Sites compromised--help!


#1

I have inherited an account that appears to have been compromised by someone who is posting viagra/cialis spam in several subdirectories of several sites on the account. I changed the account passwords and deleted the subdirectories with the rogue content, but when I came back a couple of hours later, the subdirectories were back and now I can’t delete them (I get an error that says I don’t have enough privileges–even after chown’ing everything to 777).

I am new enough to this to be totally bewildered. Does anyone have any suggestions?

How can I delete the offending content?

Is it likely that there is a script/process running that is watching for the directories to be deleted and then putting them back? How could I search for such a script or process and get rid of it?

Any help you can give would be most appreciated.


#2

Odds are that it’s not a password issue, but a site vulnerability. I don’t know what you’re running, but you’ve got a bit of work ahead of you.

First, contact Support to set permissions so you can delete the directories, and let them know your site has been compromised. Maybe they can give it a quick skim to see what happened.

-Scott


#3

After digging a bit more I found that the subdirectories were nested several layers deep within a directory that was named with a .dot filename, which was keeping that directory from being affected by a chown -R. Once I specifically changed the permissions for the .dot directory to 777, I was able to dig down and delete everything.

I am waiting for feedback from DH support and will post results here.
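The hiding place described in this post (spam pages nested under a dot-named directory) is easy to miss because `ls` without `-a` and shell globs such as `chmod 777 *` skip names beginning with a dot. The following shell helpers are an added example, not code from anyone in this thread or from DreamHost: they build a constructed sample web root with that layout and then list dot-named directories, recently modified files (useful for spotting content that keeps coming back), and world-writable directories. The tree layout, file names and the 5-minute window are assumptions for the demo; the functions themselves work on any directory.

```shell
#!/bin/sh
# Added triage helpers for a compromised web root (example code, not from the thread).
# Assumes a POSIX shell with find(1) supporting -mindepth and -mmin (GNU and BSD both do).

# Build a constructed sample web root mimicking the thread: spam pages nested
# several layers inside a dot-named directory, with a world-writable leaf.
make_sample_tree() {
    umask 022                                         # predictable default perms
    root=$(mktemp -d)
    mkdir -p "$root/site1/images"
    mkdir -p "$root/site1/.cache/tmp/pharma"          # dot-named dir hides the nest
    : > "$root/site1/index.php"
    : > "$root/site1/.cache/tmp/pharma/cialis.html"   # constructed spam page
    : > "$root/site1/.cache/tmp/pharma/viagra.html"   # constructed spam page
    chmod 777 "$root/site1/.cache/tmp/pharma"         # world-writable, as in the thread
    printf '%s\n' "$root"
}

# Directories whose name starts with a dot, anywhere under ROOT (ROOT itself excluded).
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*'
}

# Files modified within the last N minutes: usage find_recent_files ROOT MINUTES.
# Content that reappears after deletion shows up here with a fresh timestamp.
find_recent_files() {
    find "$1" -type f -mmin "-$2"
}

# World-writable directories: any local account on the host can drop files here.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Count lines of stdin, stripped of padding, so callers can assert on results.
count_lines() {
    wc -l | tr -d ' '
}

# Run with --demo to print a report for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "Hidden directories:";      find_hidden_dirs "$demo_root"
    echo "Modified in last 5 min:";  find_recent_files "$demo_root" 5
    echo "World-writable dirs:";     find_world_writable_dirs "$demo_root"
    rm -rf "$demo_root"
fi
```

On a real account, point the functions at the web root instead of the constructed tree (for example `find_recent_files ~/example.com 120` after a cleanup) and review what comes back before deleting anything; a directory that is both dot-named and world-writable is a strong hint about where the re-appearing content is being written.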


#4

Are you running a Joomla site? I was having similar problems at one point. It seemed to be resolved once I installed the latest updates and searched their forums for any 3rd party add-ons that had security vulnerabilities.