My Server Was Hacked....


RichieBoy67
07-24-2007, 06:12 PM
Yep, not one site but every site on the server was brought down and I am still recovering.... I still have not been able to track how they got in but they ran a script that changed every file, image or template containing the words I listed below...

The index file they replaced my files with said "Just Relax --- Nothing was deleted" which I took to mean that they didn't touch the database thankfully. They did overwrite probably around 200 files though on all my sites. I guess they justify it in their own minds that they didn't delete anything but they basically deleted every "root" file in every directory... So how they can say they deleted nothing is beyond me...

I am still finding it very hard to figure out the motivation behind doing something like this to people that are basically into the same things? Internet, sites etc.. So far I have about 5 of my sites back up with about 15 to 20 more and some of these are very small but I have spent days on this and because of this I am so behind with everything... I just don't understand it...

Anyhow, if anyone has been hit by this same hacker let me know... I have heard many different things such as a hole in cPanel... I cannot figure out how they got into the root of the server like that...

The files etc. overwritten contained the words below...

login
main
default
index
home

It took me many hours to figure this out.... Basically you have to go either overwrite your whole site or go through each and every directory and replace any file, image or template containing these words... They delete all these files and tell me not to worry because they didn't delete anything...

Has anyone been hit with this? Any ideas on how they could have gained access? Even if they got into a site, how could they have gotten into the root in order to mess up the entire server? Even my host could not gain access. He thought his password was changed but I told him it was his login file being overwritten... I don't know how they got access that far in...

I was hit by a hacker some time ago but they only changed some stuff in my forum site.... This was different and much worse...

Thanks
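An added example, not part of the original post: one way to shorten the manual cleanup described above is to list every file whose name contains one of the listed words and compare it by hash against a known-good backup. Matching the words against file names, the `web_root`/`backup_root` layout and all sample files are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile

# Keywords listed in the post above; matching them against file names is an assumption.
KEYWORDS = ("login", "main", "default", "index", "home")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_overwritten(web_root, backup_root, keywords=KEYWORDS):
    """Map each keyword-named file under web_root to modified/unchanged/no-backup."""
    report = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not any(word in name.lower() for word in keywords):
                continue
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, web_root)
            reference = os.path.join(backup_root, rel)
            if not os.path.isfile(reference):
                status = "no-backup"  # cannot verify; review by hand
            else:
                status = "unchanged" if sha256_of(live) == sha256_of(reference) else "modified"
            report[rel.replace(os.sep, "/")] = status
    return report

def write_file(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def demo():
    """Scan a constructed two-site tree against a constructed backup copy."""
    base = tempfile.mkdtemp()
    web, backup = os.path.join(base, "www"), os.path.join(base, "backup")
    sample = {"site1/index.php": "<?php ?>", "site1/about.php": "about",
              "site2/tpl/Login.tpl": "form", "site2/img/home.gif": "GIF89a"}
    for root in (web, backup):
        for rel, body in sample.items():
            write_file(root, rel, body)
    write_file(web, "site1/index.php", "Just Relax --- Nothing was deleted")
    write_file(web, "site2/main.css", "body {}")  # present live, absent from backup
    return find_overwritten(web, backup)

if __name__ == "__main__":
    print("\n".join(f"{s:10} {r}" for r, s in sorted(demo().items())))
```

Files reported as `modified` are the restore list; `no-backup` entries cannot be verified this way and need manual review.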

aranthorn
07-24-2007, 10:31 PM
Sounds like a rootkit got installed. If I were you, I would seriously consider wiping the server and starting from scratch. If it is a rootkit, it will just happen again. If you run a Windows OS, switch to Linux. If you're running Linux, install this utility: http://www.rootkit.nl/.

Just my $0.02