Hacked website

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
Who can help with this?

My client's website has been hacked.
All search engine traffic was diverted by a script index.php to a clothing shop in china.
The index.php has been deleted.
The global.asax and web.config files have been restored, and all redirections have been stopped.

The items are showing, and you can log in as a customer with the admin role, but the Administrator link to go into the admin panel is giving an error page: domain.com/errorpage.htm?aspxerrorpath=/admin

I have restored a previous backup but still get the same error. The database contains item text + images (all in one).

Is there anything I can do to resolve this problem?

They are using version 3.40

Thanks for your help

Kind regards,

Maurits
7 years ago
Firstly, now is a great time to upgrade to 3.7.

Secondly, if your client is using a Windows box then see below:

Now please tell me you have an SQL backup of the database? In your specific case I would take all my directory folders that have your customization and restore them over a new install. Your client's computer is infected with a backdoor. Malwarebytes may help, but it's a long shot. Look for ANY exceptions in your firewall.

Don't bother trying to repair that database unless you have no options left.

In the case of a hacker you always have to reformat data. Did you leave port 3389 Remote Desktop open? It's going to happen again by the same hacker using different IPs... sorry to say. If you're using a Windows box:

#1) Use Google reCAPTCHA code
https://developers.google.com/recaptcha/

#2) Right-click on Task Manager > Performance tab > Open Resource Monitor at the bottom > Overview > focus 100% on the Network tab. Keep an eye out for RDP on 3389 or FTP 25.
You'll find your hacker.

I temporarily used this program to stop unwanted attempts: 3 tries and locked out.
#3) https://rdpguard.com/?v=2-6-3&fam=x64
OR this one
https://syspeace.com/

I take it your client does not know how to lock down a server (not bashing). Go to "Local Security Policy" > Account Policies > Account Lockout Policy and set Account lockout threshold = 2.

Now if they guess wrong two times they must call you to get in.

I won't get into Windows Firewall due to its complexity and the possibility of locking out everyone. SO I can get you a PowerShell script that will DENY all IPs from China... You can always whitelist trusted China IPs later if you want, but that's a little more complicated, though you can do it. Just ask me if you need it.

Lastly, in Event Viewer > Windows Logs > Security > Filter Current Log > Keywords pull-down, do you see Audit Failure... is your event ID 4776?

If so, read that log; they probably used a dictionary password-guessing attack. RENAME "admin" and "administrator" TO ANYTHING but those names. That's easy prey.

Tell your customer he's $%%ed... just kidding, you can fix this, but start with a new database and rebuild from there. Hope I didn't scare you, but security is a full-time job!
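The Event Viewer check above (Security log, Audit Failure, event ID 4776) can be done from PowerShell so the guessed account names and their sources are counted rather than read one entry at a time. This is an added example for the thread, not the poster's script or nopCommerce code; it assumes an elevated PowerShell on the Windows server holding the log, and the 24-hour window and threshold of 10 failures are arbitrary choices.

```powershell
# Summarise Security-log event 4776 "Audit Failure" entries: which account
# names were tried, from which workstations, and how often. Added example for
# this thread, not the original poster's code. Assumes an elevated PowerShell
# on the server that holds the log; $Hours and $Threshold are arbitrary.
$Hours = 24
$Threshold = 10

# 4503599627370496 is StandardEventKeywords.AuditFailure, the keyword that
# Event Viewer's "Audit Failure" filter selects.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    Keywords  = 4503599627370496
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Output "No 4776 audit failures in the last $Hours hours."; return }

# NTLM status codes carried in the event's Status field.
$reasons = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'no such user'
    '0xc0000234' = 'account locked out'
}

# Pull the named fields out of each event's XML payload.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = ([string]$data['Status']).ToLower()
    $reason = if ($reasons.ContainsKey($status)) { $reasons[$status] } else { $status }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['Workstation']
        Reason      = $reason
    }
}

# A dictionary attack shows up as one account name failing many times from a few
# workstations; "admin"/"administrator" at the top is why the post says to rename them.
Write-Output "Accounts with at least $Threshold failures in the last $Hours hours:"
$rows | Group-Object Account | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

Write-Output "Failures by source workstation and reason:"
$rows | Group-Object Workstation, Reason | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Run it again after setting the lockout threshold the post recommends; "account locked out" entries appearing for the guessed names confirm the policy is taking effect.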
7 years ago
Could be a server hack? You should move to other hosting, a more decent one, to make sure the hosting is safe first.
7 years ago
It is on a shared hosting platform, not on an actual server.

I had a look at the customers in the database itself:

2 are like a service account
500 normal customers
3000 customers with a NULL value. Is this normal for the database, or are they used for internal processes?

>> 3 customers with a value of #FILE c:\xxxxx.txt in the ZIP and first line of address.
(These have been deleted)

On the shared hosting, I can disable PHP. The shop doesn't use PHP in any of its scripts, or does it?