Site hacked I would be glad of some help please
Hi All,
One of my sites has been hacked, I haven't done anything with it for a long time and it has just come to my attention. I am copying it down via ftp at the moment so I can take a look at what has happened. Here are a couple of links. I have posted the first link because the default domain just redirects you somewhere else.
--Links removed by OP--
Thanks for the assistance!
Thanks for that, I'm in the process of moving all my sites to a new server, which is how I even noticed it. It is a client's site but (you know) one of those who hasn't actually paid for a while (sigh, which is probably why he hasn't brought it to my attention). Unfortunately I didn't want to rebuild this one, I had done a lot of bespoke work in it and a hard drive crash has lost my backup.
I would like to get it up and running on the existing server so that at least I'm just copying how it looks rather than re-creating something completely from scratch.
Just a heads up that when you go to your URL it downloads something to your computer, so the machine you're using is probably infected too.
Many thanks.
In that case I'm going to edit the original post to remove the URL for now.
All, please don't visit!
I've checked out my machine and it is clean. I'm leaving the site up because I'm able to view it properly from here whilst I rebuild it on a different server.
I'm certain this isn't a C5 issue and thanks for the help I've been given.
My only word of caution here is that John is referring to a "Concrete5" site. There can be exceptions if you used plugins that were poorly written, and the peer review board tends to look over everything in the marketplace, so anything you get from there should be good; it's things that you might pick up from other sites that could get you into trouble.
Also, if you are running anything else on the same hosting account it could be completely possible that the vulnerability happened there and they used a file from that site to "infect" your other sites. WordPress sites are notorious targets for these kinds of hacks especially.
That said, John gives good advice on recovery, scrub your account. I typically take a full backup of everything to my local machine, including the http/ftp access logs, prior to trying to undo any damage. This allows for an easier time locating where the vulnerability came into play if it was indeed something on your account that triggered it.
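The access-log review described in the post above, as an added example that is not part of the original thread: it lists the PHP scripts that received successful POST requests, earliest first, so they can be compared against file modification times in the backup. The combined log format, the upload directory names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adjust the pattern for other formats).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# upload_dirs is an assumption: directories meant to hold only uploaded data,
# so a PHP script answering POSTs there deserves a closer look.
def post_targets(lines, upload_dirs=("/files/", "/uploads/")):
    """Summarise successful POSTs to PHP scripts, earliest first."""
    seen = defaultdict(lambda: {"first": None, "hits": 0, "ips": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.lower().endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = seen[path]
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
    rows = [
        {"path": p, "first": e["first"], "hits": e["hits"],
         "clients": len(e["ips"]),
         "in_upload_dir": any(p.startswith(d) for d in upload_dirs)}
        for p, e in seen.items()
    ]
    return sorted(rows, key=lambda r: r["first"])

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.7 - - [20/Apr/2014:03:12:44 +0000] "POST /uploads/img_01.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [19/Apr/2014:10:02:00 +0000] "POST /index.php/login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2014:03:13:10 +0000] "POST /uploads/img_01.php?x=1 HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.44 - - [21/Apr/2014:08:00:01 +0000] "POST /contact.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Apr/2014:08:00:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in post_targets(SAMPLE):
        print(row["first"].isoformat(), row["hits"], row["clients"], row["in_upload_dir"], row["path"])
```

Run it over the backed-up logs of every site on the account, not only the defaced one, since the entry point may be a different site.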
Thank you, I'll take all of that advice. I am sure that this has arisen from a bespoke scripted PHP site on the same shared hosting and my host agrees.
On 26 April 2014 21:46, concrete5 Community <discussions@concretecms.com> wrote:
I'm hoping it was on the same account and NOT simply the same server. There are plenty of things that your host could and should be doing to prevent cross-account contamination; if this is the case, I would be pressing them to resolve their security vulnerability long term or start looking elsewhere.
It was the same account. A client had a fairly large dating site on there which was exploited. I'm in the process of moving entirely from this host mainly due to speed issues.
On 27 April 2014 02:31, concrete5 Community <discussions@concretecms.com> wrote:
If the nature of the site permits, I would scrub the entire host account file space, databases and all ftp logins. Then start from a clean slate and create a fresh ftp login, make a fresh concrete5 install, and recreate the pages from content from the old site (use this as an excuse to upgrade and makeover). But don't let such an exercise lead you into a false sense of security. The most important thing is to change every password and close the door the hacker used.