Website Hacked. Need Help please (25 posts)

  1. chrissmit
    Member
    Posted 1 year ago #

    Hi all,

    Ok, my websites are hacked. About all 10 of them.

    I know it happens to others and I know it will be solved.

    However, I'm still stuck with a couple questions. Here goes:
    All my websites run under one host (Servage.net). I have scanned a few files and all .htaccess files are infected and other files as well. I've deleted some of the .htaccess files in the different root folders, but they keep coming back.

    How do I stop this (preferably without deleting the root folder(s))?
    And if it comes to restores of backups (which I have), how do I prevent a clean site being infected by the ones I haven't cleaned yet (I can only restore them one at a time).

    thx!

  2. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

  3. chrissmit
    Member
    Posted 1 year ago #

    I've read all links.
    thanks.

    It does not answer my questions though.

    All my websites run under one host (Servage.net). I have scanned a few files and all .htaccess files are infected and other files as well. I've deleted some of the .htaccess files in the different root folders, but they keep coming back.

    How do I stop this (preferably without deleting the root folder(s))?
    And if it comes to restores of backups (which I have), how do I prevent a clean site being infected by the ones I haven't cleaned yet (I can only restore them one at a time).

    thx!

  4. The Hack Repair Guy
    Member
    Posted 1 year ago #

    If you have installed all of your websites within one common directory then you've placed yourself in a difficult situation security wise. It is very likely mass hacking of your websites will continue to occur in future.

    There are just too many variables with WordPress to be installing all of your sites within a single shared account. If one is hacked all others will be hacked (as innocent bystanders). It only takes a single old forgotten plugin or theme to light the proverbial fire...

    Your best approach in future, if you are concerned about the security of your clients, is to move each website off to their own separate FTP user/pass account. This can be done quite easily by transitioning to a cPanel WHM or Plesk style account.

    This is a very serious issue, which so many folks simply don't fully grasp for some reason. Web designers who host multiple websites within one of these so called unlimited shared accounts are simply stacking matchsticks next to the campfire... a disaster waiting to happen.

  5. chrissmit
    Member
    Posted 1 year ago #

    I indeed have an account with unlimited domain names.
    Does it make a difference if all my sites have their own folder?
    (think I know the answer...).

    So how do I stop the (re-)spreading of this virus when fixing one site at a time?

  6. The Hack Repair Guy
    Member
    Posted 1 year ago #

    You could start by moving your money making site out to its own separate account. Lock that down and at least you'll have one website clean and back up and running quickly.

    The others you'll need to work through one by one in regard to clearing out the hacks, checking every file for malware, updating, changing passwords, etc.

    There is no easy solution. Basically, a rain storm hit your dorm room (the type of hosting you have now-- dorm room style hosting), and to get fully dry your cheerleaders will need to wander off to their separate rooms and dry off...

  7. chrissmit
    Member
    Posted 1 year ago #

    Thanks for the help so far.

    After having restored everything, is there a way to find out what caused the problem, or where the infection started?

  8. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    http://codex.wordpress.org/Hardening_WordPress - if each aspect is not clear, consider hiring someone.

  9. chrissmit
    Member
    Posted 1 year ago #

    I'm not sure how that answers my question?

  10. The Hack Repair Guy
    Member
    Posted 1 year ago #

    Once you've restored you will have erased all the evidence.

    If your web host provides FTP logging you could start there to see if your FTP account was the entry point.
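The FTP-log check suggested above, as an added example that is not part of any post in this thread: it lists completed uploads of PHP, `.htaccess` and JavaScript files that came from addresses the account owner does not recognise, oldest first. It assumes the host exposes logs in the standard xferlog layout (used by wu-ftpd, ProFTPD and vsftpd); the log lines, addresses, paths and user name are constructed, and `known_hosts` is a hypothetical list of the owner's own IP addresses.

```python
from collections import namedtuple
from datetime import datetime

Upload = namedtuple("Upload", "when host path user")
WATCHED = (".php", ".htaccess", ".js")  # file types that can carry injected code

# Constructed sample in xferlog layout; addresses are documentation ranges.
SAMPLE_LOG = """\
Mon Mar 10 09:15:02 2014 1 192.0.2.10 4821 /site-a/wp-content/themes/x/style.css b _ i r siteuser ftp 0 * c
Mon Mar 10 09:15:09 2014 1 192.0.2.10 7300 /site-a/wp-content/themes/x/functions.php a _ i r siteuser ftp 0 * c
Tue Mar 11 03:42:17 2014 1 203.0.113.77 612 /site-a/.htaccess a _ i r siteuser ftp 0 * c
Tue Mar 11 03:42:19 2014 1 203.0.113.77 9140 /site-b/wp-includes/cache.php a _ i r siteuser ftp 0 * c
Tue Mar 11 03:42:25 2014 1 203.0.113.77 9140 /site-c/wp-includes/cache.php a _ i r siteuser ftp 0 * i
Wed Mar 12 10:01:44 2014 2 192.0.2.10 3300 /site-a/wp-config.php a _ o r siteuser ftp 0 * c
"""


def parse_uploads(lines):
    """Return completed uploads of watched file types, oldest first."""
    uploads = []
    for line in lines:
        f = line.split()
        if len(f) != 18:
            continue  # not an xferlog record
        direction, status = f[11], f[17]
        if direction != "i" or status != "c":
            continue  # keep only incoming transfers that completed
        if not f[8].lower().endswith(WATCHED):
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        uploads.append(Upload(when, f[6], f[8], f[13]))
    return sorted(uploads)


def unfamiliar_uploads(lines, known_hosts):
    """Uploads that came from an address the account owner does not recognise."""
    return [u for u in parse_uploads(lines) if u.host not in known_hosts]


if __name__ == "__main__":
    for u in unfamiliar_uploads(SAMPLE_LOG.splitlines(), {"192.0.2.10"}):
        print(u.when.isoformat(), u.host, u.user, u.path)
```

The earliest unfamiliar upload gives a starting timestamp to compare against file modification times, which is why the logs need to be copied off the server before any restore.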

  11. WPProHelp
    Member
    Posted 1 year ago #

    Contact your hosting provider to look into the issue. It is not the first time someone got hacked because the breach was from the hosting provider's network and not from their software / website etc.

  12. chrissmit
    Member
    Posted 1 year ago #

    Thanks for all the help guys.

    I've learned a lot!

    One more question: what are the chances my database is infected?

    I've done some searching, and it seems very unlikely. From what I've read, if a virus is in a DB it would not be able to do anything, since nothing gets executed in the DB.

    thx!

  13. WPProHelp
    Member
    Posted 1 year ago #

    If your database is infected it does not necessarily mean it will not work. I.e. it might be that the malicious user injected malware code in blog posts content, i.e. in the database and not in the theme.

    That does not mean the database is infected, but the database might contain infected code.

  14. chrissmit
    Member
    Posted 1 year ago #

    OK, thanks WPProHelp

    One more question:
    I've downloaded the files in one of my infected sites and scanned it with Sophos virus scanner for Mac.
    No viruses found...

    How can that be?

  15. WPProHelp
    Member
    Posted 1 year ago #

    It can depend on many factors. Some code might be obfuscated in the files and the antivirus will not detect them.

    Once such files are parsed by the PHP engine of the webserver, then these are executed and the end result (the virus or malware) is presented to the user.

    It could also be as I said before that the actual malware code is injected in the database; i.e. as part of "WordPress content".

  16. The Hack Repair Guy
    Member
    Posted 1 year ago #

    >I've downloaded the files in one of my infected sites and scanned it with Sophos virus scanner for Mac.

    HTML and PHP files are text files not applications or programs.

    Also, web page "malware" are not viruses.

    Sophos might catch some obvious long base64 snippets of text, but Sophos is an antivirus scanner, not an HTML/PHP malware scanner.
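What a PHP-aware check looks for, in contrast to a desktop antivirus scan, as an added example that is not part of any post in this thread: it walks every site folder under one account root and flags `.php`, `.htaccess`, HTML and JavaScript files that contain a long base64 run or a decode-then-execute call. The patterns, the 200-character threshold and the sample files are assumptions made for this illustration, and a hit only means the file deserves a manual read.

```python
import base64
import os
import re

# Heuristics only: a hit means "open this file and read it", not "this is malware".
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DECODE_EXEC = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
TEXT_NAMES = (".php", ".html", ".htm", ".js", ".htaccess")

# Constructed sample contents: the blob is harmless text, encoded to look obfuscated.
BLOB = base64.b64encode(b"constructed sample, not a payload. " * 8).decode()
SAMPLE_FILES = {
    "site-a/cache.php": '<?php eval(base64_decode("%s"));' % BLOB,
    "site-b/index.php": "<?php require 'wp-blog-header.php';",
}


def scan_text(text):
    """Return the indicator names found in one file's contents."""
    hits = []
    if LONG_B64.search(text):
        hits.append("long-base64")
    if DECODE_EXEC.search(text):
        hits.append("decode-then-execute")
    return hits


def scan_tree(root):
    """Walk every folder under root; return {relative_path: [indicators]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_NAMES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print(name, scan_text(body))
```

Running `scan_tree` on the account root rather than on one site shows which sibling folders still carry flagged files before a cleaned site is restored next to them.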

  17. chrissmit
    Member
    Posted 1 year ago #

    Ok, that makes sense.

    Thx

    Is there a way to find out (scan) what virus / hack it was?

    Something like an online scan?

  18. Try the scanner at http://sitecheck.sucuri.net/scanner/ -- they're very up to date on which exploits are out there in the wild, and the information they provide when they find something is solid.

  19. chrissmit
    Member
    Posted 1 year ago #

    I've heard of them, and indeed, when my sites were hacked it showed malware.

    I've cleaned up everything (back up restore :-) ) so it shouldn't show anything.

    I'm curious to know how I was hacked and what the hack was.

    In addition I'm curious if any of the extra security measures I took will make a difference.
    In other words, is there a site where I can "test" hack my site and see how secure it is?

  20. WPProHelp
    Member
    Posted 1 year ago #

    There is no specific site for that but there are a number of tools, such as WPScan which you can use to scan your website and they will report to you if you have something vulnerable.

    WPScan: http://wpscan.org/

  21. chrissmit
    Member
    Posted 1 year ago #

    Hi WPProHelp,

    Thanks for the link.
    Looks impressive!

    I've downloaded the zip file, but it's so impressive I don't know what to do with it.
    It looks like it uses old type Dos command style...

    Sorry to be so ignorant!

  22. WPProHelp
    Member
    Posted 1 year ago #

    It is actually a command line tool that runs on Ruby. If you let us know your URL and give me permission, I can run a number of scans against your website and send them to you.

  23. chrissmit
    Member
    Posted 1 year ago #

    Thought it was something like that...

    Thanks for the offer to help.
    But (with the utmost respect), I'm having a little difficulty giving others permission to my site.

  24. WPProHelp
    Member
    Posted 1 year ago #

    No problem at all. Good luck with fixing it.

  25. chrissmit
    Member
    Posted 1 year ago #

    thx!
