I think my website has been hacked
If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There are many different types of hacks: some can be malicious, while others are just defacements of your actual webpages. We recommend that you regularly back up your website and store the backups on your local computer. If you ever have to restore your website, having those backups can be invaluable.
**Note:** If you already know you have been hacked, please see our article on recovering from a hack.
How can I tell if my website has been hacked?
Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:
- Your home page has changed. If you visit your website and, instead of seeing the page you created, you see something entirely different, it's likely that your page has been "defaced." Normally, these types of hackers will display a "hacked by..." message to take credit for the hack.
- Your access to admin pages no longer exists. If you cannot access the admin section of your website, it's possible the hacker has gained access to the administrator account or cPanel and altered the passwords.
- You get a Google Warning page. This is an indication that Google has scanned your website, and one of the Google bots has found some code that is known to be malicious. If this is the case, Google will display a red warning page.
- Your computer's anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
- A page will not load but it used to. If you haven't changed anything on your website and it is now not loading, this could be a sign of a hack. This is not a typical hack, but it usually indicates that the hacker has modified a database so it no longer functions as it should.
How was my website hacked?
The most common methods of hacking a website are:
- Compromised cPanel or FTP account password
- Code Injection
- Remote File Inclusion
If your password has been hacked or compromised, this will typically be a defacement type of hack. If you use a content management system, the hack was usually done by exploiting the software. It is important when you use CMS software such as Joomla, WordPress, and osCommerce to keep the software up to date.
How can I fix my hacked website?
Each hack is different, so it is extremely difficult to suggest an exact method to resolve a hacked site. Here are some general methods for fixing a hacked website:
- Change the passwords to your account. This is the best practice for any hack and the quickest way to limit access to the website and to your account. You should change your WordPress, FTP, and cPanel passwords.
- Update all programs used on your hosting account. If you use a third-party shopping cart or CMS, it's important to keep that software up to date. This is because most updates are used to secure the actual software. As vulnerabilities are found, patches are released.
- Update software on your local computer. Some programs, such as Flash, have vulnerabilities that allow hackers to access data on your computer. We've seen some hacks even designed to search around for saved FTP credentials.
- Run a malware or virus scan on your local machine. It is possible that you have picked up a piece of malware or a virus that is copying your passwords.
2014-03-17 3:24 pm
Don't you keep your websites virus free???????
My website is not working.... WHAT am I PAYING FOR ???
Really? It has been over 2 hours since my email,,,, still ain't heard from you AND
have seen some bit on your help(less) page that says you don't remove the virus?
I want a credit for my business site being non functional!
2014-03-17 4:15 pm
Hello angry, and sorry for the troubles.
InMotion Hosting runs Mod Security rules on the server to help prevent websites from being attacked, and we also run scans for known malicious files and scripts.
Unfortunately website attacks and hacking attempts are at all-time highs, so it is imperative that you keep any website software that you're running on your website up to date with all of the latest security patches.
We keep the server up to date and secure, but unfortunately if you're running older versions of software with known exploits in the wild available, it could only be a matter of time before your site could be hacked.
I've written guides on both how to reinstall WordPress after a hack, as well as how to fix Joomla hacks and upgrade for security.
However in your case it looks like you possibly are using some different website software called Soholaunch that we don't have specific documentation for.
It looks like you had your index.php file updated last on 3/14/2014 02:18 EDT. The file itself appears to be encrypted with this text:
<?php // This file is protected by copyright law & provided under license. Copyright(C) 2005-2009 www.[SITE].com, All rights reserved.
I didn't want to link to the [SITE] so I've replaced that above, but it looks like they're a Chinese Micro Shield provider that encrypts PHP scripts. I took that encrypted code over to UnPHP.net and it definitely looked like a malicious file.
It looks like the attacker also placed a /css/help.txt file on your account that stored the IPs of some search engines like Google. Then if those search engines requested your site, it would serve them the /images/index1.php script also uploaded maliciously, and this file was a spammy handbag page.
They placed a copy of your original page at /css/index.php to serve to human visitors so that Google wouldn't catch on to their hack. However it looks like with the encrypted script they were using it was failing to execute properly.
I went ahead and cleaned up the hack, and restored your original index.php file to its proper location.
I would recommend updating any of your passwords, especially related to your Soholaunch software to ensure an attacker isn't just logging directly in. Then I'd work on transitioning away from the Soholaunch software, as it's no longer being maintained and could lead to further security exploits down the road for you.
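An added example, not part of the original article or the reply above: comparing the live site against one of the backups the article recommends keeping surfaces the kind of changes described in the reply (a modified index.php and new files under /css and /images). The `ASSET_DIRS` list, the function names and the sample file contents are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
# Assumption: directories that should hold only static assets on this site.
ASSET_DIRS = {"css", "images", "img", "js"}

def _hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in files):
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_to_backup(backup_root, live_root):
    """Return sorted (kind, path) findings for the live site vs. a known-good backup."""
    backup, live = _hashes(backup_root), _hashes(live_root)
    findings = [("missing", rel) for rel in backup if rel not in live]
    for rel, digest in live.items():
        if rel in backup and backup[rel] != digest:
            findings.append(("modified", rel))
        elif rel not in backup:
            # New file: scripts appearing inside asset directories deserve the first look.
            risky = rel.split("/")[0] in ASSET_DIRS and rel.lower().endswith((".php", ".phtml"))
            findings.append(("added-script-in-asset-dir" if risky else "added", rel))
    return sorted(findings)

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample: a clean backup and a live copy altered as in the reply above."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        for root in (backup, live):
            _write(root, "index.php", "<?php echo 'home'; ?>")
            _write(root, "css/site.css", "body {}")
        _write(live, "index.php", "<?php /* constructed stand-in */ ?>")
        for rel in ("css/help.txt", "css/index.php", "images/index1.php"):
            _write(live, rel, "constructed placeholder")
        return compare_to_backup(backup, live)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To use it on a real site, call `compare_to_backup()` with the path of an unpacked backup and the path of the current document root; files the site legitimately changed since the backup will also be listed and need to be ruled out by hand.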