Look at the url?
See this:
http://frenchtofluency.com/~uieducat/
did you look at where that goes? I would say if thats not a directory you created, your web space has already been exploited.
Thread Starter
sulis
(@sulis)
My word – yes, you are right. I did not create that directory. I just wonder why they bothered doing this. What should I do now? And more importantly is there anything I could have done to prevent this from happening?
Many thanks
I just wonder why they bothered doing this.
there is a store link, and it looks like that clicks through a real live site (i didnt check). I imagine he wanted traffic?? Hell if i know, really.
do you have anything else besides wordpress running on your site? Any store scripts, gallery scripts?
It looks like you were running 2.6.3 prior to upgrading (thats what google’s cache shows you at dec 3)? Sound about right?
Thread Starter
sulis
(@sulis)
I didn’t have a store on my site but it seems they have installed one. No, I am not running anything else – it was basically just a standard personal blog.
Yes, I think it was 2.6.3. I upgraded to 2.7 today.
I am rather concerned about the fact I cannot find the /~uieducat/ directory at all. I have searched through my file manager in CPanel but cannot find any of the stuff the hackers have put on my site. Any ideas what to do now and how to get rid of it?
Are you on some shared hosting? ~uieducat usually means that it’s a homedir of user (may as well be another hosting client on that server) uieducat on a server, and due to some ways to configure shared hosting server other hosting clients can be accessible like this (through ~xxx urls) through any other domain parked on that server.
uieducat is not your username for hosting, right? It’s probably some other user being compromised if you’re on shared and not dedicated hosting. They use your url to access files on that other account just as one among many other ways to cover their tracks.
EDIT: folder structure available through yoursite/~uieducat points into direction of what I suspected. Contact your hosting provider and tell them “uieducat” account has been compromised.
she is ON shared hosting, and if you look at the first page she linked to, that was the directory named for ALL the hacks that this particular individual is taking credit for — so no, its not her name.
Sulis, if you like, drop me an email and I will take a look at your files for you.
whoo @ my domain.com
and my domain == village-idiot.org
