InMotion Hosting Support Center

If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There's many different types of hacks and some hacks can be malicious. Other hacks are just defacements to your actual webpages. We recommend that you regularly back up your website and store them on your local computer. If you ever have to restore your website, maintaining backups to do so can be invaluable.

**Note: If you already know you have been hacked, please see our article on recovering from a hack

How can I tell if my website has been hacked?

Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:

  • Your home page has changed. If you visit your website, and instead of seeing the page you have created you see something entirely different it's likely that your page has been "defaced." Normally, these types of hackers will have a "hacked by..." message displaying to take credit for the hack.
  • Your access to admin pages no longer exists. If you cannot access your admin section of your website, it's possible the hacker has gained access to the adminsitrator account or cpanel and altered the passwords.
  • You get a Google Warning page. This is an indication that google has scanned your website, and one of the Google bots has found some code that is known to be malicious. If this is the case, Google will display a red warning page.
  • Your computer's anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
  • A page will not load but it used to. If you haven't changed anything on your website and it is now not loading this could be a sign of a hack. This is not a typical hack but usually inidcates that the hacker has modified a database so it no longer functions as it should.

How was my website hacked?

The most common methods of hacking a website are:

  • Compromised cPanel or FTP account password
  • Code Injection
  • Remote File Inclusion

If you password has been hacked or compromised, this will typically be a defacement type of hack. If you use a content management system, the hack was usually done be exploiting the software. It is important when you use CMS software such as Joomla, WordPress, and OSCommerce to keep the software up to date.

How can I fix my hacked website?

Each hack is different so it is extremely difficult to suggest an exact method to resolve a hacked site. Here are some general methods to fixing a hacked website:

  • Change your passwords to your account. This is the best practice for any hack. This is the quickest way to limit the access to the website. By doing this, you can limit the access to your account. You should change your WordPress, FTP, and cPanel passwords.
  • Update all programs used on your hosting account. If you use a third party shopping cart or CMS it's important to keep that software up to date. This is because most updates are used to secure the actual software. As vulnerabilites are found the patches are released.
  • Update software on your local computer. Some programs such as Flash, have vulnerabilites that allow hacked to access data on your computer. We've seen some hacks even designed to search around for saved FTP credentials.
  • Run a malware or virus scan on your local machine. It is possible that you have picked up a piece of malware or virus that is copying your passwords.

For more information on fixing a hack, please see our article on recovering from a hack. Please see our Website Security article for more information on protecting your website.

Dedicated Server Features

Keeping your server secure is a full time job for any support staff. But that shouldn't be the only focus. Read more about what makes InMotion one of the top hosting companies out there.

Support Center Login

Social Media Login

   
Social Login Joomla

Related Questions

Here are a few questions related to this article that our customers have asked:
Stop the pop-ups on our website
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2014-03-17 3:24 pm

don't you keep your websites virus free???????

My website is not working.... WHAT am I PAYING FOR ???

REally?   It has been over 2 hours since my email,,,, still aint heard from you AND

have seen some bit on your help(less) page that says you don't remove the virus?

WTF

I want a credit for my business site being non functional!  

Staff
9,968 Points
2014-03-17 4:15 pm
Hello angry, and sorry for the troubles.

InMotion Hosting runs Mod Security rules on the server to help prevent websites from being attacked, and we also run scans for known malicious files and scripts.

Unfortunately website attacks and hacking attempts are at all time highs, so it is imperative that you keep any website software that you're running on your website up to date with all of the latest security patches.

We keep the server up to date and secure, but unfortunately if you're running older versions of software with known exploits in the wild available, it could only be a matter of time before your site could be hacked.

I've written guides on both how to reinstall WordPress after a hack, as well as how to fix Joomla hacks and upgrade for security.

However in your case it looks like you possibly are using some different website software called Soholaunch that we don't have specific documentation for.

It looks like you had your index.php file updated last on 3/14/2014 02:18 EDT. The file itself appears to be encrypted with this text:

<?php // This file is protected by copyright law & provided under license. Copyright(C) 2005-2009 www.[SITE].com, All rights reserved.
$OOO0O0O00=__FILE__;$OOO000000=urldecode


I didn't want to link to the [SITE] so I've replaced that above, but it looks like they're a Chinese Micro Shield provider that encrypts PHP scripts. I took that encrypted code over to UnPHP.net and it defintely looked like a malicious file.

It looks like they attacker also placed a /css/help.txt file on your account that stored the IPs of some search engines like Google. Then if those search engine requested your site, it would serve them the /images/index1.php script also uploaded maliciously, and this file was a spammy handbag page.

They placed a copy of your original page at /css/index.php to serve to human visitors so that Google wouldn't catch on to their hack. However it looks like with the encrypted script they were using it was failing to execute properly.

I went ahead and cleaned up the hack, and restored your original index.php file to its proper location.

I would recommend updating any of your passwords, especially related to your Soholaunch software to ensure an attacker isn't just logging directly in. Then I'd work on transitioning away from the Soholaunch software, as it's no longer being maintained and could lead to further security exploits down the road for you.

