Help with sites being hacked

9 replies
Hi
My sites are being hacked and directories added, plus I am getting lots of direct traffic from one point, Stevenson Ranch, California, which might suggest that my IP address is possibly being used as an anonymous proxy address (may be completely wrong). I have had to go into my DB to change passwords on my sites server and ftp and used an ftp program to remove the offending directories and files; however, this seems to be to no avail, so I would appreciate some help and advice.

For info, a php file which I have removed three times seems to be some sort of stand-alone hacking software.
#hacked #sites
  • Holiday Car Hire
    The problem still persists; any advice at all would be helpful.
  • Fernando Veloso
    Get in touch with your hosting company.
  • faysal969
    I also think you should contact your hosting company. Possibly they will give you a good solution to this problem.
  • spearce000
    This happened to me a couple of years ago, and the only way I could solve it was to move hosting companies. If you're on shared hosting, it could well be that the hacker is getting into your site via a script on another site hosted on the same server. That's what was happening to me. The fact that you've had to delete a php script 3 times and it keeps coming back would point to you having the same problem.

    As others have said, get in touch with your hosting company. If they have a backup of your site from before the first hack took place, download it to your hard drive and keep it safe. If there is a rogue script on your site, and it's been backed up, you've got real trouble, so best to act fast.

    In the meantime, go through your php scripts and change any permissions that are set to 777 to 755 or 644. This will stop them from being executed remotely. Also, go through your access log, find the IP address that is accessing the rogue script (you'll probably find the hacker is just running that script and nothing else), and block them out in cPanel. This won't stop the hacker forever, but it will buy you some time.

    If your hosting company doesn't solve the problem (or tries to heap the blame on you), then your only recourse is to move to another server, I'm afraid.
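Added example (not part of the reply above): one way to do the access-log check it suggests, in Python. It assumes the Apache/nginx combined log format; the log lines, IP addresses and the script name `rogue.php` are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (documentation IP ranges, hypothetical script name).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2012:10:01:09 +0000] "POST /wp-content/cache/rogue.php HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [12/Feb/2012:10:02:11 +0000] "POST /wp-content/cache/rogue.php?a=1 HTTP/1.1" 200 298 "-" "-"
203.0.113.5 - - [12/Feb/2012:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2012:10:03:55 +0000] "GET /wp-content/cache/rogue.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2012:10:04:30 +0000] "POST /wp-content/cache/rogue.php HTTP/1.1" 200 305 "-" "-"
203.0.113.5 - - [12/Feb/2012:10:05:01 +0000] "GET /contact/ HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def suspects(log_text, script_name):
    """Return (ip, hits_on_script, hits_elsewhere) for every IP that requested script_name."""
    per_ip = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        is_script = path.rsplit("/", 1)[-1] == script_name
        per_ip[ip][0 if is_script else 1] += 1
    rows = [(ip, s, o) for ip, (s, o) in per_ip.items() if s]
    # Most hits on the script first; hits_elsewhere == 0 means the IP requested nothing else.
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, on_script, elsewhere in suspects(SAMPLE_LOG, "rogue.php"):
        print(f"{ip}\tscript={on_script}\tother={elsewhere}")
```

An address that requests only the rogue script and nothing else on the site is the pattern the reply describes; the list it returns is what you would hand to the host or enter in the IP blocker.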
  • thetrafficguy
    Happened to me last year.

    The answer is it really depends how sophisticated the hacker is and how motivated.

    I had to change everything. Hosting included.
  • cameron palte
    Get in touch with your hosting company about things... depending on your control you may be able to ask you and your company to ban that IP address from visiting your site, which can make things harder for them... talking with customer support with your hosting and work from there.
    • Holiday Car Hire
      Thank you for your replies and tips. I have found the initial cause of the hacking, and this relates to a file, thumb.php or timthumb.php, as quoted in the following: "The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven't audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you've been compromised."

      I have removed this file, and hopefully that will be an end of it, having renamed my passwords etc.
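Added example (not part of the post above or of the advisory it quotes): a Python sketch of the checks mentioned in this thread, run over a downloaded copy of the site. It looks for timthumb.php/thumb.php copies and whether `$allowedSites` has been emptied, for PHP files that call `base64_decode` and also contain a long encoded string, and for files left at mode 777. The 200-character threshold for "long" and the exact `array()` pattern are assumptions.

```python
import os
import re
import stat

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# Matches "$allowedSites = array();" with optional whitespace (assumed form of the emptied array).
EMPTY_ALLOWED = re.compile(rb"\$allowedSites\s*=\s*array\s*\(\s*\)\s*;")
B64_CALL = re.compile(rb"base64_decode\s*\(")
LONG_B64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # "long" threshold is an assumption

def audit(root):
    """Return sorted (relative_path, finding) pairs for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks always report mode 777; skip them
            rel = os.path.relpath(path, root)
            if stat.S_IMODE(os.stat(path).st_mode) == 0o777:
                findings.append((rel, "mode 777"))
            if not name.lower().endswith(".php"):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if name.lower() in TIMTHUMB_NAMES:
                state = "empty" if EMPTY_ALLOWED.search(data) else "not empty"
                findings.append((rel, "timthumb copy, $allowedSites " + state))
            if B64_CALL.search(data) and LONG_B64.search(data):
                findings.append((rel, "base64_decode with long encoded string"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}\t{rel}")
```

A hit is a prompt to open the file and read it, not proof of compromise: legitimate plugins also call `base64_decode`, which is why the check requires a long encoded string in the same file.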
  • Ron Killian
    Changing permissions on script files is often a very good idea. Gotta be careful though, some files might not work properly on lower permission settings. I actually moved hosts because I could lower permissions on certain files.

    Just didn't want people changing too much and their sites stop working.

    Another huge tip: don't leave your passwords on your computer. They get into your home computer and could gain everything you have. Removable flash drives come in handy.
  • Damz
    Download all of your files to your computer via FTP and scan all of them using your antivirus program... probably there should be a vulnerable backdoor script which is being used for gaining access to your server.
