Support » Everything else WordPress » Website been hacked

  • It’s not technically related to the WP software, but I am hoping that some kinder soul her might help me figure things out. It’s my website, including my blog, that has been hacked.

    Whenever I try to access my website (http://sofv.uni.cc) or the subdomains under it, the page is forcefully redirected to an infected webpage, which cause my domain to be suspended by my host. So far, I have found out besttraff.us/top/index.html and toolbarpartner.com as the sites that the redirection leads to. I have ban their IP, but it doesn’t seem to solve the problem. I also run virus scan on my own domain, and it comes off clean. There was no redirection set up by me either.

    What should I do?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Do you have shell access or some way to modify your files? If so, check your .htaccess file at the web root. Look for redirects there. Also, make sure that only you have write access to that file.

    Also, if you have ftp access, try renaming files that you think may be causing this – it could be the .htaccess, it could be another file.

    And when you regain control, CHANGE ALL YOUR PASSWORDS

    Thread Starter gaebe

    (@gaebe)

    I can get to my files via Cpanel and the .htaccess file in the public_html has no redirect. That’s what I get:

    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    SetEnvIfNoCase Referer “^http://sofv.uni.cc/” locally_linked=1
    SetEnvIfNoCase Referer “^http://sofv.uni.cc/” locally_linked=1
    SetEnvIfNoCase Referer “^$” locally_linked=1

    ErrorDocument 401 /404.html
    ErrorDocument 402 /404.html
    ErrorDocument 403 /404.html
    ErrorDocument 404 /404.html

    <Limit GET POST>
    #The next line modified by DenyIP
    order allow,deny
    #The next line modified by DenyIP
    #deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName http://www.sofv.uni.cc
    AuthUserFile /home/sofv/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/sofv/public_html/_vti_pvt/service.grp

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.catharsis.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.catharsis.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.gaebe.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.gaebe.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.glenn.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.glenn.sofv.uni.cc$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.cjb.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.cjb.net$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.uni.cc/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.sofv.uni.cc$ [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|mp3)$ – [F,NC]
    deny from 65.75.165.80
    deny from 195.225.176.30

    It might not be the .htaccess – you can set up redirects in any files.

    I can see your site – what exactly do I need to do to get redirected ?

    Thread Starter gaebe

    (@gaebe)

    hmm…. Well, right now it seems to work fine, but there’s still two of the subdomains that’s not accessible. I’m assuming that it’s because I banned the IP of the 2 websites being redirected to. But over the past two days, I have been able to access the website on and off. At moments, it seems fine (like now) and then it gets redirected again.

    You don’t have to actually do anything to get redirected. When I typed the domain in the address bar, the page either get automatically redirected, and my antivirus catch a whole load of trojan files, or I get to see the suspended page by my webhost.

    Hmm….if this were mine, I’d backup everything and then start deleting files. You could get the files in your machine, scan them, open them and then rebuild the site ?

    Thread Starter gaebe

    (@gaebe)

    The two subdomains still inacessible is http://glenn.sofv.uni.cc and http://catharsis.sofv.uni.cc

    Thread Starter gaebe

    (@gaebe)

    Do you mean scan with antivirus? I could download the files on my computer. Should I scan the databases too? Also, I’m not sure if there’s actually a virus on *my* files, seeing as the virus scan on the domain came off clean… I’m not sure if the antivirus could catch something like a redirect… =(

    And what are exactly should I be looking in the files?

    If this were my site, I would download all the files to my computer.
    I would then delete everything from the server.
    I’d upload a single page explaining the downtime.

    I would then scan everything on your machine, and open up every page of code. Once I was satisfied it was all clean – doing it section by section – I would reupload.

    But:
    – I would change every single password that you use on that server and if others have acess, change theirs too
    – I would make sure that permissions on all files were as low as possible (max 755)

    Hosts never really help out in situations like this, they just close you down – as you have seen.

    As for viruses ? Not sure – they could be being remotely loaded.

    Either way, if your site has been hacked, you need to do something.

    Thread Starter gaebe

    (@gaebe)

    Ok. Thanks. I need to do something, that’s for sure. 🙁 Is it possible for someone to do this without having access to my files?

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Website been hacked’ is closed to new replies.