Results 1 to 25 of 26
-
06-26-2009, 12:05 AM #1New Member
- Join Date
- Jun 2009
- Posts
- 1
My sites on hostgator keeps getting hacked
I have been very happy customer of hostgator for more than 2 years now and still have no issues with them except the one below.
My sites (wordpress) keep getting hacked. Its same thing all the time, hacker adds one iframe script code to end of index.php
I checked the permissions of index.php and its always 644 (standard).
Is it just my site or its common at hostgator?
(by the way I changed my password, but its still same old same old)
-
06-26-2009, 12:11 AM #2Web Hosting Master
- Join Date
- Jul 2008
- Location
- Eta Carinae
- Posts
- 2,672
are you using any plugins that may be exploitable? I highly doubt it's common with hostgator since it just happens to your wordpress sites - usually happens when you have a plugin that's vulnerable to getting hacked. and wordpress is a common cms to get hacked - phpBB is the forum cms that gets hacked a lot (i know phpbb2 had a lot of issues)
if you truly believe that it's hostgator you could always try out another company and see how that goes.
-
06-26-2009, 12:19 AM #3Web Hosting God
- Join Date
- Dec 2001
- Location
- Above The Clouds
- Posts
- 7,223
Have you done a virus scan on your PC/laptop etc? There are various viruses still circulating that steal FTP info when you connect when infected. This normally results in iframe hacks. Seen it many time in the last 3 months.
██ Laurence Flynn @ HostNEXUS.com
██ Managed WordPress Hosting Solutions
██ Focused on speed. Obsessed with security.
-
06-26-2009, 12:28 AM #4Disabled
- Join Date
- Sep 2005
- Location
- A box
- Posts
- 2,051
If this was common at HostGator, considering our large their client base is, I'm sure the forum would be full of threads like yours.
It's only you You're running a plugin that is out of date/exploitable, or you're running an out of date version of wordpress. You need to always run the latest version of wordpress, as well as all plugins. If you're running plugins that haven't been updated for a while, chances are, the author dropped the plugin and isn't updating it any more, so get rid of it as well.
-
06-26-2009, 12:42 AM #5Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
█ Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
█ LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
█ Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
█ DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore
-
06-26-2009, 12:53 AM #6UNMETERED SPECIALIST
- Join Date
- Mar 2009
- Location
- India
- Posts
- 1,233
I do not think it is common with Hostgator.
-
06-26-2009, 12:58 AM #7Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
Have you updated your copy of WordPress? There have been some exploits discovered that would allow access to your account.
Also if they did gain access and uploaded a shell .php script (that looks like a part of wordpress) they could continue to access your account even after you upgrade WordPress.
I would suggest you download your entire /public_html and then run a virus scanner on it and delete any files it labels as malicious or backdoors and then re-uploading and updating your WordPress installation.█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
-
06-26-2009, 12:59 AM #8Disabled
- Join Date
- Nov 2007
- Location
- England
- Posts
- 239
It will definitely be some kind of plugin you are using.
If you are changing the password every time and it still happens, then they are coming in through the plugin.
Try removing some plugins on a try&test method, you may find the culperate eventually.
-
06-26-2009, 01:01 AM #9Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
-
06-26-2009, 01:17 AM #10Disabled
- Join Date
- Nov 2007
- Location
- England
- Posts
- 239
True. I've never dealt with Wordpress so I can't comment.
However, I do know that many sites are hacked through applications/plugins etc.
-
06-26-2009, 01:19 AM #11Disabled
- Join Date
- Apr 2009
- Posts
- 38
-
06-26-2009, 01:20 AM #12Web Hosting Master
- Join Date
- Mar 2009
- Location
- Texas
- Posts
- 942
I just had a client get his Wordpress site hacked as well. Wordpress released an update not long ago, and he didn't update. Have you updated to the latest version of Wordpress?
-
06-26-2009, 01:24 AM #13Web Hosting Master
- Join Date
- Aug 2004
- Location
- Canada
- Posts
- 3,785
We saw this happening maybe 8 months ago or earlier and I hadn't seen many posts about it at the time. It seems to be really catching steam now almost daily posts about x host and a users site continually getting hacked. It's changed a little bit recently but still the same thing. Tough to explain to a user it's their computer with a virus resulting in the ftp passwords being stolen that's for sure.█ Tony B. - Chief Executive Officer
█ Hawk Host Inc. Proudly serving websites since 2004
█ Quality Shared and Cloud Hosting
█ PHP 5.2.x - PHP 8.1.X Support!
-
06-26-2009, 01:38 AM #14Disabled
- Join Date
- Apr 2009
- Posts
- 38
-
06-26-2009, 01:38 AM #15Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
Yep - most clients automatically assume that if their account is compromised that it's the host's fault for not securing their server properly.
Even when you explain there are hundreds of domains on the same server and that only their account was compromised, and you show them evidence of how it happened and why it happened... Many still blame the host in the end.
I don't know how many times I've even had somebody transfer in and then claim that their site was hacked on one of our servers - when I look at the backup file from when they transferred in - the backup contained the files that were already compromised!
Oh well.█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
-
06-26-2009, 01:49 AM #16Web Hosting Evangelist
- Join Date
- Jan 2003
- Posts
- 512
It's not HostGator, it's your out-dated and/or insecure scripts. When you use a popular web script like Wordpress and vulnerability is going to be well know; and weak scripts are easy to find and exploit. I work for a large host and we see Wordpress compromised a lot. Keep your stuff up-to-date and keep good backups. Often times by the time you see a site has been compromised the hosts backups do not go far enough back to restore from a "clean" version.
-
06-26-2009, 09:42 AM #17Support Facility
- Join Date
- Jun 2009
- Posts
- 2,335
More often than not, disabled plugins are left in the plugin directory. Unfortunately, this can be a security risk. So, be sure to remove any disabled or unnecessary plugins.
