One Of My Website is Hacked Repeatedly, What is the Best Thing To Do?

Boraan · #21 (**permalink**) 07-08-09, 11:13 PM

I replied to your message. you sure you don't have access to your logs?

bizzar528 · #22 (**permalink**) 07-09-09, 09:13 AM

You should have a professional take a look at your site, your code, and your hosting.

Obviously it's not just as simple as changing a password so you should really do a full review. If you want help, let me know and I can probably take a few minutes to check it out and maybe recommend a few things. If you want, your welcome to PM me.

Julie Viola · #23 (**permalink**) 07-09-09, 06:54 PM

You are right Bizzar528, it's not ss simple as changing the passwords and usernames as I learn now. I just know now that even after i changed the password it keeps on coming back.
I really appreciate your offer but I have just got someone to have a look at it and if it doesn't pan out or shall i say it's too steep for me, I will remember your offer to check it out.

Thanks again

Julie Viola

Boraan · #24 (**permalink**) 07-09-09, 07:26 PM

Julie, before we go ahead, I want to eliminate the possibility that your computer isn't the source of compromise. There is a program called Malwarebyte's Antimalware. I was built by a friend of mine a few years ago and it's really good at detecting things that other spyware programs can't, like keyloggers.

One of the most common points of compromise is the home or office computer. If you changed the passwords on the same computer you normally use you could have sent the hacker your new user/pass. Use Malwarebyte's to do a full scan of your computer and clean up whatever it finds. If it doesn't find anything then we'll go ahead with moving your site to my servers.

Yes the free hosting offer is still on the table.

Julie Viola · #25 (**permalink**) 07-09-09, 09:25 PM

I use the Norton 360 and I have been cleaning it up the few days especially before changing my passwords. Would that be enough? As some of the people I have talk to said once you got the Norton 360, you should be okay..

Please let me know..

Thanks

Julie Viola

Boraan · #26 (**permalink**) 07-09-09, 10:47 PM

nope, use malwarebyte's. it was designed to look for stuff like keyloggers, brute force programs, etc

Julie Viola · #27 (**permalink**) 07-10-09, 01:58 AM

I only found one after using the malwarebyte's Anti-Malware. The name is Rogue.sysCleanPro and I have remove it already. this was the on object on the files that the software saw when I run it.

Does that helps?

Thanks
Julie Viola

wirehopper · #28 (**permalink**) 07-10-09, 07:20 AM

I think boraan is right - and it looks like AntiMalwareBytes works for you (I've used it too). Set it up to get the updates so that it protects your system from new threats, and, I think it is worth paying them for the software (I did) - it's excellent, and there is a lot of work in it. The cost of the software is far less than the time lost recovering from malware.

Boraan · #29 (**permalink**) 07-10-09, 08:28 AM

Rogue.sysCleanPro is a seriously aggressive malware. Basically what it does is generate pops saying your system is infected and does a fake scan pointing where it obviously finds thing to be fixed that can only be fixed when you purchase the full version.

It is very dangerous as has been known to install additional spyware, dl viruses, repair itself, spread and in some cases compromise account security and credit card/bank security.

Registry entries:

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\memman.vxd

Files:

Code:

C:\ProgramData\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.SysCleanerPro)
C:\Windows\System32\memman.vxd (Rogue.SysCleanerPro)

Could a hacker use this to compromise your accounts? if it was part of the software bundle that you use for uploading/accessing your godaddy account. Other than that? idk. it seems like you may have have gotten it from another program, maybe a maintenance utility or something. Since it does have a history of compromising security, we'll go ahead and try to elimitate it as a possibility.

Since we now know that you have no known infections, change your passwords and re-upload the site information. If you don't get hacked again then we know that was the point of compromise. If it does then we've basically elimited anything on your pc as a point of compromise with exception to one thing.

How do you access your godaddy account? do you use the browser or another application?

Julie Viola · #30 (**permalink**) 07-10-09, 05:20 PM

I use the browser and then log into Godaddy.com.
this is the infected files Files Infected:
d:\backup\programdata\{0c067481-4ace-4387-bd53-e083082dc882}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.

thanks
Julie Viola