My DreamHost Sites are Hacked... :-(


#1

Hey folks -

A few weeks ago someone noticed that my blog had been replaced with a “ci al is”* ad. It didn’t show that way to me, but for people who came from Google it did. Also Google had marked my site as “possibly compromised.”

Sure enough after spelunking around most of my DH sites I cam eacross these various strange PHP files that were long base64 enocded text with various PHP commands embedded in them. They always have short names like “solt.php”, “mara.php” etc & they sometimes come embedded in a series of numbered folders.

I trashed all of these that I found (I saved them off if anyone wants to take a look) & upgraded my WordPress - but the files keep coming back & I fear the worst. Any advice on how to proceed?

I have a large blog on DreamHost in WordPress & I guess I’ll need to somehow back it up & then reconstitute it? Is that as painful as it sounds? And how do I keep this from happening agin?

Ugh.
Thanks

'deep

*I reformatted this word to not set off SPAM filters.


#2

I’d love to know how they do it… If PHP files are appearing, it’s either a compromised password or some exploit in your web app which is being used to write a file to your account. Change your password, update or even reinstall your web app, and make sure DH support knows so they can have a look. there’s also a good (extensive) wiki page on what steps you can take.

If you do manage to figure out how they did it, let us know.