1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:43 am May 21, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Virus on my hosting

         

glennk

3:20 pm on Jun 29, 2011 (gmt 0)

10+ Year Member



As the title describes, I have a virus/hijack code on my hosting (Servage).

I think it was placed there by an ftp hack, although I am not entirely certain of this. I would really appreciate some help in sorting the problem.

There are roughly 20 domains on my hosting. All are now locked to one single ftp account for which I have changed the password.

The problem mainifests itself by changing the htaccess files of all domains running php websites (Mostly wordpress installations).

The htaccess files are injected with code which hijacks peoples browsers and redirects them to virus and scareware sites.

The problem is rectified by me cleaning the htaccess files on each domain and removing the injected code.

However, after several days the problem reoccurs and all the htaccess files are reinjected with the php code. Also the top level root file also gets a hataccess file placed in it which redirects all the domains to the scareware sites.

Im guessing that the way forward is to clean every domain on the hosting. This wont be too difficult as Im pretty familiar with cleaning wordpress installations. My main concern/ question is - How is this problem able to place a htaccces in the root folder, do you think the ftp is still comprimised ? also If I clean each domain one at a time, is it possible for another domain to reinfect the cleaned one ?

If the moderators move this to another board could you please let me know so that I know where to look on my return.

bwnbwn

9:39 pm on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sounds like your wordpress is the problem have u cleaned the server up and updated to the newest version?

SteveWh

1:38 am on Jun 30, 2011 (gmt 0)

10+ Year Member



There are roughly 20 domains on my hosting. All are now locked to one single ftp account for which I have changed the password.

Everyone who uses that FTP account should do thorough antivirus scans (on their personal computers, not on the compromised server). Then change the password again.

Im guessing that the way forward is to clean every domain on the hosting.

Yes, clean, and upgrade all CMS and their plugins to latest versions.

How is this problem able to place a htaccces in the root folder, do you think the ftp is still comprimised?

Yes, or else there is a backdoor PHP script hidden somewhere in one of the sites. The hacker calls the PHP script with their browser. The web page gives them a user interface, and the PHP code translates their commands to server actions, giving them the ability to download/upload/edit files on the server without having to know any passwords. Sort of like CKEditor or TinyMCE, except without any requirement to log in first.

Also If I clean each domain one at a time, is it possible for another domain to reinfect the cleaned one?

Yes, especially if the server runs PHP as an Apache module rather than as CGI/suPHP.

If SSH is enabled, turn it off.

Since this is a recurring problem, the hacking activity might be getting thoroughly logged in one or more of your server logs.

rocknbil

4:54 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah it's entirely likely

1 - the malware was injected into WordPress

2 - you collected the malware via browsing/working with your sites

3 - you are the one re-infecting the sites unknowingly.

Also note this important thread [webmasterworld.com] if you use FileZilla. By default it stores the FTP passwords on your computer as plain text in an XML file.

glennk

11:26 am on Jul 4, 2011 (gmt 0)

10+ Year Member



So what steps do I need to take to get cleaned up ? There are 20 domains. Where should I start ?

SteveWh

2:01 pm on Jul 5, 2011 (gmt 0)

10+ Year Member



Are all 20 domains yours and under your control, or are you a hosting reseller?

Have all admins done AV scans with an AV program different from the one they were using at the time of the compromise?

Was malware found on any of the PCs?

glennk

3:21 pm on Jul 6, 2011 (gmt 0)

10+ Year Member



Hi Steve.

Currently all 20 domains are mine and under my control through 1ftp and 1 controll panel.

I have done system rootkit scan. System av scan and system malware scan. All is clean.

Yesterday I thouroughly cleaned 1 domain. Removing all files and folders in that domain and relacing with a clean install of wordpress. Today the htaccess of that domain was hacked again and a redirect set up through that hack.

Looking at the files through ftp. The htaccess file is the only file changed. All the other files appear untouched since I cleaned them yesterday.

Am I right in assuming that 1 of the following 3 options is the case ?

1. The ftp is still compromised.
2. The control panel is comprimised.
3. One of the other domains is compromised and the are able to get in there and alter htaccess in all the other domains ?

How should I proceed from here ?

Many thanks for your help so far.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:43 am May 21, 2026