Elxis CMS Forum
Topic: Elxis sites hacked
MadonaMady
« on: June 26, 2012, 08:20:35 »

Hello
I am facing a serious problem this week and finally I thought about sharing it with you people.

I used Elxis CMS in some of my clients' websites,
and I am using hosting from justhost.com that gives me an unlimited number of websites to host in the same account.

And these days I got a hacker fucking my life; the hacker's name is ( aWaNg_v2 ).

He can change all my index.php files in all my websites and the .htaccess file (I attached both files he changed in my websites).

Each day he does that and I go restore both files.

Note that in my Elxis websites I pass the security test, meaning that defender is enabled and flood blocker, and everything is going good.

So how can he go and change my index.php and .htaccess files?

Can anyone help me and tell me what to do please? This causes me loss of my clients :(

* changed files.zip (36.26 KB - downloaded 35 times.)
xmanhattan
« Reply #1 on: June 26, 2012, 08:27:56 »

Hello MadonaMady,

Are your files and folder / directories permissions set properly?  They should be 644 and 755 accordingly except for the cache and tmp folders.

@ndreas
« Reply #2 on: June 26, 2012, 08:40:55 »

First of all, change all your passwords, strong passwords recommended.
Then, check the Apache log files of the server.
Then check your computer for viruses.
Do you have the latest version of Elxis installed?
Finally, is this the only site with problems? Are there any other of your sites hacked?
MadonaMady
« Reply #3 on: June 26, 2012, 08:45:41 »

> Hello MadonaMady,
>
> Are your files and folder / directories permissions set properly?  They should be 644 and 755 accordingly except for the cache and tmp folders.

Yes, all of them.
MadonaMady
« Reply #4 on: June 26, 2012, 08:46:35 »

> First of all, change all your passwords, strong passwords recommended.
> Then, check the Apache log files of the server.
> Then check your computer for viruses.
> Do you have the latest version of Elxis installed?
> Finally, is this the only site with problems? Are there any other of your sites hacked?

I did change my passwords, but after I did that I was also hacked again, not just one website but all the websites in my hosting account also.
My computer is clear of viruses,
and I have the latest version of Elxis, yes.
@ndreas
« Reply #5 on: June 26, 2012, 08:51:52 »

Are all your sites Elxis powered?
MadonaMady
« Reply #6 on: June 26, 2012, 08:55:22 »

> Are all your sites Elxis powered?

In that hosting, yes,
and one static website without any PHP programming on it, just HTML files.
@ndreas
« Reply #7 on: June 26, 2012, 08:56:41 »

Check your server log files to see how they get access to your files.
MadonaMady
« Reply #8 on: June 26, 2012, 08:59:27 »

> Check your server log files to see how they get access to your files.

What should I search for in my log files?
@ndreas
« Reply #9 on: June 26, 2012, 09:01:25 »

It is not something specific you are looking for; there is a lot of work to be done in cases like this.
webgift
Elxis Team
« Reply #10 on: June 26, 2012, 10:20:25 »

I am decently sure that there are several CMSs on your server other than Elxis. Can you provide us a live URL of one simple Elxis site?
A scenario:
Because 90% of hacking cases are among 3-4 different files, change the permission of those to 444 from 644. These files are:
index.php
index2.php
configuration.php
templates/my_template/index.php

My site hacked. What can I do?
In case your Elxis site is hacked, don't try to connect to the administrator area! Don't even try to check it out in the front-end area. You can view the website only if you have deactivated JavaScript in your browser (Firefox -> Options -> Content -> activate JavaScript on/off). This is because in some cases they may get your passwords or something else. Connect through FTP software and edit the configuration.php file -> $mosConfig_offline = 1. This change will set your site as offline.

- Logs (error and access). Check these files on your server.
- Check which files have been modified. This presupposes shell access. For example:
cd /path/to/elxis/root/folder/
find . -type f -mtime -1
- Check the database.
Check whether any user has been created (table users).
apkoutsou
« Reply #11 on: June 26, 2012, 11:25:26 »

As Elxis itself does not give direct access to the hacked files (like .htaccess, index.php, configuration.php) but only to the template's index.php, I believe that the problem is not with your CMS, but with your server, especially the file server. It is most probable that the hacker has access to the whole server.

So first of all change *ALL* your passwords, as @ndreas suggested; not only Elxis', but also the passwords for FTP, control panel etc. (though I believe that it will not work, but do it anyway in case the hacker has only your account details).

Then check the log files as webgift instructed. First find out at about what time the last hack happened (by checking when the hacked files were modified) and then check all the server's logs to see what happened at that time.
LawyersVoice.gr - The forum for young lawyers
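
The triage webgift and apkoutsou describe above (check permissions, take the modification time of a changed file, then read the logs around that time), as an added example that is not part of any post in this thread. It assumes GNU find/date/touch and an Apache access log in the server's time zone; the function names, paths and log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/date/touch and an
# Apache access log whose timestamps are in the server's time zone.
export LC_ALL=C TZ=UTC

# Files or directories writable by group or others (looser than 644/755).
loose_perms() {    # usage: loose_perms DIR
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Access-log lines within +/- MIN minutes of FILE's modification time.
log_window() {     # usage: log_window FILE ACCESS_LOG MIN
    t=$(date -r "$1" +%s)
    i=$(( 0 - $3 ))
    while [ "$i" -le "$3" ]; do
        stamp=$(date -d "@$(( t + 60 * i ))" '+%d/%b/%Y:%H:%M')
        grep -F "[$stamp:" "$2" || true
        i=$(( i + 1 ))
    done
}

# Constructed demo data: a small site root and a three-line access log.
demo=$(mktemp -d)
mkdir -p "$demo/site/tmp"
echo '<?php // front page' > "$demo/site/index.php"
echo '<?php // settings'   > "$demo/site/configuration.php"
chmod 755 "$demo/site" "$demo/site/tmp"
chmod 644 "$demo/site/index.php"
chmod 666 "$demo/site/configuration.php"   # deliberately too loose
touch -d '2012-06-26 08:15:30' "$demo/site/index.php"   # changed at 08:15
cat > "$demo/access.log" <<'EOF'
198.51.100.7 - - [26/Jun/2012:07:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [26/Jun/2012:08:14:58 +0000] "POST /unknown.php HTTP/1.1" 200 312
198.51.100.7 - - [26/Jun/2012:09:40:03 +0000] "GET /about.html HTTP/1.1" 200 2048
EOF

echo "Loose permissions:";        loose_perms "$demo/site"
echo "Requests near the change:"; log_window "$demo/site/index.php" "$demo/access.log" 2
```

On a real account, point `loose_perms` at the site root and `log_window` at each changed index.php or .htaccess together with the host's access log.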
MadonaMady
« Reply #12 on: June 26, 2012, 16:26:12 »

The hacker could change my index.php file and my .htaccess file.

How could he do that? :S
MadonaMady
« Reply #13 on: June 26, 2012, 16:35:12 »

I have done all of that, and I added this code to my .htaccess file in every website:
<Files php.ini>
order allow,deny
deny from all
</Files>

to stop him from viewing the php.ini code,
and I changed the permissions as you told me,
and I reviewed my site files to see what happened, but I do that through FTP because I am not familiar with shell access commands, and I found a file that he added to one of the websites; it is in the attachments.
I deleted it and changed all the passwords again.

What should I do now?

* bsql.zip (1.24 KB - downloaded 41 times.)
rentasite
Elxis Community
« Reply #14 on: June 26, 2012, 17:46:18 »

> and one static website without any php programing on it just html files

Was the static site also hacked?