My Site is Being Hacked

Permalink
Alright, so I was called back to a site I built a while back because it is being hacked. Each time, the site gives a 500 error. I was able to find the problem. At first it was the index.php file was being renamed to index.php.hacked. I fixed that and then I started finding various other files to either .hacked or .suspected. If I remove the .suspected or .hacked, the site returns to normal working order. Also, when I search for the url on google, it says: "This site may be hacked." Example:https://www.google.com/#q=orlandobiblechurch.com...

I am running 5.6 and 5.7. Both are being hacked in the same way.

This site is on a Arvixe server and they have told me there is nothing they can do. I have changed passwords and it keeps happening. It seems to me that this might be a person doing this, cause after I change the filename back to what they are supposed to be, it isn't a set amount of time before the site goes down again, it varies.

Thanks!

Blenderite
 
JohntheFish replied on at Permalink Reply
JohntheFish
The .hacked markers could be automatically appended by security software to files that have been damaged and fail signature tests.
Blenderite replied on at Permalink Reply
Blenderite
Gotcha, so I should completely replace the files or is there a better way?
JohntheFish replied on at Permalink Best Answer Reply
JohntheFish
First you need to track down what the security software is and see if it keeps any log of what it has found and why it is puking. No point doing a lot of work only for it to happen again.

With that out of the way, personally I would copy everything essential for recreating the site using the host control panel, scrub the whole lot, database and files, make sure it is thoroughly cleaned out, then recreate a clone from fresh source, the copies made, and whatever tweaks I needed.

Most important is to make sure that anything executable comes from fresh source and to only use the host control panel.
Blenderite replied on at Permalink Reply
Blenderite
Yeah Arvixe has no security feature like that. We have decided to move the site from Arvixe to A2 Hosting. They appear to have more security features.

The site isn't too hard to remake so I will probably just do that.
WebcentricLtd replied on at Permalink Reply
hi, I've seen this before. Your site has definitely been hacked.

You need to get a copy of the site and clean it if you can. You also need to change any of the passwords within the website.

Also you need to change any passwords for your hosting for the website, for mysql, ftp etc.

Personally I'd probably close the account for that domain if it were on shared hosting and set up a new one against the domain name and set everything up from scratch with your cleaned database and code with all new passwords / webspace etc.
Blenderite replied on at Permalink Reply
Blenderite
Its going to be several days before the site can be moved over. The site owner has asked me if there is a way to stabilize the current one till the move is done.

How would I go about scrubbing through the files? Is it what it sounds like, looking through each and every folder for any files that do not match the C5 file structure? Or is it a little less torturous?

Thanks!
atiqursumon replied on at Permalink Reply
atiqursumon
You have big mistake because at first you should be an input antivieres protector. So now one way opens remove all life from public html and refresh than uploading file by filezilla
just1n replied on at Permalink Reply
If you're familiar with Git you could create a local repo, download the current site and place it in the repo, perform the 1st commit.

Take note of the date and time you place the original files onto your system as I think they'll all have the same date and time for when you do that.

Download the same version of C5 from concrete5.org.

Go through the new set of files and change any filename extensions where the original ones had been changed to .hacked etc.

Copy the new files into the repo and let them overwrite whats there.

Using a nice Git tool like Atlassian SourceTree it ought to show any file differences between the files that were present in both downloads, so you'll see if the contents of any have been tampered with.

Now the reason for noting the date and time of copying the site files to your PC is so you can see if any still have that date on after you copied the new files over the top. Investigate each of these additional files from the site source as to what they are, maybe they'll just be packages or updates?

Do something similar with the packages if you can get hold of the same versions from the marketplace. Maybe there's a rouge package in there, do they all tally with what was delivered from you to the client when the site was created? Are they all packages installed from the marketplace or has the client installed something from elsewhere?

Change the usernames and passwords, particularly the one concrete uses for its db connection and any for admin users.
Blenderite replied on at Permalink Reply
Blenderite
I will do this. Thank you!