HELP, my sites have been hacked: "Backdoor By CyBeSteR"

6 replies
There have been two attacks on my server in the last two days. Both times my hosting account has been deactivated. Both times the intruder has put phishing sites on my server.

When poking around I find some suspect php script or function in another legit php script that has been modified saying "Backdoor By CyBeSteR".

Does anyone know about this?

I can provide the code inside the function if that would help. The code allows someone to upload something to the server.

If you google the term "Backdoor By CyBeSteR" you will find many sites that have had the same problem, but very little talk about it in forums etc.

Does someone have any suggestion as to what I can do about this?

~Olav
  • CanuckWarrior
    Contact your host provider support immediately to let them know it's a hacker and not you. Then ask their advice on how to correct the problem. If it's Hostgator, they're pretty good when it comes to sound advice, imo.

    You may have to restore a backup and double-check your security settings and make strong passwords.

    Also, double check to see if the machine you are using to connect to your host has been compromised. They may have gained access to your account by using a trojan on your machine.
    Signature

    Internet marketing is not rocket science ... unsubscribe from every guru spam list you're currently on ... they just want to rape your wallet and make you co-dependent.

  • NoGimmicks
    Olav

    Best thing is to speak to your hosting company to get their assistance as whoever has hacked in may have compromised other sites that aren't yours so it's best that they know too (plus they should be able to advise on remedies etc)

    Martin
    Signature
    Sick of your products ending up on warez sites?
    Keep an eye out for StealthMarker...
  • NoGimmicks
    A word of caution about restoring any backups - unless you know when your site was compromised then don't restore backups otherwise you may not be getting rid of the issue.

    Martin
  • olavlind
    I have already talked to my hosting provider (HostMonster). They deactivated my account from web access. That's ok, and I have access via webdisk, FTP and CPanel. They will not cancel my account. They will reactivate my hosting account when I can tell them that my account has been secured.

    CPanel file manager is how I found out about the 2.31 kbyte PHP files. They are all the same and spread all over my subdirectories and domains.

    I am seriously considering deleting everything, and going back to basics. None of my sites made me any money anyway, and have been a great learning experience setting things up and learning from that.

    I might take this opportunity to start with a clean slate, delete everything, and start focusing on one thing at a time.

    Thanks to everyone who answered. This has been a great learning experience :-)

    ~Olav
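
Added example, not part of the thread or any poster's code: a read-only sweep of a downloaded copy of the web root for the two signs described in the post above, the "Backdoor By CyBeSteR" string and byte-identical PHP files spread across directories. The function name, sample paths and placeholder file content are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MARKER = b"Backdoor By CyBeSteR"  # marker string quoted in the thread

def scan_webroot(root, marker=MARKER, exts=(".php",)):
    """Return (hits, clusters) for PHP files under root.

    hits: paths whose bytes contain the marker (case-insensitive); this also
          catches legitimate scripts that had a function injected into them.
    clusters: {sha256: paths} for byte-identical files found in 2+ directories,
          i.e. the same dropped file copied around. Needs review: stock files
          shipped by a CMS can legitimately repeat.
    """
    hits, by_hash = [], defaultdict(list)
    needle = marker.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if needle in data.lower():
                hits.append(path)
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
    clusters = {h: sorted(p) for h, p in by_hash.items()
                if len({os.path.dirname(x) for x in p}) > 1}
    return sorted(hits), clusters

if __name__ == "__main__":
    # Constructed sample tree (inert placeholder content, not the real file).
    with tempfile.TemporaryDirectory() as root:
        for sub in ("domain1", os.path.join("domain2", "images")):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "dropped.php"), "wb") as fh:
                fh.write(b"<?php /* Backdoor By CyBeSteR */ ?>")
        hits, clusters = scan_webroot(root)
        for p in hits:
            print("marker:", p)
        for digest, paths in clusters.items():
            print("identical x%d: %s" % (len(paths), digest[:12]))
```

A clean result only means these two signs are absent; it does not show the account is secured.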
  • NoGimmicks
    If a wipe-clean is an option for you then yes, go for that.

    Dumb reminder I know, but worth making - don't forget to check your own pc for infection too as already suggested + change your passwords too

    Martin
  • egetnow
    Banned
    [DELETED]
    • Aj Wilson
      Go into your cPanel > Anonymous FTP > you should see 2 check boxes.

      Allow anonymous access to ftp://ftp.yourdomain.com
      Allow anonymous uploads to ftp://ftp.yourdomain.com/incoming

      Make sure both are UNCHECKED.

      If one was checked (usually made default by hosting providers)
      that's how your "hacker" may have accessed your account, so close the security hole.

      They usually use software to scan vulnerable accounts,
      then automatically inject their code/files etc.

      Usually one would have local copies of your website.

      I'd create a new hosting account,
      transfer everything back up (as long as you're sure your local copies aren't infected).

      Then secure that hole in the new cPanel and start again.

      Pain in the arse, but oh well.
      All the best mate.

      - aj