My hosting provider has told me that my server has been "fully rooted" and the only way to fix it is a reinstallation from scratch. That is very frightening to me because it will take a lot of time to set up again and this will cause major downtime. Is there no other way to resolve the issue without reinstallation?
Hi, this is the "safe" and generally recommended approach to resolving the issue, simply because it can be extremely difficult to impossible to know what has been changed on the system. Some hosts will not allow any other course of action, as most people will just ignore it and get exploited constantly. I would recommend that you do the reinstall, and if you need help getting everything set up again you might want to think about hiring an admin to install everything and lock down the server while he is at it.
I should just mention that what happened was the exploit added javascript at the bottom of a few index.php files, which then caused fake anti-virus pop-ups. This is the worst time for something like this to happen to my website; we are experiencing our best time of the year, so I'm looking to pay someone to fix this.
All I can say is I hope you had a backup. This is something I have gone through a few times; it is what it is. Just keep a copy of all your work and back up all the time. Good luck with your new server.
This does not sound like a "fully rooted" problem, as this type of attack is generally caused by weak or compromised ftp account passwords. I would highly recommend consulting a decent systems admin to take a look at the server, assess the actual damage and suggest a solution. In my personal experience most of the dedicated server admins will not take the time to actually look at the problem. The response provided by your provider looks to be a simple template and does not appear to contain any relevant information about the attack. If you want to take a look yourself, I would recommend running chkrootkit and rkhunter to start. If just your pages have been altered, I would recommend that you delete and re-upload all your website files after changing all your ftp passwords.
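As an added illustration of the "assess the actual damage" step (this is example code written for this thread, not something any of the posters ran), the script below does two defender-side checks on a web root: it compares a SHA-256 manifest of the current files against a manifest taken from a clean backup, and it flags pages where a `<script>` tag appears after the closing `</html>`, which is the appended-javascript symptom described above. The web root, file names and the appended script URL are all constructed inside the script so it runs offline; in practice you would build the known-good manifest from your backup before comparing.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample content (not from the poster's server): a clean page and the
# same page with a <script> tag appended after </html>, the symptom the thread describes.
CLEAN_INDEX = "<html><body><h1>Shop</h1></body></html>\n"
APPENDED_SCRIPT = '<script src="http://example.invalid/x.js"></script>\n'

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html>", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(known_good: dict, current: dict) -> dict:
    """Compare a manifest taken from a clean backup with one taken now."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(k for k in known_good
                           if k in current and known_good[k] != current[k]),
    }


def has_trailing_script(text: str) -> bool:
    """True if a <script> tag appears after the last </html>, i.e. content was appended past the page end."""
    ends = list(HTML_END_RE.finditer(text))
    if not ends:
        return False
    return SCRIPT_RE.search(text, ends[-1].end()) is not None


def scan_for_appended_scripts(root: Path, suffixes=(".php", ".html", ".htm")) -> list:
    """Relative paths of page files whose content has a <script> after the closing </html>."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            text = p.read_text(encoding="utf-8", errors="replace")
            if has_trailing_script(text):
                hits.append(p.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Build a constructed web root, snapshot it clean, tamper with it, and report both checks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "shop").mkdir()
        (root / "index.php").write_text(CLEAN_INDEX, encoding="utf-8")
        (root / "shop" / "index.php").write_text(CLEAN_INDEX, encoding="utf-8")
        (root / "shop" / "style.css").write_text("body{}", encoding="utf-8")
        known_good = build_manifest(root)  # what a manifest of the clean backup would give you

        # Simulate the incident (constructed): append a script to one index.php and drop a new file.
        with (root / "shop" / "index.php").open("a", encoding="utf-8") as f:
            f.write(APPENDED_SCRIPT)
        (root / "shop" / "dropped.php").write_text("<?php /* constructed */ ?>", encoding="utf-8")

        return {
            "manifest_diff": diff_manifests(known_good, build_manifest(root)),
            "appended_scripts": scan_for_appended_scripts(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest diff is the more general check: it catches dropped files and edits with no `<script>` at all, which the tail scan would miss, so run it against a backup you trust before deciding that "just the pages" were altered. Neither check says anything about the rest of the system, which is why the earlier replies still point at chkrootkit, rkhunter, or a rebuild.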
I can take care of your server administration .. if you pay me some $ .. I can patch all exploits in your server .. add me on MSN, I have full experience managing secured Linux servers for 5 years
Usually the safest thing to do when you are rooted is to re-install and start from scratch. You have no way of knowing everything they put on there. Leave it as is, and they will likely get right back in again.
Yeah it was done by a guy with the email address I just changed my password and it looks like I caught it pretty fast