Hacked. Desperate. Alone


#1

Hello! This is my first time posting on the forum and it is out of pure desperation to get two of my websites back online.
Two of my websites, both under same ftp username, have been hacked and are being referred to a site that looks like this: http://bagetmini.ru/flayer?12
I have been in correspondence with Dreamhost for OVER A WEEK and have received little help…simply a list of links to “possibly” hacked files. From what I understand, the problem lies in the htaccess files, which I was told to delete or clean up. Since these are in the root directory I have no access to edit them. Tried to delete them via FTP client and then create another one by updating the permalinks settings in Wordpress, but that didn’t work either.
I contacted an IT guy and he said he had never heard of a hosting company that doesn’t take care of these things themselves. He suggested I call dreamhost, but there is a $10.00 fee and I don’t think I should have to PAY for help when I am paying for their service!
Dreamhost hasn’t offered me any guidance and I have two clients whose sites have been offline for weeks.
I am desperate and need some help. Do I need to just dump the sites and start completely over on another site? I REALLY don’t want to do that, but I don’t have the expertise or the access to do much more…
Any ideas?


#2

You don’t have .htaccess in the directory of these sites?


#3

I DID at first and Dreamhost went in and renamed them to htaccess_off so that I could find them. I was told to delete the files so I did. They are no longer there, but then Dreamhost sent me a message saying, "Hacked .htaccess files with malicious redirects were found under ______.com here: ____.com/.htaccess"
I searched and searched, but cannot find any .htaccess files? I guess they are still there somewhere…?
What should I do?


#4

Is your FTP client set to show hidden files? .htaccess is a hidden file and some FTP clients don’t show them unless you turn on a setting.

To also comment on your first post if you are on shared hosting then dreamhost is giving you exactly what you are paying for, hosting space and bandwidth, and for that you are paying a very small monthly fee that wouldn’t begin to pay for the cost of telephone support.


#5

I am using Cyberduck…do you know where to go in Cyberduck to check that setting?
I realize that I don’t pay a large fee, but I don’t know what they could tell me over the phone that they can’t tell me in an email?
I just assumed that this is the server’s responsibility since I am paying them for a secure place to put my site. Regardless, I am doing my best to try and mitigate the situation even with my limited knowledge base. I have been seeking help from local IT specialists, Dreamhost themselves, and now the forum. I hope there is someone out there who can help me with this.

Okay, I clicked “Show hidden files” and I DO see a .htaccess file, but it is grey instead of bold black, which means I can’t edit it? Should I try to delete the file?

Looked at info for the .htaccess file and it is 444 if that helps any?

I have also tried to go to the web URL for the .htaccess file and it redirects me to this site: http://www.bagetmini.ru/flayer?12
The same one my website redirects to.


#6

What are your sites built with? A CMS such as WordPress or Joomla? Custom PHP? Static HTML?

Dreamhost is responsible for keeping their servers and account holders information secure, you are responsible for keeping the content you put in your web directory secure. No general host can protect you from hacks to 3rd party software.

That said, have you read the threads here about recovering from a hack?
Do you know how to SFTP into your site so you can see invisible files and access all of your files?
Can you see if those files have been compromised?

There’s a looong discussion about this in this thread which has information about hacks affecting different CMSs and solutions for cleaning the mess up:
http://discussion.dreamhost.com/thread-134262.html

Also read this:

If you deleted the old htaccess file and it’s back, it’s probably being generated by malware code appended to your site files. You need to clean up everything, possibly reinstall your site.

Do you have backups?
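The questions in this reply (can you see the hidden files, and can you tell whether they have been tampered with) are the kind of thing a small shell check answers faster than an FTP client. The script below is an added example, not code from any poster or from Dreamhost: it builds a constructed sample site in a temporary directory (the redirect host in it is a placeholder, not the one named in the thread), lists every dot-file with its permissions, and flags `RewriteRule`/`Redirect` lines whose target is an absolute `http(s)://` URL, which is what an off-site redirect looks like in `.htaccess`. Run it over a real site by passing the site directory to `list_hidden_files` and `audit_htaccess` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web directory for hidden files
# and for .htaccess rules that send visitors to another host.

# Constructed sample site in a temp dir, so the script runs anywhere.
make_sample_site() {
  site_dir=$(mktemp -d)
  mkdir -p "$site_dir/wp-content/uploads"
  printf '<?php // constructed placeholder\n' > "$site_dir/index.php"
  # Constructed hostile-looking .htaccess: every request is sent off-site.
  # The host is a placeholder (.invalid), not a real domain.
  cat > "$site_dir/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*Mozilla.* [NC]
RewriteRule ^(.*)$ http://example-redirect.invalid/flayer?12 [R=302,L]
EOF
  # A normal WordPress pretty-permalink .htaccess, for contrast.
  cat > "$site_dir/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
EOF
  chmod 444 "$site_dir/.htaccess"   # mirrors the read-only file the poster saw
  printf '%s\n' "$site_dir"
}

# Print every dot-file under DIR as "<permissions> <path>". These are the
# files an FTP client hides unless "show hidden files" is switched on.
list_hidden_files() {
  find "$1" -type f -name '.*' -exec ls -l {} \; | awk '{print $1, $NF}'
}

# Print the RewriteRule / Redirect* lines in FILE whose target is an absolute
# http(s) URL, i.e. rules that hand the visitor to another host. Exit status
# is 1 when nothing matches (grep's behaviour). A rule pointing at your own
# domain is flagged too, so treat the output as a review list, not a verdict.
flag_external_redirects() {
  grep -Ei '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]].*https?://' "$1"
}

# Walk DIR and report each .htaccess that contains off-site redirect rules,
# one line per file: "<path>: <count> external redirect rule(s)".
audit_htaccess() {
  find "$1" -type f -name '.htaccess' | while IFS= read -r f; do
    n=$(flag_external_redirects "$f" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      printf '%s: %s external redirect rule(s)\n' "$f" "$n"
    fi
  done
}

# Demo run over the constructed sample.
sample=$(make_sample_site)
echo "Hidden files under $sample:"
list_hidden_files "$sample"
echo "Flagged .htaccess files:"
audit_htaccess "$sample"
rm -rf "$sample"
```

The permissions column matters for the poster's situation: a `444` file is read-only for everyone including its owner, which is why the FTP client greys it out, but the owner can still `chmod 644` it or delete it from a writable directory.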


#7

I use Wordpress.
Yes. I agree it is probably malware and I agree with everything you said. I HAVE looked over those threads, but they are so over my head that most of it I just don’t understand.
I have managed to find the .htaccess file and it looks like it’s ALL malicious code. As to malware…I have no idea how to deal with that or what that would even mean for me.
I do not have backups of these sites, but I could recreate them easily if I need to. The IT person I spoke with said it wouldn’t matter if I deleted wordpress and started over though…that they would still be compromised?
If I need to completely redo the sites I can do that, but I want to make sure I don’t waste a bunch of time only to have the site still filled with malicious code.
Any suggestions you have would be so appreciated. Thank you so much for trying to help.


#8

Your WordPress site probably got hacked because there was an insecure template or plug-in in it. That is how many sites - including some of mine - were compromised. Having users sharing different domains allows one infected site to spread to others. Both WordPress and Dreamhost have undertaken security upgrades recently to harden both the one-click installations and the WP software. Keeping WordPress upgraded is essential, and so is keeping your plug-ins and templates upgraded.

You say you could recreate these pretty easily? Then I might suggest this…

Get rid of that htaccess file, delete it. Log-in via the shell if you have to.

See if you can log into your WordPress dashboard.

If you can, export your content using the WordPress exporter.
(that is, if you think this might be helpful to have your post and page copy)

Delete all of the WordPress files and anything else you find in your web directories (keep track of what theme and plug-ins you want to re-install).

The hack going around earlier also created bogus directories and additional php files in your web directory and some of those were invisible - at least that’s what I saw in the mess that awaited one of my WP sites. Everything must go!

Reinstall a clean WordPress and create a fresh database for it (or use the DH one-click installer).

Import the content from the XML file WordPress gives you.

If you need to retrieve your images, save them before you zap the rest of the infected WP files. Your images should be ok.

To stay secure, continually check on the status of any plug-ins you may have been using to make sure they are up-to-date and secure. In general, never install any plug-in except ones that are available at WordPress.org.

Run each site (domain) as a separate user and set Extra Security for those users and Extra Security for your domains.

And a last thought…
If your sites are super simple and essentially static, you may be better off with a manually maintained HTML-based site.


#9

Note: Replace tutorial001 with your sFTP/Shell login user and domain.tld with the domain name.

  1. Rename the /home/tutorial001/domain.tld directory ASAP to something like /home/user001/domain.compromised

In FileZilla you right click the directory name and click rename. In the shell it’s “mv domain.tld domain.compromised”

This effectively takes the domain offline while you’re fiddling around and won’t allow your site to be the jump-off point for other attacks.

  2. Recreate the domain.tld directory and place a blank index.html file in it.

  3. Now do some of the suggested fixes in the other threads on a localhost setup, or start from scratch with a fresh install of Wordpress. But you need to make sure your home directory is clean first. In your case I’d start from a new user with a really secure password. Download and start using something like LastPass. Use generated passwords of at least 12-15 characters. http://www.pctools.com/guides/password/

  4. If you’re doing this for a living, invest in something like Qualys to check your sites. If you can, use CloudFlare as well.

Jw
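The first two steps of this post, and the "delete everything, keep the images" advice in post #8, are the same procedure seen from the shell. The script below is an added example written for this thread, not code from either poster or from Dreamhost. It uses a temporary directory as a stand-in for `/home/<user>` (the real path on the account is an assumption, as are the `domain.tld` and `domain.compromised` names taken from the post), moves the docroot aside so the site stops serving, drops an empty `index.html` in a fresh docroot, inventories the quarantined tree for hidden entries and for PHP files sitting under `wp-content/uploads` (where WordPress stores media, not code), and copies only image files out before the rest is discarded.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine a compromised docroot,
# stand up an empty replacement, and salvage images before deleting the rest.

# Constructed stand-in for /home/<user> with a fake compromised domain.tld.
make_sample_home() {
  home_dir=$(mktemp -d)
  mkdir -p "$home_dir/domain.tld/wp-content/uploads/2012" "$home_dir/domain.tld/.hidden-dir"
  printf '<?php // constructed placeholder\n' > "$home_dir/domain.tld/index.php"
  # Placeholder redirect host (.invalid), not a real domain.
  printf 'RewriteRule ^(.*)$ http://example-redirect.invalid/ [R,L]\n' > "$home_dir/domain.tld/.htaccess"
  printf 'constructed image bytes\n' > "$home_dir/domain.tld/wp-content/uploads/2012/photo.jpg"
  printf '<?php // constructed: code where only media belongs\n' > "$home_dir/domain.tld/wp-content/uploads/2012/x.php"
  printf '%s\n' "$home_dir"
}

# Step 1: rename the docroot so the domain stops serving the infected files.
# Prints the quarantine path; refuses to overwrite an existing quarantine.
quarantine_docroot() {
  home="$1"; domain="$2"
  q="$home/$domain.compromised"
  if [ -e "$q" ]; then
    echo "quarantine already exists: $q" >&2
    return 1
  fi
  mv "$home/$domain" "$q"
  printf '%s\n' "$q"
}

# Step 2: recreate the docroot with a blank index.html so the domain answers
# with an empty page instead of a directory listing or a server error.
recreate_docroot() {
  home="$1"; domain="$2"
  mkdir "$home/$domain"
  : > "$home/$domain/index.html"
  chmod 755 "$home/$domain"
  chmod 644 "$home/$domain/index.html"
}

# Before anything is deleted, record what was in the quarantined tree:
# hidden entries (invisible to most FTP clients) and PHP under uploads/.
# Paths are printed relative to the quarantine root.
inventory_quarantine() {
  q="$1"
  echo "hidden entries:"
  find "$q" -name '.*' | sed "s|^$q/||" | sort
  echo "php under uploads:"
  find "$q" -path '*/wp-content/uploads/*' -name '*.php' | sed "s|^$q/||" | sort
}

# Copy only image files out of the quarantine into DEST, keeping their
# relative paths; PHP and everything else stays behind. Prints the count.
salvage_images() {
  q="$1"; dest="$2"
  find "$q/wp-content/uploads" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) |
  while IFS= read -r f; do
    rel=${f#"$q/"}
    mkdir -p "$dest/$(dirname "$rel")"
    cp "$f" "$dest/$rel"
  done
  find "$dest" -type f | wc -l | tr -d ' '
}

# Demo run over the constructed home directory.
home_demo=$(make_sample_home)
quar=$(quarantine_docroot "$home_demo" domain.tld)
recreate_docroot "$home_demo" domain.tld
echo "Quarantined to: $quar"
inventory_quarantine "$quar"
echo "Images salvaged: $(salvage_images "$quar" "$home_demo/salvaged")"
rm -rf "$home_demo"
```

Salvaging by extension is deliberately narrow: a file named `photo.jpg` that is really PHP would still be copied, so the salvaged set is something to look at, not something to trust blindly, and the quarantined tree should be kept (or archived) until the rebuilt site has been confirmed clean.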