Reactuate Got Hacked


In case you didn’t notice, Reactuate was hacked last night. I got a call from another admin at The Houston Image that there seemed to be a hacker message on the site. I was out at Wal-Mart buying t-shirts for models to wear at today’s shoot, and thought it was probably nothing. Got home, checked the site, and sure enough it said:

Owned By nEt^DeViL !! *nO wAR* *aB0 m0h4mM3d rlz!* Contact me

Then I looked at some other sites served from the same host. Reactuate was down. My photography site Reactuate Photography was down. My wife’s blog. My son’s blog. My software company, R.A.D Productions. All down.

I FTPed in to see if they had totally destroyed everything, maybe changed my passwords. At this point I figured they have my main password and complete access to my Dreamhost account.

Got in and found all the files for the sites were there.

Maybe they changed the .htaccess to point every domain to the same file, but no changes to that file.

I sent a support request to Dreamhost and started looking for where the message was coming from. To make a long story short, the hacker had changed every file with the name index.* to his little hacker html. It was a pain, but I was able to go through and restore most of the files.

If this has happened to you, here’s a useful command I used. You ssh into your account and at the top of any directory you think is hacked enter this:

find . -exec grep "Owned By" '{}' \; -print

This will list all the files that have that string in them. You don’t want to put nEt^DeViL in it because that ^ character will cause the search not to work.
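
A more targeted version of that search, as an added example (not part of the original post): it only looks at files named index.*, matches the marker as a fixed string with grep -F so the full text including the ^ can be used, and reports which index files are still defaced. The function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: find index.* files that still carry a defacement marker.
# The marker is matched as a fixed string (grep -F), so characters such as ^
# are taken literally instead of as regular-expression syntax.

# find_defaced DIR MARKER
# Prints the path of every regular file named index.* under DIR whose
# content contains MARKER. Same "-exec ... \; -print" shape as the command
# in the post, limited to the file names the attacker overwrote.
find_defaced() {
    find "$1" -type f -name 'index.*' \
        -exec grep -q -F -e "$2" -- {} \; -print
}

# count_defaced DIR MARKER -> number of index.* files containing MARKER
count_defaced() {
    find_defaced "$1" "$2" | wc -l | tr -d ' '
}

# index_status DIR MARKER
# Prints "DEFACED <path>" or "clean   <path>" for every index.* file, so it
# can be re-run while files are being restored from backup.
# (Paths containing newlines are not handled.)
index_status() {
    find "$1" -type f -name 'index.*' -print | while IFS= read -r f; do
        if grep -q -F -e "$2" -- "$f"; then
            printf 'DEFACED %s\n' "$f"
        else
            printf 'clean   %s\n' "$f"
        fi
    done
}

# make_sample_tree DIR
# Builds a small constructed site tree for trying the functions offline.
make_sample_tree() {
    mkdir -p "$1/blog" "$1/photo site" "$1/shop"
    printf '<html>Owned By nEt^DeViL !!</html>\n' > "$1/blog/index.php"
    printf '<html>Owned By nEt^DeViL !!</html>\n' > "$1/photo site/index.html"
    printf '<html>Welcome to the shop</html>\n' > "$1/shop/index.html"
    # Mentions the marker but is not an index.* file, so it is not listed.
    printf 'Post about being Owned By nEt^DeViL\n' > "$1/blog/post.txt"
}

# Usage: sh thisfile.sh DIR MARKER
if [ "$#" -eq 2 ]; then index_status "$1" "$2"; fi
```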

After I got most of the sites back, Dreamhost sent me a message telling me I had an old version of WordPress running which had a vulnerability in it that would let a hacker change any file on your webserver. I looked through the sites today and found that my cooking site was running 1.2, which is a very old version.

In the process of cleaning up the server I got rid of a few dead sites I had, and my cooking site was one of them.

Hopefully that will help others. And remember, always keep a backup of everything. Plugins, Themes, Gallery software. Everything.
