I've been hacked!! 3848 malware/virus files placed on my hosting account.

9 replies
Well,

I just spent the last 7 hours going through and deleting 3848 malware/virus files from my hosting account.

Received an e-mail this morning from my hosting company.

Account deactivated due to violation of my terms of service agreement.

I called them immediately to see what the problem was.

They told me my account was deactivated due to a tremendous amount of malware/virus files on my hosting account.

The part that bothers me the most, is all they did was send me a list of the files and told me it was my problem to get rid of them. I guess I should be happy they did send me the list?

I didn't have a clue where to begin or even how to find them. I know very little about coding or programming.

All I did was stare at the size of the massive list.

Long story short, I got rid of most of them by just deleting the entire domain names that were infected. I blew out 14 web sites that I will have to rebuild, I'm sure that was the hard way, but it was the only way I knew how to handle it.

The rest of the files were just a few lines of code on almost all of my domains. I have 256 of those, I would say 80% of them had the lines of code placed on them.

I changed all of my passwords on my hosting account and FTP accounts.

I noticed most of the sites that were hit hard were either wordpress blog sites, or contained an article or link directory. I'm not sure if that has anything to do with it? The wordpress ones were the worst.

What I want to know, is what else can I do to prevent this from happening again, and have I done enough to prevent future attacks?

How did somebody gain access to my account? Did it have to be through my ftp account, or is there another way in through the wordpress blogs or the directories?

With this many domains attacked, I figure it must have been from one of my FTP accounts? Just guessing.

My hosting company said that with an attack of this size, it must have been done over a few weeks or days, and they only keep their access logs for 48 hours, so using the logs to track it down seems to be of no use.

Of course my next question then was if it took place over weeks or days, why didn't they catch it sooner?

No answer, they just said it was brought to their attention today, and I have 7 days to solve the matter or all of my data would be erased.

Sorry for the long post, but I wanted to provide as much information as I could, maybe this information will help others as well.

Thank you in advance for your suggestions.
  • sorinv
    I would check my computer for keyloggers if I were you. If they gained access to many different accounts, controlled by many different passwords, and running different pieces of software, the chances are the vulnerability is not in the scripts, but somewhere where those passwords are stored.
  • mihir
    Another possible threat is a cracked FTP client. Don't use cracked FTP clients, use FileZilla rather. It's free and open source. And use a STRONG FTP password which contains capital and small alpha, numbers and symbols if possible. Try to twist some regular password into a complex one like
    simple : ilovemoney
    complex : !lUvm0n3y

    hope this helps
  • Abledragon
    Here's an article that describes what happened to a client of mine a few months ago (WordPress site hacked and turned into an attack site) and the steps I took to fix it:

    http://www.wealthydragon.com/blog/20...ity-wordpress/

    Hope it's helpful,

    Cheers,

    Martin.
  • feysal
    Same with me... My first problem was being spammed by lots of ads and URLs. I think they are using xrumer.. A few months later, there's nothing in my blog. It only said something like "<error........" I feel so frustrated since I built the links for the site consistently.. I realize that I also need to be concerned about the security part... :-(
  • ipwperia
    The hosting should work together with you to fight this. As I know, however strong your security is, there's still another way (backdoor) from others' FTP accounts to break in, so the same house (hosting) still has another fragile door, right? So we have to work together to keep each other's door safe. Just my humble opinion.
  • nini92220
    Originally Posted by Digital Traffic (the original post above, quoted in full)
    Hi Digital,

    Sorry for what happened. Hostgator should have told you a little more about this I think, because just changing the FTP may not be enough.

    I've been working on my site's security for 2 weeks now and all I can tell you is that you have to do a lot more than just change your FTP access.

    First thing you have to know is that Wordpress sites are a piece of cake for hackers. They are SO EASY to hack. I learned this a few weeks ago.

    You have to protect all the access to your blogs inside the wordpress platform ( don't know if it makes sense to you: a little techy....) but to be more precise, you have to protect the admin folder, your files and so on

    your FTP access keys : where do you keep them? If someone can get them easily on your pc then they're not safe

    You have to scan your PC with a strong antivirus (in addition to the one that you already have) to check on a regular basis that you don't have any virus that was not detected by your antivirus.
    I use HouseCall - Free Online Virus Scan - Trend Micro USA to scan my PC on a regular basis and I have an antivirus too.

    In short, you must be a little paranoid and never think that it won't happen again ....

    And be sure that if they managed to do this to you then they may try again sooner or later.

    I check my main site's stats several times a day and each time I can see that I notice weird things.
    2 weeks ago, someone tried to do something (no time to give you all the details..) but I immediately called Hostgator so they could check.
    At first, they told me that they didn't see....
    I insisted and took screenshots of my statcounter account so they had evidence, and the support guy left a message to the security department.
    They came back to me and told me that I had to protect all my wordpress blogs more.....and they did something for me (can't tell either) and the problem was solved the next day.

    After this, I started doing some serious research on the net about security and I learned a lot.
    Last week I bought Blog Lock Down by Craig Desorcy and when I realized all I was doing wrong I was like "Oh my...."

    First thing that you'll learn in this security tutorial is that the famous Filezilla that we all use IS NOT SECURE AT ALL and all your info can be read by all hackers....
    and this is just the start....

    I spent the last 5 days implementing all the security measures and I can already notice some things that stopped happening....

    Try to do a search in google for "Best wordpress security plugins" then choose and install the ones that you find useful.

    Other preventive measures :
    -do a back up of all your sites once a week or a month
    -change your passwords every month or so
    -never use the same passwords for your ftp accounts, paypal, email accounts...
    -when you give access to someone (outsourcing team...) ALWAYS check the files after and make sure that they don't have any virus
    -secure seriously your wordpress blogs
    and much more


    Don't get me wrong, I'm not trying to sell anything here : it's just that I was so frustrated when I learned how weak security was on my site ...

    Wordpress sites are easy to set up and manage but what we don't realize is that they are really easy to hack too!

    I'm not a security expert. I'm just someone who decided to seriously consider security issues after some bad experiences.
    And I'm still doing a lot of things wrong....

    This does not mean that someone won't try something but i don't want to make the job too easy for them anymore.

    Hope it helps a little

    Stephanie
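    The original poster asked how to even find injected files, and the list above says to check files after anyone else has had access. The script below is an added example (not code from the thread or from any product named in it) of how a site owner can do both checks without reading code: it records a baseline of SHA-256 hashes for every file under the web root while the site is known-good, then later reports files that are new or changed against that baseline and files containing constructs that injected PHP commonly uses. The web root, the sample files, the appended "injected" line (whose decoded payload is just the word "hello") and the indicator list are all constructed for the demo; indicator hits are leads for manual review, not proof of infection.

```python
"""Triage scanner for a hacked web root (added example, not from the thread).

Two checks a site owner can run without reading code:
  1. integrity: compare every file against a baseline manifest of SHA-256
     hashes taken when the site was known-good (new or changed files stand out);
  2. indicators: flag files containing constructs that injected PHP commonly
     uses (eval over decoded strings, hidden iframes) for manual review.
"""
import hashlib
import os
import re
import tempfile

# Indicator patterns for manual review (constructed list); hits are leads,
# not proof of infection, and a clean scan does not prove a clean site.
INDICATORS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    re.compile(r"preg_replace\s*\([^,]*/e['\"]", re.I),
]


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def scan(root, baseline):
    """Return new and modified files vs the baseline, plus indicator matches."""
    current = build_manifest(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = []
    for rel in sorted(current):
        with open(os.path.join(root, rel), "rb") as f:
            text = f.read().decode("utf-8", errors="replace")
        if any(pat.search(text) for pat in INDICATORS):
            suspicious.append(rel)
    return {"new": new, "modified": modified, "suspicious": suspicious}


def demo():
    """Constructed fixture: a tiny site, a baseline, then a simulated injection."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "blog", "wp-content"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "blog", "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'example'); ?>\n")
    baseline = build_manifest(root)  # taken while the site is known-good

    # Simulate what the thread describes: a few lines appended to an existing
    # file and a new file dropped into a writable directory. The decoded
    # payload below is just the word "hello"; it stands in for injected code.
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write('<?php eval(base64_decode("aGVsbG8=")); ?>\n')
    with open(os.path.join(root, "blog", "wp-content", "cache.php"), "w") as f:
        f.write('<iframe src="http://example.invalid/" style="display:none"></iframe>\n')
    return scan(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

    In practice the baseline manifest is written to a file kept outside the web root (or downloaded over SFTP) right after a clean install or rebuild, and the scan is re-run on a schedule; a changed wp-config.php or a new .php file under an uploads directory is worth a look even when no indicator pattern matches.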
  • burton247
    It could have been from any number of things. Again, as all of your sites were done (more or less), this helps narrow the issue (only slightly though). If you use the same FTP details for all your sites then someone may have got hold of your password and attacked them all. If you use different ones you will probably find you've been using a bad public network or have a keylogger or even a rootkit on your PC.

    However, I think the most likely is that they gained access to your hosting account, because from there they would only need a couple of scripts to infect everything. Possibly FTP, possibly your normal login for the host, or even SSH if it is enabled. It could also be a security exploit on the host's side.

    [Edit]
    I don't mean to sound like a nagging school teacher but backing up is really advised, especially if you're running so many sites
  • lefty359
    I just came across this thread. About a month ago I had 2 sites hacked. One was WP but other was built with a diff sitebuilder. My host company fixed things for me as I didn't know how. I only found out when I looked my site up in google and it had a "site is dangerous" warning.
  • SmartWeb
    Originally Posted by Digital Traffic (the original post above, quoted in full)
    It's a very tough time, but you have been strong and taken good steps.
    It's hard to say whether these steps would prevent the same thing happening again.
    I have regular clients having these kinds of issues.
    To get any account hacked, the hacker needs your website access either via FTP or via wordpress.
    Normally if you use a good FTP client (like FileZilla), you are in a good direction.

    Most people don't know that even FTP is not secure; the login details can be cracked if you are using normal FTP mode.

    Let me tell you there is SFTP mode. SFTP stands for SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol). FileZilla supports this and even major hosting companies support this.

    Just like you have http and https, the same way you have ftp and sftp.
    Your login details are completely safe if you are using sftp.
    Just call your hosting company and ask them to enable sftp and help configure it. (If they don't respond, let me know, I can do that.)

    I use sftp for all my ftp needs.


    Another major reason for these kinds of malware coming in is weak plugins,
    since you may find lots of new plugins for wordpress that seem so attractive, and you get those installed. But many of those plugins are not built to avoid any kind of hacking attacks, so SQL injection things might take place via these weak plugins.
    Solution -> Always go for well-known plugins or get them checked by some developer for weaknesses. (If you don't find a developer, just send me a message.)

    Hope this information helps.