My friend's site has been hacked...!

It will usually be due to a vulnerability in whichever CMS they were using (e.g. WordPress or Joomla), or a vulnerability in one of the plugins/modules/themes they have installed on it.

Contact your host and they should be able to restore a backup and may be able to check logs to find out the cause.
 
Looks like it was built with WordPress so that may have been an old version or one of the plugins contained an exploit like Daz said.

Note that the IP address 88.110.0.xx which may show up in the logs is me poking around, I didn't hack it :p.
 
They'd changed the admin password as well, so I've managed to do a password reset and change it back. Can't see much changed in the actual WordPress directory, I've updated everything too.
 
Lies! Grab the pitchforks, gentlemen :mad:

It's the perfect coverup :p.

They'd changed the admin password as well, so I've managed to do a password reset and change it back. Can't see much changed in the actual WordPress directory, I've updated everything too.

It could also have been something simple like an FTP password being leaked.

If you log in to cPanel, have a look at the server access logs - that should give you a hint as to whether they got in through an exploit or not - post them here if you're not sure.
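The access-log check suggested in the post above, as an added example that is not part of the original thread: it sorts requests into "logged in with a password" versus "hit a PHP file directly", which is the distinction the post is after. It assumes the Apache combined log format; the sample lines are constructed (documentation IP ranges, a made-up plugin name), and the labels, the failure threshold and the 302-means-success reading of `wp-login.php` are heuristics chosen for this sketch.

```python
import re
from collections import defaultdict

# Apache/cPanel "combined" format: ip, timestamp, method, URL, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IPs), not taken from the hacked site.
SAMPLE = """\
203.0.113.7 - - [01/Jan/2024:18:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:18:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:18:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:18:02:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:18:05:00 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 15 "-" "curl/7.21"
198.51.100.9 - - [01/Jan/2024:18:05:05 +0000] "GET /wp-content/uploads/2024/01/x.php HTTP/1.1" 200 40 "-" "curl/7.21"
192.0.2.44 - - [01/Jan/2024:18:09:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def triage(log_text):
    """Return {ip: set of finding labels} for requests worth a closer look."""
    findings = defaultdict(set)
    failed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, method, url, status = m.groups()
        path = url.split("?", 1)[0].lower()
        if method == "POST" and path.endswith("/wp-login.php"):
            if status == "302":   # WordPress redirects after a successful login
                findings[ip].add("login-success")
            else:                 # a 200 means the login form was shown again
                failed[ip] += 1
        elif method == "POST" and re.search(r"/wp-admin/(theme|plugin)-editor\.php$", path):
            findings[ip].add("code-edited-via-admin")
        elif re.search(r"/wp-content/uploads/.*\.php$", path):
            findings[ip].add("php-in-uploads")
        elif method == "POST" and re.search(r"/wp-content/(plugins|themes)/.*\.php$", path):
            findings[ip].add("direct-post-to-plugin-or-theme")
    for ip, n in failed.items():
        if n >= 2:  # low threshold for the tiny sample; raise it on real logs
            findings[ip].add("repeated-failed-logins")
    return dict(findings)

if __name__ == "__main__":
    for ip, labels in sorted(triage(SAMPLE).items()):
        print(ip, sorted(labels))
```

Run it against the raw access log downloaded from cPanel by passing the file's text to `triage()`. A web log says nothing about FTP logins, so a clean result here does not rule out the leaked FTP password mentioned above.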
 
Looks like index.php/htm is still overwritten, tried restoring that yet?

It's showing the index page on any address you enter on the site (e.g. go to /aosdijioasjd for example) so you might want to check the .htaccess file too.


Is that the raw access logs? They only go back until this evening when I first discovered the hack.

Hmm are there not archived ones / ones for other days? It might just be showing you a day's view.

I wouldn't have thought they would have been deleted anyway.
 
Stupidly easy to do on some sites. There's a BackTrack Linux fan page on Facebook and some of the tutorial hacking videos on there show just how easy it is with some sites and the right software.
 
Usually after a hack I would clean the files out, especially *.php. They could easily have hidden a shell script, then I'd restore a backup and update the installation. If you don't need people to have access to the wp-admin folder, then password protect it, just another bit of security.
 