hacked! - redirect SE traffic

Hav3n

Mar 19, 2010
WTF>>> my third try at this thread... my guess is they don't like *htaccess in the thread title?

Hi guys,

I was hacked today (last night).

They changed all the .htaccess files to redirect from their site if the visitor came from any search engine (including googlebot).



I am lucky I caught it today before any of my rankings were affected.


I want to know... how do you....

1) make sure you've solved the problem and closed any security holes. My host's support suggests running AV on all my files after downloading them to my computer... is this a good idea?

2) Any tips on how to prevent this type of thing in the future?


ATM: I am thinking my FTP program was compromised?

Thanks!
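The redirect described in the opening post (rules keyed on the search-engine referrer or the crawler user agent, sending the visitor off-site) has a recognisable shape in the file itself, so a defender can sweep every .htaccess on the account for it. The scanner below is an added example, not code from this thread or from any poster; the hijacked and clean .htaccess contents are constructed samples, `attacker.example` and `mysite.example` are placeholder hosts, and the search-engine word list is an assumption you would extend for your own traffic sources.

```python
import re
from pathlib import Path

# Referrers / crawler user agents that search-traffic hijacks typically key on (assumed list).
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|ask\.com|aol", re.IGNORECASE)

# Constructed sample of a hijacked WordPress .htaccess; attacker.example is a placeholder host.
SAMPLE_HIJACKED = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteRule ^(.*)$ http://attacker.example/in.php?q=$1 [R=301,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample of the stock WordPress block, for comparison.
SAMPLE_CLEAN = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def find_referrer_hijacks(text, site_host):
    """Return [(rule_line_no, rule_text, [cond_line_nos])] for every RewriteRule that
    redirects to a host other than `site_host` and is guarded by at least one
    RewriteCond on HTTP_REFERER or HTTP_USER_AGENT naming a search engine.
    In mod_rewrite, RewriteCond lines apply to the next RewriteRule, so conditions
    are accumulated until a RewriteRule consumes them."""
    findings = []
    pending_conds = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = re.match(r"RewriteCond\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if cond:
            var, pattern = cond.groups()
            if var.upper() in ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}") and SEARCH_ENGINES.search(pattern):
                pending_conds.append(no)
            continue
        rule = re.match(r"RewriteRule\s+\S+\s+(\S+)", line, re.IGNORECASE)
        if rule:
            target = rule.group(1)
            offsite = re.match(r"https?://([^/]+)", target, re.IGNORECASE)
            if pending_conds and offsite and offsite.group(1).lower() != site_host.lower():
                findings.append((no, line, list(pending_conds)))
            pending_conds = []  # the RewriteRule consumes whatever conditions preceded it
    return findings

def scan_tree(root, site_host):
    """Walk a document root and report every .htaccess carrying such a hijack."""
    report = {}
    for htaccess in Path(root).rglob(".htaccess"):
        hits = find_referrer_hijacks(htaccess.read_text(errors="replace"), site_host)
        if hits:
            report[str(htaccess)] = hits
    return report

if __name__ == "__main__":
    for line_no, rule, conds in find_referrer_hijacks(SAMPLE_HIJACKED, "mysite.example"):
        print(f"line {line_no}: {rule}  (guarded by conditions on lines {conds})")
```

Run `scan_tree("/path/to/public_html", "yourdomain.example")` over the whole account rather than one site: the later posts in this thread point out that one compromised site on a shared server can mean every .htaccess on it was rewritten. A clean result only says the redirect is gone, not that the foothold is.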
 


changing all passwords should be your first step.

I gotta admit this problem would confound me too.
 
shared. (I know ... I know)

As someone else will point out, if you are on shared hosting then the person who hacked into the shared server, if that's what he did, could have done it through open exploits on different sites on the same server as yours.
 
Time to go dedicated. This was an eventuality, I just was dragging my feet.
 
Check your themes folder, if you see sm3.php do this -> Twitter

Sounds like you're talking about that. If it is that, it's the TimThumb hack.

Excellent information.

Probably could have saved me some work but I've already nuked and restored the problem site (as far as I could tell)

...and checked all the theme folders and none of those are showing up.
 
Update:

It was timthumb.php

And it came from the themes that were installed by a 3rd party Socialifi that was building some MFAs for me.

Not only did Socialifi not build the websites they said they were, but the themes they loaded on my server had the timthumb.php virus.

Thank God I only gave them WP access and not cPanel access...

Also I haven't gotten my $300 back from them after I requested a refund.

Stay away!!!!!!!!

Lesson learned.
 
They most likely used something like boygj or megadownload to get your templates illegally. I experienced something similar once. Once I got rid of the theme the "designer" used and just bought one and did it myself no more hacks.
 
I had the same experience with Socialifi. Paid $300 for 5 sites and they barely even started work on them. Requested a refund and they stalled on that also. I would recommend doing a chargeback with your CC. I did this last week and won the chargeback.

This is one more reason why you should ALWAYS USE A CC WHEN PAYING WITH PAYPAL.

Admin - Please ban Socialifi as it appears he has scammed a number of people now.


Yeah I've already got a dispute in with my CC... I too used a CC thru PP.

/protect your ass online
 
This issue happens literally 50 times per day because of people chmod 777ing their .htaccess file to accommodate WordPress.... it is really dangerous, and if you are with the wrong hosting provider you could really screw yourself over.

I'm definitely not saying that's what you did...just saying.
 
I had some themes that I bought from WooThemes, I did get an update but only about a week later. I have updated my theme framework to resolve this.

Unfortunately I also had my laptop that got compromised locally by malware. I ended up changing AV, my server password and got the hosting company to clean my server up once I identified where the prob was.

I now run the most aggressive settings on AV even if it does slow my laptop down, which is getting a bit old. The problem with security notifications is that they are in essence reactive and can either be late in getting a fix out or not at all if no one knows about it.
 
had a pirated WooThemes theme that never updates and got caught, immediately bought a legit license and rectified this situation, I'm a baller paying $70 for premium themes yo
 
If you have one timthumb file on any of your sites on your server the guy then has access to all of your sites.

I had this same thing happen to me. The guy changed the htaccess to redirect search engine traffic and he did it to all of my sites. I contacted my hosting and they went through and scanned everything and were able to clean it all up.

The guy had also installed a php shell file that allowed him to get access even after I had deleted the site with the timthumb file. So even if you have deleted the timthumb file, there are probably still other files somewhere on your server planted to allow him to still have access afterwards.

If you haven't contacted your hosting yet, contact them and see if they can scan your sites.

Happened right in the middle of me selling a site for low five figs, real pain in the ass.
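Two points raised above deserve a concrete check: the post about chmod 777 on .htaccess, and the post above about a TimThumb copy plus a planted PHP shell surviving the deletion of the original site. The sweep below is an added example, not code from this thread, from WordPress or from any poster. It walks a document root and reports world-writable paths, every bundled TimThumb copy (by the file names the library shipped under, which is an assumption; it does not check versions), PHP files sitting under wp-content/uploads where only media belongs, and PHP/.htaccess files modified after a cut-off. The directory tree it builds is a constructed stand-in for a hacked shared-hosting account, and the file names in it are placeholders.

```python
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

# Names the TimThumb resizing library was bundled under inside themes (assumed list).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

def _under_uploads(rel_parts):
    # True when wp-content/uploads appears anywhere in the relative path.
    return any(rel_parts[i:i + 2] == ("wp-content", "uploads") for i in range(len(rel_parts) - 1))

def audit_tree(root, newer_than):
    """Return the findings a post-incident sweep wants, as sorted relative paths:
      world_writable   - anything with the other-write bit set (what chmod 777 leaves)
      timthumb         - copies of the TimThumb library, wherever a theme bundled it
      php_in_uploads   - .php under wp-content/uploads, which should hold media only
      recently_changed - .php or .htaccess with mtime after `newer_than` (epoch seconds)"""
    root = Path(root)
    found = {"world_writable": [], "timthumb": [], "php_in_uploads": [], "recently_changed": []}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        rel_str = rel.as_posix()
        st = path.lstat()
        if st.st_mode & stat.S_IWOTH:
            found["world_writable"].append(rel_str)
        if not path.is_file():
            continue
        is_php = path.suffix.lower() == ".php"
        if path.name.lower() in TIMTHUMB_NAMES:
            found["timthumb"].append(rel_str)
        if is_php and _under_uploads(rel.parts):
            found["php_in_uploads"].append(rel_str)
        if (is_php or path.name == ".htaccess") and st.st_mtime > newer_than:
            found["recently_changed"].append(rel_str)
    for hits in found.values():
        hits.sort()
    return found

def build_demo_tree():
    """Constructed sample tree: a month-old WordPress install, then the traces an
    intrusion like the one in this thread leaves behind. Placeholder names throughout."""
    root = Path(tempfile.mkdtemp(prefix="wp_audit_"))
    files = {
        ".htaccess": "RewriteEngine On\n",
        "wp-content/themes/bought-theme/timthumb.php": "<?php // TimThumb library copy\n",
        "wp-content/themes/bought-theme/style.css": "/* theme */\n",
        "wp-content/themes/bought-theme/sm3.php": "<?php // placeholder for a dropped file\n",
        "wp-content/uploads/2011/09/image.jpg": "",
        "wp-content/uploads/2011/09/cache.php": "<?php // placeholder for a dropped file\n",
        "wp-includes/version.php": "<?php $wp_version = 'x';\n",
    }
    old = time.time() - 30 * 86400
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    for p in root.rglob("*"):              # normalise: 755 dirs, 644 files, all a month old
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
        os.utime(p, (old, old))
    now = time.time()                      # the intrusion: rewritten 777 .htaccess, fresh PHP drops
    os.chmod(root / ".htaccess", 0o777)
    for rel in (".htaccess", "wp-content/themes/bought-theme/sm3.php",
                "wp-content/uploads/2011/09/cache.php"):
        os.utime(root / rel, (now, now))
    return root

def run_demo():
    """Audit the constructed tree with a 24-hour cut-off and clean up afterwards."""
    root = build_demo_tree()
    try:
        return audit_tree(root, time.time() - 86400)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for category, hits in run_demo().items():
        print(f"{category}: {hits}")
```

Treat the mtime list as a starting point, not proof: whoever can write files can also reset their timestamps, so compare against a known-clean backup (or the hashes of a fresh WordPress and theme download) before deciding the account is clean. Reading the `timthumb` list as "delete these" is also wrong; the post above is the reason: what survives deletion is the separately planted file, which is what the `php_in_uploads` and `recently_changed` lists are there to surface.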
 
If you're interested, I have a new service for money sites. We update WP for you, we changed out all the timthumbs on our client sites automatically, etc. If you make money off your site, send me a PM.