This is new! It appears that one of my sites was hacked! I haven’t a clue how this was done, but does anyone know what to do about this? This is completely new territory for me.
How was this done?
How do I fix this?
This made me chuckle, but it could have been serious…
If you still have access to your account, please quickly reset your hosting account passwords and client area password as well, and also remove the hacked content they uploaded or the files that you don’t recognize.
Impossible to tell for certain, but if I had to guess, they got hold of your account details from somewhere (maybe another site where you use the same password had a breach?) and they simply logged in and uploaded new files.
Update your password, delete any files they added to your account, and reupload any that they deleted.
Doing a bit of digging into who @sytrkonur is (you’d be surprised what you can find, but please don’t go digging yourself, I have tools to protect me if I accidentally wander into risky parts of the internet) it seems yours isn’t the only site they’ve apprehended.
https://faculitysearch.42web.io also displays the same page.
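One practical way to act on the advice above (find the files you don’t recognise, delete what was added, re-upload what was deleted) is to keep a hash manifest of the site taken while it is known-good and diff it against a fresh listing after an incident. The script below is an added example in Python; it is not code from this thread or from InfinityFree. The site layout and the tampering it simulates are constructed inside a temporary directory so it runs offline; in practice you would run build_manifest against your clean local copy, keep the JSON it writes, and compare it against a download of the hosting account’s htdocs.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences: files that were added, deleted, or overwritten."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a three-file site, a baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "css").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        (site / "about.html").write_text("<h1>About</h1>")
        (site / "css" / "style.css").write_text("body { margin: 0 }")

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), manifest_path)  # taken while the site is known-good

        # Simulated incident (constructed, mirroring what the thread describes):
        # an unrecognised file appears, the front page is replaced, a page goes missing.
        (site / "unknown.php").write_text("<?php /* not ours */ ?>")
        (site / "index.php").write_text("<h1>defaced</h1>")
        (site / "about.html").unlink()

        return diff_manifests(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Anything listed under "added" is a candidate for deletion, "deleted" is what to re-upload from your copy, and "modified" is what to overwrite; a file that is in none of the three lists is byte-for-byte what you uploaded, which is the only sense in which you can "recognise" it.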
I’m curious how the hacker gained access to your website. I have a few questions for you.
Did you use any CMS?
By any chance, did you use any software framework?
What programming language/s did you use?
You can provide other information not included in any of these questions. Any information will be helpful not only for administrators and staff members, but also for those who are concerned for the future of their websites. Personally I do not have any website at the moment.
I wonder if the exploit is beyond Infinityfree’s control or not. I hope the exploit does not affect any of these servers:
Infinityfree
IFastnet
Byet
It will be dangerous if that’s the case. Imagine how many websites, businesses, professionals, students and/or enthusiasts will be affected.
Probably. I wonder which account credentials were hacked/leaked. It could be any of these credentials:
Email address
Dashboard credentials
Per hosting-account credentials
Website credentials (only if the website contained any CMS or other management systems which require authentication mechanisms, such as Wordpress or Drupal)
I can not for the life of me find my client area password, I’ve changed the FTP / DB passwords. I checked the docs and they haven’t helped. Where the heck is the client area pwd?
I have absolutely no idea what they hacked to get access to my account, I don’t use a CMS, the passwords are completely unique to infinityfree and used nowhere else. This is a first for me. They definitely uploaded files into the account though.
Unfortunately that makes it harder to work out how they could have hacked in. But either way, I’m glad the damage was minimal, and you’ve been able to get it sorted.
How do you know the exploits were written in PHP? I wouldn’t be surprised if the files that were uploaded were PHP files, but that’s not the exploit itself.
My hacking knowledge is limited, but I’m not sure how PHP could realistically be used to hack a website… given that PHP is run server side, they’d need to get the PHP onto the InfinityFree servers, and then find a way to force it to add files to your account.
Programming languages generally have security vulnerabilities of their own. That’s why using outdated versions of PHP for your site is dangerous: vulnerabilities in them won’t be fixed. Such vulnerabilities, when successfully found and exploited, can be used to take over a website.
The code itself is also a factor, however. For example, in the past there have been malicious WordPress plugins (or malicious modifications of legitimate plugins) that include backdoors for attackers to use. Poor programming can unintentionally create these types of vulnerabilities too. It’s possible for PHP to access, modify, and create files on the server it’s on, so if an attacker breaks into your site through a vulnerable script like that (or an outdated PHP version) it would very much enable them to modify the files on the hosting account, even without ever having access to the account itself or your client area account.
Sorry, by exploits I meant the files that were uploaded to my account; they were PHP, I didn’t recognize anything else in them.
I’ve no idea how they got into my account, I’ve since changed the hosting account passwords and client area password. I’m just amazed that the other hosting accounts weren’t compromised as well, why would they just target one out of three?
I have since done a thorough scan of my own system, I was wondering if FileZilla had somehow been compromised. The only thing that the malware scanners complained about was ngrok, which I haven’t used for a long time. This has now been removed as a precaution.
Is there anything else I can do to prevent this kind of thing happening again?
Frequently roll (set new) passwords, frequently check the system, work only on your personal computer with no hackers around on your own private WiFi, and always be alert.
Exactly. Even if the password of each hosting account is strong enough and unique to Infinityfree, it does not mean that we are safe from other exploitation attacks.
It’s hard to say if the exploit has not been identified yet. The hacker can always do that with the same exploit if you’re not careful. It’s better if you can identify the bug or the source of the exploit first before taking any preventive measure. There is always a tradeoff when done inappropriately.
You should always follow security standards and conduct security analysis in your source code. Never trust any user input. Ensure that your web application is ready for production if you want it to be available in public. If it’s currently under construction, then I highly suggest you shouldn’t upload it yet unless you have appropriate reasons to do so.
If you’ve suspected that your device has been compromised, then try to secure it first. Then, secure your back-end application. Afterwards, try to eliminate all vulnerabilities in your client-side code.
Take note that no matter how strong a system is, there will always be a weak point for everything. While applying these security measures can reduce the overall possibility of any hacking accident, it does not mean you will be entirely safe from hackers.
There’s a lot of info here, for that I thank you very much. As it is such a concern, I wonder if you and the folks on here have any recommendations for tools to test your own code (back-end & client-side) for vulnerabilities? I think this would be extremely beneficial for anyone reading this post in the future.
Thanks to everyone who has contributed so far, it’s very much appreciated.
If you upload your code to GitHub, there are a few services that will scan and check for vulnerabilities for you. I’m not going to mention any here as I have not used them enough to recommend one, but I know they exist.
But basically, don’t trust user input ever no matter what, sanitize database queries, don’t open API endpoints unless you need to (and always secure them).
One last thing that I’m sure you already know is to never post a screenshot of the Monsta file manager URL as it contains your FTP login name (plain text) and your FTP login password (base64 encoded).
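The two concrete rules in the post above (never trust user input, parameterise database queries) and the earlier point that a server-side script which writes files can be turned against the whole hosting account are easiest to see side by side. What follows is an added example written in Python with sqlite3 rather than PHP so that it runs stand-alone; it is not code from this thread or from InfinityFree, and the table, the upload directory and the test inputs are all constructed. The same two ideas carry over to PHP directly: PDO prepared statements for the query, and basename() plus realpath() checked against a fixed upload directory for the file path.

```python
import sqlite3
from pathlib import Path, PurePosixPath

# Extensions this (hypothetical) upload handler is willing to store. Server-side
# script types are deliberately absent so an upload can never become executable code.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before': user input is spliced into the SQL text, so a quote
    character in the input changes the meaning of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The 'after': the input travels as a bound parameter and is only ever data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def safe_upload_target(upload_root: Path, client_filename: str) -> Path:
    """Decide where a client-supplied filename may be written, or refuse.

    Only the final path component is kept, the extension must be on the
    allow-list, and the resolved path must still sit directly inside upload_root.
    """
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    suffix = PurePosixPath(name).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type not allowed: {suffix or '(none)'}")
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:  # defence in depth; cannot trigger after the checks above
        raise ValueError("path escapes upload directory")
    return target


def demo() -> dict:
    """Run constructed inputs through both query styles and the path check."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input: the textbook quote-containing string
    results = {
        "unsafe_plain": lookup_unsafe(conn, "alice"),
        "unsafe_probe": lookup_unsafe(conn, probe),  # the WHERE clause now matches every row
        "safe_probe": lookup_safe(conn, probe),      # empty: no user has that literal name
    }
    root = Path("/tmp/uploads")  # hypothetical upload directory
    results["traversal_neutralised"] = safe_upload_target(root, "../../htdocs/photo.png").name
    try:
        safe_upload_target(root, "shell.php")
        results["php_rejected"] = False
    except ValueError:
        results["php_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The query half shows why "sanitize" really means "bind": the safe version never builds SQL text from the input at all. The upload half is the counterpart to the earlier point about PHP writing files on the server: a handler that keeps only the filename, allow-lists extensions and pins the destination directory cannot be made to drop a script into htdocs, whatever the client sends.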