
Hostgator WP sites hacked, links added to wp-blog-header.php (7 posts)

  1. rforeman
    Member
    Posted 4 years ago #

    I have several sites hosted with Hostmonster. Link spam is added to all of my sites' wp-blog-header.php files and displays after the closing HTML tag on all of the site's web pages. Here is a sample: http://empoweryou.ca. As soon as I remove it, it reappears.

    And I keep getting an admin account added under the name doctor9. I delete it and it reappears.

    I have asked Hostmonster support for help and they refer me back to WordPress.

    I am using the latest version of WordPress and all plugins are regularly updated to the latest versions.

    Is anyone else having the same problem?

    Thanks
    Ron Foreman

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. rforeman
    Member
    Posted 4 years ago #

    Thanks Esmi,

    I had read most of those before posting.

    I was hoping to find a solution more targeted to this specific problem. I have 50 installations and almost all (perhaps all) sites have this same problem. Following the cleanup procedures on every site would take days or weeks.

    I thought perhaps somebody else would have the same problem and I could pinpoint the cause and resolve it.

    Am I the only one with a 'doctor9' administrator in 50 sites on Hostgator that keeps coming back after I delete it?

    And links like these in the wp-blog-header.php that keep coming back after I delete them.

    </body>
    </html><font color="#0099CC">شات</font></font></span><font size="1" color="#0099CC"> </font><font size="1" color="#000000">
    <font color="#0099CC">billiards</font></font><font size="1" color="#0099CC">
    </font>

    <font size="1" color="#0099CC">شات قطر</font>
    <font size="1" color="#0099CC">
    </font>


    <font size="1" color="#0099CC">شات صوتي</font>
    <font size="1" color="#0099CC">
    </font>

    <font size="1" color="#0099CC">كام</font>
    <font size="1" color="#0099CC">
    </font>

    <font size="1" color="#0099CC">شات سعودي</font>
    <font size="1" color="#0099CC">
    </font>

    <font size="1" color="#0099CC">جلسات</font>
    <font size="1" color="#0099CC">
    </font>


    <font size="1" color="#0099CC">طرب</font>
    <font size="1"><font color="#0099CC"> 
    </font>
    <span lang="ar-sa">
    <font color="#0099CC">بنت ابوي</font>
    <font color="#0099CC">
    </font>
    <font color="#0099CC">شات صوتي</font><font color="#0099CC">
    </font>

    <font color="#0099CC">شات كتابي</font>
    <font color="#0099CC">
    </font>

    <font color="#0099CC">عرب سيد</font>
    <font color="#0099CC">

    </font>

    <font color="#0099CC">افلام عربي</font>
    <font color="#0099CC">
    </font>
    <font color="#0099CC">بلياردو</font><font color="#0099CC">
    </font>
    <font color="#0099CC">دردشه</font><font color="#0099CC">
    </font>
    <font color="#0099CC">منتدى</font></span><font color="#0099CC"> 
    </font>
    <font color="#0099CC">قيمزر</font><font color="#0099CC">
    </font>
    <span lang="ar-sa"><font color="#0099CC">
    سعودي كول</font>
    </span></font>

    Thanks for your patience!

    Ron

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    If the hacker is getting back in, there must be a back door somewhere on the server. The last link in the list I gave addresses back doors specifically as they relate to WP sites but it's equally possible that the back door is somewhere else on a shared server.

  5. mvandemar
    Member
    Posted 4 years ago #

    Ron, you mentioned Hostgator in the title and in some posts, and Hostmonster in the first post and others. Which is it? Did you ever get this fixed?

    50 sites might seem like a ton to clean, but probably wouldn't take as long as you think if you approach it right. I am the author of the WordPress cleanup post on the Smackdown blog referenced above, hit me up if you really get stuck.

    -Michael

  6. rforeman
    Member
    Posted 3 years ago #

    Thanks Michael!

    Sorry for the confusion. The problem is with Hostgator NOT Hostmonster and it's back again.

    Here is the explanation I received from Hostgator last time:

    This was a PHP shell that had been missed during the last cleaning. I've removed the content from wp-blog-header.php and I've removed the PHP shell. I'm very sorry about that. The good news is it does not appear that any of the passwords have been compromised and your WHM is safe at this time.

    Ron

  7. rforeman
    Member
    Posted 3 years ago #

    Update

    Hostgator (not Hostmonster) tell me this:

    The wp-blog-header.php files on several of your sites were being modified via a PHP shell script (comments-popup.php) that had been placed on the accounts. This shell script was placed on the account in May and June, 2010. Unfortunately we do not have logs from this time period, so we cannot see exactly how this was uploaded to the account. If you see any modification of your sites occur again, please contact us as soon as possible so that we may investigate further.
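
Added example, not part of the original thread and not Hostgator's tooling: a shell triage for the situation described above, where many installs under one account have wp-blog-header.php rewritten by a dropped comments-popup.php. The root directory argument, the tag pattern and the function names are assumptions. comments-popup.php is also a legitimate theme template name, so every hit is a candidate to compare against a clean copy of the same version, with the "unexpected-path" ones first.

```shell
#!/bin/sh
# Added example: triage many WordPress installs below one directory.
# Assumption: ROOT (first argument) contains every install to check.

# wp-blog-header.php files containing HTML markup. The stock file is a
# short PHP-only loader, so any tag in it means it has been modified.
tampered_headers() {
    find "$1" -type f -name 'wp-blog-header.php' \
        -exec grep -liE '</(body|html)>|<(font|a|span|div|iframe|script)[ >]' {} + | sort
}

# Every comments-popup.php (the file name the host reported), labelled by
# whether it sits where a theme template of that name normally lives.
popup_candidates() {
    find "$1" -type f -name 'comments-popup.php' | sort | while IFS= read -r f; do
        case "$f" in
            */wp-content/themes/*|*/wp-includes/theme-compat/*) echo "template-path $f" ;;
            *) echo "unexpected-path $f" ;;
        esac
    done
}

# Constructed sample tree: site1 is clean, site2 has a rewritten header
# and a comments-popup.php outside any template directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/default" "$d/site2/wp-includes"
    printf '<?php\nrequire_once( dirname(__FILE__) . "/wp-load.php" );\n' \
        > "$d/site1/wp-blog-header.php"
    printf '<?php\nwp();\n?>\n</body>\n</html><font color="#0099CC">spam</font>\n' \
        > "$d/site2/wp-blog-header.php"
    : > "$d/site1/wp-content/themes/default/comments-popup.php"
    : > "$d/site2/wp-includes/comments-popup.php"
    echo "$d"
}

# Usage: sh triage.sh /path/to/hosting/root
if [ "$#" -gt 0 ]; then
    echo "== modified wp-blog-header.php =="; tampered_headers "$1"
    echo "== comments-popup.php to review =="; popup_candidates "$1"
fi
```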

Topic Closed

This topic has been closed to new replies.
