion in 'Black Hat SEO' started by xxf8xx, Apr 16, 2012.

  1. xxf8xx

    xxf8xx Supreme Member

    Joined:
    Nov 30, 2009
    Messages:
    1,321
    Likes Received:
    596
    Occupation:
    IM
    A couple days ago I noticed my Adsense earnings drop to 0. I got a chance to look into it today and to my surprise, G didn't screw me over, some lame hacker did. Almost every single htaccess file I have is infected with a redirect to a Russian website. They automatically rewrite themselves every hour or so. So far what I have done is downloaded a script which looks for exploits on my server and it found 4 instances of the "WebShell by oRb" exploit. I have since deleted them and started changing all of my htaccess files back to normal. Hopefully they won't be hacked again.

    Anyway, just wanted to give a heads up to everybody to UPDATE everything. WordPress, themes, plugins, everything. Also, don't forget to do virus scans every now and then, and change your passwords frequently. I was very close to nuking my entire server and reinstalling all of my sites from scratch. Hopefully I won't have to do that.

    Cheers,
    xxf8xx
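
The .htaccess tampering described in the opening post can be checked for with the Python below, which lists redirect directives whose target leaves your own domains. It is an added example, not code from the thread; the host names and sample file are constructed, and `own_hosts` is an assumed allowlist you supply.

```python
import os
import shlex
from urllib.parse import urlsplit

# Position of the destination argument per directive (0 = name, -1 = last).
TARGET_ARG = {"rewriterule": 2, "errordocument": 2, "redirect": -1,
              "redirectmatch": -1, "redirectpermanent": -1, "redirecttemp": -1}
# Constructed sample: stock rules plus two injected-looking lines.
SAMPLE = r"""RewriteEngine On
RewriteRule ^index\.php$ - [L]
Redirect 301 /old https://www.myblog.example/new
RewriteRule ^(.*)$ http://redirect-target.example/in.php?u=$1 [R=301,L]
RedirectMatch 302 ^/$ http://redirect-target.example/
"""

def external_redirects(text, own_hosts):
    """Return (line_no, directive, host) for redirects that leave own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            args = shlex.split(line)
        except ValueError:              # unbalanced quote, e.g. inside a regex
            args = line.split()
        idx = TARGET_ARG.get(args[0].lower())
        if idx is None or len(args) < 3:
            continue
        try:
            host = (urlsplit(args[idx]).hostname or "").lower()
        except ValueError:              # malformed URL; nothing to compare
            continue
        if host and host not in own and not host.endswith(tuple("." + h for h in own)):
            findings.append((no, args[0], host))
    return findings

def scan_tree(root, own_hosts):
    """Run the check on every .htaccess under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_redirects(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

Because the files in this thread were rewritten roughly every hour, rerunning `scan_tree` on a schedule shows whether something on the server is still rewriting them after cleanup.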
     
  2. CloneX

    CloneX Power Member

    Joined:
    Mar 31, 2012
    Messages:
    597
    Likes Received:
    228
    Happened to a LOT of people, not me. Just change your file permissions to 444, or ask your host provider to lock the file permissions, and prevent any further changes to them. Obviously you wouldn't want to do this to the files that need to be changed, modified, edited in order for your website to run.
     
  3. hurn

    hurn Power Member

    Joined:
    Jan 21, 2009
    Messages:
    692
    Likes Received:
    191
    There are free plugins with viruses and they can hack your hosting.
     
  4. RMX

    RMX Power Member

    Joined:
    Nov 16, 2009
    Messages:
    726
    Likes Received:
    389
    Occupation:
    Network Security Admin
    Location:
    London, UK
    If you're using WordPress, get WP Security Scan. This has helped many people I know that had the same problem. I assume you have a VPS or dedicated server, as you said "nuking my entire server". If so, install ClamAV on it. This antivirus is capable of scanning for the most popular script infections.
     
  5. Impulse

    Impulse BANNED BANNED

    Joined:
    Feb 6, 2010
    Messages:
    377
    Likes Received:
    193
    Maintain regular backups. A great philosopher, possibly Confucius, once said 99% of a website lies in the databases. Back up MySQL!
     
    • Thanks Thanks x 4
  6. CloneX

    CloneX Power Member

    Joined:
    Mar 31, 2012
    Messages:
    597
    Likes Received:
    228
    That was Socrates, I think.
     
    • Thanks Thanks x 1
  7. derpbuz

    derpbuz Registered Member

    Joined:
    Mar 29, 2012
    Messages:
    89
    Likes Received:
    17
    My site recently got hacked too, displaying a virus alert when visiting my site.

    WP Security Scan is a must. Also change wp_ to something else; follow the WP Security Scan instructions.
    Install WordPress Firewall.
    Also put an htaccess file in your admin folder allowing only your IP to access it.

    Please share anything else to prevent your site from being hacked.
     
    Last edited: Apr 16, 2012
  8. jamunkala

    jamunkala Regular Member

    Joined:
    Aug 14, 2010
    Messages:
    284
    Likes Received:
    55
    Location:
    India
    Regular backups and downloading them is the best option; all others follow later. Also keep old backups, not all but from when you made major changes, for the past 6 months, on hard drive and pen drive.
     
  9. CloneX

    CloneX Power Member

    Joined:
    Mar 31, 2012
    Messages:
    597
    Likes Received:
    228
    I keep backups of the previous 7 days at least. That's the safest way to go.
     
  10. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    Pls delete
     
    Last edited: Apr 16, 2012
  11. xxf8xx

    xxf8xx Supreme Member

    Joined:
    Nov 30, 2009
    Messages:
    1,321
    Likes Received:
    596
    Occupation:
    IM
    Well I got rid of the hack, but unfortunately G dropped 99% of my sites. I filed a reconsideration on my most important one. Anyone know if the rest will bounce back?
     
  12. Ewan-L

    Ewan-L Regular Member

    Joined:
    Mar 10, 2012
    Messages:
    450
    Likes Received:
    53
    Occupation:
    The web
    Location:
    UK
    Don't WordPress review all the plug-ins before they are made public? Or are you talking about ones that aren't in the plug-ins store?
     
  13. xxf8xx

    xxf8xx Supreme Member

    Joined:
    Nov 30, 2009
    Messages:
    1,321
    Likes Received:
    596
    Occupation:
    IM
    He's probably referring to "nulled plugins". Or ones that you downloaded "illegally"... heh...

    The way I'm pretty sure I was infected was by a key logger which took my FTP info. The hacker then uploaded his WebShell and could infect pretty much everything automatically.
     
  14. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    Use WordPress Firewall 2 and Block Bad Queries. Those are the best security plugs.
     
  15. jb007uk

    jb007uk Regular Member

    Joined:
    Nov 28, 2008
    Messages:
    216
    Likes Received:
    15
    Happened to me recently from some hacker from Russia, caused me a lot of trouble and money. They got into my hosting via keyboard. So as mentioned here, regular backups and run malware software on a regular basis. I suspect it was something downloaded. Since this happened I download to sandboxie.com software and run Malwarebytes Anti-Malware software after download just to be sure.

    Hope it helps
     
  16. GETHITS.YOU50

    GETHITS.YOU50 BANNED BANNED

    Joined:
    Apr 10, 2012
    Messages:
    115
    Likes Received:
    25
    I got hacked 3 weeks ago and they changed my public file to a designed "hacked by" page.
     
  17. Ewan-L

    Ewan-L Regular Member

    Joined:
    Mar 10, 2012
    Messages:
    450
    Likes Received:
    53
    Occupation:
    The web
    Location:
    UK
    That's crap mate :(

    Good luck in getting it all fixed.

    I try to stay away from dodgy plug-ins and apps and things because I've also had nasty experiences from applications before.
     
  18. drwhite

    drwhite Regular Member

    Joined:
    Jan 24, 2012
    Messages:
    292
    Likes Received:
    55
    Location:
    paradise
    Be careful with premium cracked plugins! Good thing you solved it.
     
  19. xxf8xx

    xxf8xx Supreme Member

    Joined:
    Nov 30, 2009
    Messages:
    1,321
    Likes Received:
    596
    Occupation:
    IM
    Can someone please let me know if my sites will jump back up in G?

    Cheers,
    xxf8xx
     
  20. no4h~

    no4h~ Regular Member

    Joined:
    Apr 11, 2011
    Messages:
    456
    Likes Received:
    330
    The most anybody here can tell you is 'Maybe'.

    I've seen cases where sites bounce right back from Google after a reconsideration was filed... and I've seen cases where the website ended up being manually reviewed and was found to be using blackhat tactics. Sure, they weren't listed as malicious anymore, but at the cost of being deindexed. lol.

    It's so crazy to hear so many people here that are having their websites hacked into. I had my entire hosting account (and all 26 add-on domains) hacked into. It acted a little differently than all of these other posts. Brilliantly repeatedly went through all of my HTML and PHP files and injected an inline driveby into the body. Anytime I removed it from the file, and uploaded the updated file, it would reinject. I went through like 8 restores with my host to finally get rid of the damn thing.

    Glad you were able to get rid of it though. I'd recommend formatting your computer as well, just in case it infected you with a key-logger or anything stupid like that. Be sure to look through all of your files in all of your directories for any files it may still be able to inject through. I found 3 in multiple folders, some hiding in /images/ and /scripts/. Named things like image0292.png.php, indexx.php, _.php. It was DUMB.
     
    • Thanks Thanks x 1
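
The file names mentioned in the post above can be turned into a name-and-location check that runs over a web root. This is an added example, not code from the thread; the directory names in `ASSET_DIRS`, the `KNOWN` entry points and the similarity cutoff are assumptions.

```python
import difflib
import os
import re

# Assumed names; adjust to the directories and entry points your sites use.
ASSET_DIRS = {"images", "img", "scripts", "js", "css", "uploads"}
KNOWN = ("index.php", "wp-config.php", "wp-login.php")
PHP_EXT = (".php", ".phtml", ".php5")
# A non-PHP extension directly before the PHP one, as in image0292.png.php
DOUBLE_EXT = re.compile(r"\.(png|jpe?g|gif|ico|css|js|txt)\.(php5?|phtml)$")

def classify(relpath):
    """Return the reasons a path (relative to the web root) looks out of place."""
    parts = relpath.replace("\\", "/").lower().split("/")
    name, reasons = parts[-1], []
    if not name.endswith(PHP_EXT):
        return reasons
    if DOUBLE_EXT.search(name):
        reasons.append("double extension")
    if ASSET_DIRS.intersection(parts[:-1]):
        reasons.append("PHP in asset directory")
    if not re.search(r"[a-z0-9]", name.rsplit(".", 1)[0]):
        reasons.append("name has no letters or digits")
    near = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.85)
    if near and name not in KNOWN:
        reasons.append("lookalike of " + near[0])
    return reasons

def scan(root):
    """Walk root and return {relative_path: reasons} for every flagged file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            reasons = classify(rel)
            if reasons:
                flagged[rel.replace(os.sep, "/")] = reasons
    return flagged

if __name__ == "__main__":
    # File names quoted in the post above, placed in a constructed layout.
    for p in ("images/image0292.png.php", "scripts/_.php", "indexx.php",
              "index.php", "images/logo.png"):
        print(p, classify(p))
```

A hit is a reason to open the file and compare it against a known-good copy, not proof of compromise.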