My hosting is hacked

I think you should contact your hosting manager for more information,

Congratulation!!



Nah.. Just kidding.

I understand what you're going through. The same happened to my 3 times in 1 week! :O

What I did was get on my hosting provider, speak a little heavily. They ran an exploit scanner for the whole server, and found at least 3k instances of malicious codes. Within hours, they removed each and every piece of sh*t from there.

Hey motley,

The same thing happened to me a couple of months ago and i spent a couple of hours deleting all the crap from my .php files. I don't see the benefit of contacting your host provider as i don't think there is any anything they can do on their part. Of course i may be wrong though :rolleyes: (obviously don't listen to me as others have had some luck with their providers)

Just make sure all your plugins are up to date and if you have any themes with bad scripts make sure to delete them. I found out in the end that it was a bad theme that caused the problem on my end.

That's all i know mate, but once all the .php files were cleaned up i have had no issues since.

Let me guess, wordpress?

don't contact. My hosting provider suspended my account and all my websites was down after they found out my php files were hacked without notifying me. So I had to contact them to find out the reason and reuploaded the clean files in order for the sites to be back up.

You should have a backup of all your sites at a secondary hosting account with another company. That way if something like this happens, you can just point to the new account.

Sorry to hear about this...had pretty much exactly the same thing happen months ago....caused quite a mess. I would advise changing passwords, not just due to this event, but on a regular basis. I also would tell the host what happened.
_____
Bruce NewMedia

Better immediately contact Hosgator Support for this.. they may give you some good suggestion...

If you contact Host Gator, they should be able to access the server logs and tell you when, where and what files were exploited. It may end up being some script you like, but is not worth the time and aggravation.

Thanks,

John

Guys, thanks for replying.

It's not a Wordpress issue, I guess. I have many wordpress installations as well as many prismotubes, html and script based landing pages. The harmful index.html file was put into every directory of the public_html directory, not into wordpress only. After removing of all that index.html, everything works well. I hope the php files is not affected.

I agree with those who suggest to inform Hostgator. I've done it recently. I have already received this email from hostgator:
No heavy conversation was needed ))

Brian, thank you for the links.

If it is your hostgator account that was got hacked i mean somone had access to your user name and password than its good to scan your Pc with any good antivirus, so to be sure you are not victom of any keylogger or RAT..

First of all you need to know the reason "How you got hacked"
Scan each folder properly, Your Databases as well, many times hackers put some stuff in your DB and your posts will show some text links ( It happens in Wordpress Mostly )
Even Paypal Blog Got such problem and a Text Link of ( Pe**S Enl*******N) was there for over 10 days.

Hostgator offer great support they will do everything on your behalf. Contact them and relax.

If you are using wordpress, and you have installed any premium theme downloaded from warez sites then that's might be the reason !
Or maybe you have used a plugins that has bugs !
Anyway don't forget to update wordpress to the current version which is 3.2.1 right now

I notice a lot of Wordpress sites using woo themes where hack and got a malware.

It is important to always have a backup of site files and database.

motley can you PM me the Javascript code if you still have it (I wont be able to reply but if you don't understand JS I can take a look at what it was trying to do). As G Abbas already said, it might be worth running a reliable malware scanner on your computer in case you're infected with anything malicious. I recommend Malwarebytes Anti Malware (it's free).

If you need help let me know (add Skype). I originally came here from HackForums so if you want me to have a quick look around and see if the perpetrator decided to brag about it I'll need to know the domain name.

That's a bummer man. I never had our server hacked but I would contact HostGator about it. I've had 3 other hosts before I went to HostGator and HostGator has by far been the best I have used. They have excellent support and have always been more then happy to help with any problems I had. I'm sure they will help you out. I'll never use a different host now.

Guys, I'm tired of it!

After I posted the last message here, the HG support team had scanned my account and removed all cr*p. It was three files in the CTR theme at one of my sites. I worked great after that.

But today I was working with one of my sites when I got a 500 server error. I checked other sites and it was the same. I checked all directories at the public_html directory and found two wrong Heal.html and HeaL.html files in each of them. I removed them all and changed a password to my account. I helped a bit, but after a short time I was attacked again. This time ALL index.php files at ALL sites (not WP only) was replaced by hackers's index.php.

I have submitted a ticket to HG support team again. Waiting...

Did you ask, or did they say, where the hacker got in from?

The reason I ask, is when it happened to me way back when, I asked where the exploit was at and they told me it was an outdated theme I was using on one of my sites.

