xisto Community
takerraj

Is My Site Hacked?


In my public_html folder, there are two new folders with suspicious names like dfasrexcv, adfsrqer, with some PHP files inside them. I tried to download them and scan that folder with my Norton, but I am unable to download the folder. The download option is greyed out. Also, on my Google Analytics account, the visits are decreasing drastically: 3 days ago it was 160 visits, then it was 115 visits, yesterday it was 70 visits and now it is even fewer than 50 visits.


As you already know, they are PHP files; scanning them with an antivirus wouldn't help since they won't be recognized as a virus. You cannot download folders in the file manager in cPanel. Use an FTP program and download the files inside those folders, or just open them in edit mode in the file manager.

Having a look at Awstats in your cPanel would help you identify more details on that: check for referrer websites, the IPs that accessed those files, etc.

In some cases, when you install and try the scripts present in cPanel, it might create folders in the root directory. But anyway, check the contents of those files. The main page of the site is intact, right? Then it is unlikely that it is the work of some hacker; hackers generally show off bright and clear that they have hacked. But before coming to any conclusion, check out the files first.


I downloaded them and opened those PHP files in Notepad, and there are some divs etc. As I don't know PHP, I want someone to check out that file and see whether it is harmful or not. I've uploaded that file onto Google Docs.

The main page is intact.


Yes, it is an attempt to hack your site. The code seems to be a keywords injection hack. Although it seems the script is harmless, you can safely delete them. Now you would need to think about how that person got into your account and uploaded the files. Do you have any CMS running, or have you given out the FTP passwords or used them to log in on public computers?


Yes, it is an attempt to hack your site. The code seems to be a keywords injection hack. Although it seems the script is harmless, you can safely delete them. Now you would need to think about how that person got into your account and uploaded the files. Do you have any CMS running, or have you given out the FTP passwords or used them to log in on public computers?

Yes, I've deleted them. I am using WordPress for my main site. Apart from that, I have another WordPress running as a subdomain. This subdomain is only known to me. Only my friend and I know about this subdomain; I use it for website redesign purposes, and only my friend, who is very much interested in designing, knows that password. Also, the password of that subdomain is different from the main site.

I've never used public computers to log in to my blog. I only share the FTP password with the Xisto - Support team, because during complaint filing they ask us for the password. Anyway, what can I do in order to stop this type of problem in the future?


I am feeling insecure now. Should I delete the whole WordPress installation and do a fresh WordPress installation? Will the built-in Import and Export options in WordPress be sufficient for a complete backup, so that I won't lose any article or comment? For this fresh re-installation it takes around 30 mins for me to delete, upload and install. In the meantime, I want to take down my site and put up a page which says that the site is down to those who access my site. Is there any way to do this?


I don't have much experience dealing with hacked websites. All I can give is some pointers on what you can do.

The first and foremost thing I would recommend is changing the passwords of your cPanel and FTP account(s). WordPress is pretty secure; it's highly unlikely that somebody used it as a way to get access to the account. Also, assuming you only installed modules from the official WordPress site, you need not worry about the WP installation. But still, it's your wish, and yes, the built-in functions would be sufficient to export and import the site's articles and comments.

As for the last question, you can just put an index.html page in public_html with the notification of site downtime.


By the way, did you also see the mentioned PHP files, like "fullmetal.php" or "busters.php"?

Actually there are some hundreds of PHP files inside that anonymous folder, Yordan. I didn't particularly see what those files are because the number of files is large. Thanks, Spencer. You are really better than the Xisto - Support team. Not that they aren't working. They are doing their work, but they are not as specific as Spencer. They told me that they are investigating how these anonymous folders were created, and they told me to do that too. I am sure that this incident is going to teach me a new lesson in my role as a blogger.


I think you need to remove these folders (dfasrexcv, adfsrqer) from your public_html. Make sure you check the folder permissions on your public_html (chmod values). Also, this is the time to change your cPanel username and password. If you're running WordPress, then check this article to see if your WordPress got hacked. There are plenty of other sites to check on this subject (i.e. whether WordPress is hacked or not). Most websites with a CMS get hacked by attackers these days (and almost no CMS is spared these days).


I just checked and it seems that I also have this kind of thing in my public_html folder. I can't delete those files with FTP. I am also using WordPress.

I deleted them through the File Manager in cPanel, but they seem to recreate, or they never really get deleted? The folders are /public_html/xoljn/lyodl/

I managed to upgrade WordPress, in case it was the reason. Also, I managed to rename those directories and delete some files, but not all. I just changed the permissions of the main folder to 000 so that it would not be accessible to anyone. Any ideas how to remove those folders without having permissions?

I also checked the statistics through cPanel; it seems that all through the month of September they were accessed quite often. :D

Edited by Quatrux (see edit history)


What's that? Let me know, so that I too can avoid getting my site hacked.

One thing is to correctly chmod all files and to make sure your software is up to date. For instance, if you are using MyBB and running version 1.2.12 while 1.4.5 is out, you may want to go ahead and update your software quickly :D

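The checks suggested in the replies above (look for folders in public_html that you did not create, and check the chmod values), as an added example that is not part of the original thread: a read-only shell audit of a web root. The `EXPECTED_DIRS` list, the function names and the sample tree are assumptions constructed for illustration; on a real account, run the functions against a downloaded copy or over shell access.

```shell
#!/bin/sh
# Read-only audit of a web root: nothing is deleted or changed.
# Assumed list of top-level directories for a stock WordPress install in the
# web root; adjust it to what you deployed yourself.
EXPECTED_DIRS="cgi-bin wp-admin wp-content wp-includes"

# Print each top-level directory (hidden ones included) that is not on the
# expected list, followed by the number of .php files it contains.
unexpected_dirs() {
    root=$1
    for dir in "$root"/*/ "$root"/.[!.]*/; do
        [ -d "$dir" ] || continue          # unmatched glob stays literal
        name=$(basename "$dir")
        case " $EXPECTED_DIRS " in
            *" $name "*) continue ;;
        esac
        count=$(find "$dir" -type f -name '*.php' | wc -l | tr -d ' ')
        printf '%s %s\n' "$name" "$count"
    done
}

# Print files and directories that group or others can write to, i.e.
# anything looser than 644 for files or 755 for directories.
loose_permissions() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Print PHP files modified within the last N days (default 7).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" -print | sort
}

# Constructed sample tree so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-content/uploads" "$t/dfasrexcv"
    for f in index.php wp-admin/admin.php dfasrexcv/a.php dfasrexcv/b.php dfasrexcv/c.php; do
        touch "$t/$f" && chmod 644 "$t/$f"
    done
    chmod 755 "$t" "$t/wp-admin" "$t/wp-content" "$t/dfasrexcv"
    chmod 777 "$t/wp-content/uploads"      # deliberately loose, to be flagged
    echo "$t"
}

sample=$(make_sample_tree)
echo "Unexpected top-level directories (name, .php count):"
unexpected_dirs "$sample"
echo "Group- or world-writable paths:"
loose_permissions "$sample"
rm -rf "$sample"
```

Modification times can be reset by whoever wrote the files, so an empty `recent_php` result does not clear a directory that `unexpected_dirs` has flagged.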