-
06-26-2009, 09:46 AM #18Web Hosting Master
- Join Date
- Mar 2005
- Location
- Athens, Greece
- Posts
- 1,763
- do you use the latest wordpress code?
- is your pc clean? there is an exploit on popular software (like adobe reader or flash player) that a trojan scans your pc for ftp passwords.
Be sure you are running the latest of WP, you upgrade your pc's software, check for virus, clean your pc, change all passwords in hostgator.▌ Managed.gr cloud hosting, paas, vps, dedicated, domain registration on global datacenters.
-
06-26-2009, 09:47 AM #19Web Hosting Master
- Join Date
- Apr 2009
- Posts
- 643
It's not HostGator, it's your out-dated and/or insecure scripts.ASPnix Web Hosting - ASP.NET, MS SQL, AJAX, Hyper-V
Microsoft Hosting and Virtualization
-
06-26-2009, 06:20 PM #20Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 9,264
It's an extremely easy 'cop-out' to pass the buck off to the end-user and blame their system for being the potential flaw in the loop. I'd highly recommend you audit your WHMCS logs and confirm that your database hasn't been stolen & all of the passwords (that users tend to leave as the default) being the actual root cause of the issue.
Just because you're seeing it pop up more frequently doesn't necessarily mean it isn't on the provider's end.
-
06-26-2009, 09:06 PM #21Web Hosting Master
- Join Date
- Mar 2001
- Posts
- 1,446
If it's your index.* pages, it's almost *always* your FTP u/p that was compromised from an infected PC (yours, your designer/developer, etc...) We are seeing these a lot lately, and a quick look at the FTP logs for the server will confirm this. Hackers collect FTP u/p from infected PC's by stealing this information that is saved in FTP clients on the PC, then launch bots that download all index.* and main.* pages, insert iframe or js script code (we've seen that looks almost like Google Analytics) and re-upload those pages. It's easy to spot when the host (or you if you have access) looks at the FTP logs.
I am willing to bet it's not your Wordpress plugins/version that was compromised, rather your FTP u/p. Scan your computers (use something like malwarebytes.org) and then change your FTP password.
- John C.
-
06-26-2009, 11:56 PM #22Web Hosting Master
- Join Date
- Aug 2004
- Location
- Canada
- Posts
- 3,785
When we first started seeing these we went through logs after logs trying to find a link. Once we had resellers users who don't even have a billing system and sell to local users only it became apparent where these were coming from. Can say the same thing about even another level where a VPS user has a problem with one user getting hacked over and over again. Also started playing around with giving the info back vs just changing it in our systems as well. Giving the user their FTP information again resulted in attempts to change all the files from another random IP.
It's been growing in size thats for sure. When we first started seeing these there was very little discussion. Now there are guides on how to remove the infected pages and also the possible cause.█ Tony B. - Chief Executive Officer
█ Hawk Host Inc. Proudly serving websites since 2004
█ Quality Shared and Cloud Hosting
█ PHP 5.2.x - PHP 8.1.X Support!
-
06-27-2009, 01:33 AM #23Web Hosting Industry Expert
- Join Date
- Dec 2007
- Location
- Indiana, USA
- Posts
- 19,196
You are making the assumption that a full investigation into each case wasn't made. I've seen a few accounts compromised and of course there has always been a full and thorough investigation. Usually it's a compromised script that allowed the attacker to upload a "shell script" that was able to modify files and add/remove files etc.
There was only one case where a password was actually compromised and that was when the user shared the root password on their VPS with WebHostingTalk and after the WHT hack within about a week their VPS was compromised via SSH using the password with no failed log-in attempts.
I can say without any shadow of a doubt that all of the few incidents of a client's account being compromised it was due to an out-of-date script or an insecure script. It's not a cop-out but merely the results of the thorough investigation. After cleaning the accounts and updating the scripts the accounts have been pristine ever since.
Although it is nice to see somebody from the other side of the "fence" presenting the other possibility - realistically if somebody had obtained a copy of a WHMCS database I would think they would do more than compromise a single account on a single server - but maybe not.
Who knows? Nobody when you speculate.█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
-
06-27-2009, 02:15 AM #24Web Hosting God
- Join Date
- Dec 2001
- Location
- Above The Clouds
- Posts
- 7,223
██ Laurence Flynn @ HostNEXUS.com
██ Managed WordPress Hosting Solutions
██ Focused on speed. Obsessed with security.
-
06-27-2009, 06:50 AM #25Newbie
- Join Date
- Jun 2008
- Posts
- 18
It's often possible to determine whether a password stealing PC virus is the top suspect, by doing a web search on the domain that is referenced in the malicious iframe.
Gumblar started out inserting iframes that referenced a domain called gumblar, then martuz, then geno, and by now there are probably more, but people are talking about them on the web, so a web search on: TheDomainYouFound gumblar has a good chance of turning up any discussion about that domain in the context of gumblar.
Similar Threads
-
Hostgator password hacked by Evilzone dot org
By nomzz in forum Hosting Security and TechnologyReplies: 6Last Post: 12-04-2008, 03:48 PM -
My experience with HostGator In the last 24 hrs after site has been hacked
By doc125 in forum Web HostingReplies: 14Last Post: 06-12-2007, 12:52 AM -
My RZ sites hacked!
By lindmar in forum Reseller HostingReplies: 16Last Post: 07-29-2006, 09:50 PM -
sites hacked/ need advice
By kami in forum Dedicated ServerReplies: 6Last Post: 12-28-2004, 01:40 AM -
Sites Hacked
By idolhost in forum Web HostingReplies: 17Last Post: 07-27-2003, 05:35 AM