roopbiswa
New

My account hacked on 18th April, still can't recover

Account hacked on 18th April. I checked: they renamed my index.php to index.php.bak and put an index.html there on every addon domain. Also they added 2 more files on every addon domain, hz.html that is also a clone of their index.html. And they put a PHP file, noname.php, in every folder. Also they created here and there a new folder named "noname_config". This folder contains an .htaccess file containing the command: "Options all
Require None
Satisfy Any".

And a shortcut icon for root folder.

I got another folder named sym and it contains another htaccess:

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any

Also they created a .mysql_backup folder in the root directory, and there I can see all the backups of the db files in gzip format.

I have changed all login and FTP passwords. Blocked suspected IPs. Deleted all suspected files and folders. But on 19th April I checked and the hz.html file was there again in every root folder, domain-wise. I deleted it again and also blocked a few more IPs. But today again I see the hz.html is there. Can you guys please help me out of this situation? This has now become almost a regular event at an interval of 2 or 3 months. I am really scared now. And also I did not find any virus scanner on the server either. I am getting tired of fighting them and feeling helpless.

Guys, please tell me how to protect against all this and the way to get rid of it.

 

My htaccess in public_html is:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^trizend\.in$ [OR]
RewriteCond %{HTTP_HOST} ^www\.trizend\.in$
RewriteRule ^/?$ "http\:\/\/www\.software\.trizend\.com\/" [R=301,L]


<Files 403.shtml>
order allow,deny
allow from all
</Files>


1 REPLY 1
Heather
Employee

Hello @roopbiswa!

 

Yikes! I'm sorry you're having so much trouble. Have you checked for plugins or applications that may be out of date? Sometimes hackers use those as a door into your site. 

 

Heather - GoDaddy | Community Moderator
24/7 support available at x.co/247support
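
An added example, not written by either poster and not a GoDaddy tool: a Python sweep of a hosting account's web root for the artifacts named in the original post (hz.html, noname.php, index.php.bak, the noname_config, sym and .mysql_backup folders, and .htaccess files carrying the quoted directives). The function names, the constructed sample tree and the `modified_since` cutoff are assumptions made for illustration.

```python
import os
import tempfile
import time

# Names and .htaccess directives quoted in the original post (lower-cased).
BAD_FILES = {"hz.html", "noname.php", "index.php.bak"}
BAD_DIRS = {"noname_config", "sym", ".mysql_backup"}
BAD_DIRECTIVES = ("satisfy any", "require none", "addtype text/plain .php")

def sweep(root, modified_since=None):
    """Return sorted (reason, path) findings; modified_since is an assumed
    epoch cutoff after which changed .php files are also reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        findings += [("dropped-dir", os.path.join(dirpath, d))
                     for d in dirnames if d in BAD_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in BAD_FILES:
                findings.append(("dropped-file", path))
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    text = " ".join(fh.read().lower().split())
                hits = [d for d in BAD_DIRECTIVES if d in text]
                if hits:
                    findings.append(("htaccess:" + ",".join(hits), path))
            elif (modified_since is not None and name.endswith(".php")
                  and os.lstat(path).st_mtime > modified_since):
                findings.append(("recent-php", path))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree shaped like one addon domain in the post."""
    files = {"hz.html": "", "index.php.bak": "<?php", ".htaccess": "RewriteEngine on\n",
             "noname_config/.htaccess": "Options all\nRequire None\nSatisfy Any\n",
             "app/old.php": "<?php", "app/new.php": "<?php"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    old = time.time() - 90 * 86400  # pretend old.php predates the cleanup
    os.utime(os.path.join(root, "app/old.php"), (old, old))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for reason, path in sweep(build_sample_tree(tmp), time.time() - 86400):
            print(reason, os.path.relpath(path, tmp))
```

Passing the time of the last cleanup as the cutoff turns the `recent-php` entries into a review list of scripts changed since then, which matters when a deleted file such as hz.html keeps reappearing.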