Hacked

Hi, I haven't been around for a long time, so am not sure of who to contact. It seems last week on the 3rd my site/ftp (godwin.ralert.net) got 'hacked' into, and .htaccess files and edits to index.html files were dropped into every folder in the directory, redirecting connections to a malicious domain (webarh.com). I tried to clean it out but it hit again on the 5th. I'm not sure what caused this, but suspect it might be connected to MyPHPAdmin; as a precaution can I get an admin to change the ftp password and pass it to me? If possible too could someone assist in cleaning this out? It's really tedious going through every folder deleting this stuff. Are there any recent backups available on your end? Thanks.

Edited by Godwin, 07 December 2010 - 03:51 PM.

I'd love to help but I'm awfully busy at the moment. I'll try to get some time to look into it tomorrow evening though.

It's nothing urgent, I can wait. It's okay if there is no quick way to clean it, I'll probably just download the entire directory to do it myself, and prune the files a little at the same time. Was planning to relaunch my site sometime this month or next year. I think what's pertinent right now is to just change the password. Hopefully someone can find out how this happened.

I'm trying to do a quick cleanup as much as I can, but I'll need some help here. You've used so many suspicious scripts and some of them simply demand too much effort to be cleared up. Anyway, make sure you use the latest software and eliminate anything that you are not using. Also, change the phpMyAdmin settings (do you really need that?).

I've taken a look at the account and it really is infested. I was able to delete all the generated .htaccess files with relative ease, but it seems you also have a ton of HTML files with injected javascript that redirects to that site.
Of course we can try to fix this, but to be plain honest, it would probably be easier and safer if you just started the site from scratch and ported over specific content as necessary.

Using this as an opportunity, I've created a new, real account for you at godwin.revora.net which is properly isolated system-wise (the previous attack could've affected all ralert.net sites, which fortunately doesn't seem to be the case). This will also give you more options, as listed on our Hosting Page. Plus, we want to fade out ralert.net anyway; preferably you'd just create a new site there, separate from the ralert.net mess.
I've also changed the FTP and MySQL passwords of your old account to prevent more damage. I further suggest you scan your computer for malware, as previously we've had a similar case where it seems the FTP password was taken from the client computer.
Once you send me your e-mail address by PM I'll give you all the login info.