My site was hacked by HEXB00T3R

[king888]

All of the php file in my site were changed to be hacked page. But password to FTP still remain the same. I don't know why this happened. I used anti virus on my PC and I have never been hacked before. Is it done by server site ? All the file in server remain the same except file with .php extension.
Here is my site that was hacked.
www.vitaminfast.com

[inveostore.com]

It is hard to help with no technical details but first of all check your .htaccess file content.

[DFW Products]

I have 6 stores online and have never been hacked while using Prestashop. I was when using OSCommerce but not Prestashop. I would guess and say they got in through the server.

[king888]

I checked .htaccess file. It looks normal nothing suspicious. I guess the hacker might got it through the server because I saw some site in the same server as mine ( I used shared hosting) got hacked also (but not every site )

[inveostore.com]

Many Presta users do very insecure modifications to their stores...

[king888]

Many Presta users do very insecure modifications to their stores...

How to know which things secured or unsecured ?

Thanks

[abrownleo]

Its probably got more to do with your host rather than the software. Hexboot3r is notorius for stuffing up many websites by inserting an index file which overwrites your homepage leaving everything else intact as normal. Overwrite his index file with your original one and your website should go back to normal. Id say he has some sort of software which inserts this file into thousands of websites at a time throwing many people into panic mode. Im a web designer and already had to fix up about 30 of my clients website this morning that he had hacked. Not sure what sort of kick this idiot gets out of this but Id really love to bump into him in a dark alley one night!!!..lol

[MrBaseball34]

We had something similar. Several of our PHP scripts had an iframe injection
My host won't admit it but I think they somehow let them in via FTP.
I wrote a script to detect it and clean it and run it on cron job daily.

[noesac]

.
I wrote a script to detect it and clean it and run it on cron job daily.

Is this like an anti-virus sort of scanner?

[MrBaseball34]

no, it just uses grep to seach for iframe injections and removes the,

[king888]

I still don't know how me managed to get it . All of my .php file was changed to his hacked page. Fortunately,I have the backup but I don't know how soon we will attack my site again.

[MrBaseball34]

I would definitely suggest changing your FTP and cPanel passwords and using sFTP in the future.

[nathanjaysa]

hi there... sorry to bother you folks again with this Hexboot3rs issue but i have been hit now on a few of my sites i have done for clients and i am a Novice Joomla Designer too, i have no backups, from this lesson i have now recently installed akeeba backup plugin and will backup after updates to ensure i have clean files.. now if i am not mistaken from what i see here, all i have to do is what > abrownleo said to copy one of my non hacked sites index.html and overwrite hexboot3rs one. can i use the latest index.html file from 2.5.6 joomla or must it be the same version as what was on the site that was hacked.. as i have learned that in joomla the index.html should be pretty basic referral path page not a data page as such i really need some advise here please if you do have please feel free to PM me much appreciated PS: is it only the index.html file that he hacks or the index.php and images or such.. ???