| Question: |
Good afternoon. My website http://www.dialog-kniga.ru/ was hacked - don`t know how, and by whom, the page changed - you can tell by the logs when and what else is in the account could change. Master password I have now changed. |
| Question: |
Also I would like to know - does something the other sites on the account? Whether they suffer? |
| Answer: |
Hello. Files baili changed yesterday when the site has been hacked neizvestno. change parolli and template just take care of the security http://www.joomla-docs.ru/Безопасность |
| Answer: |
in the tmp folder of the website you file sGq2ezJY.php antivirus, it is not defined /home/tverpo/public_html/Dialog-book.EN/tmp]# clamscan -ir ./
----------- SCAN SUMMARY -----------
Known viruses: 3276793
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 2
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 7.933 sec (0 m 7 s) but most likely through neo and hacked the site |
| Question: |
he might have gotten in with шаблоном7 |
| Question: |
Yesterday the site was new user registration - temporary folder he could throw without getting access hosting? |
| Answer: |
of course they could, you users can download files? deny such a possibility |
| Question: |
Check out the website http://chinatorism.ru/ - odd, too, all broken - yesterday what the changes were like - I didn`t do anything and have not changed. |
| Answer: |
nothing found |
| Question: |
OK. I will then render. |
| Answer: |
OK
|
| Question: |
I site deleted, and you have not stored a backup version that is earlier - for example when sites are migrated from one server to another? |
| Answer: |
ask what kind of website is it? |
| Question: |
http://www.dialog-kniga.ru/ - which was hacked |
| Answer: |
please Check now.
|
| Answer: |
your account is now sent spam all folders
cwd=/home/tverpo/public_html
cwd=/home/tverpo/public_html/amx-video.EN
cwd=/home/tverpo/public_html/amx-video.ru/engine/skins
cwd=/home/tverpo/public_html/amx-video.ru/engine/skins/chosen
cwd=/home/tverpo/public_html/amx-video.ru/engine/skins/ping
cwd=/home/tverpo/public_html/amx-video.ru/the script
cwd=/home/tverpo/public_html/amx-video.EN/showpro
cwd=/home/tverpo/public_html/amx-video.EN/showpro/engine/modules
cwd=/home/tverpo/public_html/braziylija.EN/template/africa
cwd=/home/tverpo/public_html/braziylija.EN/template/africa/plugins/content/socialsharebuttons
cwd=/home/tverpo/public_html/braziylija.ru/template/africa/plugins/content/socialsharebuttons/style
cwd=/home/tverpo/public_html/braziylija.EN/template/czech
cwd=/home/tverpo/public_html/braziylija.EN/template/czech/css/.sass-cache
cwd=/home/tverpo/public_html/braziylija.EN/template/czech/fonts
cwd=/home/tverpo/public_html/cat-runet.com/wp-includes/css
cwd=/home/tverpo/public_html/cat-runet.com/wp-includes/pomo
cwd=/home/tverpo/public_html/cat-runet.com/wp-includes/Text/Diff/Engine
cwd=/home/tverpo/public_html/cat-runet.com/wp-includes/theme-compat
cwd=/home/tverpo/public_html/chinatorism.EN/t
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/languages
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/library
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/library/extensions
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/library/functions/css
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/library/media/css
cwd=/home/tverpo/public_html/chinatorism.EN/t/tpl/lightbox/css
cwd=/home/tverpo/public_html/Dialog-book.EN
cwd=/home/tverpo/public_html/Dialog-book.EN/plugins
cwd=/home/tverpo/public_html/Dialog-book.EN/plugins/content/mysql
cwd=/home/tverpo/public_html/Dialog-book.EN/plugins/system
cwd=/home/tverpo/public_html/Dialog-book.EN/plugins/system/p3p
cwd=/home/tverpo/public_html/Dialog-book.EN/plugins/system/redirect
cwd=/home/tverpo/public_html/Dialog-book.EN/tmp
cwd=/home/tverpo/public_html/e-gloryon.info/wp-includes
cwd=/home/tverpo/public_html/e-gloryon.info/wp-includes/fonts
cwd=/home/tverpo/public_html/e-gloryon.info/wp-includes/pomo
cwd=/home/tverpo/public_html/e-gloryon.info/wp-includes/SimplePie/Decode/HTML
cwd=/home/tverpo/public_html/e-gloryon.info/wp-includes/theme-compat
cwd=/home/tverpo/public_html/fix-up.ru/wp-includes
cwd=/home/tverpo/public_html/fix-up.ru/wp-includes/pomo
cwd=/home/tverpo/public_html/fix-up.ru/wp-includes/SimplePie/Decode/HTML
cwd=/home/tverpo/public_html/fix-up.ru/wp-includes/theme-compat
cwd=/home/tverpo/public_html/innewon.EN/install1/view/template
cwd=/home/tverpo/public_html/sprosi.com.ru/wp-includes/fonts
cwd=/home/tverpo/public_html/sprosi.com.ru/wp-includes/pomo
cwd=/home/tverpo/public_html/sprosi.com.ru/wp-includes/SimplePie/Decode/HTML
cwd=/home/tverpo/public_html/sprosi.com.ru/wp-includes/theme-compat
cwd=/home/tverpo/public_html/stressov.net/plugins/system/languagecode/language
cwd=/home/tverpo/public_html/stressov.net/plugins/user/profile/profiles
cwd=/home/tverpo/public_html/stressov.net/plugins/xmap/com_content
cwd=/home/tverpo/public_html/stressov.net/plugins/xmap/com_k2
cwd=/home/tverpo/public_html/toourturkey.EN/code/plugins
.
