
Who can repair infected websites?

rexall


Wed 2 Oct 2013, 9:52 am

Hi All,

I am not technical, so perhaps you can point me in the right direction.

Two weeks ago, my websites were hacked by someone who replaced my home pages with pages identifying him as "Mustafa The Hacker" with an audio loop to chanting in Arabic or something, which I assume were some kind of Jihadist content. Charming! Never thought I would be a victim of terrorism!

Anyway, that is neither here nor there. I was able to restore my sites, but yesterday was informed by my host that they are all infected with a massive amount of infected files. The problem is that we may not be able to come up with a clean backup to restore everything.

QUESTION: Is it possible to remove the infection(s) and restore the sites without using a backup? If so, anyone know a reliable guy or service--local or not--who does this professionally? In this situation, promptness and expertise is more of a consideration than price.

Thanks for any suggestions.

Rex


My host is FatCow. They are usually pretty good. I'm not very sophisticated with this technical stuff, and I don't know how it happened, but the oldest backup they had was 20 Sep, and it was infected as well. As I said, how or why, beats me! I just want to hear that someone can fix it and I have lost 100's of hours of labor building and populating these sites the past couple of years.


Who developed it and don't they have the source somewhere offline?

Having just re-read what you wrote, it would seem you've been putting content onto a site without it being backed up?

I hate to say it, but you might just have learned a valuable lesson.

However, I would check your hosting contract and see what their commitments are regarding keeping backups.

I'd also bin them!

Edited by Chicog

I know that the hosters I use make regular backups and I don't rely on any of them. I always do these things myself; that way I know they will be done properly.

All my sites are zipped-up automatically every week, and I keep copies of the last six months of backup zips at another location. I also keep one or two older copies, and I also have all the files for the original installation.


" I was able to restore my sites, but yesterday was informed by my host that they are all infected with a massive amount of infected files. The problem is that we may not be able to come up with a clean backup to restore everything.
QUESTION: Is it possible to remove the infection(s) and restore the sites without using a backup? "


It all rather depends on how they have been modified.

What sort of sites are they anyway? Wordpress? Some other CMS? Or are the sites completely bespoke?

It's impossible to give a sensible answer without more details.


Are you serving static or dynamic pages? Is the DB still clean?

What exactly was attacked? The site or related application, the database server, etc?

What exactly do you mean by infected? With what, in what way? You just said the site was defaced...

What exactly has your host told you?


Wed 2 Oct 2013, 4:56 pm

Thanks for all of the replies. Sorry for my long answer, but several of you guys have asked me complicated questions. My technical skill set is maxed out pretty quickly, so I cannot answer all of these questions very well, but let me consolidate and do the best that I can:

1. I have one account on FatCow with three domains, three websites: One is a vbForum, one is WordPress and the other is (mostly) an "OpenCart" brand shopping cart site.

2. I have been paying FatCow for back up service, but they told me that the earliest backup they have (20 Sep) also has infected files. I don't know what that is about.

3. I don't know what type of infection it is or what is infected. A couple of weeks ago, all of my home pages had been replaced by a page saying that "Mustafa The Hacker" had hacked the site.

4. I also have a third-party backup service, MyRepono. However, it is buggy and I have been looking around for an alternative. Too late I guess. I have some backups there that "may" be clean, but I am stalling on attempting to do a restore until MyRepono resolves some issues and tells me it is OK to go ahead.

5. Originally, when Mustafa hacked me, I was able to restore my sites using MyRepono and thought all was well.

6. A couple of days ago, my site was frozen by FatCow due to infected files. Now, only an error page is showing. I can view my files via FTP (they are still there), but can't make any changes, so I can't even publish an explanation to my visitors. FatCow's explanation:

Hello,

A routine scan of your account has found the following malicious or infected files present:

moo.rexall/testdwt/affpro/affiliate/login.php: JS.IFRAME-1 FOUND

moo.rexall/mindbodythailand/forum/includes/class_xml_dom.php: SiteLock-PHP-HACKEDBY-ez.UNOFFICIAL FOUND

moo.rexall/mindbodythailand/forum/smf_forum/Themes/Bean/images/admin/change_menu.png: SiteLock-PHP-HACKEDBY-ez.UNOFFICIAL FOUND

This is just a couple of the more than 800 (!!!) files on the list. One of the guys I spoke to at FatCow said he had never seen anything like it.

7. I have just purchased a service from FatCow called "Site Lock" which is supposed to clean infected files, however I don't know if it will be helpful now or if I needed to get it before my sites got infected. Seems like a straight-forward question, but still waiting to hear back from FatCow about that. MyRepono is dragging their feet getting back to me for some reason as well.

Obviously, we can re-create all three sites. It will be traumatic and expensive, but doable. Much more difficult, however, will be to duplicate the data, posts in vb and on WordPress and the hundreds of items in the shopping cart.

While this discussion is very interesting, remember that my original question was/is pretty simple: Anyone know of a person or service that can clean infected websites when a backup is not available?

Thanks, lah!


It might be possible to dump the database, reinstall WP and the cart plugin and then upload and link the database back to the site. This should restore it.

totster

edit/ the key here is that you have some software/plugins in WP that are vulnerable, so this will need to be investigated also.

Edited by Totster

I happened to run across a Mustafa-infected site recently. Seems to be catching.

Recreating the sites would seem unnecessary.

Since the host won't run the sites, just download them and run them on your local machine in a VM, and disinfect the files there. Probably not hard to do manually if you can't find a suitable antivir. Use a good editor, find the typical virus patterns in all files, delete them and replace w/ good code (find what the good code should be from an uninfected file--might be the same in many files). Good editors have a replace in files and replace in all opened files functions.

Tedious, but not that difficult. Database is probably not infected--not necessary, when it's so easy to infect the php. I might give a cursory look into the database at the beginning but probably wouldn't get back to it unless cleaning the php didn't entirely work.

You'll need to change weak passwords into good ones and also look into the security, .htaccess, file permissions, etc. The CMS has to be updated and all the extensions.

So then backup and upload. You're done except for establishing regular backups thereafter. Cron is your friend.
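The weekly zip-and-rotate job that this post ("Cron is your friend") and the earlier reply about keeping six months of backup zips describe, as an added example that is not code from the thread. It assumes a tar.gz archive named site-LABEL.tar.gz per run, a retention count chosen by the caller, and a constructed site directory for the demo; the database is assumed to be dumped separately before the archive is taken.

```shell
#!/bin/sh
# Added example, not code from the thread: weekly site backup with rotation,
# meant to be run from cron. Paths, the archive naming scheme and the
# retention count are assumptions for the demonstration.
# Assumed crontab line (every Sunday at 03:00):
#   0 3 * * 0 /usr/local/bin/backup_site.sh
# The database is not in the file tree; dump it first (e.g. with mysqldump
# into SITE_DIR) so the archive carries both files and data.

# backup_site SITE_DIR DEST_DIR KEEP [LABEL]
#   Archives SITE_DIR to DEST_DIR/site-LABEL.tar.gz, refuses to keep an
#   archive that cannot be read back, then deletes all but the newest KEEP
#   archives. LABEL defaults to a timestamp, which sorts by date as text.
backup_site() {
    site_dir=$1; dest_dir=$2; keep=$3
    label=${4:-$(date +%Y%m%d-%H%M%S)}
    archive=$dest_dir/site-$label.tar.gz
    mkdir -p "$dest_dir"
    # -C keeps the paths relative, so the archive restores anywhere
    tar -czf "$archive" -C "$site_dir" . || return 1
    # an archive tar cannot list is not a backup: discard it and fail
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        rm -f "$archive"; return 1
    fi
    prune_backups "$dest_dir" "$keep"
    echo "$archive"
}

# count_backups DEST_DIR: number of archives currently kept
count_backups() {
    ls "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# prune_backups DEST_DIR KEEP: remove the oldest archives beyond KEEP
prune_backups() {
    dest_dir=$1; keep=$2
    count=$(count_backups "$dest_dir")
    if [ "$count" -gt "$keep" ]; then
        ls "$dest_dir"/site-*.tar.gz | sort | head -n $((count - keep)) \
          | while read -r old; do rm -f "$old"; done
    fi
}

# demo_backup: constructed site, three "weekly" runs with KEEP=2,
# prints the archives that survive the rotation
demo_backup() {
    root=$(mktemp -d)
    mkdir -p "$root/site/wp-content/uploads"
    printf '<?php echo "home"; ?>\n' > "$root/site/index.php"
    printf '<?php define("DB_NAME", "demo"); ?>\n' > "$root/site/wp-config.php"
    for week in 20130920 20130927 20131004; do
        backup_site "$root/site" "$root/backups" 2 "$week" >/dev/null
    done
    ls "$root/backups"
    rm -rf "$root"
}
```

Copying the surviving archives to a second location (as the earlier poster does) is a separate step after `backup_site` returns; the point of the read-back check is that a corrupt archive is never the one you discover on restore day.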


Actually you might be able to merely replace all the files with uninfected, maybe updated versions (for standard packages). Backup the configuration files first (also check them for evidence of the virus), then put them back in place after you've replaced all the others.

Yep, could be fast & easy.

:)
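One way to carry out what the two replies above describe (working out which files were changed by comparing the downloaded site against clean copies of the same package, and setting the configuration files aside before replacing everything else), as an added example that is not code from the thread or from any of the packages named in it. The directory layout, the config file names it recognises and the sample tampering in the demo are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares a downloaded copy of a
# compromised site against a pristine copy of the same package version and
# reports what differs, so only those files need attention and the site's
# config files are never blindly overwritten. All names are constructed.

# is_config PATH: config files a clean package does not ship (or ships empty).
# Assumed names: WordPress, OpenCart/vBulletin, SMF.
is_config() {
    case "$(basename "$1")" in
        wp-config.php|config.php|Settings.php) return 0 ;;
        *) return 1 ;;
    esac
}

# same_content A B: true when both files have identical bytes (cksum is POSIX)
same_content() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

report() { printf '%-12s %s\n' "$1" "$2"; }

# audit_tree CLEAN_DIR LIVE_DIR, one finding per line:
#   MODIFIED     in both, content differs   -> replace from the clean copy
#   MISSING      only in the clean copy     -> restore from the clean copy
#   EXTRA        only in the live copy      -> review; often a dropped file
#   CONFIG       site configuration         -> back up, then read by hand
#   PHP-IN-IMAGE image carrying a PHP tag   -> never legitimate
audit_tree() {
    clean=$1; live=$2
    ( cd "$clean" && find . -type f ) | sort | while read -r f; do
        if is_config "$f"; then
            report CONFIG "${f#./}"
        elif [ ! -f "$live/$f" ]; then
            report MISSING "${f#./}"
        elif ! same_content "$clean/$f" "$live/$f"; then
            report MODIFIED "${f#./}"
        fi
    done
    ( cd "$live" && find . -type f ) | sort | while read -r f; do
        if [ -f "$clean/$f" ]; then
            :   # already classified above
        elif is_config "$f"; then
            report CONFIG "${f#./}"
        else
            report EXTRA "${f#./}"
        fi
    done
    # -a makes grep treat binary image data as text so the match is attempted
    ( cd "$live" && find . -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.gif' \) ) \
      | sort | while read -r f; do
        if grep -aq '<?php' "$live/$f"; then
            report PHP-IN-IMAGE "${f#./}"
        fi
    done
}

# demo_audit: builds two small constructed trees and audits the "live" one
demo_audit() {
    root=$(mktemp -d)
    clean=$root/clean; live=$root/live
    mkdir -p "$clean/includes" "$clean/images/admin" \
             "$live/includes"  "$live/images/admin" "$live/uploads"
    printf '<?php echo "home"; ?>\n'    > "$clean/index.php"
    printf '<?php class XmlDom {} ?>\n' > "$clean/includes/class_xml_dom.php"
    printf '\211PNG\r\n\032\n'          > "$clean/images/logo.png"
    printf '\211PNG\r\n\032\n'          > "$clean/images/admin/change_menu.png"
    cp "$clean/index.php" "$live/index.php"
    cp "$clean/images/logo.png" "$live/images/logo.png"
    # constructed tampering: a marker appended to a core file, a PHP tag inside
    # an image, a dropped file under uploads, plus the site's own config file
    { cat "$clean/includes/class_xml_dom.php"; printf '/* constructed tamper marker */\n'; } \
        > "$live/includes/class_xml_dom.php"
    printf '\211PNG\r\n<?php /* constructed marker */ ?>\n' > "$live/images/admin/change_menu.png"
    printf '<?php /* constructed extra file */ ?>\n' > "$live/uploads/login.php"
    printf '<?php define("DB_NAME", "demo"); ?>\n' > "$live/wp-config.php"
    audit_tree "$clean" "$live"
    rm -rf "$root"
}
```

The clean tree has to be the exact release the site was running (the version strings in the package's own files tell you which), otherwise every file of the upgrade shows up as MODIFIED; once the list is down to the real findings, everything except CONFIG lines can be overwritten from the clean copy and the config files read through by hand as the second reply suggests.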


Rexall,

Please PM me your host's FTP details - most of the time it's really a little script / link added to modify the behavior of the home page. Won't charge you anything for this, please!

In case the site has been altered - which is actually fairly uncommon - I'll let you know likewise.

Cheers !
gtm
