Hi, the sites on my VPS were hacked yesterday and I am having trouble finding all the .php files they uploaded. I have about 50 sites and am not sure how many got affected but I think it was many, I'm still checking. I was told the 2 things I needed to do were: delete all these 234334.php files and edit the htaccess file to remove the redirect code. But I am not sure how they got in. I have separate logins for cPanel for about 10 sites and some of those remote sites also got the hack. Any ideas on how to find the files that were uploaded more easily than going through each folder one by one, and find out how they got in so I can close that? I am a non-programmer btw, thanks for any help offered.
Since you don't know how you got hacked, it could have been done a few different ways. 1. You yourself could have gotten hacked (keylogged, backdoored etc.) and your passwords stolen, then someone logged into FTP/cPanel. 2. Your web scripts are vulnerable to some form of web exploitation. 3. The server your websites are located on was either hacked or configured insecurely. If you would like help finding the files the hacker uploaded and figuring out and preventing how they got in the first time, feel free to shoot me a PM.
My websites were also hacked this week. All my .htaccess files were infected. What I did is, I reported it to my web hosting provider, and after a few hours all infected files were deleted. (HostGator rocks)
If you would like help determining how this attack happened, I do offer a service of post-hacking forensics & pentesting (seeing if I can find vulnerabilities in your site and then fix it).
Thanks for the responses. I have someone cleaning out the infected files and removing the hacker's uploaded files. It is still not clear how they got in. I do not think they hacked me. I have 2 separate hosts with sites and they both got hit. Some sites on the server got infected and some did not. The thing in common between the separate sites on the 2 servers was the blog themes and plugins. That might be how they got in. Thanks again.
If you think it's your host, that can be the problem with shared hosting. A lot of sysadmins don't take the time to secure shared hosting as well as they should.
I thought: rename public_html to another name like 'public_html_hacked', then create a new 'public_html' folder, then re-upload the clean files.
If you're using WordPress you absolutely must make sure you keep everything up to date - plugins, themes, etc. (even ones you don't have activated) - everything. I also recommend using a few security plugins. My entire portfolio of sites was hacked not long ago and I am now militant about security. Once you get everything cleaned up, backups are a must. I just use a cloning script for my WP sites and that does the trick. Here are the security plugins I use: Bulletproof Security by Edward Alexander; Ultimate Security Checker by Eugene Pyvovarov; Secure WordPress by Website Defender; WP Security Scan by Website Defender. The Ultimate Security Checker gives some GREAT easy-to-follow tips on beefing up your site's security. I highly recommend spending 30-60 minutes installing and learning these. Once you get to know them, it will only take you 10 minutes to get them all going. I hope that helps.
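For the original question about locating the uploaded files without opening every folder, here is an added example (not part of any post in this thread) of a read-only shell triage that can be run over SSH against the directory holding the sites. It assumes the dropped files share the digits-only naming of the 234334.php mentioned in the first post and that the .htaccess redirect code uses RewriteRule or Redirect with an absolute URL; the function names and the 7-day default are this example's own.

```shell
#!/bin/sh
# Added example: read-only triage. Nothing is deleted or modified.
# Usage: sh triage.sh /home/USER [days]   (path is a placeholder)

# List .php files whose name is digits only, e.g. 234334.php.
# Assumption: the uploaded files all follow that naming pattern.
find_numeric_php() {
    find "$1" -type f -name '*.php' 2>/dev/null |
        grep -E '/[0-9]+\.php$' | sort
}

# List .php files changed in the last N days, to catch uploads
# that were given ordinary-looking names.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# List .htaccess files containing a redirect to an absolute http(s) URL.
# Assumption: the injected redirect uses RewriteRule/Redirect/RedirectMatch.
find_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' 2>/dev/null | sort |
        while IFS= read -r f; do
            if grep -Eiq '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

triage() {
    echo "== numeric-named PHP files =="
    find_numeric_php "$1"
    echo "== PHP files modified in the last $2 days =="
    find_recent_php "$1" "$2"
    echo "== .htaccess files with absolute-URL redirects =="
    find_htaccess_redirects "$1"
}

# Run only when a directory argument is supplied.
if [ -n "${1:-}" ]; then
    triage "$1" "${2:-7}"
fi
```

Legitimate rules that force HTTPS or a canonical hostname will also appear in the .htaccess list, so each hit needs a look before anything is removed. The modification-time list is only as trustworthy as the timestamps, which an intruder with write access can change.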