Welcome back G|A
05-04-2012, 08:38 PM
So what was that *!&^@#$ hacker site-not-working thing all about?
Basically, all last week we were working on some database issues. Something kept locking up the tables, but we couldn't figure it out. We had moved to a pretty robust dedicated server and still MySQL would take up a ton of processor time and the tables were continuing to lock up. I was finally able to narrow it down to a 3rd party SEO software, which I then disabled. The dev re-enabled the built-in SEO and a few other fixes and it looked like the site was finally stable. We all breathed a sigh of relief and then the dev told me he was going to be gone for three days. That was fine because it looked like the site was good to go. That was last Thursday.
On Friday, I woke up and saw an email from the host saying that they detected that the site was hacked. I brought up the page and indeed it was. I asked the dev to please restore the site from a previous backup. There was a shell on that backup, but we deleted it and thought all was good.
I was up late that night and still paranoid. I kept the FTP client open and kept refreshing the directories every now and then to make sure timestamps weren't changing. At around 1:30AM PST I noticed that a few core files had new timestamps. I refreshed again and noticed that the .htaccess timestamp changed too. We were getting hacked again. That's when I logged into WHM and suspended the site and promptly renamed and moved the suspect files. We then employed the host to clean the site and remove all shells. They did the best they could, but they couldn't be 100% sure until they were able to cross-reference some custom modules with the dev's personal copy. However, the dev would not return for a few more days.
After the dev came back, it took a few days for everything to be double checked. We finally reopened the site today, but I'm still a bit paranoid. Once a hacker gets in, it's hard to tell the extent of the damage. I'm still crossing my fingers.
05-05-2012, 06:46 AM
Glad to see we're back. I still don't get what the "hacker" gets out of hitting a site like this. If it's not a site that has a few full time guys, then where are the bragging rights? It's almost as pitiful as a few years ago when a friend's personal blog was hacked.
Hopefully it's clean now. We've further uninstalled some 3rd party modules. Last night I also detected a full featured SHELL program in one of the directories. I had made a backup of the entire site after it was restored and then I randomly decided to try out an online scanner. It detected a "PHP/Obfuscated.E application" on the site backup directory. I typed in the address in my browser and was able to pretty much upload whatever I wanted using that SHELL. Man, talk about scary. I deleted that file, copied the entire site to my hard drive and did another scan. Hopefully it's truly clean now. :yell: