
Hacked

Status
Not open for further replies.
I have many hosting accounts in the UK and US.
One of them at 4am this morning had been hacked and an index.html file uploaded to all the domains in the account.
Most of the sites (99%) were not important when defaced briefly, so not too bothered.

The only data lost was if the site had an index.html file overwritten, but a restore sorted that out.

I have around 150 + on the account mainly 1 - 2 pagers waiting for Dev using index.html format and also the odd WordPress Install.

So a few questions:

  • If all sites, both WP and non-WP, got hacked, can I rule out a WP plugin injection code attack? Is this correct thinking?
  • I'm guessing they had FTP login details, which gain access to all sites in that account. Would this be the obvious method?

Check your sites as I'm sure these are on a spree TBH.

I am in the process of moving all domains to one account in the UK and security on it is really high, the way access is granted etc., so this has just made me speed the process up.

Live and learn people! :rolleyes:
 
More often than not it's a password stealer on the computer. Checking your PC out would be the first job.
 
Join the club! I had my US account hacked a few days ago. Now the interesting thing. I am only accessing my hosting from a Linux box. My host, though quite helpful, was trying to convince me on the PW issue. Now he is looking to find any *nix trojan to prove it :grin:

I think they had a server-level problem, as only FTP passwords are affected, I did change them all, requested full logs to go through. The case is ongoing.

P.S. Former sysadmin :cool:
 
:cool: think I'll add that to my default install plugins

Cheers :


Looking to find out how or where they gained access so should make an interesting find.
 
If it's not a dedicated server I would ask the host if their servers got hacked, as I've seen this before and it was actually a server hack, not a site-specific one. You may find if it's shared hosting it's happened across the board.
 
Changed all passwords a few times from noon yesterday and 9 pm last night and all sites seemed good until midnight.

Went to bed, just checked sites again and they now have redirects in the index.HTML to an ad that leads to the hacker's site.

Scanned computer, no infections and changed passwords on iPad.

I've had no real "oh my god" response from the ISP this needs sorting.

Just we'll do a restore, which I thought was strange!

Going on the above what's it looking like? :confused:

I'll be shifting all sites away today anyway now if it's been done through access and not hidden code in the sites.
 
I think the biggest fail for the hosting account/s is that the main login gives access to ALL sites in the account!

Other ISPs I use like Heart have so much in place to prevent this kind of thing happening it was annoying (at first) but can see why they do this.
 
First off - I'm no expert but had it happen to me once before.

It's not your computer/account necessarily - it's the server being hacked via WordPress / some other vulnerable piece of software. Once they get in (if it's a shared host) every index.xxx will have either some JavaScript code added on, or some hyperlinks added to the hacker(s) sites - proper black hat SEO!

Nothing you can do as it may not be your account they are coming in through - it's the entire shared/reseller server - if you do a reverse IP lookup and find some other domains on the same IP/server I'm sure they'll have the same problem.

I only had the problem with US hosting - since moved to UK didn't happen again.
 
Checked other domains on the same server with reverse lookup and they don't seem to have been affected (the few I have checked).
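
The index.* tampering described in this thread (replaced pages, added JavaScript, redirects to an outside site) can be triaged across a whole hosting account with a short scan. This is an added example, not code from any poster; the `scan_account` and `external_host` names, the patterns and the sample domains are assumptions, and the regexes are heuristics that will not catch obfuscated code.

```python
import os
import re
from urllib.parse import urlparse

INDEX_NAME = re.compile(r"^index\.\w+$", re.I)  # index.html, index.php, ...
# Heuristic patterns (assumed, not exhaustive); group 1 is the target URL.
PATTERNS = {
    "meta-refresh": re.compile(rb"<meta[^>]+http-equiv=[\"']?refresh[^>]*?url=\s*[\"']?([^\"'>\s]+)", re.I),
    "js-redirect": re.compile(rb"location(?:\.href)?\s*(?:=|\.(?:replace|assign)\()\s*[\"']([^\"']+)", re.I),
    "external-script": re.compile(rb"<script[^>]+src=[\"']?([^\"'>\s]+)", re.I),
}

def external_host(url_bytes, own_domains):
    """Return the host if the URL points outside own_domains, else ''."""
    try:
        host = (urlparse(url_bytes.decode("latin-1")).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return "unparseable"
    own = any(host == d or host.endswith("." + d) for d in own_domains)
    return "" if own else host  # relative URLs have no host and are skipped

def scan_account(root, own_domains, since_epoch):
    """Return sorted (relative_path, reason, detail) tuples for index.* files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(INDEX_NAME.match, files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getmtime(path) >= since_epoch:
                findings.append((rel, "modified-since", ""))
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # index pages are small; cap the read
            for reason, rx in PATTERNS.items():
                for m in rx.finditer(data):
                    host = external_host(m.group(1), own_domains)
                    if host:
                        findings.append((rel, reason, host))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile, time
    # Constructed sample: one docroot whose index page was rewritten with a redirect.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site-b.example"))
        with open(os.path.join(root, "site-b.example", "index.html"), "wb") as fh:
            fh.write(b"<meta http-equiv='refresh' content='0; url=http://ads.example.net/x'>")
        for finding in scan_account(root, {"site-b.example"}, time.time() - 86400):
            print(finding)
```

Modification times only narrow the window; a restore resets them, so compare against the host's FTP and access logs as well.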
 