Removed the theme and never had any more issues.

Thanks,

John

I LOVE HostGator.
They are great.
However -- I differ with them on a few points.
They will say what caused the hack (maybe) -- and send you off doing a lot of things which may or may not help.
They run a script which may modify a ton of files -- and the last time I saw the result of that script -- it actually removed essential lines from a few files.

I guess it's like "water damage" from when the firemen put out the fire in your house.

The FIRST thing you should do when your site has been hacked is TAKE IT OFFLINE.

How do you do that ?

Put up an index.html file in your domain root directory that says something like "Down for maintenance. Thanks for visiting, and please come back!"

I argue with HG that they should be the first to be notified. (but I understand).

Because I'd rather you contact someone like me.

Because HG runs their scripts and are worried about the security of their company, not so much the security of your account.

So they won't necessarily spend the time to find out where your infection really started from.

And, until that's done, your site continues to be vulnerable.

When they run their scripts, however, they destroy evidence -- (they have a similar complaint about what people like me do, when cleaning up sites ... difference is ... I can preserve the evidence for them...)

I haven't read the entire thread, but just wanted to give you a head's up on things.

I've cleaned up many, many hacked sites -- and so has my business partner, Nathan Briggs. Many of them have been on hostgator. You can contact us if you need help. (I respond best to skype IM: nextday-copy -- yes, I also do copywriting...strange mix, I know ... LOL. When requesting a contact, please indicate why you want to establish contact with me, as I regularly do not accept contact requests without that information, and will block people that I have not had contact from within a certain period of time if no relationship has been started.)

Live JoyFully!

Judy

Man that sucks. Try not to use dodgy looking scripts and templates.

If you have shared hosting, hackers could be getting in via another account on the server. Check your file permissions to make sure none are set to 777, then go through your access log to see if any php scripts are being triggered remotely. If so, block the IP address they're using. That's what I did when I had a similar problem a while back. If it happens again, change hosting company.

That's what that "forgot password?" thingie is for.

Llimiting login attempts is a standard security method for all kinds of software. Don't let a minor inconvenience that can be easily overcome stop you from using it. (I can't speak specifically to the particular plugin.)

But use something like RoboForm or LastPass so it will encourage you to use stronger passwords.

@Don Luis -- that's a good start -- but it wouldn't help any of the people who had (or have) vulnerable copies of timthumb.php

Live JoyFully!

Judy

Ask them nicely, sweetly ...

Tell them you don't want it on your conscience that your sites could be distributing malware to your visitors -- and, while you respect their need for you to not touch anything -- is there something that could be done that wouldn't interfere with their investigations that would make it possible for you to sleep well, because you know your visitors won't be infected with malware (to the best of your knowledge?) -- and ... isn't there something they can do ?

(BTW -- another choice would be to use the ipdeny feature in cpanel. Or get someone to create the .htaccess for you. This way the HG sec guys can still work, but other visitors will not be able to access your site for the time being. I used ipdeny with a client recently because he had been infected for so long, I felt that changing the db credentials and wp login were important before opening them up to the world.)

Edited to add:
Incidentally, if you want to use SFTP, you need to have ssh enabled. If you have a reseller account, HG will charge you $10 (I think per year) per subaccount to enable ssh on your subaccounts. I personally recommend that people with many domains consider getting vps or dedicated -- prices have come down quite a bit.

Live JoyFully!

Judy

Sorry to hear about the trouble! I would definitely take it offline immediately and post a "Down for Maint." page. You don't want to have your customers/followers checking out your page and seeing that. That may spook some people. And definitely heed Judy's words, she is spot on from what my past experience is with HG/hacked sites.

Hostgator was recently hacked, at least some of their servers.

I agree with changing your password on a regular basis.
Also using letters, numbers and even using a least one
capital letter in your password.

The same thing happened to my Hostgator account previously. My main site index file was replaced with some terror__t related materials. Contacted HG and they were fast to recover a backup to put things back in order.

Too be fair, the responsibility shouldn't be put onto HG. In fact, any account on a shared server might path the way for the hacker to enter. Or it can be just entry via the root access etc.

Important thing here is - always backup your files.

When your host is secure again, take a look at http://www.websitedefender.com as it seems like a good free service. They also offer a free Secure Wordpress Plugin.

Just have your host company run a sweep. Problem solved. Worked for me at hostgator anyway!

What would prevent this from happening in the future?