I have a site running indexu 5.4 and it has been completely hijacked. The url is garages[dot]ie/index.php can someone pls help me fix this?
Most sites are hacked by various means, these include
a) weak password for the script in question
b) weak password for the control panel
c) weak password for ftp logins
d) weak password for root logins
e) lack of login flood control for root accounts
f) hole or exploit in software
g) login hijacked via keylogger (scumware installed)
As you can see, most sites are hacked for weak passwords. There are no known exploits for IndexU 5.4x/Deluxe so that's not an issue here.
Step 1
Scan your computer with a known good online virus scanner such as Kaspersky or Panda Activescan. Once that has cleaned everything it can, download a tool called Spybot - Search & Destroy.
After Spybot has run and cleaned everything it can, go back to the virus scanner and scan your system again.
Yes you may need to pay for antivirus software. If you don't want to pay then please stop reading right now because I don't want to help you if you won't help yourself.
Step 2
Stop using Internet Explorer for god's sake! Internet Explorer is the worst browser known to humankind for allowing software to install without your knowledge. Switch to Opera or Firefox.
Step 3
Change your email address if you are using a free service like hotmail, yahoo or gmail for sensitive emails that may contain passwords and usernames. Email addresses by ISPs are typically safer and don't expire like free accounts do. Never use a free email for domain registration.
Step 4
Determine how the hacker got in. Check your raw logs, control panel logs and FTP logs for IP addresses that do not belong to you. Find out what URLs they went to or where the login occurred such as FTP or SSH.
If they exploited a script on your server then delete the script in question. If it was a brute force attack to log into FTP then move to Step 5.
If it was a successful brute force attack on your root account STOP and get professional help (see HELP at the end of this post).
Step 5
Change all of your passwords to a secure password. A secure password is at least 10 characters in length and contains uppercase and lowercase letters, numbers and symbols.
An example of a secure password is c+ylSu@&XW
Yes it's hard to remember, but no one is going to guess it. The longer and more difficult it is the harder it is to brute force or guess it.
Step 6
Since you have already determined how the hacker got in and removed the offending script now you can repair and/or replace any files that were damaged or deleted.
This is where regular and routine backups come in handy. You can have your site restored in minutes.
HELP
If you run a dedicated server and you found that your root account was exploited please contact a professional to get them to fix your system before you do any further work on your site. Platinum Server Management are great guys that will help you with your system but they only work on cPanel servers. Their cost is $29.99 per month, a real deal even if you only use them to fix up your system once and cancel.
And now on to the nitty gritty. I'll gladly take a look at your system. I would need the following
whm username and password (if you have WHM)
cpanel username and password
ftp username and password (typically the same as cpanel)
indexu username and password
your license key
a backup if you have one
a deposit of $50
What do you get?
I will check to see where they came in and how it was done.
I will replace your broken/damaged/missing files and restore the site.
I will ensure that everything I can fix will be fixed.
The final price may be well and above $50, remember that's only a deposit.
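The log check described in Step 4 of the post above can be scripted. This is an added example, not part of the original post: it assumes Apache combined-format access lines and standard sshd auth lines, and the sample log, the IP addresses and the `/admin/...` paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (documentation-range IPs, hypothetical paths); not real server data.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2008:10:02:11 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [21/May/2008:23:41:02 +0100] "POST /admin/login.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [21/May/2008:23:41:40 +0100] "POST /admin/upload.php HTTP/1.1" 200 97 "-" "Mozilla/4.0"
May 21 23:39:55 host sshd[4211]: Failed password for root from 198.51.100.23 port 40122 ssh2
May 21 23:40:09 host sshd[4215]: Accepted password for root from 198.51.100.23 port 40131 ssh2
May 21 09:15:00 host sshd[1200]: Accepted password for siteowner from 203.0.113.7 port 51000 ssh2
"""

ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SSHD = re.compile(r'^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: (Accepted|Failed) \S+ '
                  r'for (?:invalid user )?(\S+) from (\S+)')

def foreign_activity(log_text, known_ips):
    """Return {ip: [(timestamp, source, detail), ...]} for IPs not in known_ips."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS.match(line)
        if m:
            ip, ts, method, url, status = m.groups()
            event = (ts, "http", f"{method} {url} -> {status}")
        else:
            m = SSHD.match(line)
            if not m:
                continue  # line is in neither of the two formats handled here
            ts, result, user, ip = m.groups()
            event = (ts, "ssh", f"{result} login as {user}")
        if ip not in known_ips:
            hits[ip].append(event)
    return dict(hits)

def brute_force_successes(activity):
    """IPs whose SSH events show a failed login later followed by an accepted one."""
    flagged = []
    for ip, events in activity.items():
        results = [detail.split()[0] for _, src, detail in events if src == "ssh"]
        if "Failed" in results and "Accepted" in results[results.index("Failed"):]:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    activity = foreign_activity(SAMPLE_LOG, known_ips={"203.0.113.7"})
    for ip, events in activity.items():
        print(ip, *events, sep="\n  ")
    print("failed-then-accepted SSH logins from:", brute_force_successes(activity))
```

Put your own home, office and monitoring addresses in `known_ips`; anything left over shows which URLs were requested and where a login occurred.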
but I use only firefox on a mac and do not have a particularly weak password!
Last edited by galwegian; 05-22-2008 at 04:01 PM.
'The final price may be well and above $50, remember that's only a deposit.'
think I'll pass on that one.. thought this was a support forum not a rip off scam for faulty software
Last edited by galwegian; 05-22-2008 at 04:06 PM.
It's not IndexU that's at fault, and that's the problem here.
It could be your computer, it could be your host, it could be your control panel, it could be any of your passwords such as root, ftp, ssh, mysql or indexu.
And this is a support forum, go talk to a security specialist or even your host and ask them how much they would charge. $50 is a bargain in comparison.
Please contact your webhost, they're the 1st one you may contact, and ask for the footprint of the hacker. If it's on a shared server, and if SSH is available, then the risk of being hacked becomes higher.
Since you're using a Mac, I assume no problem with your PC; please ask the webhost for a possible hacker footprint. If it goes to the indexu script, we'd be happy to work with you.
Last edited by dody; 05-22-2008 at 10:00 PM.
The first thing I did was get on to hosts, they assured me the problem was not on their side and was to do with the software I used for the site. I have several other websites using custom built web applications and none have been hacked..
Hold on here, don't think of Mac OS X as "secure". In 2007 there were 234 "critical" vulnerabilities. I wouldn't call that a secure OS by any stretch of the imagination.
Sure anything before OS X might be safe, but not any more.
galwegian, let's play it this way. Send me the following
whm username and password (if you have WHM)
cpanel username and password
ftp username and password (typically the same as cpanel)
indexu username and password
your license key
a backup if you have one
I'll check your site out for free. But if I find that the exploit was because of anything other than IndexU (that doesn't include weak password by the way) then you can send me double my estimated fee above and I'll fix it.
I'll need full logs for the past 48 hours to make sure you haven't changed your passwords just to keep it on the up and up.
And as a side note - hosts lie, constantly. Because they want you to feel safe and keep pouring money into them.
Thanks for the offer Bruceper. I have a programmer working on this and he has restored the site. He says he can't find how they got in though so it seems that it may be open to further attacks in the future.. If this happens I will take you up on your offer - if still open - and will definitely pay if it's not the software..
Absolutely it's an open offer for a few months (I won't say forever because that's technically impossible).