
Site Hacked - All files deleted

Posted by cdutoit, 10-12-2013, 04:26 PM
Hi - My site was hacked today. Fortunately, I had a backup take place about 6 hours prior to the hack so was able to do a restore. However, I need some advice and suggestions. All the sites on that server were hacked by someone called Dasher Hacker. One of my sites is still hacked...I haven't restored it. You can see the hacker's page at http://transfer.ly. When I Google this hacker, I can see a ton of sites hacked by the same person so he is exploiting some sort of vulnerability. The databases were left intact. It looks like ALL the files were deleted and replaced with one index.php. Can you please provide me with some ideas of how someone would be able to do this? Fortunately WHM was still there, as were my backups. It looks like they got into the sites individually and deleted the files. Finally, if anyone has any suggested/recommended firms I can engage for "server hardening" please share. Thanks

Posted by benj114, 10-12-2013, 04:33 PM
I would contact Steven at Rack911.com right away for help to get this resolved. Simply restoring the backups will not solve the problem, as they can just do it all over again.

Posted by kevincheri, 10-12-2013, 04:52 PM
Yes, you would need some experts to identify how they managed to get in the first time, not just clear the hack. Check your FTP logs, or the POST requests, to see if they managed to hack through your vulnerable code etc.

Posted by vincent_g, 10-12-2013, 04:53 PM
To help you depends on what happened. How did the hacker get in? First, do you have FTP access to all those sites? To make this clear - are you using an FTP app and have each site set up in that app? If this is true, the problem may be your office PC has been infected with spyware. Clean out your PC of all spyware and you're done. If not, then you have had a security problem with your server. Since all sites have been damaged and, from what you say, all files erased on each, then do a full re-install of your OS and control panel. After that you need to beef up your security.

Posted by Genius Guard, 10-12-2013, 04:58 PM
Change your FTP and control panel password. Check log files to find the source of the attack; it can be an FTP password brute force or a bug in your script or CMS. If you are a newbie, you can get an expert to do that. If you are on a shared server, it is possible that your shared server's security is not enough; try changing your host to another secure one.

Posted by UnfinishedSentenc, 10-12-2013, 05:18 PM
No they do not need to pay some 'experts' who are being shilled on this site. 99% of the time these are script kiddies using publicly known exploits which are almost always fairly simple hacks. Not hard to figure out what they are doing with only minimal knowledge and a bit of googling.

Posted by kevincheri, 10-12-2013, 05:38 PM
Agree.. but the OP doesn't seem that knowledgeable and really needs someone to get his site back up and secure.

Posted by MikeDVB, 10-12-2013, 05:50 PM
I wouldn't suggest changing hosts unless you are sure the issue was with the host and they're not handling it well. Compromises can happen - we all do our best to prevent it - but nothing is 100%. Any provider that hasn't seen some sort of compromise hasn't been in business very long or doesn't have many customers.

Posted by khunj, 10-13-2013, 10:51 AM
According to Google's cache, your site allows files to be uploaded to the server. I would recommend having a closer look at your upload script.
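
Added example, not part of any post in this thread: a log-triage sketch for the two checks suggested above (reviewing POST requests, and looking closer at the upload script). It reads Apache combined-format access log lines and reports any .php path that is first requested only after the same client made a successful POST; the sample lines, IP addresses and paths are constructed.

```python
import re

# Apache "combined" access log format; only the fields used below are captured.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2013:09:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2013:10:01:12 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2013:10:01:20 +0000] "GET /files/x1.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2013:10:01:45 +0000] "POST /files/x1.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2013:10:05:00 +0000] "POST /contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2013:10:05:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["path"].split("?", 1)[0]  # ignore the query string
            yield e

def triage(lines):
    """Return (ip, posted_to, new_script) for scripts first seen after a POST by that IP."""
    seen_scripts = set()  # .php paths requested so far by any client
    last_post = {}        # ip -> path of that client's latest successful POST
    findings = []
    for e in parse(lines):
        ok = e["status"].startswith("2")
        is_script = e["path"].lower().endswith(".php")
        if is_script and ok and e["path"] not in seen_scripts and e["ip"] in last_post:
            findings.append((e["ip"], last_post[e["ip"]], e["path"]))
        if is_script:
            seen_scripts.add(e["path"])
        if e["method"] == "POST" and ok:
            last_post[e["ip"]] = e["path"]
    return findings

if __name__ == "__main__":
    for ip, posted_to, script in triage(SAMPLE_LOG.splitlines()):
        print(f"{ip}: POST {posted_to} then first-ever request for {script}")
```

"First seen" is relative to the start of the log being read, so feed it enough history from before the incident for normal site scripts to have appeared already.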

Posted by fshagan, 10-13-2013, 12:25 PM
Is this a dedicated server? Were all of your sites, managed as separate accounts in WHM, hacked? Were there other accounts, managed by other people, also hacked? The reason I ask is that some very common FTP programs like FileZilla store site passwords in plain text on your computer, and malware can steal the passwords and distribute them. When I see multiple accounts that all have different passwords compromised, this is often the cause. If you are using FileZilla, for example, and saving passwords in the "Site Manager", all the account details could have been stolen. If you change the passwords and update FileZilla with them, and don't clean the malware out, it will happen again. I've found that because the malware doesn't do anything weird, many antivirus programs don't catch it. I guess the guy who complained about someone giving you a recommendation didn't see this part of your post. There are a couple of options. Steven at Rack911 seems to be active here and is well regarded. I use CSF (ConfigServer.com's Firewall) and their paid CXS (ConfigServer eXploit Scanner) for daily scans. ConfigServer provides a basic server hardening service that may also work for you if you don't want to go through and set up CSF and CXS.

Posted by fshagan, 10-13-2013, 12:27 PM
The OP asked for a recommendation, so you did the right thing.

Posted by kevincheri, 10-13-2013, 02:57 PM
Thanks for the heads up fshagan, problems surely need expert hands. IMO it needs to be investigated to get to the root, not just 'sort' the problem.
