My client sites are getting HACKED!! Help!!!

Similar thing happened at the agency I worked at. To stop a hacker, you have to know how to hack and none of us knew how to do that.

Try contacting your host. Depending on the company, they might go in and look at your files and do a scan and clean up for your files.

If not, you'll have to hire somebody. We ended up hiring somebody off of odesk to go in. Almost always, there's a hidden file with malicious code. And you need someone experienced with fixing and build hacks and viruses to identify it and make sure it doesn't happen again.

It sounds like the hacker has managed to access the server root, so you need to get onto your hosting company immediately. Chances are you're not the only account being affected, which may be why your hosting company is taking so long to respond..

As far as the redirect is concerned: there's probably a rogue php script replacing index.php or index.html. Go through the site and look for any files which have been modified. If possible restore the site from backup. Then check the server logs. If you find a php script that's being triggered remotely, that's probably the hackers at work. Delete the script and blacklist the IP address.

The mail backlisting is more tricky as it's beyond your control. Perhaps others here can advise you better than I can, but you may have to consider using a variant of your domain for sending mail (yourdomain.net instead of yourdomain.com for example).

Your webhosting has couple of voulnerable backdoor wide open. Happened also to me couple years ago and all I can tell you - move to a new host asap. Before more damage is done.

I had this, some script was uploaded to a domain on the server and because of crap security this script allowed the hacker to view all web root folders of every domain on that server.

Wordpress was the backdoor in my case.

Check all your hosted sites folders for a php script with an unusual name, mine was in a theme folder.

As mentioned this redirect is most likely a replaced index.htm / php page or .htaccess file.

I run hosting server for my clients and attempts to hack, guess passwords and exploit vulnerabilities within hosting platforms, such as wordpress happens every *second* (not even every minute).

Here's a picture of a snapshot of security stats for the last 24 hours showing attempts to login (guess passwords) to all sites across my hosting server as well as attempts to exploit Wordpress xmlrpc vulnerability. All IP addresses listed are hackers and servers where hackers are operating from:



The problem here is actually knowing whats actually going on and knowing measures and countermeasures to remedy situation.

Your solution depends on how severe is infection:
- How many sites are affected?
- Do you run WHM/Cpanel or all sites are sharing the same file system space?

From my experience - it could be quite hard to "cleanup". Infected and backdoor-ed files could be everywhere and not all scanners will pick them up.
In my cases - I keep clients websites separate and isolated from each other to prevent cross pollution and cross infection.
In last case of client's infection due to hacked wordpress site I had to write custom script to detect and eliminate infections as no other software would pick them up.

More reliable solution would be to switch to new, more secure hosting space and do your best to restore website contents without copying scripts from old sites to new.

This way you'll be starting afresh with all garbage behind and hopefully more security to serve you.

Gleb

WordPress?

Plugins?

This happened to me last year. My hosting company suggested I delete the affected sites from their server and re-establish them. Of course, you need to have everything backed up in advance of doing that. Luckily, I did.

A client of mine got hacked yesterday, however all site files are still there so just looking for the root cause of problem.

Thankfully no other sites affected but it really is an inconvenience. I am hoping the site can be restored with no major issues.

Hope it works out well for you man.

Happened to me a few months back.

Cleaned all files... But the my client's sites were hacked again

The best solution?

Change your server!

Get a reputable one. Look for reviews in the forum.

Remember these are your client's sites and their businesses
depend on you.

i am an ethical hacker according to me it is easier to get into hosting with an hour of training and those who use wordpress on your should remove the cms try to find shell script on your server which causing this try to hire a good security expert to fix this issue and nex time install firewall on your servers

What type of server is it? Linux? Windows?
Maybe there is a form without a captcha (or with a not good captcha) that can easily be used by a crawler? You need to see the logs of the outgoing emails. If the logs are not turned on, turn it on now.