I Think My Website Has Been Hacked

If you think your website has been hacked, it’s good to determine the nature of the hack as soon as possible. There’s many different types of hacks and some hacks can be malicious. Other hacks are just defacements to your actual webpages. We recommend that you regularly back up your website and store them on your local computer. If you ever have to restore your website, maintaining backups to do so can be invaluable.

How Can I Tell if My Website Has Been Hacked?

Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:

  • Your home page has changed. If you visit your website, and instead of seeing the page you have created you see something entirely different it’s likely that your page has been “defaced.” Normally, these types of hackers will have a “hacked by…” message displaying to take credit for the hack.
  • Your access to admin pages no longer exists. If you cannot access your admin section of your website, it’s possible the hacker has gained access to the administrator account or cPanel and altered the passwords.
  • You get a red Google Warning page. This is an indication that Google has scanned your website, and one of the Google bots has found some code that is known to be malicious. If this is the case, Google will display a red warning page.
  • Your computer’s anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
  • A page will not load but it used to. If you haven’t changed anything on your website and it is now not loading this could be a sign of a hack. This is not a typical hack but usually indicates that the hacker has modified a database so it no longer functions as it should.

How Was My Website Hacked?

The most common methods of hacking a website are:

  • Compromised Password to:
    • cPanel
    • Website or CMS Software
    • FTP
  • Code Injection
  • Remote File Inclusion
  • Outdated Website Software, such as:
    • Plugins
    • Addons
    • Themes

If you password has been hacked or compromised, this will typically be a defacement type of hack. If you use a content management system, the hack was usually done be exploiting the software. It is important when you use CMS software such as Joomla, WordPress, and OSCommerce to keep the software up to date.

How Can I Fix My hacked Website?

Each hack is different so it is extremely difficult to suggest an exact method to resolve a hacked site. Here are some general methods to fixing a hacked website:

  • Change your passwords to your account. This is the best practice for any hack. This is the quickest way to limit the access to the website. By doing this, you can limit the access to your account. You should change your WordPress, FTP, and cPanel passwords.
  • Update all programs used on your hosting account. If you use a third party shopping cart or CMS it’s important to keep that software up to date. This is because most updates are used to secure the actual software. As vulnerabilites are found the patches are released.
  • Update software on your local computer. Some programs such as Flash, have vulnerabilites that allow hacked to access data on your computer. We’ve seen some hacks even designed to search around for saved FTP credentials.
  • Run a malware or virus scan on your local machine. It is possible that you have picked up a piece of malware or virus that is copying your passwords.

For more information on fixing a hack, please see our article on recovering from a hack. Please see our Website Security article for more information on protecting your website.


Keeping your server secure is a full time job for any support staff. But that shouldn’t be the only focus. Read more about what makes InMotion one of the top hosting companies out there.

24 thoughts on “I Think My Website Has Been Hacked

  1. Thank you very much. The article was very helpful.
    I also want to ask about what kind of hack my website currently experiences. I recently noticed that another website (domain) is stealing contents from my website and updates immediately I update anything on my website.

    I checked online and found that it could “domain allias” but I need someone here to help me understand this better and to provide solution(s) on how to fix this.
    Thank you

    1. A domain alias is usually setup by adding a parked domain. But, this would need to be setup within the same account as your main site, so most likely this is not what is being done.
      You may want to perform a WHOIS lookup to see who owns the domain that is copying your content and where it is registered. There is often an “abuse” address you can reach out to and report this type of thing.
      Thank you,
      John-Paul

  2. Hi,

    I am not sure if our website has been hacked or not. It is still looking the same and functions the same. Here is the problem:

    1.) We are having a “login section” for a database that is kept on the website

    2.) Anyone can register on this database by completing a form. We have updated recently the Captcha section which is supposidly preventing robot programs from completing the form

    3.) For the last few month we receive every day 4-6 false applications with totally bogus names, addresses etc. etc. These originate from all over the world – especially from the Eastern block countries. This is simply annoying and I would really like to know if this can be stopped

    4.) Just recently I got 2 emails adressed to the webmaster email attached to our website from Holland and from Germany. Both of them received soliciting emails requesting personal data. One pretended to be a bank. Therefore I presume that they somehow got hold of our email account.

    Well, have we been hacked or what is happening?

  3. We have been hacked.  I am lost as to the next steps.  Google is hopelessly complex.  There are pages that I cannot localte to delete.  How can you help?    Do I take it offline?  Will you delete my site?

  4. As a professional cyber incident responder, I would like to add my 2 cents. A hack is usually the result of many factors, and resolving the hack will not resolve the reasons for it in most cases. 

    Consider this: was it your behaviour as a webmaster which resulted in your website being badly maintained? Did you not ask for security from your web developers? 

    Think about these and when fixing the hack, try to resolve the vulnerabilities which led to it in the first place. 

  5. hi , our institution website is hacked.  it displays

     

    # Hacked by bRpsd~!

    IT Huh?? , Contact me on [email protected] for real IT (:

     

    i have the admin rights oly. but server is maintained by some other company.. I can enter into admin page… how to restore my website ??

