  1. #1

    My sites on hostgator keep getting hacked

    I have been a very happy customer of hostgator for more than 2 years now and still have no issues with them except the one below.

    My sites (wordpress) keep getting hacked. It's the same thing all the time, hacker adds one iframe script code to end of index.php

    I checked the permissions of index.php and it's always 644 (standard).

    Is it just my site or is it common at hostgator?

    (by the way I changed my password, but it's still same old same old)

  2. #2
    Join Date
    Jul 2008
    Location
    Eta Carinae
    Posts
    2,672
    Are you using any plugins that may be exploitable? I highly doubt it's common with hostgator since it just happens to your wordpress sites - usually happens when you have a plugin that's vulnerable to getting hacked. And wordpress is a common cms to get hacked - phpBB is the forum cms that gets hacked a lot (I know phpbb2 had a lot of issues)

    if you truly believe that it's hostgator you could always try out another company and see how that goes.

  3. #3
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    7,223
    Have you done a virus scan on your PC/laptop etc? There are various viruses still circulating that steal FTP info when you connect when infected. This normally results in iframe hacks. Seen it many times in the last 3 months.
    Laurence Flynn @ HostNEXUS.com
    Managed WordPress Hosting Solutions
    Focused on speed. Obsessed with security.

  4. #4
    If this was common at HostGator, considering how large their client base is, I'm sure the forum would be full of threads like yours.

    It's only you. You're running a plugin that is out of date/exploitable, or you're running an out of date version of wordpress. You need to always run the latest version of wordpress, as well as all plugins. If you're running plugins that haven't been updated for a while, chances are, the author dropped the plugin and isn't updating it any more, so get rid of it as well.

  5. #5
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Quote Originally Posted by NexDog View Post
    Have you done a virus scan on your PC/laptop etc? There are various viruses still circulating that steal FTP info when you connect when infected. This normally results in iframe hacks. Seen it many times in the last 3 months.
    I'm with this option, I saw a lot of people having the same problem, when we check the ftp logs, we found that an IP from Ukraine logged in in 1 attempt with the username/password of the account and downloaded/uploaded the files with the iframe on it.
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  6. #6
    Join Date
    Mar 2009
    Location
    India
    Posts
    1,233
    I do not think it is common with Hostgator.

  7. #7
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Have you updated your copy of WordPress? There have been some exploits discovered that would allow access to your account.

    Also if they did gain access and uploaded a shell .php script (that looks like a part of wordpress) they could continue to access your account even after you upgrade WordPress.

    I would suggest you download your entire /public_html and then run a virus scanner on it and delete any files it labels as malicious or backdoors and then re-uploading and updating your WordPress installation.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  8. #8
    Join Date
    Nov 2007
    Location
    England
    Posts
    239
    It will definitely be some kind of plugin you are using.

    If you are changing the password every time and it still happens, then they are coming in through the plugin.

    Try removing some plugins on a try&test method, you may find the culprit eventually.

  9. #9
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by VPSRight View Post
    It will definitely be some kind of plugin you are using.

    If you are changing the password every time and it still happens, then they are coming in through the plugin.

    Try removing some plugins on a try&test method, you may find the culprit eventually.
    It could be *ANY* script installed even WordPress itself... I've seen it numerous times.

  10. #10
    Join Date
    Nov 2007
    Location
    England
    Posts
    239
    True. I've never dealt with Wordpress so I can't comment.

    However, I do know that many sites are hacked through applications/plugins etc.

  11. #11
    Quote Originally Posted by MikeDVB View Post
    Have you updated your copy of WordPress? There have been some exploits discovered that would allow access to your account.

    Also if they did gain access and uploaded a shell .php script (that looks like a part of wordpress) they could continue to access your account even after you upgrade WordPress.

    I would suggest you download your entire /public_html and then run a virus scanner on it and delete any files it labels as malicious or backdoors and then re-uploading and updating your WordPress installation.
    Along with this, I would suggest you remove any password which you may have saved in your FTP client to avoid Gumblar attack, if any.

  12. #12
    Join Date
    Mar 2009
    Location
    Texas
    Posts
    942
    I just had a client get his Wordpress site hacked as well. Wordpress released an update not long ago, and he didn't update. Have you updated to the latest version of Wordpress?

  13. #13
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    3,785
    Quote Originally Posted by Jedito View Post
    I'm with this option, I saw a lot of people having the same problem, when we check the ftp logs, we found that an IP from Ukraine logged in in 1 attempt with the username/password of the account and downloaded/uploaded the files with the iframe on it.

    We saw this happening maybe 8 months ago or earlier and I hadn't seen many posts about it at the time. It seems to be really catching steam now almost daily posts about x host and a users site continually getting hacked. It's changed a little bit recently but still the same thing. Tough to explain to a user it's their computer with a virus resulting in the ftp passwords being stolen that's for sure.
    Tony B. - Chief Executive Officer
    Hawk Host Inc. Proudly serving websites since 2004
    Quality Shared and Cloud Hosting
    PHP 5.2.x - PHP 8.1.X Support!

  14. #14
    Quote Originally Posted by TonyB View Post
    Tough to explain to a user it's their computer with a virus resulting in the ftp passwords being stolen that's for sure.
    Guys, what do you do in this scenario? How do you explain it to the users?

  15. #15
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by TonyB View Post
    We saw this happening maybe 8 months ago or earlier and I hadn't seen many posts about it at the time. It seems to be really catching steam now almost daily posts about x host and a users site continually getting hacked. It's changed a little bit recently but still the same thing. Tough to explain to a user it's their computer with a virus resulting in the ftp passwords being stolen that's for sure.
    Yep - most clients automatically assume that if their account is compromised that it's the host's fault for not securing their server properly.

    Even when you explain there are hundreds of domains on the same server and that only their account was compromised, and you show them evidence of how it happened and why it happened... Many still blame the host in the end.

    I don't know how many times I've even had somebody transfer in and then claim that their site was hacked on one of our servers - when I look at the backup file from when they transferred in - the backup contained the files that were already compromised!

    Oh well.

  16. #16
    It's not HostGator, it's your out-dated and/or insecure scripts. When you use a popular web script like Wordpress any vulnerability is going to be well known; and weak scripts are easy to find and exploit. I work for a large host and we see Wordpress compromised a lot. Keep your stuff up-to-date and keep good backups. Often times by the time you see a site has been compromised the host's backups do not go far enough back to restore from a "clean" version.
    cPanel Hosting
    Site5.com - Best support in the hosting business!

  17. #17
    More often than not, disabled plugins are left in the plugin directory. Unfortunately, this can be a security risk. So, be sure to remove any disabled or unnecessary plugins.
    SUPPORT FACILITY | 24/7 TECH SUPPORT
    SERVER MANAGEMENT | WEB HOSTING SUPPORT | WP EXPERTS

  18. #18
    Join Date
    Mar 2005
    Location
    Athens, Greece
    Posts
    1,763
    - do you use the latest wordpress code?
    - is your pc clean? there is an exploit on popular software (like adobe reader or flash player) that a trojan scans your pc for ftp passwords.


    Be sure you are running the latest of WP, you upgrade your pc's software, check for virus, clean your pc, change all passwords in hostgator.
    Managed.gr cloud hosting, paas, vps, dedicated, domain registration on global datacenters.

  19. #19
    Join Date
    Apr 2009
    Posts
    643
    It's not HostGator, it's your out-dated and/or insecure scripts.
    That's why it's recommended to follow up on the web application upgrades and install them in time
    ASPnix Web Hosting - ASP.NET, MS SQL, AJAX, Hyper-V
    Microsoft Hosting and Virtualization

  20. #20
    Join Date
    Oct 2003
    Posts
    9,264
    Quote Originally Posted by TonyB View Post
    We saw this happening maybe 8 months ago or earlier and I hadn't seen many posts about it at the time. It seems to be really catching steam now almost daily posts about x host and a users site continually getting hacked. It's changed a little bit recently but still the same thing. Tough to explain to a user it's their computer with a virus resulting in the ftp passwords being stolen that's for sure.
    It's an extremely easy 'cop-out' to pass the buck off to the end-user and blame their system for being the potential flaw in the loop. I'd highly recommend you audit your WHMCS logs and confirm that your database hasn't been stolen & all of the passwords (that users tend to leave as the default) being the actual root cause of the issue.

    Just because you're seeing it pop up more frequently doesn't necessarily mean it isn't on the provider's end.

  21. #21
    Join Date
    Mar 2001
    Posts
    1,446
    If it's your index.* pages, it's almost *always* your FTP u/p that was compromised from an infected PC (yours, your designer/developer, etc...) We are seeing these a lot lately, and a quick look at the FTP logs for the server will confirm this. Hackers collect FTP u/p from infected PC's by stealing this information that is saved in FTP clients on the PC, then launch bots that download all index.* and main.* pages, insert iframe or js script code (we've seen that looks almost like Google Analytics) and re-upload those pages. It's easy to spot when the host (or you if you have access) looks at the FTP logs.

    I am willing to bet it's not your Wordpress plugins/version that was compromised, rather your FTP u/p. Scan your computers (use something like malwarebytes.org) and then change your FTP password.

    - John C.
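
The FTP-log check described in the post above, as an added example that is not part of the original thread: it assumes the server writes the common xferlog format and flags any client that downloaded an index.* or main.* file and then uploaded it again. The sample log lines are constructed and use documentation IP ranges.

```python
import re

# Constructed xferlog-format sample; hosts, account name and paths are illustrative.
SAMPLE_XFERLOG = """\
Thu Jun 11 09:14:02 2009 1 198.51.100.23 18211 /home/acct/public_html/wp-content/themes/x/style.css a _ i r acct ftp 0 * c
Thu Jun 11 14:02:07 2009 1 203.0.113.77 397 /home/acct/public_html/index.php a _ o r acct ftp 0 * c
Thu Jun 11 14:02:08 2009 1 203.0.113.77 2144 /home/acct/public_html/blog/index.html a _ o r acct ftp 0 * c
Thu Jun 11 14:02:11 2009 1 203.0.113.77 512 /home/acct/public_html/index.php a _ i r acct ftp 0 * c
Thu Jun 11 14:02:12 2009 1 203.0.113.77 2259 /home/acct/public_html/blog/index.html a _ i r acct ftp 0 * c
"""

# xferlog fields: date, transfer-time, remote-host, size, filename, type,
# special-action flag, direction (o = download, i = upload), access mode, user, ...
LINE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \d+ "
    r"(?P<host>\S+) (?P<size>\d+) (?P<path>\S+) [ab] \S+ "
    r"(?P<dir>[oid]) \S (?P<user>\S+) "
)
TARGET = re.compile(r"^(index|main)\.[^/]+$", re.I)


def find_rewrites(log_text):
    """Return one finding per index.*/main.* file that the same remote host
    first downloaded and then uploaded under the same account."""
    downloaded = {}  # (host, user, path) -> size seen at download
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not TARGET.match(m["path"].rsplit("/", 1)[-1]):
            continue
        key = (m["host"], m["user"], m["path"])
        size = int(m["size"])
        if m["dir"] == "o":
            downloaded[key] = size
        elif m["dir"] == "i" and key in downloaded:
            # A positive size delta is consistent with code appended to the page.
            findings.append({"host": m["host"], "user": m["user"],
                             "path": m["path"],
                             "grew_by": size - downloaded.pop(key)})
    return findings


if __name__ == "__main__":
    for f in find_rewrites(SAMPLE_XFERLOG):
        print(f"{f['host']} rewrote {f['path']} as {f['user']} (+{f['grew_by']} bytes)")
```

A hit from an address the account owner does not recognise, with no failed logins before it, points at a stolen FTP password rather than a web application exploit.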

  22. #22
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    3,785
    Quote Originally Posted by David View Post
    It's an extremely easy 'cop-out' to pass the buck off to the end-user and blame their system for being the potential flaw in the loop. I'd highly recommend you audit your WHMCS logs and confirm that your database hasn't been stolen & all of the passwords (that users tend to leave as the default) being the actual root cause of the issue.

    Just because you're seeing it pop up more frequently doesn't necessarily mean it isn't on the provider's end.
    When we first started seeing these we went through logs after logs trying to find a link. Once we had resellers users who don't even have a billing system and sell to local users only it became apparent where these were coming from. Can say the same thing about even another level where a VPS user has a problem with one user getting hacked over and over again. Also started playing around with giving the info back vs just changing it in our systems as well. Giving the user their FTP information again resulted in attempts to change all the files from another random IP.

    It's been growing in size that's for sure. When we first started seeing these there was very little discussion. Now there are guides on how to remove the infected pages and also the possible cause.

  23. #23
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by David View Post
    It's an extremely easy 'cop-out' to pass the buck off to the end-user and blame their system for being the potential flaw in the loop. I'd highly recommend you audit your WHMCS logs and confirm that your database hasn't been stolen & all of the passwords (that users tend to leave as the default) being the actual root cause of the issue.

    Just because you're seeing it pop up more frequently doesn't necessarily mean it isn't on the provider's end.
    You are making the assumption that a full investigation into each case wasn't made. I've seen a few accounts compromised and of course there has always been a full and thorough investigation. Usually it's a compromised script that allowed the attacker to upload a "shell script" that was able to modify files and add/remove files etc.

    There was only one case where a password was actually compromised and that was when the user shared the root password on their VPS with WebHostingTalk and after the WHT hack within about a week their VPS was compromised via SSH using the password with no failed log-in attempts.

    I can say without any shadow of a doubt that all of the few incidents of a client's account being compromised it was due to an out-of-date script or an insecure script. It's not a cop-out but merely the results of the thorough investigation. After cleaning the accounts and updating the scripts the accounts have been pristine ever since.

    Although it is nice to see somebody from the other side of the "fence" presenting the other possibility - realistically if somebody had obtained a copy of a WHMCS database I would think they would do more than compromise a single account on a single server - but maybe not.

    Who knows? Nobody when you speculate.

  24. #24
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    7,223
    Quote Originally Posted by JohnCrowley View Post
    If it's your index.* pages, it's almost *always* your FTP u/p that was compromised from an infected PC (yours, your designer/developer, etc...) We are seeing these a lot lately, and a quick look at the FTP logs for the server will confirm this. Hackers collect FTP u/p from infected PC's by stealing this information that is saved in FTP clients on the PC, then launch bots that download all index.* and main.* pages, insert iframe or js script code (we've seen that looks almost like Google Analytics) and re-upload those pages. It's easy to spot when the host (or you if you have access) looks at the FTP logs.

    I am willing to bet it's not your Wordpress plugins/version that was compromised, rather your FTP u/p. Scan your computers (use something like malwarebytes.org) and then change your FTP password.

    - John C.
    Bingo. The FTP info stealing viruses are huge right now. Normally I'd blame the good ole out of date Joomla extensions but right now that isn't what we are seeing.

  25. #25
    It's often possible to determine whether a password stealing PC virus is the top suspect, by doing a web search on the domain that is referenced in the malicious iframe.

    Gumblar started out inserting iframes that referenced a domain called gumblar, then martuz, then geno, and by now there are probably more, but people are talking about them on the web, so a web search on: TheDomainYouFound gumblar has a good chance of turning up any discussion about that domain in the context of gumblar.
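
A way to pull out the domain to search for, as the post above suggests, added here as an example that is not part of the original thread: it walks a downloaded copy of the site, looks at the end of every index.* and main.* file for iframe or script tags with a remote src, and returns the hosts they reference. The file contents, the host name `injected.example` and the 1024-character tail window are constructed assumptions; tags written out by obfuscated JavaScript are not caught by this check.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

TAIL_CHARS = 1024  # assumption: the injected tag sits at the very end of the file
TAG = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed samples: a minimal WordPress-style index.php, clean and modified.
CLEAN_INDEX = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
)
INFECTED_INDEX = CLEAN_INDEX + (
    '?><iframe src="http://injected.example/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)


def remote_hosts_in_tail(source, known_hosts=()):
    """Hosts referenced by iframe/script tags in the last TAIL_CHARS of a file,
    skipping relative URLs and hosts the site owner already trusts."""
    hosts = []
    for _tag, src in TAG.findall(source[-TAIL_CHARS:]):
        host = urlparse(src).hostname  # None for relative URLs
        if host and host not in known_hosts and host not in hosts:
            hosts.append(host)
    return hosts


def scan_tree(root, known_hosts=()):
    """Map each index.*/main.* file under root to the remote hosts found in its tail."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and re.match(r"(index|main)\.", path.name, re.I):
            text = path.read_text(errors="replace")
            hosts = remote_hosts_in_tail(text, known_hosts)
            if hosts:
                findings[path.relative_to(root).as_posix()] = hosts
    return findings


if __name__ == "__main__":
    print(remote_hosts_in_tail(INFECTED_INDEX))
```

Pass the site's own analytics or CDN hosts as `known_hosts` so that only unfamiliar domains are left to look up.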
