
Website been hacked (12 posts)

  1. gaebe
    Member
    Posted 9 years ago #

    It's not technically related to the WP software, but I am hoping that some kinder soul here might help me figure things out. It's my website, including my blog, that has been hacked.

    Whenever I try to access my website (http://sofv.uni.cc) or the subdomains under it, the page is forcefully redirected to an infected webpage, which caused my domain to be suspended by my host. So far, I have found out besttraff.us/top/index.html and toolbarpartner.com as the sites that the redirection leads to. I have banned their IPs, but it doesn't seem to solve the problem. I also ran a virus scan on my own domain, and it came off clean. There was no redirection set up by me either.

    What should I do?

  2. ColdForged
    Member
    Posted 9 years ago #

    Do you have shell access or some way to modify your files? If so, check your .htaccess file at the web root. Look for redirects there. Also, make sure that only you have write access to that file.

  3. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Also, if you have ftp access, try renaming files that you think may be causing this - it could be the .htaccess, it could be another file.

    And when you regain control, CHANGE ALL YOUR PASSWORDS

  4. gaebe
    Member
    Posted 9 years ago #

    I can get to my files via Cpanel and the .htaccess file in the public_html has no redirect. That's what I get:

    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    SetEnvIfNoCase Referer "^http://sofv.uni.cc/" locally_linked=1
    SetEnvIfNoCase Referer "^http://sofv.uni.cc/" locally_linked=1
    SetEnvIfNoCase Referer "^$" locally_linked=1

    ErrorDocument 401 /404.html
    ErrorDocument 402 /404.html
    ErrorDocument 403 /404.html
    ErrorDocument 404 /404.html

    <Limit GET POST>
    #The next line modified by DenyIP
    order allow,deny
    #The next line modified by DenyIP
    #deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName http://www.sofv.uni.cc
    AuthUserFile /home/sofv/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/sofv/public_html/_vti_pvt/service.grp

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.uni.cc$ [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|mp3)$ - [F,NC]
    deny from 65.75.165.80
    deny from 195.225.176.30

  5. Mark (podz)
    Support Maven
    Posted 9 years ago #

    It might not be the .htaccess - you can set up redirects in any files.

  6. Mark (podz)
    Support Maven
    Posted 9 years ago #

    I can see your site - what exactly do I need to do to get redirected ?

  7. gaebe
    Member
    Posted 9 years ago #

    hmm.... Well, right now it seems to work fine, but there are still two of the subdomains that aren't accessible. I'm assuming that it's because I banned the IPs of the 2 websites being redirected to. But over the past two days, I have been able to access the website on and off. At moments, it seems fine (like now) and then it gets redirected again.

    You don't have to actually do anything to get redirected. When I typed the domain in the address bar, the page either got automatically redirected and my antivirus caught a whole load of trojan files, or I got to see the suspended page from my webhost.

  8. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Hmm....if this were mine, I'd backup everything and then start deleting files. You could get the files in your machine, scan them, open them and then rebuild the site ?

  9. gaebe
    Member
    Posted 9 years ago #

    The two subdomains still inaccessible are http://glenn.sofv.uni.cc and http://catharsis.sofv.uni.cc

  10. gaebe
    Member
    Posted 9 years ago #

    Do you mean scan with antivirus? I could download the files on my computer. Should I scan the databases too? Also, I'm not sure if there's actually a virus on *my* files, seeing as the virus scan on the domain came off clean... I'm not sure if the antivirus could catch something like a redirect... =(

    And what exactly should I be looking for in the files?

  11. Mark (podz)
    Support Maven
    Posted 9 years ago #

    If this were my site, I would download all the files to my computer.
    I would then delete everything from the server.
    I'd upload a single page explaining the downtime.

    I would then scan everything on your machine, and open up every page of code. Once I was satisfied it was all clean - doing it section by section - I would reupload.

    But:
    - I would change every single password that you use on that server and if others have access, change theirs too
    - I would make sure that permissions on all files were as low as possible (max 755)

    Hosts never really help out in situations like this, they just close you down - as you have seen.

    As for viruses ? Not sure - they could be being remotely loaded.

    Either way, if your site has been hacked, you need to do something.
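One way to run the checks this thread suggests (redirects in .htaccess, redirects planted in other files, permissions no looser than 755) against the downloaded copy before re-uploading; this is an added example, not code from the thread, and the patterns, function names and directory layout are my own assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the thread): scan a downloaded copy of a
# site for injected redirects and over-permissive files before re-uploading.
# Usage: scan_site_copy /path/to/downloaded/public_html

# Apache directives that can send a visitor elsewhere. The thread's own
# .htaccess uses RewriteRule only to block hotlinking, so every hit still
# needs a human look; a rule pointing at an unfamiliar domain is the red flag.
HTACCESS_PATTERN='^[[:space:]]*(Redirect(Match|Permanent|Temp)?[[:space:]]|RewriteRule.*https?://|ErrorDocument.*https?://)'

# Client-side redirects and obfuscated PHP: a redirect can be planted in
# any file the server ships, not just .htaccess. Legitimate scripts also
# use window.location, so review each hit rather than deleting blindly.
CONTENT_PATTERN='http-equiv=["'"'"']?refresh|window\.location|document\.location|<iframe|eval[[:space:]]*\(|base64_decode[[:space:]]*\(|header[[:space:]]*\([[:space:]]*["'"'"']Location'

# Prints one "category: path" line per finding, sorted.
scan_site_copy() {
    root="$1"
    {
        find "$root" -type f -name '.htaccess' \
            -exec grep -Eil "$HTACCESS_PATTERN" {} + 2>/dev/null \
            | sed 's/^/htaccess-redirect: /'
        find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
            -exec grep -Eil "$CONTENT_PATTERN" {} + 2>/dev/null \
            | sed 's/^/suspect-content: /'
        # Group- or world-writable entries: anything looser than 755.
        find "$root" \( -perm -020 -o -perm -002 \) \
            | sed 's/^/loose-perms: /'
    } | sort
}

# Number of findings; 0 means nothing was flagged, not that the site is clean.
scan_site_copy_count() {
    scan_site_copy "$1" | wc -l | tr -d ' '
}
```

Run it against the local copy only; the point is to review what it flags, then rebuild from files you have read, as podz describes.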

  12. gaebe
    Member
    Posted 9 years ago #

    Ok. Thanks. I need to do something, that's for sure. :( Is it possible for someone to do this without having access to my files?
