URGENT !!! Someone hacked into the site and edited my php files !!!! ???????????


#1

@admin i need your urgent help…
someone got into my root files and edited some php files…???
thanks to my backup habit, the site is still online and running …
i use cloudflare’s services too…
How am i supposed to stop this future…
i am quite worried now!!!


#2

@Rikhi55 said:
@admin i need your urgent help…
someone got into my root files and edited some php files…???
thanks to my backup habit, the site is still online and running …
i use cloudflare’s services too…
How am i supposed to stop this future…
i am quite worried now!!!

Change your password quick!


#3

@Rikhi55 said:
@admin i need your urgent help…
someone got into my root files and edited some php files…???
thanks to my backup habit, the site is still online and running …
i use cloudflare’s services too…
How am i supposed to stop this future…
i am quite worried now!!!

Change your password from Client Area AND from the panel (you can also do that via Client area)
Also, make sure that there is no malicious code in any of the files.


A bit offtopic, but what did the hacker actually change if you don't mind?

#4

@ChrisPAR said:

@Rikhi55 said:
@admin i need your urgent help…
someone got into my root files and edited some php files…???
thanks to my backup habit, the site is still online and running …
i use cloudflare’s services too…
How am i supposed to stop this future…
i am quite worried now!!!

Change your password from Client Area AND from the panel (you can also do that via Client area)
Also, make sure that there is no malicious code in any of the files.


A bit offtopic, but what did the hacker actually change if you don't mind?

@ChrisPAR my index.php file!!! they displayed some text …
and i think they got access to it from outside!!!
i doubt that they had access to my hosting’s password cause they would have then edited/damaged it completely not just my index.php and 3 more php files that were in htdocs folder i.e. they either failed or didn’t have access to my inner core files, nor did they delete any inner core file…
???


#5

btw i have changed my password…but still as i mentioned my doubt i fear the attack again!!! ?


#6

@Rikhi55 said:

@ChrisPAR said:

@Rikhi55 said:
@admin i need your urgent help…
someone got into my root files and edited some php files…???
thanks to my backup habit, the site is still online and running …
i use cloudflare’s services too…
How am i supposed to stop this future…
i am quite worried now!!!

Change your password from Client Area AND from the panel (you can also do that via Client area)
Also, make sure that there is no malicious code in any of the files.


A bit offtopic, but what did the hacker actually change if you don't mind?

@ChrisPAR my index.php file!!! they displayed some text …
and i think they got access to it from outside!!!
i doubt that they had access to my hosting’s password cause they would have then edited/damaged it completely not just my index.php and 3 more php files that were in htdocs folder i.e. they either failed or didn’t have access to my inner core files, nor did they delete any inner core file…
???

What text? Which team was it?
Have you checked your code for vulnerabilities?

@Rikhi55 said:
btw i have changed my password…but still as i mentioned my doubt i fear the attack again!!! ?

Do not fear, if you have changed password and your files have no known vulnerability there will be no problem.


*Btw, maybe the hackers were Team_CC?*

#7

What text? Which team was it?

they didn’t mention!!

Have you checked your code for vulnerabilities?

that would be tough !!
but how did they edit my php file???
they didn’t touch html ???
why???

@Rikhi55 said:
btw i have changed my password…but still as i mentioned my doubt i fear the attack again!!! ?

Do not fear, if you have changed password and your files have no known vulnerability there will be no problem.

I hope so…

Btw, maybe the hackers were Team_CC?

whoever they are should mind their own business i was so disappointed, by chance i had the codes backed up in my pen drive otherwise i would have been in great trouble!!


#8

If your website gets hacked, they could be using one of three points of entry:

  • Your client area account.
  • Your hosting account.
  • Your website’s code.

Changing both your client area password and hosting account passwords never hurts. And assuming your email account has not been compromised, it should safely eradicate issues #1 and #2.

Issue #3 is a bit harder to solve. Outdated, poorly written or pirated software often contains security problems or backdoors making your website easy prey for hackers. If you suspect any software on your site falls into that category, it would be a good idea to remove it from your account.

However, it’s important to note that all these measures work preventatively. Since your account has already been hacked, you need to take more drastic measures.

Since attackers have already been inside your website, they may have left a backdoor in it to easily access your account again later. That’s why, ideally, you should rebuild your account. Take a backup of all the files currently in there, and then upload fresh copies of all software, plugins and themes you used on your website. After that, you can transfer any website specific files back from the backup (like user uploads), but make sure to take a good look at what you upload so you don’t upload any suspicious files.

@Rikhi55 said:

Have you checked your code for vulnerabilities?

that would be tough !!
but how did they edit my php file???
they didn’t touch html ???
why???

It’s tough, but it’s necessary if you want to make sure your website will not get hacked again.

It’s possible the hackers edited files through FTP or a file manager, or by being able to execute PHP code on your account. If they can freely execute PHP code, they can also modify any file on the account, including other PHP files.

But of course, the fact that they can edit literally any file in your website doesn’t mean they always do.
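The advice above to take a good look at what goes back onto the account can be made mechanical when a known-good backup exists. The following is an added example, not part of the original post or the host's tooling: it hashes a backup tree and the live copy and lists modified, added and missing files. The function names and the sample file names are assumptions made for the demo.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(backup: Path, live: Path) -> dict[str, list[str]]:
    """Report what differs between a known-good backup and the live copy."""
    good, cur = snapshot(backup), snapshot(live)
    return {
        # Same path, different content: e.g. an edited index.php.
        "modified": sorted(f for f in good.keys() & cur.keys() if good[f] != cur[f]),
        # Present only in the live copy: review before trusting, a leftover
        # backdoor would show up here.
        "added": sorted(cur.keys() - good.keys()),
        "missing": sorted(good.keys() - cur.keys()),
    }

def write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo() -> dict[str, list[str]]:
    # Constructed sample trees; file names and contents are made up.
    clean = {"index.php": "<?php echo 'home';", "about.php": "<?php echo 'about';",
             "uploads/photo.txt": "user upload"}
    current = {"index.php": "<?php echo 'changed text';",
               "uploads/photo.txt": "user upload",
               "uploads/cache.php": "<?php /* unexpected file */"}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "backup"), clean)
        write_tree(Path(tmp, "live"), current)
        return compare_trees(Path(tmp, "backup"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

Run `compare_trees` on a local download of htdocs and the backup copy; anything under "added" or "modified" is what needs manual review before it is uploaded again.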


#9

admin what you wrote would be a good template for the knowledge base article :smile:

I would add another reason
Infected computer/device - some malware steals FTP logins
and simply sends login information to “creator” via C&C server
so make sure to scan your computer for viruses regularly.

Do not use a suspicious/unprotected/free wifi point,
school computers and any other devices you don’t have full control over


#10

It’s possible the hackers edited files through FTP or a file manager, or by being able to execute PHP code on your account. If they can freely execute PHP code, they can also modify any file on the account, including other PHP files.

access via FTP seems to be an alarming reason to me…


#11

you can view access and error logs (from client area) and search for something suspicious like weird URLs, etc. and the IP address that requested it

for serious digging you need a server administrator
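A sketch of that log review, added here as an example and not part of the original post: it parses access-log lines and groups suspicious requests by the IP address that sent them. It assumes the logs are in Apache combined format; the three heuristics, the directory names and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Assumption: Apache "combined" log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
WRITABLE_DIRS = {"uploads", "images", "tmp", "cache"}  # hypothetical names
MAX_QUERY = 200  # arbitrary threshold for "weird" query strings

def flag(line):
    """Return (ip, timestamp, target, reasons) for a suspicious line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode %XX escapes first so encoded sequences are not missed.
    path, query = unquote(parts.path).lower(), unquote(parts.query)
    segments = path.strip("/").split("/")
    reasons = []
    if (m["method"] in ("POST", "PUT") and path.endswith(".php")
            and WRITABLE_DIRS & set(segments[:-1])):
        reasons.append("write request to script in upload dir")
    if "../" in query or "://" in query:
        reasons.append("path or URL inside a parameter")
    if len(query) > MAX_QUERY:
        reasons.append("very long query string")
    return (m["ip"], m["ts"], m["target"], reasons) if reasons else None

def triage(lines):
    """Group flagged requests by client IP, keeping log order."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = flag(line)
        if hit:
            ip, ts, target, reasons = hit
            by_ip[ip].append((ts, target, reasons))
    return dict(by_ip)

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    '198.51.100.7 - - [10/Jul/2018:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2018:09:13:44 +0000] "POST /uploads/cache.php HTTP/1.1" 200 17 "-" "curl/7.58.0"',
    '203.0.113.9 - - [10/Jul/2018:09:14:02 +0000] "GET /view.php?page=..%2F..%2Fconfig.php HTTP/1.1" 200 900 "-" "curl/7.58.0"',
    '198.51.100.7 - - [10/Jul/2018:09:15:30 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE).items():
        print(ip, hits)
```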


#12

Never use ftp without SSL, it’s highly vulnerable.
I recommend turning on ftp-SSL (if supported)

SSL is encryption between your ftp client & the server; anyone who is eavesdropping would just see a jumble of nonsense.

Run anti-malware scan on your machine, change password for client & hosting. Also, if this isn’t the first time, try re-setting your router to clear any malicious code running due to recent vulnerability and update its firmware if possible.

If using so called “Free Wi-fi” Don’t use plain text over ftp.

Hope this helps :slight_smile:


#13

@Lanturn said:
Never use ftp without SSL, it’s highly vulnerable.
I recommend turning on ftp-SSL (if supported)

SSL is encryption between your ftp client & the server; anyone who is eavesdropping would just see a jumble of nonsense.

Run anti-malware scan on your machine, change password for client & hosting. Also, if this isn’t the first time, try re-setting your router to clear any malicious code running due to recent vulnerability and update its firmware if possible.

If using so called “Free Wi-fi” Don’t use plain text over ftp.

Hope this helps :slight_smile:

Yes, it’s true.
You can use webftp.phpwebhosting.com and check the SSL option and ftp.epizy.com is supported with SSL and will connect through FTP with SSL and now it’s not FTP anymore but is FTPS (File Transfer Protocol Secure).


#14

@UnknownLolz said:

@Lanturn said:
Never use ftp without SSL, it’s highly vulnerable.
I recommend turning on ftp-SSL (if supported)

SSL is encryption between your ftp client & the server; anyone who is eavesdropping would just see a jumble of nonsense.

Run anti-malware scan on your machine, change password for client & hosting. Also, if this isn’t the first time, try re-setting your router to clear any malicious code running due to recent vulnerability and update its firmware if possible.

If using so called “Free Wi-fi” Don’t use plain text over ftp.

Hope this helps :slight_smile:

Yes, it’s true.
You can use webftp.phpwebhosting.com and check the SSL option and ftp.epizy.com is supported with SSL and will connect through FTP with SSL and now it’s not FTP anymore but is FTPS (File Transfer Protocol Secure).

If you’re worried about people getting access to your FTP credentials, then you definitely should not use just any FTP client you found online.

If you use our file managers and FTP software on your computer, you know that only you and InfinityFree can access your account. On some random website, you don’t know whether the website owner stores and shares your FTP credentials.

FileZilla uses TLS (SSL) by default and so do our file managers. No need to enter your FTP credentials anywhere else.

@OxyDac said:
admin what you wrote would be a good template for the knowledge base article :smile:

I would add another reason
Infected computer/device - some malware steals FTP logins
and simply sends login information to “creator” via C&C server
so make sure to scan your computer for viruses regularly.

Do not use a suspicious/unprotected/free wifi point,
school computers and any other devices you don’t have full control over

This is not exactly a frequently asked question, but you’re right, it would be a good idea to write this down so everyone can use it.

And you’re right on the infected device as well. If your computer is infected with malware, you left your login details on a shared computer or someone is listening in on your network connection, that’s also a good way to get your account compromised.


#15

It’s good that @Rikhi55 does not owe money to this guy :smiley:
https://thehackernews.com/2018/07/web-hosting-server-hack.html


#16

Everything seems good now and thank you all for sharing your valuable suggestions …

It’s good that @Rikhi55 does not owe money to this guy :smiley:
https://thehackernews.com/2018/07/web-hosting-server-hack.html

That is one hell of a way to use your talent !!!
???
Btw it would have been better if he contacted authorities first, but there are always many situations/conditions…


#17

@OxyDac said:
you can view access and error logs (from client area) and search for something suspicious like weird URLs, etc. and the IP address that requested it

for serious digging you need a server administrator

@OxyDac i am unable to select day of access logs in cpanel !!


#18

Are you using Webspell by any chance?


#19

@Rikhi55 use an FTP client and download both folders and open files with notepad or some other text editor


#20

I forgot to say: if log files are not erased