HELP! I got hacked and it's redirecting to PPC ads!

Status
Not open for further replies.


phenforum comes up for me. You must have adware or something on your system
 
DAMNIT your responses were so fast! lol

I was informed by one of my members first, since the forums still worked fine. I told her to go download ad-aware..
Then I went to my homepage and was redirected to top10meds.com! :(

I tried uploading my backup index.php but that didn't help.

Then I found an htaccess.txt in my root directory, and downloaded it. Then I deleted it from the server.
That stopped the redirection. Everything looked ok in the file except I found this line in it:

RewriteRule ^/patricio* index.php?q=patricio

Could that have something to do with it? I don't think it was ever there before and I don't recognize "patricio"
Do you guys know any common ways he could have done this? Brute force to find an FTP password? I have no idea...

I hope the rewrite rule I posted is a common one for him and maybe this will help someone else.
 
Thanks ZeroHex, I'll watch out for any DNS record changes. Would those be on my dedicated server?

Guys, I read the redirected url wrong.. it was this site:
TOP 10 PHENTERMINE OFFERS

Is there any way I can prevent him from hacking my server and editing my htaccess again?
 
And I thought I was the only one that was getting hacked lately, I'm glad I'm not alone!

For what little I know, the permissions can be changed on the files on the server. If I need to change something I do it on my blog now, then I put the permissions back so only I can write.

I'm sure there is lots better help out there and I'm all ears!
 
Thanks ZeroHex, I'll watch out for any DNS record changes. Would those be on my dedicated server?

No, the DNS server is usually a different machine and it's usually maintained by your domain host.

You should try to determine what actually happened. If your .htaccess file was changed, you should look at securing your web server first.
 
Couple of things:

The htaccess file that is read is usually .htaccess, not htaccess.txt. Maybe that was just a demo file or something.

Also, the rule.........

PHP:
 RewriteRule ^/patricio* index.php?q=patricio

........would require the initial URL to begin with 'patricio' to even do anything. So, unless your forum's initial URL is like "www.myforum.com/patricio.php" then that doesn't look like the cause.

If this happens again, go to a Windows command prompt and type:

nslookup www.yourdomain.com

This will show what IP address the nameserver is reporting back. Also, download the plugin "LiveHTTPHeaders" for Firefox. Visit your site in Firefox and if the hijack is taking place, you can see whether it was a redirect on your server, etc.

As most have already said:

This sounds like either some spyware that is trying to hijack targeted users, or a case of DNS poisoning to do the same.
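
An added example, not part of the original thread: a small Python check for the two questions raised above, namely which rules in an .htaccess file can send visitors off-site, and which request paths a given RewriteRule pattern would fire on. The sample file, host names and function names are constructed for illustration; the per-directory mode assumes the file sits in the document root, where mod_rewrite matches the path without its leading slash.

```python
import re

# Constructed sample .htaccess content (not the poster's actual file).
SAMPLE = """\
RewriteEngine On
RewriteRule ^/patricio* index.php?q=patricio
RewriteCond %{HTTP_REFERER} (google|yahoo) [NC]
RewriteRule ^(.*)$ http://ads.example.net/offers [R=302,L]
Redirect 301 /old.html /new.html
"""

# A target that starts with a scheme or "//" names another host.
EXTERNAL = re.compile(r"^(?:https?:)?//([^/\s:?#]+)", re.I)

def audit_htaccess(text, own_hosts=("www.yourdomain.com",)):
    """Return (line_no, directive, pattern, target, off_site) per redirect-capable rule.

    Simplification: arguments are split on whitespace, so quoted arguments
    containing spaces are not handled.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewriterule" and len(parts) >= 3:
            pattern, target = parts[1], parts[2]
        elif name in ("redirect", "redirectmatch") and len(parts) >= 3:
            # Redirect [status] URL-path URL: the target is the last token.
            pattern, target = parts[-2], parts[-1]
        else:
            continue
        m = EXTERNAL.match(target)
        off_site = bool(m) and m.group(1).lower() not in own_hosts
        findings.append((no, parts[0], pattern, target, off_site))
    return findings

def rule_fires(pattern, url_path, per_directory=True):
    """Would a RewriteRule pattern match this request path?

    Python's re stands in for Apache's PCRE, which is close enough for simple
    patterns. In .htaccess (per-directory) context the leading slash is removed
    before matching; in server or virtual-host context it is kept.
    """
    subject = url_path.lstrip("/") if per_directory else url_path
    return re.search(pattern, subject) is not None

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

Run it against a copy of the downloaded file and review every rule flagged `off_site`, along with any `RewriteCond` lines directly above it that limit the rule to search-engine referrers or particular user agents.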
 
Excellent advice. I hadn't seen someone post about nslookup until I read your post. That's the first thing you do when you have a dedicated box.
 