  1. #1

    My Website Got Compromised

    I have a virtual account with several domains on it. The root domain has an index.php. I noticed someone created a ton of spam pages on my root domain and modified the .htaccess. None of the other domains on the account were hacked.

    The host tech support said my FTP was compromised and accessed from some IP in Russia, and that the hackers stole my FTP password with spyware.

    I read in other places, however, that this is not spyware but because of the PHP index file. Now, I have a good antivirus and spyware tool and never noticed a problem, but I am worried because if they did have spyware they also have my other banking and email passwords.

  2. #2
    Join Date: Aug 2010 | Location: Canada | Posts: 314
    Likely you'd be best to go through those accounts and change the passwords to them. If your scripts are insecure/out of date, they can possibly be hacked, so I'd also make sure to update your scripts to the latest versions as well.
    ElicitServers - Canadian hosting dedicated customer satisfaction! Shared/Reseller/VPS/Dedi/Colo
    100% redundant, 100% owned/maintained, GigE connectivity
    Offsite backups, 24/7 support (1-877-533-8993), 30-day money back | cPanel hosting

  3. #3
    Use SFTP in the future.
    My personal blog -- rubiverse.net

  4. #4
    Join Date: Apr 2011 | Location: [[email protected] ~] | Posts: 108
    Try transferring files through SFTP. It is the same protocol as SSH.

    --cP
    Revo4 - The Revolution In Clustered Hosting.
    Redundant H-Sphere Linux Hosting w/ True 99.9% Uptime.
    Why Not Get Started Today?
    corey @ revo4.com

  5. #5
    Join Date: Feb 2010 | Location: Worldwide | Posts: 60

    Hi,
    Regrettably this type of situation is pretty common nowadays. It's very likely your password was compromised through your personal computer.

    My favorite malware checking software is free and can be downloaded at:
    http://malwarebytes.org

    Try this software to see if your computer harbors malware / viruses, which are often installed to steal passwords, address book lists and the like.

    Likewise, as mentioned before, make sure to check whether your hosting account has any additional FTP accounts set up and delete those, as well as change your current FTP password. If you are running an application like Wordpress or Joomla, make sure to change the passwords on those as well.

    It's unlikely your web host was compromised. Though since you've been hacked once, it may be worthwhile to look around for another web host who provides "free daily malware scans" as part of their service. Had your host been monitoring your account for malware you would have been notified the day of the compromise (a necessity if you are running a business online).

    Best Wishes,
    Jim Walker
    The Hack Repair Guy

  6. #6
    Join Date: Oct 2008 | Location: Chicago, IL | Posts: 190

    It's impossible to determine how your site was hacked.

    If your hosting provider determined that your site was compromised by viewing the FTP logs, and the username in the logs was the same as yours, then yes, it may have been a virus on your PC that stole your FTP credentials.

    You have some good recommendations so far:

    1. Use SFTP. FTP transfers all data, including username and password in plain text. If you get a virus on your PC, the virus can install a sniffer which can view all FTP traffic. SFTP is encrypted, making it much more difficult to sniff.

    2. Use Malwarebytes along with another good anti-virus program, such as Avast or AVG.

    3. Don't use a free FTP program. These frequently store their saved credentials in a plain text file. The virus can seek and steal this information.

    What you don't mention is if your website is using some CMS or ecommerce software.

    All software has a vulnerability at one time or another. Keep your software and all your plugins updated. We've seen vulnerabilities being exploited in software used to manage the FAQs on websites, phpMyAdmin, Joomla, WordPress, OpenCart, osCommerce, Zen Cart, Magento, VirtueMart, and almost all other software.

    You have to keep them all updated. Also keep the plugins updated.

    Implement a good strong combination of .htaccess files and php.ini files. These will go a long, long way to protect your websites.

    One last comment: while the economy of scale works well for hosting many websites on one account, it also makes any one of them vulnerable. Hackers upload shell scripts to websites, which are basically like a File Manager without a login.

    This gives them total access to every file in your account. You have no idea which site might have a backdoor shell script in it until all the files are examined. Desktop anti-virus programs are ill-equipped to find these backdoors. Our tests show that they can only find about 18-20% of backdoors that hackers use.

    Please post back with more questions or any additional information.
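
A first-pass triage for the situation in this thread (spam pages added, `.htaccess` modified, several domains under one account), given as an added example that is not from any poster. It walks the whole account rather than one site, flags `.htaccess` and PHP files changed since a cutoff, and flags PHP files of any age whose content matches a few heuristic patterns; the patterns, the extension list and the 30-day default are assumptions and will not catch every backdoor.

```python
import os
import re
import time

# Heuristic patterns (assumed, not exhaustive): code that decodes a string and
# executes it, or passes request input straight to an execution function.
SUSPICIOUS = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|(eval|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)
PHP_EXT = (".php", ".phtml", ".php5", ".inc")  # assumed list of executable extensions


def triage(account_root, since_epoch):
    """Return sorted (relative_path, reasons) for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(account_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                recent = os.stat(path).st_mtime >= since_epoch
            except OSError:
                continue
            reasons = []
            lower = name.lower()
            if lower == ".htaccess" and recent:
                reasons.append("htaccess-modified")
            if lower.endswith(PHP_EXT):
                if recent:
                    reasons.append("php-modified")
                # Content is checked regardless of mtime: timestamps can be reset.
                try:
                    with open(path, "rb") as fh:
                        if SUSPICIOUS.search(fh.read(2_000_000)):
                            reasons.append("exec-of-decoded-or-request-data")
                except OSError:
                    reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, account_root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 30
    for rel, why in triage(root, time.time() - days * 86400):
        print(f"{rel}\t{','.join(why)}")
```

Compare every flagged file against a known-good backup or the vendor's original before deleting anything, and treat a clean result as "nothing matched these heuristics", not as proof the account is clean.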
