Advice on Hacking

Discussion in 'H-Sphere Reseller Hosting' started by Randyo35, Aug 10, 2009.

  1. Randyo35

    Randyo35 Guppy

    I had three domains hacked. All three domains are on the same user account (cp) and they are the only domains on the account. All three domains are WordPress blogs on a Linux box. The hackers changed the index.php page (only) with their trophy page of success.

    Now I need to figure out how they got in....via the account or via Wordpress. Has anyone else experienced this recently...and any worldly advice on keeping them from doing it again.
  2. nzkiwi

    nzkiwi Perch

    If WP is up to date, then most likely through a compromised PC with Control Panel and/or FTP access to the accounts. A recent method of compromising PCs has been through some Adobe product. See Stephen's post. However, it's not the only method of attack.

    Do a full virus scan on any PC that has FTP or Control Panel access to the affected accounts.
  3. Randyo35

    Randyo35 Guppy

    OK, I’m a believer. I’m pretty sure they got in through my laptop because the domains affected were ftps on my computer and clients that I didn’t need ftp connection to were not affected. The hack replaced only the index page on 12 websites (html and php).

    I run updated Adobe suite, I have the whole CS3 Suite and update Flash as needed. AVG (not a free edition) runs on the computer every night. I bore you with this because I need some ideas on how to find the compromise on my laptop... maybe another virus scan software suggestion, a script someone might know of, etc. I have deleted the ftp connections for now. Any help would be appreciated.
  4. Stephen

    Stephen US Operations Staff Member

    Change the FTP password from the control panel if you haven't done that yet. If you have updated the Adobe software you should be safe from it happening again.

    Here's one thing I've noticed about these defacements, they are storing the password for a while. I found one account defaced that had initially been 'scanned' by a botnet a month before an action happened, so they sat on the password for quite a long time and it made it to a 'verified good' password list, then to a botnet that defaced the pages thoroughly from many IPs.

    Now this is only an example, but one that has been common in the last 4-5 months.
  5. Randyo35

    Randyo35 Guppy

    Thanks Stephen..

    I did change all passwords... CP and FTP. I'm next working on changing database passwords... a little bit more work because of settings and config.php files.

    I have no clue on how to find any hidden script in any other files on the server so I will start to upgrade or reload the sites with fresh scripts. If you think of anything else helpful....I'm listening.
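
An added example, not part of the thread: one way to look for leftover scripts after a defacement like the one described, by flagging recently modified files, PHP files sitting in upload directories, and PHP that wraps a decoder in `eval`. The patterns, directory names and sample tree are assumptions constructed for the illustration.

```python
import os, re, tempfile, time

# Assumed heuristics, not from the thread: wrappers often seen around injected PHP.
OBFUSCATED = re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SCRIPT_EXT = (".php", ".phtml", ".php5")
UPLOAD_DIRS = {"uploads", "cache", "images"}  # places that should hold no scripts

def audit_webroot(root, since_epoch):
    """Return sorted (relative_path, reasons) for files that deserve a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).lower().split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            try:
                if os.stat(path).st_mtime >= since_epoch:
                    reasons.append("modified-in-window")
                if name.lower().endswith(SCRIPT_EXT):
                    if parts & UPLOAD_DIRS:
                        reasons.append("script-in-upload-dir")
                    with open(path, "rb") as fh:
                        if OBFUSCATED.search(fh.read(1_000_000)):
                            reasons.append("obfuscated-eval")
            except OSError:
                continue  # unreadable file: skip it rather than abort the walk
            if reasons:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and audit it with a 7-day window."""
    now = time.time()
    old = now - 90 * 86400
    sample = {  # constructed files: relative path -> (content, mtime)
        "index.php": (b"<html>replaced page</html>", now - 3600),
        "wp-config.php": (b"<?php define('DB_NAME', 'blog'); ?>", old),
        "wp-content/uploads/2009/x.php": (b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>', old),
        "wp-content/uploads/2009/photo.jpg": (b"\xff\xd8\xff", old),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mtime) in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (mtime, mtime))
        return audit_webroot(root, now - 7 * 86400)
```

Modification times can be reset by whoever wrote the file, and the thread notes that passwords were held for about a month before use, so choose a wide window and treat a clean result as inconclusive.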
  6. nzkiwi

    nzkiwi Perch

  7. mohit

    mohit Guppy

    I would recommend also to check the version of WordPress or whichever content management software you are using. It might be that your CMS package has some flaws or bugs, due to which hackers have gained admin privileges on the website and changed the index page of your website.

    Update your CMS package, scan your laptop with a good updated antivirus, and change all the passwords of your mail accounts (even Gmail, Yahoo, Hotmail) and all your website control panel and FTP passwords.
