I’ve been hacked by Ghost61

Received yesterday an email from the hosting company :

Dear Customer,

This afternoon we discovered some hacked customer sites. Since then we have been looking for the reason of the issue and are logging all affected sites.  We expect to restore all original sites around 22h. We continue to investigate the cause and we will also take further action.

We apologize for the inconvenience.

But I was busy experimenting with ubuntu server on another machine, so I read the mail this morning. Surfed to my sites and yes, me too.


What this guy or group did was pretty harmless : they replaced all index.php or index.html files by a custom index file. And not only my site was defaced as they called it, probably the whole server has been done. Luckely I have backups, I just have to replace all index files, sounds easy, but how many index files do you think you have ?
Lots of them 🙂
This blog contains about 13 index files. That is manual labor at the moment. And sometimes I install a plugin and don’t keep a copy offline. Lesson learned. Have to figure out how to sync an offline copy.