Old 06-25-2010, 07:57 AM   #1
keithwilliams
LQ Newbie
 
Registered: Apr 2010
Posts: 5

Rep: Reputation: 0
Server cracked - casper.txt, psy.tar.gz


My site - westnorfolkrspca.org.uk - suddenly went down yesterday. I am on holiday in Brazil and I got a text from the centre saying they couldn't access it. I got back to my son's apartment and logged on. The browser gave the message "site not available, server error". It is on a hosted system. I FTP'd in and found it had been wiped and there was a new set of files there: casper.txt, ckrid1.txt, gue, psy.tar.gz amongst others. On trying to edit the index.php file there I found it contained a message that this site has been blocked, and it also contained another address: kangnung.org/zb/bacok.txt. I set up a virtual host on my managed VPS, changed the A record in DNS to point to it and put up a page to explain to visitors what has happened. That was not accessible, but also another site which I had on that VPS - www.jogle2010.org.uk, a site raising money for a hospice by a long distance cycle ride - suddenly went down as well. FTP shows that everything is still there, but it's inaccessible now via the web.
I don't know what to do. It seems like the domain name westnorfolkrspca.org.uk is poisoning DNS. Please can anyone offer help and advice? On the hosted site I have no real root access to do a thorough cleansing, and the managed VPS is such that I cannot do a reformat etc. The VPS is running CentOS.
 
Old 06-25-2010, 09:29 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,261

Rep: Reputation: 2322
Complain loud as hell to your provider if you've no root access. It's probable _they_ were hacked, not you. Move the site if they don't come onside at once. They should have logs, and know who was scanning them. Also probable they were running old software so they made the hacker's job handier.

Your DNS is weird. I am getting 62.128.158.10 for westnorfolkrspca.org.uk. I'm in Ireland. Here's my traceroute to westnorfolkrspca.org.uk:
traceroute to 62.128.158.10 (62.128.158.10), 30 hops max, 46 byte packets
1 83.147.165.1 13.321 ms 11.200 ms 9.815 ms
2 83.147.162.22 11.675 ms 22.785 ms 11.552 ms
3 213.242.106.77 115.676 ms 198.302 ms 189.415 ms
4 4.69.136.98 27.579 ms 33.356 ms 36.061 ms
5 4.68.117.84 27.411 ms 27.357 ms 4.68.117.148 31.227 ms
6 195.50.91.138 28.528 ms 27.267 ms 27.698 ms
7 62.128.145.141 28.596 ms 26.099 ms 27.513 ms
8 62.128.145.173 46.751 ms 28.978 ms 37.162 ms
9 62.128.145.193 29.113 ms 28.422 ms 38.338 ms
10 62.128.158.10 29.294 ms 28.540 ms 29.664 ms

If that helps any, it seems DNS is OK; at least I can reach the IP.
bash-3.1$ traceroute -ni wlan0 www.jogle2010.org.uk
traceroute to jogle2010.org.uk (95.130.77.135), 30 hops max, 46 byte packets
1 * 83.147.165.1 10.534 ms 10.834 ms
2 83.147.162.22 110.646 ms 59.584 ms 11.339 ms
3 213.242.106.77 161.051 ms 203.248 ms 204.098 ms
4 4.69.136.98 40.119 ms 35.831 ms 36.155 ms
5 4.68.117.148 28.230 ms 27.412 ms 27.798 ms
6 195.50.91.138 31.332 ms 32.579 ms 28.607 ms
7 62.128.145.141 29.204 ms 27.896 ms 29.160 ms
8 62.128.145.173 31.126 ms 41.163 ms 32.617 ms
9 62.128.145.193 31.290 ms 29.192 ms 28.871 ms
10 95.130.77.135 32.535 ms 29.306 ms 28.814 ms
 
1 members found this post helpful.
Old 06-25-2010, 10:57 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
I'm gonna have to agree with business_kid on this one. Your options are highly limited if you've no root access. Every share on that machine is possibly impacted. Call up your hoster ASAP. I've actually been in this situation before...it sucks!
 
1 members found this post helpful.
Old 06-26-2010, 05:40 AM   #4
keithwilliams
LQ Newbie
 
Registered: Apr 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Many thanks for the replies. I am moving to a VPS elsewhere. I am also going to sort my own nameservers out and so no longer be reliant on the previous supplier. Will post an update when/if I find an answer to what has really happened.
 
Old 06-29-2010, 02:39 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
In addition to what's been said before, finding an IRC bot package, "Casper Bot Search", related and other files on your system means somebody managed to find and exploit a vulnerability in some software you run. Meaning your web stack is as solid as the holes in Swiss cheese. Meaning doing something like restoring a recent backup elsewhere is a waste of time. Before resurrecting your site elsewhere please ensure you run the latest version of the software you use and harden your O.S. and web stack properly.
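With FTP access only, the one thing the original poster can do himself is pull the docroot down and compare it offline against the last known-good backup. The following is an added example, not code from the thread or from any poster: it hashes both trees, lists added, removed and modified files, flags archive and loose text drops of the kind found here (casper.txt, psy.tar.gz), and pulls any remote address out of the PHP sources, since the defaced index.php carried one. The extension list, the temporary sample trees and the placeholder address example.invalid are all constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption: archives, scripts and loose .txt drops are not expected in this docroot.
SUSPECT_EXT = (".tar.gz", ".tgz", ".zip", ".pl", ".sh", ".txt")
# http(s) URLs or bare host/path references such as "host.tld/dir/file.txt"
URL_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+/[\w./-]+")

def manifest(root):
    """Relative path -> sha256 of every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def triage(good_root, live_root):
    """Diff an FTP-mirrored live tree against a known-good backup and flag oddities."""
    good, live = manifest(good_root), manifest(live_root)
    report = {
        "added": sorted(set(live) - set(good)),
        "removed": sorted(set(good) - set(live)),
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "suspect_files": sorted(p for p in live if p.endswith(SUSPECT_EXT)),
        "remote_refs": {},
    }
    for rel in live:  # a defaced PHP file often carries a pointer to a remote address
        if rel.endswith(".php"):
            with open(os.path.join(live_root, rel), errors="replace") as f:
                refs = sorted(set(URL_RE.findall(f.read())))
            if refs:
                report["remote_refs"][rel] = refs
    return report

def build_sample():
    """Constructed sample trees resembling the thread's findings (not real data)."""
    base = tempfile.mkdtemp()
    trees = {"backup": {"index.php": "<?php include 'site.php';", "site.php": "<?php echo 'ok';"},
             "ftp_mirror": {"index.php": "<?php // this site has been blocked\n// example.invalid/zb/bacok.txt",
                            "casper.txt": "(constructed drop)", "psy.tar.gz": "(constructed drop)"}}
    for tree, files in trees.items():
        os.makedirs(os.path.join(base, tree))
        for name, body in files.items():
            with open(os.path.join(base, tree, name), "w") as f:
                f.write(body)
    return os.path.join(base, "backup"), os.path.join(base, "ftp_mirror")
```

Run triage() on the real backup and mirror directories; the "modified" list is the set of files whose content the hosting provider should be asked about, and "remote_refs" gives the addresses worth blocking at the edge while the site is rebuilt.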
 
  

