Help our website has been hacked.... how do we resolve ?

**amber** · 03 April 2014, 12:31 PM

Hi can anyone on here PLEASE help as our website has been hacked and is being redirected to another site when clicked on after being returned by google and other search engines but direct links to our website work fine.

We use Xara Webdesigner 7 (windows 7 64 bit)
Hosting with EASYSPACE

We have contacted Easyspace but they are basically saying there is nothing they can do.

Here is a cut and paste of the submitted support ticked I raised with Easyspace outlining the problem we are having and I will add their reply next..... if anyone on here can advise what we can do it would be very much appreciated

Submitted to Easyspace Support

Hi, please could you help.

I rang support last week regarding a domain name and hosting we have with you. Basically our domain name/website appears to have somehow been hacked.

When people find us via a search engine although it shows our domain name in the returned search (for our home page) it shows text not belonging to us and also when people click on the returned search a website NOT OURS opens. As you can imagine with this being our business website it is causing us a lot of problems not to mention embarrassment. We are a car accident repair company and the website opening is one for handbags.

I have tried reloading the local backup of our website (the last change date we made were back in September 2013) but this has not resolved the issue.

I have also run GOOGLE Webmaster Tools on the domain/website as advised by Easyspace Tech support when I phoned last week and that returns no errors or malware. I also ran a 'Fetch' by google webmaster tools and that worked fine and OUR website was returned rather than the 'handgag' one.

It would appear that if we directly enter our domain name to access the website all is fine... it is ONLY when search engines are used that the problem or redirection happens.

We have tried everything we can think of or have been advised to do and nothing so far has worked.

If you can help resolve this or advise on any other things we could try it will be very much appreciated as we are loosing business not to mention looking very unprofessional.

Please note.... that having just tried again out website is now returning a DIFFERENT redirection but still to another false site than it was over the weekend.

I have attached a file to this in the hope that it may help you understand the issue we are having.

Thankyou

**gwpriester** · 03 April 2014, 12:39 PM

1. Change your password. Use as many characters as allowed by your web host and if they permit symbols, use these too. Use numbers, characters upper and lower case. And it is best to use something that is not a recognizable word. e.g. 2kL0PLxrt45wRT7 These are much harder to hack.

2. The redirect script has probably been inserted into your index.htm page. To be on the safe side, delete all your files and republish your website. Unless your computer is infected this should get rid of the redirect script.

3. Change your password every other month at least and once a month is better. If the material on your site is sensitive then change your password even more often.

**amber** · 03 April 2014, 12:40 PM

I also sent them these screen dumps to show where the 'hack' code appears to be

Click image for larger version.

Name: hacked penketh autobody redirect 1.jpg
Views: 162
Size: 80.2 KB
ID: 101413

Click image for larger version.

Name: hacked penketh autobody redirect 2.jpg
Views: 155
Size: 59.4 KB
ID: 101414

**xtom** · 03 April 2014, 12:43 PM

Also check for any htaccess files that might be redirecting as well.

**amber** · 03 April 2014, 12:46 PM

Hi sorry I didn't see your reply gwpriester

I have tried republishing the website from the local .web file stored on my PC but that didn't resolve it. Do you know how I can actually delete all the files that are stored on the Easyspace server or is that something they would have to do for me. I hope not as they aren;t being too helpful at the moment which is not like them.

I am just changing our ftp password with them so hopefully that may work.

**amber** · 03 April 2014, 12:50 PM

I have just received this from Easyspace.... I have no idea what they mean by CMS and Admin file passwords.
Can I set those in Xara ? Aaargh

Hi

Thanks for contacting Support Services.

Apologies for the delay.

The redirect is a result of a hack on the website. You can either restore the website from one of your backups on the control panel.

Here is some general advice on improving your sites security:

The first thing would be to get the passwords for any access get changed. This includes the FTP, control panel and email passwords.

Next thing to check would normally be to if there is any Content Management System (CMS) software active on the domain. These would be the biggest contributor to a hack. If you are using a CMS such as wordpress or joomla, consider upgrading. Other than that , they can normally use password locking on the admin folders.

The site is hosted on one of our shared platforms so any further investigation would have to be done yourselves.

When did you first found the site had been manipulated? What was changed or how did it come to their attention?

Use passwords with as much complexity as you can , the password might be getting intercepted via email/im or some other way.

Kind regards,

**amber** · 03 April 2014, 01:16 PM

Hi Xtom and thanks for your reply too.

Please could you tell me where I can find or access the htaccess files and how I can check them?

I'm sorry if this is another stupid question but all we do to publish our website is to enter our ftp hostname, ftp username, ftp password and subdirectory web/content (which we were given by easyspace when we took our hosting years ago) in the 'publish' box withing Xara and it does the rest for us.

We pay to have weekly back ups done of our website files from Easyspace too but we cant revert to one of the backups as when I downlod them they download as individual files so I can't open them to republish as I can only open the .web file from xara software which apparently is auto saved and overwritten to my local pc and not transferred or stored on easyspace servers.

Thanks

**xtom** · 03 April 2014, 01:24 PM

By the sound of it you aren't using a cms so most likely it was a ftp hack. Changing your passwords will prevent hacking again but you still need to check and clean up the already hacked files. If you republish the site from xara it will upload clean html files and should overwrite any hacked ones - if the site is still redirecting after this you need to check for any dodgy htaccess or php files. Use an ftp client like filezilla to look through the various files and folders. In particular check for a .htaccess in the root directory along side your main index file. If you have just a static website you could try temporarily renaming it old.htaccess and see if it fixes the problem. If it does then that is a bad file and needs to be cleaned of the malicious redirecting code.

**amber** · 03 April 2014, 01:31 PM

Thanks and I think that makes sense to me. Is filezilla something I can download of the web somewhere or do I buy it from Xara and last question I promise..... is the htaccess file something that is generated by xara when we publish our website or is it a server type file that easyspace put there ?

Thanks and I am so sorry for all the questions and my lack of knowledge regarding all this.

**xtom** · 03 April 2014, 01:37 PM

Fliezilla is free -> https://filezilla-project.org/download.php?type=client

xara doesn't upload htaccess files and they are not really needed for a static website, sometimes hosting companies might provide a default one or sometimes none at all. But if there is one there check it out.