- Jacob
n/a Points
2014-06-05 3:31 pm

Focus on backups - that's your best defense against hackers.

I always say, "never trust your web host when it comes to backups."

Embrace a good backup methodolog, so that when these events occur, you'll not lose hours of life attempting to recover from them. Enjoy!

Jim WalkerThe Hack Repair Guy

n/a Points
2014-07-09 11:41 am

My website, hosted by Inmotion, has been hacked this day:

http://innovationhub-act.org/drupal

It says 'Hacked by bRpsd!

Can you help me fixing the problem, please?

 

Staff
11,186 Points
2014-07-09 1:19 pm
We recommend that you change any and all passwords, and then restore from any backups you may have been making. After doing so, be sure to check over all of your code for vulnerabilities and keep Drupal up to date at all times to ensure that security flaws are not present within the restored site.
n/a Points
2014-07-20 10:10 am

my website homepage says 'Hacked by bRpsd' i lost access to cpanel and wordpress

what to do?

 

Staff
25,072 Points
2014-07-21 10:02 am
Hello Joe K,

Thank you for contacting us. You can regain access to cPanel via AMP.

From cPanel, you can reset your WordPress password multiple ways.

I also recommend reading our tutorial on Reinstalling WordPress after a hack.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-08-29 9:44 am

My client's website homepage also says "Hacked by bRpsd" -- and InMotion was at the top of the list on Google for a search by that phrase. Is there something here that makes it vulnerable? This is a Drupal website, but so far it looks like they achieved access through CPanel or FTP, as opposed to hacking the Drupal admin (I may be wrong about that, just in the early stages of checking into it).

Staff
39,789 Points
2014-08-29 11:14 am
Hello Lark,

There are many reasons a hack can occur. The most often is due to the hacker gaining access to credentials through various means. Our article on what to do after a hack will help secure your site against a repeat incursion.

Kindest Regards,
Scott M
n/a Points
2014-12-07 10:55 pm

I also had my email account hacked last week and i managed to get some information at http://www.hackedemails.com/help-emails-hacked/ hope it helps others like it did for me

 

n/a Points
2015-02-12 5:09 am
[Jacob M] Hello Francois, my name is Jacob M.  Thanks for contacting us today! 
[Francois] hello Jacob
[Jacob M] You could add a capcha that they have to type letters and numbers in order to post.
[Francois] This is already the case, I even went to the code Cpanel/edit) of my page and intentionaly added an error in the link, so the page isn't accessible but they still come through.
[Jacob M] You might need to have a developer look into this. You can make a post here to have our developers take a look: http://www.inmotionhosting.com/support/community-support/ask-a-question

[Francois] ok i'll try that

Staff
25,072 Points
2015-02-12 12:46 pm
Hello Francois,

Thank you for your question. I looked at your site and noticed a really weak capture system in place. I recommend using a stronger captcha system, such as Google's re-CAPTCHA. "reCAPTCHA frequently modifies its system, requiring hackers to frequently update their methods of decoding, which may frustrate potential abusers." (source)

Although this is a better method, it is still not 100% uncrackable.

If you have any further questions, feel free to post them below.

Thank you,
John-Paul
n/a Points
2015-12-04 5:04 am

hi , our institution website is hacked.  it displays

 

# Hacked by bRpsd~!

IT Huh?? , Contact me on cy@live.no for real IT (:

 

i have the admin rights oly. but server is maintained by some other company.. I can enter into admin page... how to restore my website ??

 

Staff
34,939 Points
2015-12-04 10:09 am
Hello Prabha,

Sorry for the problem with the hack! If you're a customer of InMotion and you have a backup, then I would suggest restoring the non-hacked backup of your site. Follow the recommendations of our article on recovering from a hack. If you don't have a backup, then I highly recommend speaking with a developer/programmer to go through your website code to help recover it.

I hope this helps to answer your question, please let us know if you require any further assistance.

Regards,
Arnel C.
Staff
11,637 Points
2015-12-09 9:27 am
Reach out to the Support Department and they should be able to help you.
n/a Points
2016-01-22 2:00 pm

As a professional cyber incident responder, I would like to add my 2 cents. A hack is usually the result of many factors, and resolving the hack will not resolve the reasons for it in most cases. 

Consider this: was it your behaviour as a webmaster which resulted in your website being badly maintained? Did you not ask for security from your web developers? 

Think about these and when fixing the hack, try to resolve the vulnerabilities which led to it in the first place. 

n/a Points
2016-03-24 4:07 am

We have been hacked.  I am lost as to the next steps.  Google is hopelessly complex.  There are pages that I cannot localte to delete.  How can you help?    Do I take it offline?  Will you delete my site?

Staff
25,072 Points
2016-03-24 10:17 am
Hello Philip,

Thank you for contacting us. I first recommend following our guide on Recovering after a Hack.

Then, protect your site going forward by following our guide on Website Security - Preventative Measures.

Thank you,
John-Paul

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

18 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!