     

    1. Hello Prabha,

      Sorry for the problem with the hack! If you’re a customer of InMotion and you have a backup, then I would suggest restoring the non-hacked backup of your site. Follow the recommendations of our article on recovering from a hack. If you don’t have a backup, then I highly recommend speaking with a developer/programmer to go through your website code to help recover it.

      I hope this helps to answer your question, please let us know if you require any further assistance.

      Regards,
      Arnel C.

  6. [Jacob M] Hello Francois, my name is Jacob M.  Thanks for contacting us today! 
    [Francois] hello Jacob
    [Jacob M] You could add a capcha that they have to type letters and numbers in order to post.
    [Francois] This is already the case, I even went to the code Cpanel/edit) of my page and intentionaly added an error in the link, so the page isn’t accessible but they still come through.
    [Jacob M] You might need to have a developer look into this. You can make a post here to have our developers take a look: https://www.inmotionhosting.com/support/questions/ask-a-question

    [Francois] ok i’ll try that

    1. Hello Francois,

      Thank you for your question. I looked at your site and noticed a really weak capture system in place. I recommend using a stronger captcha system, such as Google’s re-CAPTCHA. “reCAPTCHA frequently modifies its system, requiring hackers to frequently update their methods of decoding, which may frustrate potential abusers.” (source)

      Although this is a better method, it is still not 100% uncrackable.

      If you have any further questions, feel free to post them below.

      Thank you,
      John-Paul

  7. I also had my email account hacked last week and i managed to get some information at https://www.hackedemails.com/help-emails-hacked/ hope it helps others like it did for me

     

  8. My client’s website homepage also says “Hacked by bRpsd” — and InMotion was at the top of the list on Google for a search by that phrase. Is there something here that makes it vulnerable? This is a Drupal website, but so far it looks like they achieved access through CPanel or FTP, as opposed to hacking the Drupal admin (I may be wrong about that, just in the early stages of checking into it).

    1. Hello Lark,

      There are many reasons a hack can occur. The most often is due to the hacker gaining access to credentials through various means. Our article on what to do after a hack will help secure your site against a repeat incursion.

      Kindest Regards,
      Scott M

  9. My website, hosted by Inmotion, has been hacked this day:

    It says ‘Hacked by bRpsd!

    Can you help me fixing the problem, please?

    1. We recommend that you change any and all passwords, and then restore from any backups you may have been making. After doing so, be sure to check over all of your code for vulnerabilities and keep Drupal up to date at all times to ensure that security flaws are not present within the restored site.

  10. Focus on backups – that’s your best defense against hackers.

    I always say, “never trust your web host when it comes to backups.”

    Embrace a good backup methodolog, so that when these events occur, you’ll not lose hours of life attempting to recover from them. Enjoy!

    Jim Walker
    The Hack Repair Guy

  11. don’t you keep your websites virus free???????

    My website is not working…. WHAT am I PAYING FOR ???

    REally?   It has been over 2 hours since my email,,,, still aint heard from you AND

    have seen some bit on your help(less) page that says you don’t remove the virus?

    WTF

    I want a credit for my business site being non functional!  

    1. Hello angry, and sorry for the troubles.

      InMotion Hosting runs Mod Security rules on the server to help prevent websites from being attacked, and we also run scans for known malicious files and scripts.

      Unfortunately website attacks and hacking attempts are at all time highs, so it is imperative that you keep any website software that you’re running on your website up to date with all of the latest security patches.

      We keep the server up to date and secure, but unfortunately if you’re running older versions of software with known exploits in the wild available, it could only be a matter of time before your site could be hacked.

      I’ve written guides on both how to reinstall WordPress after a hack, as well as how to fix Joomla hacks and upgrade for security.

      However in your case it looks like you possibly are using some different website software called Soholaunch that we don’t have specific documentation for.

      It looks like you had your index.php file updated last on 3/14/2014 02:18 EDT. The file itself appears to be encrypted with this text:

      <?php // This file is protected by copyright law & provided under license. Copyright(C) 2005-2009 www.[SITE].com, All rights reserved.
      $OOO0O0O00=__FILE__;$OOO000000=urldecode

      I didn’t want to link to the [SITE] so I’ve replaced that above, but it looks like they’re a Chinese Micro Shield provider that encrypts PHP scripts. I took that encrypted code over to UnPHP.net and it defintely looked like a malicious file.

      It looks like they attacker also placed a /css/help.txt file on your account that stored the IPs of some search engines like Google. Then if those search engine requested your site, it would serve them the /images/index1.php script also uploaded maliciously, and this file was a spammy handbag page.

      They placed a copy of your original page at /css/index.php to serve to human visitors so that Google wouldn’t catch on to their hack. However it looks like with the encrypted script they were using it was failing to execute properly.

      I went ahead and cleaned up the hack, and restored your original index.php file to its proper location.

      I would recommend updating any of your passwords, especially related to your Soholaunch software to ensure an attacker isn’t just logging directly in. Then I’d work on transitioning away from the Soholaunch software, as it’s no longer being maintained and could lead to further security exploits down the road for you.

      – Jacob

Was this article helpful? Join the conversation!

Questions about our MailChannels Deployment? We have answers and are here to help!Learn More
+