Our website hacked

Hello!

Our website http://www.leadingpractice.com/ has been hacked. When I first came to the frontpage, it was blank, and there was a short scroll text in the tab of my browser window (Chrome), saying something like “Hacked by Peyman Sayhiri” (not sure if I got that name right).

I noticed that there had been a 4kb index.html uploaded to our root directory on the shared server on which our website is hosted, so I downloaded it and tried to open it (but Avast stopped the process, thankfully).

Here is what Avast says about the file (it was moved to the virus chest):

Original file name: index.html
Size of the file: 3983
Category: infected files
Virus description: HTML:Defacement-V [Trj]

I tried deleting the file, but that did not open on the frontpage.

So what can I do about this?

PS: I will use the wordpress.org forums as well as our webhost to try and fix this problem, just thought I’d ask here too since I reckon there are some knowledgeable people in here.

Thanks for any help you can provide!

Sucuri: http://sitecheck.sucuri.net/results/www.leadingpractice.com/

First let us take a look here: http://www.site-scan.com/eng/show_headers.php?REQUEST=GET&URL=http://www.leadingpractice.com/&MODIFIED=0
Was it being detected by avast contact.php | {gzip}
Defacing a website simply means that we replace the index.html file with the defacement file.
The attacker finds a target website via searching for and finding vulnerability points on websites.
Also, PHP shell/web defacement tools can be used.
Keeping the CMS software up to date (free plug-ins, vulnerable themes) and using input and output validation can prevent a lot of awe.
Here I cannot see anything bad: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.leadingpractice.com&ref_sel=Google&ua_sel=ff&fs=1
To be more secure you can ask for the webserver software to have a better header security configuration.
I scanned here: http://cyh.herokuapp.com/cyh
Check all missing and warnings and see instructions in detail.
This is the only header properly configured:
Content Content-Type text/html; charset=UTF-8 Use ‘text/html;charset=utf-8’
http://whois.domaintools.com/leadingpractice.com You are on there with 918 other domains.
DNS report: http://www.dnsinspect.com/leadingpractice.com/1415606023

polonus
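As an added illustration that is not part of either post above: a small web-root check for the situation described in this thread, where an index.html appears beside a WordPress index.php and the browser tab shows "Hacked by ...". The function names, the sample tree and the "EXAMPLE" title are constructed for the example, and it assumes the host serves index.html ahead of index.php.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumption: the server's DirectoryIndex order serves index.html before index.php.
STATIC_INDEX = {"index.html", "index.htm"}
TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)
MARKER_RE = re.compile(rb"(hacked|defaced)\s+by", re.I)
WEB_EXT = (".php", ".html", ".htm", ".js")

def scan_webroot(root, recent_days=7, now=None):
    """Return (relative_path, reason) findings for a CMS web root, in path order."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = []
    for path in sorted(Path(root).rglob("*")):
        name = path.name.lower()
        if not path.is_file() or not name.endswith(WEB_EXT):
            continue
        rel = path.relative_to(root).as_posix()
        # 1. A static index beside the CMS front controller shadows the real site.
        if name in STATIC_INDEX and (path.parent / "index.php").exists():
            findings.append((rel, "static index shadows index.php"))
        # 2. Defacement-style wording in the page title (the browser-tab text).
        with path.open("rb") as fh:
            m = TITLE_RE.search(fh.read(65536))
        if m and MARKER_RE.search(m.group(1)):
            findings.append((rel, "defacement marker in title"))
        # 3. Web-served file changed recently; compare against known deploys.
        if path.stat().st_mtime >= cutoff:
            findings.append((rel, "recently modified"))
    return findings

def build_sample(root, now):
    """Constructed web root: a 90-day-old index.php plus a freshly written index.html."""
    front = Path(root, "index.php")
    front.write_bytes(b"<?php require __DIR__ . '/wp-blog-header.php';")
    os.utime(front, (now - 90 * 86400,) * 2)
    page = b"<html><head><title>Hacked by EXAMPLE</title></head></html>"
    Path(root, "index.html").write_bytes(page)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, time.time())
        print(*scan_webroot(d), sep="\n")
```

Deleting a flagged index.html only removes the symptom; the recently-modified list is the starting point for finding how the file was written.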