My friend's web server has been hacked.

webdunce
I don't know if this is even something that y'all discuss here...my apologies if it isn't (or if I've put it in the wrong section).

My friend has a reseller account with hosting24 (and I'm pretty sure it's a shared host). It's very small...just a handful of sites. He contacted me because one of his sites was not displaying correctly in IE. It was a wordpress theme I had thrown together for him as a favor. He figured it was a CSS issue and was busy, so he was hoping I could fix it for him.

I studied the theme files...they were all fine.

But when I viewed source, there is this huge obfuscated javascript inserted at the beginning of the HTML...even before the doctype. Also, when viewing the site's DOM (for example, Google Chrome's "Inspect Element" option), I discovered that there was a mysterious iframe element and that all the elements that should be in the head were in the body.

The iframe contains a site that antivirus software blocks and/or warns about. The domain in the iframe is a known source of malware/spyware.

I eventually figured out that the javascript code had been inserted into the index.php file in the site's root folder. This is a file that one rarely deals with in a wordpress environment.

Then I discovered that, actually, it was inserted into every index.php or index.html file in every site's root folder.

But, if I remove it, it just reappears a few hours later (in all his sites). I suspected that either my PC or my friend's PC had malware (a keylogger, for example) that watches us enter the password to his cpanel.

So, I advised that we both only access his cpanel while running our PCs from a linux liveCD. This we did, and changed his cpanel password and removed the strange javascript again.

Woke up this morning and the javascript is back.

This, to me, means the attack is outside of our PCs...possibly on the server itself (perhaps a sql injection?), or some script is monitoring the http traffic from my friend's computer (I rarely interact with his sites).

He asked his hosting company to check the server itself for malware, but their response was that their servers run linux and thus cannot be infected.

Frankly, my next step would be to rent server space with another server, and rebuild each site by copying-n-pasting the content (so that one ended up with brand-new wordpress databases), and delete everything (including databases) off his current host.

But, I was hoping, somewhere out there is someone who has encountered this issue and knows an easier solution...

And I fully understand if this is not an issue this forum deals with...I'll try others, if not.

(I can provide an example link to one of the infected sites if requested to do so...I don't want to appear like I'm linkbuilding...and it's possible that no links are necessary and that only a description of the issue is needed.)

Thanks.
--Will
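The symptom described above (a `<script>` wedged in before the doctype of every index file, which comes back hours after being removed) is easiest to chase with two small tools: a detector for the leading injection and a hash baseline of the whole web root, so the next re-infection shows exactly which files changed, including any dropper that is not an index file. The following is an added example, not code from this thread; the sample files, the `INDEX_NAMES` set and the `demo()` tree are constructed here, and the rule "a `<script>`/`<iframe>` before `<!DOCTYPE`, `<html` or `<?php` is suspect" is an assumption about what a clean index file looks like.

```python
import hashlib
import os
import re
from pathlib import Path
from typing import Optional

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

# Where legitimate content begins: the doctype/html tag of an HTML file, or the opening
# <?php of a WordPress index.php (the root one is pure PHP and has no doctype at all).
# A <script> or <iframe> that appears BEFORE any of these is not something a theme or
# stock WordPress would emit (assumption for this example).
DOC_START = re.compile(rb"<!DOCTYPE\b|<html\b|<\?php", re.IGNORECASE)
INJECTED_TAG = re.compile(rb"<script\b[^>]*>|<iframe\b[^>]*>", re.IGNORECASE)
HEAD_BYTES = 4096  # how much of a file with no recognisable start to inspect

# Constructed samples modelled on the post (not the real injected payload).
INJECTED_JS = b'<script>if(window.document)aa=/s/g.exec("s");/* obfuscated payload */</script>\n'
CLEAN_HTML = (b'<!DOCTYPE html>\n<html><head><title>Wellness</title>'
              b'<script src="app.js"></script></head><body></body></html>\n')
WP_INDEX_PHP = b"<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"


def detect_injection(content: bytes) -> Optional[str]:
    """Return the first ~60 bytes of a <script>/<iframe> that precedes the document start, else None."""
    doc = DOC_START.search(content)
    prefix = content[: doc.start()] if doc else content[:HEAD_BYTES]
    m = INJECTED_TAG.search(prefix)
    if not m:
        return None
    return prefix[m.start(): m.start() + 60].decode("latin-1", errors="replace")


def scan_webroot(root: Path, names=INDEX_NAMES):
    """Yield (path, snippet) for every index file under root that carries a leading injection."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in names:
                p = Path(dirpath) / name
                snippet = detect_injection(p.read_bytes())
                if snippet:
                    yield p, snippet


def snapshot(root: Path) -> dict:
    """sha256 (and mtime, for display only) of every regular file under root.

    Compare hashes, not mtimes: a dropper can restore timestamps with touch(), so
    `find -mtime` alone can miss the files it rewrote."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue
            out[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(), p.stat().st_mtime)
    return out


def diff_snapshots(before: dict, after: dict):
    """Return (added, removed, changed) relative paths between two snapshots."""
    b, a = set(before), set(after)
    changed = sorted(p for p in a & b if after[p][0] != before[p][0])
    return sorted(a - b), sorted(b - a), changed


def demo():
    """Build a constructed two-site tree, scan it, then simulate a re-infection and diff."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "site1").mkdir()
        (root / "site2").mkdir()
        (root / "site1" / "index.html").write_bytes(CLEAN_HTML)
        (root / "site2" / "index.php").write_bytes(INJECTED_JS + WP_INDEX_PHP)
        found = sorted(str(p.relative_to(root)) for p, _ in scan_webroot(root))
        baseline = snapshot(root)                      # taken after cleaning, in real use
        (root / "site1" / "index.html").write_bytes(INJECTED_JS + CLEAN_HTML)  # "it came back"
        _added, _removed, changed = diff_snapshots(baseline, snapshot(root))
        return found, changed


if __name__ == "__main__":
    found, changed = demo()
    print("injected index files:", found)
    print("files changed since baseline:", changed)
```

In practice you would run `snapshot()` once over the account's home directory right after cleaning (and store the result off the host), then re-run and `diff_snapshots()` when the script reappears; whatever changed besides the index files is where to look for the thing doing the writing.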
 
Here is one (there's like 10 or 15)...

wellnesscandles.com

The above site is an HTML site and not a wordpress site...my friend apparently removed the javascript from the site I designed...so it's gone for now.

Be warned, that there is a hidden iframe...if your antivirus doesn't block it, you are exposing your PC to malware.
 
What's the site name where the code is reappearing? I did a quick reverse IP check and looked into 10-15 sites; none were infected.
 
That is one of them...well...it redirects to the .net domain...forgot about that...but if you view source, you will see that the very first thing in the HTML is...

<script>if(window.document)aa=/s/g.exec("s")...

I keep removing that script and it keeps coming back....it'll stay gone for a few hours, but it always reappears....
 
Well, I know that, but I was talking about other websites on the same server. Can you paste what's inside the .htaccess file?
 
Will,

His provider needs to run a scan regardless of whether it's Linux or not. I have a question though: where did you get the wordpress package from? I'm curious if you downloaded it from a random site. A lot of bored programmers tend to play jokes and embed little scripts inside of packages/executables that install malware in several places. From your statement above it seems as if his host doesn't care much to even take the time to look into this issue, which would make me leave in a heartbeat if I were the client.
 
The javascript's apparent result is the creation of a malicious iframe (that is hidden) for a domain that is known to be a malware portal.....shown below but kind of separated so that it is in no way a link or even easy to copy-n-paste into a browser or anything...

tds73 (dot) 4mydomain (dot) com/stds/go.php?sid=1
 
@aim2colo,

Well, I created one theme for him...he uses fantastico to install wordpress...no idea where he gets other themes, plugins, and such.
 
That's not an issue of where you get the script; the issue is what makes it execute at a certain interval of time. Surely the above-mentioned site is not a wordpress site. So we have to look at what makes it execute. If you have a .htaccess file, then paste what's inside it.
 
@bullten

Here is the .htaccess file in the root, but each site has its own .htaccess:

RewriteEngine on

RewriteCond %{HTTP_HOST} ^mydesigngraphics.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.mydesigngraphics.com$
RewriteRule ^freeseo$ "http\:\/\/mydesigngraphics\.com\/DG\/free_marketing\-seo\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.mydesigngraphics.com$
RewriteRule ^seo$ "http\:\/\/mydesigngraphics\.com\/DG\/marketing\-seo\-website_optimization_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.mydesigngraphics.com$
RewriteRule ^marketing$ "http\:\/\/mydesigngraphics\.com\/DG\/marketing\-seo\-website_optimization_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.mydesigngraphics.com$
RewriteRule ^marketing\/seo$ "http\:\/\/mydesigngraphics\.com\/DG\/marketing\-seo\-website_optimization_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^custom\-websites$ "http\:\/\/mydesigngraphics\.com\/DG\/custom_websites\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^custom_websites$ "http\:\/\/mydesigngraphics\.com\/DG\/custom_websites\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^customwebsites$ "http\:\/\/mydesigngraphics\.com\/DG\/custom_websites\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^referrals$ "http\:\/\/mydesigngraphics\.com\/DG\/referral_program\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^FreeSEO$ "http\:\/\/mydesigngraphics\.com\/DG\/free_marketing\-seo\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^links$ "http\:\/\/mydesigngraphics\.com\/DG\/search_link_directory\/links\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^portfolio$ "http\:\/\/www\.mydesigngraphics\.com\/DG\/portfolio_online\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^customgraphics$ "http\:\/\/mydesigngraphics\.com\/DG\/custom_business_card_design\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^index\.html$ "http\:\/\/mydesigngraphics\.com\/" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^resume$ "http\:\/\/mydesigngraphics\.com\/DG\/resume_online\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^freebacklinks$ "http\:\/\/mydesigngraphics\.com\/DG\/free_oneway_backlinks\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^backlinks$ "http\:\/\/mydesigngraphics\.com\/DG\/oneway_website_backlinks\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^contact$ "http\:\/\/mydesigngraphics\.com\/DG\/contact\.php" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^DG\/hosting\-domain_features\.html$ "http\:\/\/mydesigngraphics\.com\/DG\/web_site_hosting\-domains_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^DG\/marketing\-seo_services\.html$ "http\:\/\/mydesigngraphics\.com\/DG\/marketing\-seo\-website_optimization_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^hosting$ "http\:\/\/mydesigngraphics\.com\/DG\/web_site_hosting\-domains_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^domains$ "http\:\/\/mydesigngraphics\.com\/DG\/web_site_hosting\-domains_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^domain$ "http\:\/\/mydesigngraphics\.com\/DG\/web_site_hosting\-domains_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^DG\/web_hosting\-domains_services\.html$ "http\:\/\/mydesigngraphics\.com\/DG\/web_site_hosting\-domains_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^onlinemarketing$ "http\:\/\/mydesigngraphics\.com\/DG\/marketing\-seo\-website_optimization_services\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^payments$ "http\:\/\/mydesigngraphics\.com\/DG\/custom_website_payment_plans\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^web\/backlink\-membership\-email\-log\-in\/$ "http\:\/\/mydesigngraphics\.com\/web\/wp\-admin" [R=301,L]

RewriteCond %{HTTP_HOST} ^mydesigngraphics\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydesigngraphics\.com$
RewriteRule ^freewordpresstheme$ "http\:\/\/mydesigngraphics\.com\/web\/website\-design\-development\-pensacola\/custom\-wordpress\-theme\/" [R=301,L]


SetEnvIf CF-IPCountry CN BuzzOff=1
SetEnvIf CF-IPCountry RU BuzzOff=1
SetEnvIf CF-IPCountry IN BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff

The last 6 lines were an attempt we made to block traffic from countries we thought might be doing this...something I found online somewhere...I'm not a htaccess guru, but it didn't look like it would harm anything...it certainly didn't help.

I don't know where all the other lines come from...neither I nor my friend knows anything about htaccess (I can do some simple redirects if I move a page, but that's about it).
 
wellnesscandles.com has htaccess of...

RewriteEngine on

RewriteCond %{HTTP_HOST} ^wellnesscandles\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.wellnesscandles\.com$
RewriteRule ^(.*)$ "http\:\/\/wellnesscandles\.net\/$1" [R=301,L]

wellnesscandles.net has htaccess of ...

RewriteEngine on

RewriteCond %{HTTP_HOST} ^wellnesscandles\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.wellnesscandles\.net$
RewriteRule ^specials$ "http\:\/\/wellnesscandles\.net\/specials_wellness_candles_real_soy\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^wellnesscandles\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.wellnesscandles\.net$
RewriteRule ^fragrances$ "http\:\/\/wellnesscandles\.net\/fragrances_wellness_custom_soy_candles\.html" [R=301,L]

RewriteCond %{HTTP_HOST} ^wellnesscandles\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.wellnesscandles\.net$
RewriteRule ^pricing$ "http\:\/\/wellnesscandles\.net\/pricing_wellness_candles_real_soy\.html" [R=301,L]
 
Hmmm... There is nothing wrong in either .htaccess file. If you are comfortable, PM me the cpanel details for this website, wellnesscandles.com. Let me analyse and provide you a solution.
 
Well, I appreciate the offer, but what I'm going to do right now is put a javascript at the end of each index file that removes the iframe element (since none of his sites should have an iframe)...that's what the malicious javascript does: insert the iframe. So, I'll just remove it, and they can keep their javascript there for now.

edit:
Actually, this might be useless...their script will always execute first...creating the iframe element...possibly infecting the user's computer before my script removes the iframe element.

:(
 
My problem is that files are being edited on the web host by some script.

What are some things that can cause this?

1. Spyware that captures our cpanel login info, then uses that to access the host.

2. HTTP traffic is being monitored somewhere between my friend's computer and his host...his cpanel login is being captured

3. one of the above methods has been used to capture his username...brute force is used to figure out the password (unlikely that his host would allow unlimited login attempts)

4. His host, despite Hosting24's opinions about Linux, has been infected with a malicious script that routinely checks and edits the files.

5. What else????

Can SQL injections do this? Seems like they would be limited to affecting the wordpress site using the SQL database. But we are having plain html sites being affected, too.
 
Definitely an exploit within the site. A full investigation needs to be run to find out latest files modified and latest files uploaded and accessed. Your web host should be able to assist with this if you don't know how.

A malware scan needs to be run on the server to find where the injection is happening.

Since you're dealing with wordpress, a lot of people have found exploits in the UPLOADS folder. Check that area for any unusual files. Check the tables to make sure there's only ONE administrator etc.

The web host claiming that it's Linux and therefore can't be infected is incorrect. They really need to run an investigation on their end - and you really need a new host that doesn't ignore the issue at hand.

Check the uploads folder, check the plugins (make sure they're up to date), disable W3Cache (if you have it enabled), check cron jobs, scan http logs to see if any odd files are being executed.

There's a TON that your host can be doing to help, but if they're taking the lazy approach and saying "no, can't be us" and not providing any assistance, you need a new host!
 
@Will

Now I understand why you can't share the login for that website (http://mydesigngraphics.com/wellnesscandles.net/).

I don't know why webmasters keep 10-20 websites under a single cpanel username.

You are the one making it more risky. A single site gets hacked and it's going to infect all the other websites. It's not a problem with your web server provider; it's just you who has been hacked.

Check all the other site hosted under that cpanel username and you definitely need your web host provider assistance.
 
I noticed in the logs that the only other "person" to access one of the affected files was wp-cron.php...hmmmm.

Specifically...

{base url}/wp-cron.php?doing_wp_cron=1329752927
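Two earlier suggestions in this thread were to scan the HTTP logs for odd files being executed and to look at the uploads folder, and the wp-cron.php hit above is the kind of entry that a quick triage over the access log turns up. The following is an added example, not code from anyone in this thread: it parses Apache/cPanel combined-format access-log lines and flags requests for PHP files under `wp-content/uploads/`, POSTs to PHP files that are not normal WordPress entry points, and wp-cron.php requests that do not come from the server's own address (WordPress triggers wp-cron.php with a loopback request from the server itself, so a foreign source IP on that URL is worth a look). The log lines, IP addresses and the `EXPECTED_POST` set are constructed here and are assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Apache/cPanel "combined" access-log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP entry points that receive POSTs on a stock WordPress install (assumption: no
# plugin-specific endpoints). Any other PHP file receiving a POST deserves a look.
EXPECTED_POST = {"/wp-login.php", "/wp-comments-post.php", "/wp-cron.php", "/xmlrpc.php"}
EXPECTED_POST_PREFIX = ("/wp-admin/",)

# Constructed sample lines (RFC 5737 documentation addresses), not traffic from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2012:10:02:07 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2012:10:02:08 -0600] "POST /wp-cron.php?doing_wp_cron=1329752927 HTTP/1.0" 200 0 "-" "WordPress/3.3.1; http://example.com"
198.51.100.23 - - [20/Feb/2012:10:05:41 -0600] "POST /wp-content/uploads/2012/02/img.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Feb/2012:10:05:43 -0600] "GET /wp-content/uploads/2012/02/img.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Feb/2012:10:06:10 -0600] "POST /wp-content/themes/custom/footer.php HTTP/1.1" 200 1400 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Feb/2012:10:06:30 -0600] "GET /wp-cron.php?doing_wp_cron=1329752930 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.55 - - [20/Feb/2012:11:30:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["target"].split("?", 1)[0]   # strip the query string
            records.append(rec)
    return records


def triage(text, server_ip=None):
    """Return (reason, ip, target) tuples for requests worth checking by hand."""
    findings = []
    for r in parse_log(text):
        path = r["path"]
        is_php = path.lower().endswith((".php", ".php5", ".phtml"))
        if is_php and "/wp-content/uploads/" in path:
            # Uploads should hold media only; executable PHP there is a classic dropped shell.
            findings.append(("php_in_uploads", r["ip"], r["target"]))
        elif path == "/wp-cron.php" and server_ip and r["ip"] != server_ip:
            # WordPress spawns wp-cron.php via a loopback request from the server itself.
            findings.append(("wp_cron_from_outside", r["ip"], r["target"]))
        elif (r["method"] == "POST" and is_php and path not in EXPECTED_POST
              and not path.startswith(EXPECTED_POST_PREFIX)):
            findings.append(("unexpected_post", r["ip"], r["target"]))
    return findings


def activity_by_ip(text, ips):
    """Everything the given source IPs requested, in log order: the pivot from one hit to the whole session."""
    out = defaultdict(list)
    for r in parse_log(text):
        if r["ip"] in ips:
            out[r["ip"]].append((r["ts"], r["method"], r["target"], r["status"]))
    return dict(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, server_ip="203.0.113.7")   # assumed address of the web server
    for reason, ip, target in hits:
        print(f"{reason:22} {ip:15} {target}")
    suspects = {ip for _, ip, _ in hits}
    for ip, reqs in activity_by_ip(SAMPLE_LOG, suspects).items():
        print(f"\nall requests from {ip}:")
        for ts, method, target, status in reqs:
            print(f"  {ts} {method} {target} -> {status}")
```

On a cPanel account the raw logs usually live under `~/access-logs/` or `/usr/local/apache/domlogs/`; feeding a whole day of those through `triage()` and then `activity_by_ip()` on the flagged addresses is normally enough to see what the first request to the dropped file was, and therefore which file it was dropped through.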
 