
Excessive Hacking Of My Websites By dr.timor [Please Help]

Posted by Amarbir, 12-04-2012, 05:16 AM
Hello, I have a VPS server taken from whost.in in India. I host approx. 14 websites on that VPS. Out of those, only 1 is accessed more. On Nov 28th I figured out that many of my websites were defaced by the dr.timor hacking group. I started the recovery of my websites. The only thing I did was delete that hack1.html file uploaded to my home directory and then take a backup of the MySQL and home folder to my local PC. I had to go out of station, and today and yesterday I cleaned this file, and in some cases the index.php was replaced by me with the proper file. I was smiling, I did it. What I did was I changed the cPanel password for all the sites [but did not change the FTP/email etc. passwords nor the passwords to access MySQL]. My website lynxchandigarh.com is hacked again. I am not an expert here, but I can do and implement anything you want me to. For starters I am downloading Kaspersky 2013 to upload on my laptop and scan the same for any infections etc. Do some of you have a brighter idea? I am fed up with whost.in. This company does not respond to anything when required. I have lost one of my websites also in this process, as they lost the backups too. I am looking for a good VPS service provider who can help a businessman like me when I need their services. Not only this, I am wanting to find out how the dr.timor script is attacking my websites and defacing them. Does anyone here know what could be the reason for this, please, and also suggest a VPS please. I like Linux hosting with cPanel and WHM.

Posted by Dr_Michael, 12-04-2012, 05:33 AM
First of all, download and install this on your PC: http://www.malwarebytes.org/products/malwarebytes_free/ Then, perform a full scan and clean your PC. Let us know if it found any infections. After that, log in to your WHM and change the passwords of all sites using the random password generator.

Posted by Amarbir, 12-04-2012, 06:04 AM
Sir, I will do the needful and update you. Thanks from the core of my heart. You know how I feel; it's much appreciated.

Posted by Amarbir, 12-04-2012, 07:20 AM
Sir, I installed the same and scanned my system. This has found one infection, "PUM.disabled.securitycenter". This is my report:
Malwarebytes Anti-Malware (Trial)
malwarebytes.org
Database version: v2012.12.04.04
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Amarbir :: DIRECTOR [administrator]
Protection: Enabled
12/4/2012 3:40:28 PM
mbam-log-2012-12-04 (15-40-28).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225769
Time elapsed: 34 minute(s), 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
I am also getting emails from one of the companies in India with the following content: "Dear Sir/Madam, CERT-In is tracking defacement of Indian websites on regular basis. We have found that the website "lynxaudio.co.in" hosted on IP has been defaced on 11/12/2012 by the hacker group "Bangladesh Cyber Army". The URL of the defaced website is: lynxaudio.co.in"

Posted by Dr_Michael, 12-04-2012, 09:16 AM
Now, log in to your WHM and change the passwords of all sites using the random password generator.

Posted by Amarbir, 12-04-2012, 09:30 AM
Sir, I am using the following scripts:
1: WordPress
2: webasyst
3: tantumweb
4: phpBB
5: vBulletin forums 3.X
6: LiveZilla "online help"
7: autoindexphp
I checked my main blog website lynxchandigarh and it's totally #$#$@$ up with DR.timor. There is code in many locations. I would like to find out how I can check the SQL database for infections. I plan to get a temp VPS at a different location and try to shift my websites to that after cleaning as much as I can. WordPress scripts are heavily attacked and hacked; I can see many dr.timor files in the admin folder.

Posted by Dr_Michael, 12-04-2012, 09:57 AM
Usually it affects the files and not the database. In order to clean your files you have 3 solutions:
1. To manually download all the files, remove the malicious code and upload them again.
2. To restore a recent backup of the files.
3. To pay a removal service such as Sucuri.

Posted by Amarbir, 12-04-2012, 10:35 AM
Sir, I am thinking of first taking an alternative VPS, then creating a website there and installing WordPress via cPanel. Then I would like my old saved database to get linked to that new website. Is this possible?

Posted by Dr_Michael, 12-04-2012, 11:51 AM
That would be the best option!

Posted by Amarbir, 12-04-2012, 12:06 PM
Well, I am not a PHP and MySQL expert, but I would definitely like some assistance from someone for helping me out to see if I have a database compromised. I am sure it is, as I could see some code in dr.timor scripts and other such stuff that was directly referencing the database in it. Any suggestions please?

Posted by Dr_Michael, 12-04-2012, 12:11 PM
I would suggest to select a new Host, fully managed with good support, to help you in every aspect and every step until your sites get back online without malicious scripts.

Posted by Amarbir, 12-04-2012, 12:56 PM
Well, any suggestions for a good managed VPS hosting company?

Posted by Vinayak_Sharma, 12-04-2012, 01:10 PM
Amar, are your WP and other applications up to date and secured properly? Is your VPS properly secured? I will suggest you better hire someone like Steven from Rack911 to get your issues fixed and moved to your new VPS.

Posted by whmcsguru, 12-04-2012, 01:30 PM
Obviously not. It's not just about securing the VPS though. You need to make 100% sure that you're using the latest and greatest versions of the software you're putting on your site. If plugins don't work, replace them. If themes don't work, get a new one. Usually, a defacement is based on the site script, not the server itself. Scripts like the ones you're using are hacked all the time, you need to stay on top of updates for them.

Posted by Amarbir, 12-04-2012, 01:35 PM
Well, the plan is to buy another VPS and then migrate one website to the same after cleaning to the best of my ability with support from the script provider forums etc. The first step is to take a VPS and I am stuck there. For all Indians I would say whost.in is the most hopeless people in support, their servers are insecure, they have no backups of my websites, and their response to tickets is hopelesssssssssssssssss. I wish many people read this post before they take hosting from whost.in.

Posted by Dr_Michael, 12-04-2012, 01:37 PM
I would say that it is even more possible that it happens because of an infected PC and thus "stolen" FTP password.

Posted by whmcsguru, 12-04-2012, 01:44 PM
While it's a possibility that this caused it, it's usually not that complicated. It's easier any more to just determine what version of script the user is running and run a hack based on that. I'm not saying the possibility of getting someone's FTP password from an infected PC is out of possibility, but that's usually not how this stuff happens.

Posted by Amarbir, 12-04-2012, 01:46 PM
Well, that's possible, but I am currently scanning the system and had Kaspersky fully working and active there, installed in it. I have updated the antivirus to the 2013 version and am scanning my system. It's something to do with something. Once I check my local PC, I will clone the HDD to another location and install everything again. Till that time I am looking for a VPS hosting provider that's not lousy like whost.in.

Posted by Dr_Michael, 12-04-2012, 01:48 PM
According to my experience, this incident is more often than outdated scripts.

Posted by ovais, 12-04-2012, 02:08 PM
It seems to be an issue caused by any outdated script which should be easily traceable by analyzing logs. If you have managed service from your provider then they should be able to tell you exactly why the breach happened.
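
Added example (not part of the thread): one way to do the log analysis suggested above is to find the first request for the defacement file (hack1.html, named in the opening post) in the web server access log and list the successful POST requests that preceded it. The log lines, IP addresses and the plugin path are constructed sample data, and the Apache common log format is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (documentation IPs, hypothetical plugin path).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Nov/2012:03:10:02 +0530] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.9 - - [28/Nov/2012:03:14:40 +0530] "POST /blog/wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 87
203.0.113.9 - - [28/Nov/2012:03:14:55 +0530] "POST /blog/wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 87
203.0.113.9 - - [28/Nov/2012:03:15:30 +0530] "GET /hack1.html HTTP/1.1" 200 1400
198.51.100.7 - - [28/Nov/2012:03:20:00 +0530] "POST /blog/wp-login.php HTTP/1.1" 302 0
"""

def parse(log_text):
    """Yield one dict per parsable log line, with a timezone-aware timestamp."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def suspect_writes(log_text, marker="/hack1.html", window_minutes=30):
    """Return (first hit on the defacement file, Counter of (ip, script) POSTs before it)."""
    records = list(parse(log_text))
    hits = [r for r in records if r["path"].split("?")[0].endswith(marker)]
    if not hits:
        return None, Counter()
    first = min(hits, key=lambda r: r["ts"])
    start = first["ts"] - timedelta(minutes=window_minutes)
    # Successful POSTs shortly before the file first appears are the scripts to inspect.
    posts = Counter(
        (r["ip"], r["path"].split("?")[0])
        for r in records
        if r["method"] == "POST" and r["status"].startswith("2")
        and start <= r["ts"] <= first["ts"]
    )
    return first, posts

if __name__ == "__main__":
    first, posts = suspect_writes(SAMPLE_LOG)
    print("first seen:", first["ts"], "from", first["ip"])
    for (ip, script), n in posts.most_common():
        print(n, ip, script)
```

The scripts it lists are the ones to check against their vendor's current version before the site is restored.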

Posted by Amarbir, 12-05-2012, 05:17 AM
Well, by any chance do you know www.whost.in? Man, these guys suck royally. I have 4 open tickets and for 48 hours no response; earlier they were responding. The attack was on one of my blogs using symlinks, I think.
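
Added example (not part of the thread): a triage pass over a downloaded copy of a web root, covering the manual file clean-up suggested earlier and the symlink suspicion in the last post. It flags files that contain the defacer's name, files changed since a cutoff date, and symlinks that resolve outside the web root. The marker string, the cutoff and the sample tree are assumptions built for the demo.

```python
import os
import tempfile
import time

def triage(root, marker=b"dr.timor", since_epoch=None, max_bytes=1_000_000):
    """Return {relative_path: [reasons]} for entries that need a manual look."""
    root = os.path.realpath(root)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.islink(path):
                # A link that resolves outside the web root can expose other files.
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    reasons.append("symlink leaves web root -> " + target)
            elif os.path.isfile(path):
                if since_epoch is not None and os.stat(path).st_mtime >= since_epoch:
                    reasons.append("modified since cutoff")
                with open(path, "rb") as fh:  # marker match is case-insensitive
                    if marker in fh.read(max_bytes).lower():
                        reasons.append("contains defacer marker")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree():
    """Constructed sample web root for the demo (not data from the thread)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    outside = tempfile.mkdtemp(prefix="other_account_")
    os.makedirs(os.path.join(root, "wp-admin"))
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "hack1.html": b"<h1>Hacked by Dr.Timor</h1>",
        os.path.join("wp-admin", "x.php"): b"<?php /* DR.TIMOR */ ?>",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    old = time.time() - 90 * 86400  # pretend these two predate the incident
    for rel in ("index.php", os.path.join("wp-admin", "x.php")):
        os.utime(os.path.join(root, rel), (old, old))
    os.symlink(outside, os.path.join(root, "sym"))
    return root

if __name__ == "__main__":
    for rel, why in sorted(triage(build_sample_tree(), since_epoch=time.time() - 86400).items()):
        print(rel, why)
```

A file with an old modification time can still be flagged by the marker check, since timestamps on a compromised account can be reset.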