|
| Question: |
Now not working - This Account Has Been Suspended |
| Question: |
Oooo - where flies the spam? |
| Answer: |
you wrote where, with all these folders. you vedb not changed the password. |
| Question: |
Here`s the account I changed the password as soon as I saw the crack today, approximately 22 15. |
| Question: |
What should I do? |
| Answer: |
at the moment the account is checked by the antivirus completely. then we can open access to only for you what would you have checked all the sites, changed passwords on all sites and protect all sites |
| Question: |
I changed my passwords on all sites - most likely the entrance is via ftp |
| Answer: |
why didn`t you then change the ftp password ? the situation is very bad, we found a large number of files which sent out spam, but the problem is that they are not defined by antivrus they are all created on or around the 20th March have starne names like 7vesFCj18.php _Pa.php MKscu__w.php QEXwLa1.php etc. changing the list of files sent to EMAIL |
| Question: |
Received the e-mail hacked, but it is empty |
| Answer: |
sent |
| Question: |
Same thing - blank. There is a app or everything in the text? |
| Answer: |
all text. let another email |
| Question: |
EMAIL |
| Answer: |
sent to EMAIL |
| Question: |
I don`t know why - maybe mail.ru blocks the text. Try or text file or EMAIL |
| Question: |
By EMAIL too |
| Answer: |
sent to EMAIL |
| Question: |
Also empty - so I will get - they all block. |
| Answer: |
let ip with which you will work |
| Question: |
IP |
| Question: |
Only I have dynamic ip and changed 3 times a day |
| Question: |
Also wanted to ask - if I activate the service provider fixed IP, is it possible to make shared access via FTP with reference only to that ip ? And will generally whether it is a guarantee of safety or is it all useless? |
| Answer: |
access to open in the ftp server, the server will bind to ip |
| Question: |
Even do not let cPanel |
| Answer: |
Inform your IP, your IP you can find on the site 2ip.ru |
| Question: |
Here IP IP |
| Answer: |
Access: IP is opened. |
| Question: |
Tell - all FTP accounts and leave one? There are many of them and change the password on all very long, especially I use just one. Which ones can I delete it? |
| Answer: |
Delete all you can also you use. |
| Question: |
I changed the passwords from the login.Changed the password from cPanel, it`s main FTP other ftp accounts deleted.Changed the passwords from admins on all sites.Deleted all files found spamming, well at least through all folders with sites for 2 times - removed about 50 files.Requesting permission to launch sites - also please monitor spam sending tonight, if any, although I hope to have removed everything. |
| Answer: |
check every website script http://www.revisium.com/ai |
| Question: |
I have a problem when checking - always climbs 504 Gateway Time-out. But for full check you need an ssh connection - how to do it I don`t know. |
| Answer: |
we started scanning |
| Question: |
Thank you - I also through 10 starts sometimes runs)))) |
| Question: |
I checked it out - only website http://stressov.net not be - but all the files on hacked.txt I deleted. |
| Question: |
All, I have now checked everything and website http://stressov.net. Please start the normal operation of the sites. |
| Answer: |
the Request is sent to the administrator. |
| Answer: |
test status php ai-bolit.php Scanning file [amx-video.ru/uploads/posts/2014-01/13900590086421308204.jpeg] 72582 of 146808. [Avg: 7 files/s Left: 2 h 56 m ] |
| Question: |
OK - wait. |
| Answer: |
. [Avg: 7 files/s Left: 1 h 21 m ] |
| Answer: |
log /public_html/AI-BOLIT-REPORT-30-03-2014_14-19-210772.html |
| Question: |
The log looked - all potentially dangerous for spam distribution files have been removed. Please include the sites. |
| Answer: |
OK |
| Question: |
How to watch - there is a spam mailing list or not? |
| Answer: |
you did not see the logs of the mail server is available only to the administrator. |
