Recovering from a hack


#1

Need help from anyone on here. Have a weird situation. I have about 30 sites hosted on the hagatna server. Noticed this morning that a few of my sites were acting up a bit. On one of them, the home page displays content but no styling (almost like it’s detached from the stylesheet). But that’s not the weirdest thing.

I’m pretty sure I checked every single site that I have hosted in my dreamhost account on hagatna, and if you search the site in Google, and then click on the link that should take you to the site, it redirects to google.com. SO WEIRD. This also happens when you click on links that are on the pages of each site. For instance, if I finally am able to navigate to the site on the server, when I click on the “home” menu link, it goes to google.com again! I have also seen this happen today, literally, when you type in the domain name of the site in ANY browser (goes straight to google.com).

All of the files look fine for the affected sites when I log in and view the files via FTP. I have not thoroughly looked through the file structures yet, but I cannot see any files that I don’t recognize.

Please help. Dreamhost is not responding.

Before anyone tells me to do it, I have already:

  1. reset all (yes all) of my passwords related to my dreamhost account
  2. tried to restore from backups (that apparently dreamhost doesn't store) because of their NO BACKUP guarantee
  3. I know it would help but unfortunately for privacy I cannot give any of the site urls

Thanks for any help that anyone can provide. I’m just trying to figure out what happened and see if anyone else has lived through this nightmare.


#2

OK so I FINALLY got an email from Dreamhost saying that several of my .htaccess files were hacked. Just saw another thread dating all the way back to 2/17 with people having the same issues. Something about a php infusion that redirects sites to another site.


#3

Redirects to Google? Hrmm… sounds like an exploit in a testing phase.

Did you happen to keep a copy of the exploited files?


#4

Hello Gap8383,

I am having the same problem, except they removed my WordPress sites and made a backup called infected and did not copy all files and replaced it with a completely non-functional version of the site. I can’t even use the admin dashboard. Argh!

Here is what I know about the .htaccess attacks (this is what I found out so far):

  1. it affects the .htaccess file by placing a redirect from there
  2. it also affects part of your database and if you have large sites it is worth sending to a service that will look at your database and clean it up
  3. your actual files are not affected

That is what I gathered so far.

I am truly disappointed by Dreamhost’s lack of knowledge and slow response time.
I believe a ton of us got hacked into and it is partially because of Dreamhost’s security.

Anyway, it is a total mess on my end right now. Hang in there.
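
Added example, not part of any post in this thread: a Python check for the symptom described above (a redirect placed in `.htaccess`, seen when arriving from a search result), which walks an account's site directories and flags redirect directives that point at a host you do not own, plus rewrite conditions keyed on the referrer or user agent. The host names, the sample rules and the function names are constructed for illustration; they are not the rules from the actual incident.

```python
import os
import re
from urllib.parse import urlparse

# Apache directives that can send a visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r'^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b'
    r'.*?(https?://[^\s"\]]+)', re.IGNORECASE)
# Conditions keyed on where the visitor came from or which client they use.
VISITOR_COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}', re.IGNORECASE)

def scan_htaccess(text, own_hosts):
    """Return (line_no, reason, line) findings for one .htaccess body."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # comments cannot redirect anyone
        if VISITOR_COND_RE.match(line):
            findings.append((no, 'visitor-dependent condition', line.strip()))
        m = REDIRECT_RE.match(line)
        if m:
            host = (urlparse(m.group(2)).hostname or '').lower()
            internal = host in own or any(host.endswith('.' + h) for h in own)
            if host and not internal:
                findings.append((no, 'redirect to external host ' + host, line.strip()))
    return findings

def scan_tree(root, own_hosts):
    """Scan every .htaccess under root; return {path: findings} for hits only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = scan_htaccess(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits

# Constructed sample (assumed own host: example.com), not from the incident.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule .* http://redirect.example.net/ [R=302,L]
Redirect 301 /old https://www.example.com/new
"""
```

Call `scan_tree` on the directory that holds your sites, passing every domain you host; each finding is a line to review by hand, since legitimate plugins can also write external redirects.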