Hacked!

One thing I will add is that most of the files they uploaded replaced my own files using the exact same file names. It was the modification date of the files that gave them away. Had I been uploading and editing the site files around the time of the attack, it would have been far more difficult to identify them.

1 Like

I do not want to mention it. It might have been classified as “advertisement” in this forum.
You can try to check the tools recommended by OWASP.

4 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Website URL

fish.42web.io

Error Message

This site was taken over by @sytrkonur.

Other Information

I can’t believe this has happened again after all that was done here:

https://forum.infinityfree.com/t/hacked

I have changed my email address and reset passwords but still they have managed to upload files to this account. What on earth can I do now? Is deleting the account the only option?

:frowning:

I merged and reopened your topic.

Deleting the account is probably not necessary, but it might help.

At this point, I would suggest doing the following:

  1. Change all the passwords again for good measure: your hosting account, client area profile and email account.
  2. If you haven’t done so yet, now is a good time to enable 2FA. It’s an absolute must-have for your email account, and also good to have on your InfinityFree client area account.
  3. Delete ALL files from your website. If a hacker got access to them, they might have left a backdoor in your website. This could be anywhere, and there could be more than one. Don’t cut corners and delete only the known infected files; cutting corners is how people get hacked.
  4. Upload your website again from a known clean copy. You want to be 100% sure you don’t put the backdoor right where the hacker left it. Don’t use any backups unless you are absolutely sure it was from before your website was hacked, and prefer uploading from a source that never touched a live server.
  5. Check the database of your website, especially if there are any user or authentication records there. Check it to make sure that no unknown admin users were created, or users have more permissions than they need to.

This is still not a guarantee that your website is safe. It doesn’t protect you in cases where:

  • Your website code has a vulnerability that allows hackers to upload or execute their own code. There is no one-size-fits-all method to fix this; you’ll have to think for yourself what functionality exists in your website that could have such a vulnerability. But if you’re not sure about certain code or functionality, please do share so we can try to help.
  • Malware or other malicious access to your computer where passwords may be stored or used. If someone is using or stealing your credentials there, then it will be virtually impossible to secure any account or service you have.

10 Likes

Thank you for replying to me. I’ve deleted all files, as I did last time around, and I’ve just uploaded one file, index.html that has nothing more than a head section and a <p> tag. I ran Aikido Security on the files on GitHub. The only thing it complained about was a var_dump that resided in a utility function dump_or_die(). I checked the DB and that remains untouched and I’ve run scans for malware on my machine which have come up clean.

I’ll leave the account as is with just the index.html there and see what happens.

Thanks again for the advice, I’ll let you know what happens next.

1 Like