Today I got an email from this girl, she said this: my friend said dat a picture on this site... http://www.<siteremoved>.com/pic342.php was a picture of me or sumthing? could u help me find dat picture? or is there no such website? The website is actually my own one, and I didn't put that file on there (I knew it was a spammy virus as there was no picture and it's a php file it wants you to download). So I check my FTP. My password didn't work. At this point I was getting quite nervous as I make a living from this site. My cpanel password is also changed, so I reset it and *thankfully* the guy who hacked me didn't think to change the contact address on the password resetting. I check my awstats and... well... check it for yourself: As I said, I make a living from this site, it doesn't get many visits but has a very high conversion. So if any of that traffic boost was genuine, I would definitely have known. So then I check my FTP with my new password to delete the virus stuff, but I come across this htm document, dated for today's date. Here's a picture of what it's like: http://img96.imageshack.us/img96/7306/stats2cj7.jpg It has everything, from myspace to hotmail to ebay to banks. I'm guessing a 500 hundred or more different user credentials and passwords. The file itself is 2mb big, which is quite a size in notepad. There's even a separate notepad document on my FTP which has stored Paypal details, it looks like there's about 50-100 different ones. As well as the virus file (pic432.com) which is a MSDOS file, there's four new .mp3 files, I'm not sure if I should download them in case they're also bugged somehow. Anyway, anyone had the same thing happen? The guy who did it is obviously pretty professional, from the way it was all set up and the way he got tens of thousands of people on my site within a day. My password was also very secure, 8 characters using both letters and number combinations.
Any idea how I would do that? Must be a way in cpanel somewhere. I don't think it would do much good, someone like this would probably use a proxy or lives in a country where it's practically legal. I'll give it a shot if I can find it.
Well maybe somewhere in your statistics. Just look for something unusual. I don't know, sometimes even the most clever hackers forget to cover their IP.
Well, first things first. Are you on dedicated or shared hosting? I would contact my hosting company immediately. Also be sure to store any logs you have. This is how hackers supposedly set up phishing sites. Then when people find out the problem it's you who has to do the explanation. This is really sad, but I've heard there is some really dirty competition out there that would pay for someone to hack your server and report you as a phishing site and blacklist you. I've had something similar happen to me when I was in top 5 search results for a highly competitive term. Good luck to you!
Well, you might want to check your FTP stats/logs to find the IP address from where those files were uploaded. Chances are very low that you might find the correct IP address, as the attacker seems to be professional. If you have backup files, make sure you replace all the files in your server, including database if any, as there might be a backdoor installed.
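One way to do the FTP log check suggested above, as an added example that is not part of the original thread: it parses transfer records in the xferlog layout written by common FTP daemons and groups completed and aborted uploads by source address. The log lines, paths, user name and addresses below are constructed; where the transfer log lives depends on the host.

```python
from collections import defaultdict

# Constructed sample records (xferlog layout); addresses are documentation ranges.
SAMPLE_LOG = """\
Mon Mar  5 09:12:44 2007 1 198.51.100.23 4096 /home/site/public_html/index.html b _ o r siteuser ftp 0 * c
Tue Mar  6 03:41:10 2007 2 203.0.113.77 20480 /home/site/public_html/pic342.php b _ i r siteuser ftp 0 * c
Tue Mar  6 03:41:58 2007 9 203.0.113.77 2097152 /home/site/public_html/stats log.htm b _ i r siteuser ftp 0 * c
Tue Mar  6 03:44:02 2007 3 203.0.113.77 3145728 /home/site/public_html/track1.mp3 b _ i r siteuser ftp 0 * i
garbage line that is not a transfer record
"""

def parse_xferlog_line(line):
    """Return a dict for one transfer record, or None if the line is malformed."""
    parts = line.split()
    # 5 date tokens + duration + host + size + filename (>=1 token) + 9 trailing fields
    if len(parts) < 18 or not parts[5].isdigit() or not parts[7].isdigit():
        return None
    tail = parts[-9:]  # type, action flag, direction, access mode, user, service, auth, auth id, status
    if tail[2] not in ("i", "o", "d") or tail[8] not in ("c", "i"):
        return None
    return {
        "time": " ".join(parts[:5]),
        "host": parts[6],
        "size": int(parts[7]),
        # The filename may contain spaces, so take everything between size and the tail.
        "path": " ".join(parts[8:-9]),
        "direction": tail[2],      # i = upload to server, o = download, d = delete
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def uploads_by_host(log_text):
    """Group incoming transfers (uploads) by the remote address that sent them."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["direction"] == "i":
            grouped[rec["host"]].append(rec)
    return dict(grouped)

if __name__ == "__main__":
    for host, recs in uploads_by_host(SAMPLE_LOG).items():
        print(host)
        for r in recs:
            state = "complete" if r["complete"] else "incomplete"
            print(f"  {r['time']}  {r['user']}  {r['size']:>8}  {state}  {r['path']}")
```

Keep a copy of the raw log alongside any report like this, since the hosting company will want the original records.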
Making a living off 320 hits a day (and awstats inflates stats terribly to begin with).. Wow.. No matter how the conversions are, that's hard to believe. Anyways, what was he doing, running phishing scams thru your server and saving the info on them? I had that happen to me just last week - one of my sites got hacked (smaller site, I didn't really notice), and I got an email from my database center saying that I have 6 hours to get it off or my server's being shut down. Anyways, if you really are making a living off that site, do yourself a favor and don't run it on a cpanel host. I've had way too many experiences with hacking.. Once, a hacker got access to everything and anything on my server. I told my host he got into my cpanel and he called me a liar. I continued speaking to the hacker, and told him what my host had said. He gave me my host's cpanel information - for his main business website. As krishmk said, restore the files, a backdoor could be installed. Be careful..
I remember getting hacked by some Indian guy... the hacker alias was "sameklink" and he had a website (don't go to it!!!!) which would be sameklink.tk DON'T GO TO IT 'again' ... Anyways, I'm not using cpanel, instead vdeck <-i know it can be a pain... Remember to disable the "anonymous" ftp browsing for that must be the way he uploaded his little virus. Also another site hosted on a vdeck panel that I had created for my friend to sell his little iPod cases and cell phone cases @ ecasesdirect.com <- LOL same thing, the anonymous ftp was enabled but I haven't helped him with this since he never paid me for what he had promised. Also, I read you made your "living" from this website. Do you still live with mom and dad? My website msmods.com is getting 4-5 X the traffic and I can't seem to understand how you do it?
So many people have been infected and keep sending me those same messages on MSN. It gets annoying. But wow, I didn't really expect it to be that bad.. 2MB of passwords, etc. is a lot..