ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Hacked Site - How to upgrade

June 26, 2008 4:52pm

  • #1 / Jun 26, 2008 4:52pm

    Joey Trimmer

    128 posts

    So, one of my client’s EE sites got hacked and they are on the horrible host Network Solutions. I’ve been following all the proper steps and we may even just move them onto mediatemple or another better host if client approves. But before any of that happens I have a question about upgrading.

    Many files have been compromised and edited. I believe the hackers are scanning every directory for index.php or index.html and then proceeding to edit and add their spam links. There are also additional non-EE files that have been uploaded. They are currently running 1.6.0 and I now have 1.6.3 to upgrade them to. My concern is whether or not I should upgrade the hacked files on their current host before doing anything else. I assume this will overwrite all EE files that have been compromised.

    Also, from reading the KB on moving to another server I know it says to get the current version working on the new server before upgrading.

    To recap:
    - Do I upgrade on the hacked site first?
    - I don’t have the 1.6.0 version anymore to install if we get a new host

    I’ve backed up the DB, the template files and am in the process of backing up the entire site currently. My hope is we move to a new server by tomorrow but I’m not sure the proper procedure moving a current EE install that has been hacked into a new server. I am able to access the CP with no problems.

    thanks!

  • #2 / Jun 26, 2008 4:57pm

    Joey Trimmer

    128 posts

    Update from client: they don’t want to get a new host (yet). This sucks. So should I try and update to 1.6.3 then re-backup everything (including DB)? I just want to make sure everything is good because I need to wipe the ftp server of all files.

  • #3 / Jun 26, 2008 5:08pm

    Ingmar

    29245 posts

    Since you won’t be moving for now, just upgrade to the latest version and build. I suggest replacing all files. Yes, make a db backup before, then upgrade, get everything working and backup again. Well, that’s what I’d do, anyway.

  • #4 / Jun 26, 2008 5:11pm

    Joey Trimmer

    128 posts

    Yeah, I agree. Thanks Ingmar, just wanted to make sure I take the proper steps but it all sounds right. Will try upgrading now, since I’ve already got a backup.

  • #5 / Jun 26, 2008 5:13pm

    Lisa Wess

    20502 posts

    Hi, Joey,

    A few things to note: you will need to manually clean up config.php and path.php, and use those after you update.

    Also, have you yet discussed with your host where this attack came from?  We take security very seriously and want to make sure that you get fixed up and all is well.  You might also check for other PHP scripts to ensure that they don’t need security updates.

    Make sure NS knows what happens, and hound them for an explanation of where the attack came from.  Otherwise you may just find this keeps on happening.
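
An added example, not part of the thread and not ExpressionEngine code: one way to check a backup of the hacked site against a freshly unpacked release, so that edited files, uploaded files that an upgrade will not overwrite, and the config.php and path.php files that need manual cleanup are listed separately. The directory layout and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific files that always differ from a clean release: clean by hand.
REVIEW_BY_HAND = {"config.php", "path.php"}

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(clean_root, live_root):
    """Classify files in the live copy against a clean release tree."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "extra": [], "review_by_hand": []}
    for rel, digest in live.items():
        if Path(rel).name in REVIEW_BY_HAND:
            report["review_by_hand"].append(rel)
        elif rel not in clean:
            report["extra"].append(rel)      # not shipped: an upgrade won't remove it
        elif clean[rel] != digest:
            report["modified"].append(rel)   # shipped file whose content was altered
    return report

def build_demo(base):
    """Constructed sample trees: a clean release and a tampered live copy."""
    files = {"index.php": "<?php // front controller\n",
             "system/core/core.php": "<?php // core\n",
             "system/config.php": "<?php // empty config\n"}
    for tree in ("clean", "live"):
        for rel, body in files.items():
            f = base / tree / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    live = base / "live"
    (live / "index.php").write_text("<?php // front controller\n<a href='#'>spam</a>\n")
    (live / "system" / "x.php").write_text("<?php // uploaded, not in the release\n")
    (live / "system" / "config.php").write_text("<?php $conf['db'] = 'site';\n")
    return base / "clean", live

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return compare(*build_demo(Path(tmp)))

if __name__ == "__main__":
    print(demo())
```

Run it against an offline copy of the site rather than the live server, and treat every path under `extra` as suspect until it is accounted for.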

  • #6 / Jun 26, 2008 5:21pm

    Joey Trimmer

    128 posts

    Hey Lisa, yeah I’ve talked with Network Solutions a couple times. You won’t believe it. Firstly, they disable error and access logs by default so we have no way of knowing who was accessing the server. And secondly, they said after I take all the steps I’m doing now, to upgrade to their “Watch Dog” service for an extra $15/month. Client wants to do “Watch Dog” until July before we move to a new host. But we are not staying with them for long. Pretty horrible service if you ask me.

    Good point on the config and path files. I’ve done some cleaning up already, this is actually the 3rd time that the server has been accessed. I cleaned it up twice and accessed the host and we just weren’t fast enough on getting the 1.6.3 upgraded, etc.

    Will upgrade to “Watch Dog” which will supposedly help prevent this and I’ve made sure access and error logs are freakin enabled!

  • #7 / Jun 26, 2008 5:25pm

    Lisa Wess

    20502 posts

    I am just utterly speechless.

    Your client seriously won’t entertain moving?

  • #8 / Jun 26, 2008 5:27pm

    Lisa Wess

    20502 posts

    Just to add to what I said, since I got over my initial shock - for less than that $15/month you could move to EngineHosting and get an incredibly secure, highly optimized hosting solution, with the most knowledgeable and best support you’re likely to come across.

    Just something to consider.

  • #9 / Jun 26, 2008 5:27pm

    Joey Trimmer

    128 posts

    Tell me about it! I feel the exact same way. Thankfully, client is just as angry as we are. They just don’t want to change hosts today. I guess they wanna wait until next week.

  • #10 / Jun 26, 2008 5:38pm

    Joey Trimmer

    128 posts

    HA! Totally, I told them MediaTemple but just told them EngineHosting as well. I can’t believe NS expects you to pay $15 more a month for a secure site.

  • #11 / Jun 26, 2008 8:29pm

    Joey Trimmer

    128 posts

    Hey guys, just an update to let you know everything went smoothly, even if it did take all day. Appreciate the support! I’ve made my case to move to a new host right away and now that we are upgraded to 1.6.3 when they do get new hosting it will go smoothly. Everything is as secure as I can get it on my end and if Network Solutions drops the ball they are going to get a very angry phone call.

    😊 Let’s hope client chooses EngineHosting!

  • #12 / Jun 27, 2008 2:11pm

    Lisa Wess

    20502 posts

    Glad to hear the update went well, and here’s to hoping that you move to a better host!
