by cjt
38 replies
Hi Warriors
I have had my first experience of being hacked and it's not a nice one. Though it hasn't affected me financially (I hope?) it has p...ed me off.

These are the ...ers 'HACKed By jago-dz ALGEria ATTACKED'

Now, I did not use Fantastico, I installed it myself with video help changing data in the config file etc.

I have removed an access host from my "Remote Mysql"

What do I do now?
  • I can get into the backend where everything looks intact but not sure if I trust it's safe?
  • do I just restore a backup and continue playing..?
Any help appreciated
#hacked
  • Profile picture of the author Subsonic
    First things to do in the situations like this would be to contact support and see if they can do anything (it may have been a failure on the hosting side but most probably not). Then you should of course change all the passwords. Actually that password thing should be done first and quickly!

    It really sucks to see your own website hacked... :/
    • Profile picture of the author John Maddy
      Originally Posted by Subsonic View Post

      First things to do in the situations like this would be to contact support and see if they can do anything (it may have been a failure on the hosting side but most probably not). Then you should of course change all the passwords. Actually that password thing should be done first and quickly!

      It really sucks to see your own website hacked... :/
      Nice info man. You really help me a lot
  • Profile picture of the author mywebwork
    So sorry to hear you were attacked.

    You have the right idea - change all your passwords and restore from a known-good backup.

    Make sure you have your file permissions set correctly, and create new WordPress security keys from http://api.wordpress.org/secret-key/1.1/ and edit your wp-config file to use them.

    You may even wish to re-install using a different MySQL table prefix, if you do you'll need to edit your MySQL backup file to reflect this.

    It does indeed suck, but it could have been much worse - at least you were smart enough to have a backup (it's amazing how many people don't!).

    Best of luck with your site.

    Bill
    • Profile picture of the author cjt
      Thanks Subsonic & mywebwork
  • Profile picture of the author Jake Gray
    Be sure to keep all 3rd party applications UP-TO-DATE!

    It's vitally important to keep all software to their newest versions.

    It's quite simple to understand actually - Let your host manage your
    hosting account while you manage the simplest thing of all - Your things
    that you use (such as WordPress, PHPBB, etc).
  • Profile picture of the author Monitium
    To avoid this in the future it is good to have your admin files not named "admin." Also, I have found that most hosts will not do anything about the recent security issues so talking to them has always been a waste of time for me, but I suppose if you have the time, it is worth a shout to them.

    Also, if you are talking about wordpress sites, check out a plugin called bulletproof security. It has been helpful to our team.

    Sorry this happened - it is never fun.
  • Profile picture of the author JustFelix
    That is pretty scary, you didn't download any freebies on the internet right? A free WordPress theme or anything?
    • Profile picture of the author cjt
      Originally Posted by JustFelix View Post

      That is pretty scary, you didn't download any freebies on the internet right? A free WordPress theme or anything?
      No justfelix, I'm using a premium theme.
  • Profile picture of the author Abledragon
    Very sorry to hear that, and I can understand how you feel.

    In addition to the tips people have given above, also make sure that your machine hasn't been compromised and use SFTP rather than FTP.

    More details (and some other tips) here:

    http://www.wealthydragon.com/2010/01...ity-wordpress/

    Cheers,

    Martin.
  • Profile picture of the author mr141wp
    It is a major security concern these days as hackers are trying to access websites based on WordPress, Joomla and other community platforms.

    If you are using WordPress, Joomla, Drupal etc, keep the software package updated all the time and give proper access to the directories so that they are not open to attack.
  • Profile picture of the author espe
    I'm sorry to hear that!

    I know how they do it, it's pretty dumb. I guess you have an old script or you installed it really badly.

    They may have found php, asp or aspx files on your server that have /something.php?some_variable=something

    They got access to your MySQL server, they got the admin MD5 hash, they decrypted it... the password is now in their hands and they uploaded a shell (a php file with admin permission) and from that point they did whatever they wanted with your website.

    Check every line in your SQL syntax, find possible errors and fix them.
    • Profile picture of the author cjt
      Originally Posted by espe View Post

      I'm sorry to hear that!

      I know how they do it, it's pretty dumb. I guess you have an old script or you installed it really badly.

      They may have found php, asp or aspx files on your server that have /something.php?code=number

      They got access to your MySQL server, they got the admin MD5 hash, they decrypted it... the password is now in their hands and they uploaded a shell (a php file with admin permission) and from that point they did whatever they wanted with your website.

      Check every line in your MySQL syntax, find possible errors and fix them.
      Hi espe
      If I delete the database and restore a backup from way before the hack on a new database, would this fix what you are talking about?:confused:
      • Profile picture of the author espe
        Originally Posted by cjt View Post

        Hi espe
        If I delete the database and restore a backup from way before the hack on a new database, would this fix what you are talking about?:confused:
        The problem is not in the database, it is in the script you are using to handle the information between the user and the database. Update it.
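An added example, not part of any post in this thread: a shell sketch that triages a web server access log for the chain espe describes, a request carrying SQL in a query-string parameter followed by requests to an uploaded PHP file. The log lines are constructed, and the combined log format, the `/uploads/` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage a combined-format access log for the two request
# patterns described above. Usage: sh triage.sh access.log

# Requests whose query string carries SQL keywords. Prints: ip status request
flag_sqli_requests() {
    awk '{
        n = index($7, "?"); if (n == 0) next
        q = tolower(substr($7, n + 1))
        gsub(/%20|\+/, " ", q)          # undo the common space encodings
        if (q ~ /union +(all +)?select/ || q ~ /information_schema/ ||
            q ~ /(sleep|benchmark)\(/)
            print $1, $9, $7
    }' "$1"
}

# Requests for PHP files under an uploads directory. Prints: ip method status path
flag_upload_php() {
    awk '{
        p = $7; n = index(p, "?"); if (n) p = substr(p, 1, n - 1)
        m = $6; sub(/^"/, "", m)
        if (tolower(p) ~ /\/uploads\/.*\.(php|phtml)$/) print $1, m, $9, p
    }' "$1"
}

# Client addresses that appear in both lists: the ones to investigate first.
correlated_ips() {
    tmp=$(mktemp) || return 1
    flag_sqli_requests "$1" | cut -d' ' -f1 | sort -u > "$tmp"
    flag_upload_php "$1" | cut -d' ' -f1 | sort -u | grep -Fxf "$tmp" || true
    rm -f "$tmp"
}

# Constructed sample log (documentation-range addresses, made-up paths).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2024:10:04:11 +0000] "GET /something.php?some_variable=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 812 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:09:40 +0000] "POST /wp-content/uploads/2011/08/x.php HTTP/1.1" 200 94 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:12:00 +0000] "GET /wp-content/uploads/2011/08/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
EOF
}

if [ "$#" -ge 1 ]; then
    log=$1
else
    log=$(mktemp) && sample_log > "$log"
fi
echo "SQL keywords in query string:"; flag_sqli_requests "$log"
echo "PHP requested under uploads:";  flag_upload_php "$log"
echo "Clients seen doing both:";      correlated_ips "$log"
[ "$#" -ge 1 ] || rm -f "$log"
```

A hit only says where to look: the script named in a flagged request is the one to update or remove, and any PHP file served from an uploads directory should be inspected before it is restored.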
  • Profile picture of the author pmcgrath
    Hi,
    Just to join in this discussion. I have the utmost sympathy, having just discovered that 4 of my sites have been hacked: 2 Amazon blogs and two affiliate sites; for these two, both domains are due to expire in a few days so I can't be bothered to keep them up.
    I contacted my host in India and they have been really good, restoring the blogs to their former selves. That means when their URL is typed into Google's search bar they at least show up. I also have to change the cPanel passwords and the WordPress admin passwords.
    However, it seems like various files on the two blogs were set at 777, which allows access to anyone (I got them built for me). I have been told how to change them. There's a good gig on Fiverr where he fixes the loopholes, restores and gets you a backup file of your site. I have learned many security lessons the hard way, but the fact remains that my home schooling site was turned into a porno site by a Turkish hacker and the rest were hacked by a group of hackers in Asia.
    regards peter mcgrath
    • Profile picture of the author figgity
      That happened to me too on one of my Wordpress sites. I feel your pain. Luckily, they only altered my index.php file. I think they must've gotten in through some WP backdoor because I am usu. kinda slow to do the updates. :p
  • Profile picture of the author ussher
    * do you ever upload stuff via wifi?
    * Ever login to your account on a http:// (not https:// ) connection in a public place like starbucks or a hotel lobby?
    * do you use FTP or SFTP to upload stuff?

    If the answer is yes you could be broadcasting your login details to anyone listening.

    might not be a hole in your server at all. The user could have logged in with the details you gave out over an insecure connection.
  • Profile picture of the author nordend
    When the index page has been hacked and changed how do you fix this?
  • Profile picture of the author viscoa
    Sorry about the attack. Hope you recover from it and keep moving forward!
    • Profile picture of the author davidstar
      You do not try to fix the existing page. Only use your backup copy and tighten the belt, especially on backdoor access. Use only core FTP program. Start over if you do not have a backup.
  • Profile picture of the author upendraets
    Just go to your webmaster tool and remove your URL with the URL removal tool. Refresh all your content and resubmit.
    • Profile picture of the author Workman
      Originally Posted by upendraets View Post

      Just go to your webmaster tool and remove your URL with the URL removal tool. Refresh all your content and resubmit.
      I do not suggest doing this. It will not stop Google from crawling your site and it will take longer for your content to refresh.

      If you don't want Google or other search engines to see your content while your site and you can fix the problem quickly, I would throw this into your robots.txt in the root of your web directory:
      User-agent: *
      Disallow: /
      This asks search engines NOT to index your pages. I know it's bad enough to ask not to be indexed, but if your site is compromised and a malicious javascript file was uploaded or linked this is an even worse fate and can take much longer to get removed from that blacklist. Not to mention it will scare off any customers you might have once you fix the problem.

      If you check the source of your page and see a .js file included somewhere that doesn't look legitimate, I definitely suggest closing it down to search engines until you can rectify the problem.

      Be sure to remove those lines from robots.txt once you're confident that the issue has been resolved.

      Good luck
      • Profile picture of the author Sea1c
        I was in the same boat, some jacka** called jago-dz, wish I could find him and have a quiet little word. I guess it is better he did this and advertised it rather than quietly place malicious code in there somewhere (which I guess he may have done as well).

        On the off chance he did, I completely deleted my sites and re-installed everything from my backups on my home server. I changed every password I could find. If you are interested there are a number of password progs out there that will generate a crazy complicated password and store it for you on your PC. A free one is called Keepass. Of course none of that matters if you are broadcasting your password for all to see.

        Originally Posted by espe View Post

        They got access to your MySQL server, they got the admin MD5 hash, they decrypted it... the password is now in their hands and they uploaded a shell (a php file with admin permission) and from that point they did whatever they wanted with your website.

        Check every line in your MySQL syntax, find possible errors and fix them.
        Thanks for that I was curious about how they may have done it.

        Anyway, best to be safe rather than sorry, completely clean your sites and re-install from scratch. I am sorry if you do not have any backups, I bet you will from now on eh?

        If you cannot get to your sites quickly then you should definitely suggest to the Google bot not to browse until you have had a chance to fix things.

        Waste of everybody's time, but I guess these losers have nothing else to do with their time, personally I prefer a good book.

        Steve C
        • Profile picture of the author cjt
          Thanks Steve
          I have everything backed up except for one of the hacked blogs. Must have slipped through the net, not that I have a lot...but that's OK, it wasn't doing much. I'll just scrap that one.
          I have deleted everything from the servers and am waiting to reinstall the one that I have.
          These blogs were on JustHost and I have been reading in some posts they are not the most loved hosts around. I have other blogs on HostGator but just thought of spreading them around.
          I did get onto JustHost support, who gave me their templated hacking info, what to do etc., but I haven't gone back for more support, thought I'd get more info in here...

          Could anyone tell me how hard/painful just to move it all back to Hostgator. Domains just need the DNS changed but what about hosting?
  • Profile picture of the author cardine
    Originally Posted by cjt View Post

    do I just restore a backup and continue playing..?
    Definitely do not do this. There is some sort of security vulnerability in one of the plugins/scripts you are using, so if you restore a backup that vulnerability will still exist and it is very likely you'll get hacked again.

    I'd change all of your passwords and upgrade all of your software to its latest versions.

    Could anyone tell me how hard/painful just to move it all back to Hostgator. Domains just need the DNS changed but what about hosting?
    A hack like this has nothing to do with what host you are using. Moving to Hostgator will not fix anything. If one of the scripts/plugins you are using has a security vulnerability, it will continue to have a security vulnerability no matter where it is hosted. What is most important is that you upgrade all of your plugins/scripts, as most developers release security patches for their software all the time.
  • Profile picture of the author Abadi339
    so sorry..
  • Profile picture of the author Ross Petal
    Sorry to hear about the hacking. It is so common nowadays. I've heard of some software you can get to protect your PC or laptop. It was mentioned in one of the WSOs in here. I'll try and get you the details.
  • Profile picture of the author masterxm
    Choosing the right password with uppercase and lowercase letters is essential for not being hacked.

    And also check your browser too, in case it's a phishing website!
  • Profile picture of the author Big Squid
    Ugh! I've been hacked a couple times and, truthfully, I'd rather lose my wallet. It's much easier.

    People have left some good advice on here, you should follow that. The one thing I'd suggest is check your .htaccess file. Make sure everything is good. Its permissions should be set at 644. Typically, hacked .htaccess files get set to 444.

    In addition, you can set up your .htaccess to block unauthorized access, and eliminate directory browsing (that is key). A simple Google search will bring up tons of info on that.
    • Profile picture of the author tomfinster
      Originally Posted by Big Squid View Post

      The one thing I'd suggest is check your .htaccess file. Make sure everything is good. Its permissions should be set at 644. Typically, hacked .htaccess files get set to 444.
      Ok, let me see if I am understanding you correctly!? Are you saying that if I set my permissions to 444 instead of 644, then I am increasing my chances of getting hacked? Is this what you are stating? And if not, can you please elaborate?

      Many Thanks,
      Tom
  • Profile picture of the author campeche10
    This is such great information, I wish I had known this before. A few months ago one of my accounts got hacked and now that I see this I will double-check all of the information
  • Profile picture of the author rising_sun
    Banned
    Increase your security or
    just read more about security,
    It's a matter of sorrow to be hacked .
  • Profile picture of the author joseph01
    SOME ADVICE:

    -> Change your password every 2 or 3 months (there is no eternal password)
    -> Don't install non-trusted plugins (WordPress or Joomla)
    -> For non-WordPress sites pay attention to SQL injection and directory browsing
  • Profile picture of the author kentooz
    What CMS did you use? If WordPress, try:
    1. Always update your CMS with new updates; this fixes CMS bugs.
    2. Do not use plugins except from wordpress.org, or use premium plugins in accordance with the new WordPress version.
    3. HTACCESS must be 644 for permission.
    4. Find suspicious scripts on your webhost.
    5. Maybe you need support from your webhosting.
    6. Check for vulnerabilities with an online vulnerability checker (search in Google).

    Hopefully this can be the solution for you
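An added example, not part of any post in this thread: a read-only shell audit for the permission problems raised above (files set to 777, `.htaccess` not at 644) plus PHP files sitting in the uploads directory. The `wp-content/uploads` layout, the function names and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only permission audit of a WordPress document root.
# Usage: sh audit.sh /path/to/docroot  (no argument: runs on a constructed demo tree)

# Files and directories writable by every account on the server (e.g. mode 777).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# .htaccess files whose mode is not exactly 644 (444 is the mode the thread
# reports seeing on tampered files).
htaccess_not_644() {
    find "$1" -type f -name .htaccess ! -perm 644 -print | sort
}

# PHP files under wp-content/uploads, a media directory that normally holds none.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) -print | sort
}

# Run all three checks; return 1 if any of them reported something.
audit_wp_perms() {
    status=0
    for check in world_writable htaccess_not_644 php_in_uploads; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            printf '[%s]\n%s\n' "$check" "$out"
            status=1
        fi
    done
    return "$status"
}

# Constructed demo tree (not taken from the thread); prints its path.
make_demo_tree() (
    umask 022
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/wp-content/uploads/2011" "$d/wp-content/themes"
    for f in index.php .htaccess wp-content/.htaccess wp-content/themes/style.css \
             wp-content/uploads/2011/logo.png wp-content/uploads/2011/img.php; do
        : > "$d/$f"
    done
    chmod 444 "$d/.htaccess"
    chmod 777 "$d/wp-content/uploads" "$d/wp-content/themes/style.css"
    printf '%s\n' "$d"
)

if [ "$#" -ge 1 ]; then
    audit_wp_perms "$1"
else
    demo=$(make_demo_tree)
    audit_wp_perms "$demo" || echo "demo tree: review the paths listed above"
    rm -rf "$demo"
fi
```

The script changes nothing on disk outside its own demo tree; each reported path still needs a look before its mode is reset or the file is deleted.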
  • Profile picture of the author abraham26
    Do you have a dedicated or VPS server? Another site on the VPS, or the server itself, can be hacked and then the hacker easily has access to any site on that server.

    1. Scan PC with antivirus updated (there are viruses that autoconnect with your FTP program and upload malicious file).
    2. Update regularly Wordpress or what CMS you are using.
    3. Update plugins and delete unused plugins
    4. Update theme
    5. Use strong passwords to not be hacked by dictionary attack
    6. Use a service that alerts you when something is changed on your code http://sucuri.net/services
    7. More security tips related to Wordpress here Hardening WordPress « WordPress Codex

    The first rule is to have always backups (there are automated ways to do that).

    I was hacked too, I know the feeling
    • Profile picture of the author so11
      Hello,

      the only way to know that everything is clean is to restore from a clean backup or do a comprehensive security audit on your site.

      The advice provided here is excellent, but the problem is you still don't know what exactly happened.

      My recommendation is :
      1.(if possible) restore from a clean backup
      2. Scan your website using a free or professional security service
      3. Patch up identified vulnerabilities and apply recommendations from the security service.
      4. Adopt good security practices

      In order to correct the problem you need to identify it first!

      good luck
  • Profile picture of the author rockong
    I hate hackers! Unless they're working for me then I love their development skills (not their hacking skills lol)

    First, contact your hosting company to see if they have backups that they can restore for you. The great hosting companies (shout out to xygenhosting) have these and will perform it for you for free.

    If they can, change your cpanel password after and make sure everything is up to date.

    If they can't, I wrote down in a .txt file step by step instructions on how to clear out WP files after being hacked. Send me a PM if you would like it.
  • Profile picture of the author IMDESTROYER
    Banned
    Was it a password hack? I'm about to launch a site but I don't have a database. Did they hack into your hosting provider's servers or did they just get past your password?