Elxis CMS Forum
Author Topic: Elxis sites hacked  (Read 3195 times)
MadonaMady
Newbie
Posts: 14
« Reply #15 on: June 26, 2012, 17:50:01 »

> and one static website without any php programming on it, just html files

> Was the static site also hacked?

no
Ivan Trebješanin
Elxis Team
Hero Member
Posts: 1646
« Reply #16 on: June 26, 2012, 19:26:50 »

> the hacker could change my index.php file and my .htaccess file

> how could he do that :S

I think your server has been "rooted". So I don't think there's much you can do except for changing hosting company.
datahell
Elxis Team
Hero Member
Posts: 7682
« Reply #17 on: June 26, 2012, 21:03:31 »

Ivan is right, it is not an Elxis issue. You must search your server for a malicious script (most probably a shell script, or a perl/cgi or even a php one).
This script is executed regularly, so even if you restore the original files they will be modified again automatically.
You must locate and delete this script. Then restore the sites.
To prevent the modification of index or other files you can temporarily chown them to root (it won't help if the shell script also runs as root).
Here is a way to do it for a web site's index files automatically:
cd /to/website/root/folder/
find . -type f -name "index.php" -exec chown root:root {} \;
find . -type f -name "index.html" -exec chown root:root {} \;

Or chown everything to root:
cd /to/website/root/folder/
chown -R root:root *

A way to find the malicious script is to use the find command to search for files modified in the last X days. When did this attack first occur? Yesterday?
You can run:
cd /
find . -type f -mtime -1
(use -mtime -2 for the day before yesterday and so on)

If you get too many results you can also use the -executable option to narrow them down:
find . -type f -executable -mtime -1

Look carefully at the results to locate the bad script. If you locate the script then search for it on the internet.
Find all the occurrences it might have and delete them all. Do a search by name of the bad script(s). Find and restore all affected files.
Strengthen the security of your web server (mostly the php installation). Pay special attention to the web server access logs for the date the attack first occurred. There is maybe a bad outdated exploitable script somewhere on your server that the attacker used to upload his scripts. I have seen such attacks against osCommerce for example. From your second attachment I see a mytickets script that is exploitable. I think it is the cause...

If I was in your case I would stop apache from running till I clean up the web server:
/etc/init.d/apache2 stop

Also delete the affected .htaccess files.

Another important tip is to change the port your ssh runs on and disable direct login of user root. Create another ssh user account, login with it and then use the su command to switch to the root account.

To answer your question on how it is possible for someone to change the htaccess file: it is very easy to change a file from the time you have uploaded a script on the server.
It is as simple as this:
<?php
$h = fopen('index.php', 'w');
fwrite($h, 'write anything in the file...');
fclose($h);
?>

A question: How does your PHP run? As mod_php, as FastCGI? Do you use suexec?
« Last Edit: June 26, 2012, 21:29:44 by datahell »

MadonaMady
Newbie
Posts: 14
« Reply #18 on: June 28, 2012, 03:30:17 »

thanks all for your help, I found the security vulnerability and fixed it and I am going to share how I did that
first I used shell access to find a ( base64_decode )
grep -r base64_decode *
in my root folder for each website
and I checked the results, so good
I found that there is some strange code with base64_decode
at ( root/templates/ekebic/index.php ) which is an Elxis Template and it is not the default one, even not in use
this is the code I found
Code:
<? eval(gzinflate(str_rot13(base64_decode('FJzHjq1Ksn897/TUJBQERVO......etc......57FJQ8=')))); ?>
I went to decode it and bingo, this is how the hacker can do everything that is done
this is the decoding result ( found in a txt file in attachments )

I cleared that code and restored the original index.php of that template code
can someone make it more clear for me what this code could do, coz I am afraid I understand it wrong :S

and started reading more about how hackers can hack the website

but what is strange is that I need to know from the very start how he could put that code in my files?

could he inject it into a site where I let users make posts and articles? or through what can the hacker inject code into a website?

* the hacker script.txt (18.88 KB - downloaded 219 times.)
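Worked example added here (not code from the thread, from Elxis, or from any poster): a POSIX shell script that combines datahell's find -mtime search with the base64_decode grep above, scanning a web root for PHP files carrying an eval(gzinflate(str_rot13(base64_decode(...)))) chain and listing files modified in the last N days. The sample web root it builds under a temp directory is constructed for demonstration and is never executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elxis. Combines the two
# checks discussed in the thread: find -mtime for recently modified files and
# a grep for PHP that evals a base64_decode/gzinflate/str_rot13 chain.

# ERE matching eval() fed by the decoding functions seen in the planted template.
OBF_PATTERN='eval *\( *(gzinflate|str_rot13|base64_decode) *\('

# Print PHP files under a web root that contain the obfuscation chain.
scan_obfuscated() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -lE "$OBF_PATTERN" {} +
}

# Print files under a web root modified within the last N days (find -mtime -N).
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# Files that are both recently modified and match the pattern: the ones to
# inspect first (the thread's advice: locate the script, then restore files).
suspect_report() {
    recently_modified "$1" "$2" | while IFS= read -r f; do
        if grep -qE "$OBF_PATTERN" "$f" 2>/dev/null; then
            printf 'SUSPECT: %s\n' "$f"
        fi
    done
}

# Constructed sample web root (temp dir): one clean template index and one
# planted with the same eval(gzinflate(str_rot13(base64_decode(...)))) shape
# as in the thread, with a harmless placeholder payload. It is never executed.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/templates/clean" "$dir/templates/planted"
    printf '<?php echo "hello"; ?>\n' > "$dir/templates/clean/index.php"
    printf '<? eval(gzinflate(str_rot13(base64_decode("QUJD")))); ?>\n' \
        > "$dir/templates/planted/index.php"
    echo "$dir"
}

# Usage: sh scan.sh /path/to/webroot DAYS
if [ "$#" -eq 2 ]; then
    suspect_report "$1" "$2"
fi
```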
datahell
Elxis Team
Hero Member
Posts: 7682
« Reply #19 on: June 28, 2012, 14:02:14 »

This is the result of the attack, not the cause...

MadonaMady
Newbie
Posts: 14
« Reply #20 on: June 28, 2012, 16:40:54 »

> This is the result of the attack, not the cause...

yes I know that but I don't know how he got into my server :S
datahell
Elxis Team
Hero Member
Posts: 7682
« Reply #21 on: June 28, 2012, 18:47:35 »

If you don't know how your server was accessed, then it is sure that you don't know how to manage it, you haven't set it up at all and there is no security on the server. So, if you don't know how to manage a web server, why did you get a dedicated or virtual server? Find a good hosting company and buy normal hosting packages. You will only have to deal with your sites, as the server will be managed by people who know their job. You will be less anxious and your sites much more secure.

For all: I see many people buying dedicated/virtual servers while they know nothing about managing a server. A control panel such as plesk or cpanel does not make you a server admin. Buy normal hosting packages, don't pretend to be the server admin. Unfortunately there are professionals that also don't know how to manage web servers and sell hosting packages. This is awful. On the other hand there are experienced linux users who have small hosting companies with well configured web servers and excellent support. These are the best hosting solutions you will find on the internet for small to medium scale web sites.
« Last Edit: June 28, 2012, 18:52:28 by datahell »

@ndreas
Full Member
Posts: 127
« Reply #22 on: June 28, 2012, 20:55:35 »

I totally agree!!!

MadonaMady
Newbie
Posts: 14
« Reply #23 on: June 28, 2012, 23:55:55 »

Dear, this is not a dedicated server or a virtual one, this is shared hosting from justhost.com
I don't know about managing servers, so I will not buy a dedicated server
babis1
Hero Member
Posts: 1509
« Reply #24 on: June 29, 2012, 08:16:05 »

http://www.webhostingstuff.com/review/JustHost.html
I think before you buy something just search in google, e.g. search for "problems justhost.com"
from one post:
"I signup with Just Host.com, since its started my all websites are Hacked, all index page replace with hackes page. Just Host says change Databse password etc...but my website static pages only, every 2month your website will he hack, Just Host Not S...  read more ..."

datahell
Elxis Team
Hero Member
Posts: 7682
« Reply #25 on: June 29, 2012, 12:20:45 »

If multiple sites were hacked then the whole server was hacked and not only yours...