Hacker remnants

[soccio97]

I'm not sure if this is the proper forum, so let me know if it's not.

I have a website with 93 sub-domains. About a week ago my main site was hacked. My hosting provider was able to get me back on line but three of the sub-domains still have the hackers message rather than showing the site pages.

I have little faith in my hosting provider (I'm in the process of changing). Can someone tell me where and what to look for to get things back on track?

The message that appears is different on each page:

- www.golf.tellmeaboutthat.com (Az3ar hacker was here - PALESTINE HACKER [email protected])
- www.lawofattraction.tellmeaboutthat.com (Az3ar hacker palestine hacke was eerereher)
- www.biz-net.tellmeaboutthat.com (Az3ar hacker was here - PALESTINE HACKER )

I use cPanel for editing and the sites are in a pHp format. Normally I go to pages.php to edit the page but I don't know what I'm looking for.

[soccio97]

If anyone is looking into this please stop. I couldn't wait for my hosting provider to solve this as they said they would a week ago. I figured that if the webpage came up with a message such as "You have been hacked by the Palestine Hacker" then that sentence had to be in a file for that particular website. So I started looking in all the important files first such as Index.php, pages.php, content.php, etc.

At first I had no luck and I looked at hundreds of files. Then I dcided to look at the common files. Under the directory "Public-HTML" there is a list of site names. I opened the site file and found the usual main files under "Includes". That's where I had been looking. However, there is a second index.php listed with the common files, not under Includes. Sure enough, the index.php had the message in it. I simply copied a good index.php from one of my good sites and replaced the bad one.

Not bad for a rookie!! OK!! This is where you tell me how smart I am. If anyone else has been hacked and you haven't been able to fix it, let me know and I'll try to give you a step-by-step.

After all the guys at www.virtualdr.com have done to help me, I can't wait to help somone else. Happy New Year!!

[fink]

Thanks for the followup
& Happy new year to you too!

[chiragthakkar]

If anyone is looking into this please stop. I couldn't wait for my hosting provider to solve this as they said they would a week ago. I figured that if the webpage came up with a message such as "You have been hacked by the Palestine Hacker" then that sentence had to be in a file for that particular website. So I started looking in all the important files first such as Index.php, pages.php, content.php, etc.

At first I had no luck and I looked at hundreds of files. Then I dcided to look at the common files. Under the directory "Public-HTML" there is a list of site names. I opened the site file and found the usual main files under "Includes". That's where I had been looking. However, there is a second index.php listed with the common files, not under Includes. Sure enough, the index.php had the message in it. I simply copied a good index.php from one of my good sites and replaced the bad one.

Not bad for a rookie!! OK!! This is where you tell me how smart I am. If anyone else has been hacked and you haven't been able to fix it, let me know and I'll try to give you a step-by-step.

After all the guys at www.virtualdr.com have done to help me, I can't wait to help somone else. Happy New Year!!

How do you ensure this does not happen again? What preventive actions can be taken?

[soccio97]

Since I posted this fix, I got hacked again. I've been trying to find out how to prevent it but have not had any luck so far. I've been told to make sure I have all the latest updates for any third party software that may have been dowloaded such as WordPress.

Just recently I was told that the hacker was using a PHP Shell which allows them to get into the cPanel or FTP files without a username or password, so making the password stronger doesn't work either.

Most of the security steps you can take only keep honest people honest. If a hacker wants to get in you really can't stop them. They are not doing any real or lasting damage, at least not to my sites, it' just annoying.

I have copies of all the files for my site. I keep them on my hard drive. That way if I get hacked I can delete the bad files and replace them. I've found that, so far anyway, the hackers are changing my index.php and/or pages.php files.

I've contacted my hosting provider about what I can do and how did they find the bad files. They are very vague and only told me that they had scanned for malicious script. I wish I could find out how to do that.

All I can say is to backup your files. If you do get hacked again, start looking in the index files.

I'm sorry I couldn't be more help. Good luck.

[Train]

Since only they have physical access to the computer they are the only ones that can do that.