My client sites are getting HACKED!! Help!!!

by Phobia
15 replies
OMG, so this is a disaster. I have a reseller account with a 'repuatable' hosting company and a few days ago one of my clients says he couldn't send emails. Long story short, I find out that my main domain is blacklisted and it has now snowballed into one of my other clients sites being redirected to porn sites!!!!

Is anyone knowledgeable in this area? I need this fixed asap!!!!!

*edit. There has been no unusual activity from my part that I can recall to result in this - and their 'support' is futile so far in only an escalation ticket to which I don't know when they can resolve.
#client #hacked #sites
  • Profile picture of the author Chris Lee
    Similar thing happened at the agency I worked at. To stop a hacker, you have to know how to hack and none of us knew how to do that.

    Try contacting your host. Depending on the company, they might go in and look at your files and do a scan and clean up for your files.

    If not, you'll have to hire somebody. We ended up hiring somebody off of odesk to go in. Almost always, there's a hidden file with malicious code. And you need someone experienced with fixing and build hacks and viruses to identify it and make sure it doesn't happen again.
    {{ DiscussionBoard.errors[9805346].message }}
  • Profile picture of the author spearce000
    It sounds like the hacker has managed to access the server root, so you need to get onto your hosting company immediately. Chances are you're not the only account being affected, which may be why your hosting company is taking so long to respond..

    As far as the redirect is concerned: there's probably a rogue php script replacing index.php or index.html. Go through the site and look for any files which have been modified. If possible restore the site from backup. Then check the server logs. If you find a php script that's being triggered remotely, that's probably the hackers at work. Delete the script and blacklist the IP address.

    The mail backlisting is more tricky as it's beyond your control. Perhaps others here can advise you better than I can, but you may have to consider using a variant of your domain for sending mail (yourdomain.net instead of yourdomain.com for example).
    {{ DiscussionBoard.errors[9805476].message }}
  • Profile picture of the author MikeTX
    Your webhosting has couple of voulnerable backdoor wide open. Happened also to me couple years ago and all I can tell you - move to a new host asap. Before more damage is done.
    {{ DiscussionBoard.errors[9806382].message }}
  • Profile picture of the author Valdor Kiebach
    I had this, some script was uploaded to a domain on the server and because of crap security this script allowed the hacker to view all web root folders of every domain on that server.

    Wordpress was the backdoor in my case.

    Check all your hosted sites folders for a php script with an unusual name, mine was in a theme folder.

    As mentioned this redirect is most likely a replaced index.htm / php page or .htaccess file.
    {{ DiscussionBoard.errors[9806409].message }}
  • Profile picture of the author gesman
    I run hosting server for my clients and attempts to hack, guess passwords and exploit vulnerabilities within hosting platforms, such as wordpress happens every *second* (not even every minute).

    Here's a picture of a snapshot of security stats for the last 24 hours showing attempts to login (guess passwords) to all sites across my hosting server as well as attempts to exploit Wordpress xmlrpc vulnerability. All IP addresses listed are hackers and servers where hackers are operating from:



    The problem here is actually knowing whats actually going on and knowing measures and countermeasures to remedy situation.

    Your solution depends on how severe is infection:
    - How many sites are affected?
    - Do you run WHM/Cpanel or all sites are sharing the same file system space?

    From my experience - it could be quite hard to "cleanup". Infected and backdoor-ed files could be everywhere and not all scanners will pick them up.
    In my cases - I keep clients websites separate and isolated from each other to prevent cross pollution and cross infection.
    In last case of client's infection due to hacked wordpress site I had to write custom script to detect and eliminate infections as no other software would pick them up.

    More reliable solution would be to switch to new, more secure hosting space and do your best to restore website contents without copying scripts from old sites to new.

    This way you'll be starting afresh with all garbage behind and hopefully more security to serve you.

    Gleb
    {{ DiscussionBoard.errors[9806608].message }}
  • Profile picture of the author DubDubDubDot
    WordPress?

    Plugins?
    {{ DiscussionBoard.errors[9806639].message }}
  • Profile picture of the author travlinguy
    This happened to me last year. My hosting company suggested I delete the affected sites from their server and re-establish them. Of course, you need to have everything backed up in advance of doing that. Luckily, I did.
    {{ DiscussionBoard.errors[9806646].message }}
    • Profile picture of the author JohnMcCabe
      Originally Posted by travlinguy View Post

      This happened to me last year. My hosting company suggested I delete the affected sites from their server and re-establish them. Of course, you need to have everything backed up in advance of doing that. Luckily, I did.
      The trick is making sure the backup is clean, else the cycle just starts over again.

      Yet another argument for not using the one-button install for WP and avoiding using plugins whenever possible.

      If you haven't been hacked yet, it just means that you haven't been hacked yet. Make things as secure as possible so that hackers go looking for easier prey. This is especially so if you are selling hosting - to your clients, YOU are the host.
      {{ DiscussionBoard.errors[9806822].message }}
  • Profile picture of the author ianeire
    A client of mine got hacked yesterday, however all site files are still there so just looking for the root cause of problem.

    Thankfully no other sites affected but it really is an inconvenience. I am hoping the site can be restored with no major issues.

    Hope it works out well for you man.
    Signature
    Forget 'Special Offers', All You Need Is Here!
    {{ DiscussionBoard.errors[9806941].message }}
  • Profile picture of the author Shirllin
    [DELETED]
    {{ DiscussionBoard.errors[9807701].message }}
  • Profile picture of the author carlo_sim
    Happened to me a few months back.

    Cleaned all files... But the my client's sites were hacked again

    The best solution?

    Change your server!

    Get a reputable one. Look for reviews in the forum.

    Remember these are your client's sites and their businesses
    depend on you.
    {{ DiscussionBoard.errors[9807769].message }}
  • Profile picture of the author ajmalkhan
    i am an ethical hacker according to me it is easier to get into hosting with an hour of training and those who use wordpress on your should remove the cms try to find shell script on your server which causing this try to hire a good security expert to fix this issue and nex time install firewall on your servers
    {{ DiscussionBoard.errors[9807797].message }}
    • Profile picture of the author Devilfish168
      Originally Posted by ajmalkhan View Post

      i am an ethical hacker according to me it is easier to get into hosting with an hour of training and those who use wordpress on your should remove the cms try to find shell script on your server which causing this try to hire a good security expert to fix this issue and nex time install firewall on your servers
      actually my host provide " check on maleware etc "

      will it helps
      {{ DiscussionBoard.errors[9807819].message }}
  • Profile picture of the author RJuy66
    What type of server is it? Linux? Windows?
    Maybe there is a form without a captcha (or with a not good captcha) that can easily be used by a crawler? You need to see the logs of the outgoing emails. If the logs are not turned on, turn it on now.
    {{ DiscussionBoard.errors[9810055].message }}

Trending Topics