
Malware redirect hacks - specific question regarding vulnerabilities (12 posts)

  1. zanzaboonda
    Member
    Posted 2 years ago

    Hi all-

    I've read through many of the topics but couldn't find what I was looking for, so my apologies if this duplicates anything.

    Here's my situation:

    I had several (read: 20+) sites on shared hosting (with GoDaddy). At least one of them got hacked with a redirect; they all wound up infected.

    After trying for weeks to correct the problem, I gave up and gutted everything. So there were no files in my hosting account (except for a few website statistics ones that my host verified were okay).

    I reinstalled one website. Sucuri checks it as fine. I started working on the second one, and it was infected in less than 12 hours! Thankfully, my first one is still testing fine per Sucuri.

    I deleted everything from the second site, of course - wiped it clean and reinstalled.

    I was experimenting with plugins on it initially and had assumed it was a plugin or theme issue, so I kept track of what I had installed on the hacked site and compared it with what was on my other website. (Presumably, the ones that were on both would be safer.)

    But paranoia derived from hours upon hours of wasted time and frustration (lol) got the best of me, so I decided to take it step by step.

    Unfortunately, even after a fresh installation, there seems to be something wrong, and I don't know what to do.

    Sucuri scans it clean, but with no plugins or anything other than the Twenty Eleven theme (completely fresh install), if I go to http://indieaz.com/wp-login (I realize it should be wp-login.php. I discovered this occurrence by accident), I get a redirect error from Comodo that tells me "emisacbannortim.ru does not exist" (even after clearing my cache and history, etc.).

    I.e., it's trying to redirect from WP to that site. (I've yet to try this on my first website. Too terrified to find out. lol)

    So my question is, how can this be happening?

    I've read tons of articles during the weeks when I tried to fix it before, and it seems to me that there can only be four possible sources of this problem (although please, please correct me if I'm wrong):

    1. The computer I'm using is infected with malware, which is thereby infecting my sites.
    2. The other website on my shared hosting is infected with malware.
    3. My hosting provider's server is infected with malware.
    4. There is a security issue with the WordPress core software itself.

    Responses:

    1. I have Comodo and Adaware on my computer. I scan it on a semi-regular basis, and so far it's come up clean.

    2. My other website is still scanning clean (per Sucuri), was only installed a few days ago, and has several security plugins, which were installed immediately.

    But 3. and 4. seem highly unlikely...

    I verified everything that exists on my hosting account. They currently are:

    1. My first website I redid - http://k-mo.info - which tests clean, per Sucuri.
    2. The fresh install of WP on my second website - http://indieaz.com.
    3. A bunch of folders from my previous website installations - all empty.
    4. A "stats" folder from GoDaddy that they confirmed as being safe/legitimate when I called them.

    I'm so confused!

    Any help would be greatly appreciated. Thanks in advance for your time and assistance.

    Best wishes,
    Kristen

  2. redleg-too
    Member
    Posted 2 years ago

    Have you checked the .htaccess file(s) for anything suspicious??

  3. zanzaboonda
    Member
    Posted 2 years ago

    As far as I can tell, they both look clean. (I'm not sure if I should post it here or not?) When I got hacked before, the changes to the .htaccess files were pretty obvious (lots of extra spaces, etc.).

    The second one has what looks like a standard one for WP. The first has that exact same code plus a mod from the Hide Login security plugin that I have installed on there.

    I just don't understand how it could get infected so quickly or how a fresh install would have that redirect (not picked up by Sucuri) in less than five minutes. :(

  4. redleg-too
    Member
    Posted 2 years ago

    Usually with the redirect to emisacbannortim.ru/upday/index.php the hackers place a backdoor on the site that allows them to upload files to the site. They use the backdoor to write the redirect back to the .htaccess over and over. The file is not part of your WP installation, so it may not normally get overwritten on a fresh install. You might scan through your access logs for requests for a php file that seems out of place. Sometimes it will have a file name consisting of a bunch of numbers .php, but it can be most anything. Also check for additional .htaccess files; there can be more than one on a site, located in different directories.
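The two checks the post above recommends (comb the access log for requests to PHP files that are not part of a stock install, then sweep every directory for extra or tampered .htaccess files), as an added example that is not code from the thread or from WordPress. It assumes Apache combined-format logs and a stock WordPress layout; the log lines, the .htaccess contents and the attacker hostname are constructed for the demonstration.

```python
"""Triage helpers for the .htaccess-redirect pattern described in the post above.
Added example, not code from the thread or from WordPress.  Assumes Apache
combined-format access logs and a stock WordPress layout; all sample data is constructed.
"""
import os
import re
import tempfile

# Apache combined format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Root-level PHP entry points of a stock install, and directories where direct PHP requests
# are normal.  wp-content/uploads/ is deliberately absent: it should never serve PHP.
KNOWN_WP_PHP = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
                "/wp-comments-post.php", "/wp-trackback.php", "/wp-links-opml.php"}
ALLOWED_PREFIXES = ("/wp-admin/", "/wp-includes/", "/wp-content/plugins/", "/wp-content/themes/")


def suspicious_php_requests(log_lines):
    """Return sorted (path, reasons, hit_count) for .php requests outside the stock install."""
    seen = {}
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                                  # not a combined-format line
        path = m.group("path").split("?", 1)[0]       # drop the query string
        if not path.endswith(".php") or path in KNOWN_WP_PHP or path.startswith(ALLOWED_PREFIXES):
            continue
        if re.fullmatch(r"\d+\.php", os.path.basename(path)):
            reason = "numeric-named php"              # the naming pattern the post mentions
        elif path.startswith("/wp-content/uploads/"):
            reason = "php under uploads"
        elif m.group("method") == "POST":
            reason = "POST to unknown php"            # a webshell being driven looks like this
        else:
            reason = "unknown php"
        entry = seen.setdefault(path, [set(), 0])
        entry[0].add(reason)
        entry[1] += 1
    return sorted((p, tuple(sorted(r)), n) for p, (r, n) in seen.items())


# Directives a clean WordPress .htaccess does not contain; each is worth a manual look.
_HTACCESS_RED_FLAGS = [
    ("external-rewrite", re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)),
    ("referer-condition", re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I)),
    ("redirect-directive", re.compile(r"^\s*Redirect(Match|Permanent|Temp)?\s", re.I | re.M)),
]


def find_htaccess(root):
    """Walk root; return sorted (relative path, flags) for every .htaccess found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        full = os.path.join(dirpath, ".htaccess")
        with open(full, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        flags = [label for label, rx in _HTACCESS_RED_FLAGS if rx.search(text)]
        run = longest = 0                             # injected rules often hide below blank padding
        for ln in text.splitlines():
            run = run + 1 if not ln.strip() else 0
            longest = max(longest, run)
        if longest >= 20:
            flags.append("whitespace-padding")
        findings.append((os.path.relpath(full, root), flags))
    return sorted(findings)


# --- constructed sample data (not real traffic or real files) ---
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2012:03:12:09 +0000] "POST /wp-content/uploads/2012/03/83472916.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2012:03:12:10 +0000] "POST /wp-content/uploads/2012/03/83472916.php?c=1 HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Mar/2012:03:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2012:03:15:30 +0000] "GET /tmp-files/update.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "a line that is not in combined format",
]
STOCK_WP_HTACCESS = ("# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n"
                     "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                     "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n</IfModule>\n# END WordPress\n")
INJECTED_HTACCESS = "RewriteEngine On\n" + "\n" * 30 + (   # rules pushed 30 lines down to hide them
    "RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]\n"
    "RewriteRule ^(.*)$ http://attacker.example/r.php [R=301,L]\n")


def build_sample_tree():
    """Write a throwaway WordPress-like tree with one injected .htaccess; return its root."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for rel, text in {".htaccess": STOCK_WP_HTACCESS, "wp-admin/.htaccess": "Options -Indexes\n",
                      "wp-content/uploads/.htaccess": INJECTED_HTACCESS}.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for hit in suspicious_php_requests(SAMPLE_LOG):
        print("log:", *hit)
    for rel, flags in find_htaccess(build_sample_tree()):
        print("htaccess:", rel, flags or "looks stock")
```

On a real box, feed `suspicious_php_requests` the lines of the host's access log and point `find_htaccess` at the web root; a `.htaccess` under `wp-content/uploads/` or any other directory that a stock install leaves without one is the first thing to open, and a run of blank lines before the rules is a sign the author wanted them scrolled out of view.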

  5. zanzaboonda
    Member
    Posted 2 years ago

    After I de-installed WP on all my sites, I went in via ftp and removed every file in there. I did leave the blank folders, but I made sure to delete everything else.

    But I'll double check, thanks. And thanks for all your help. :)

  6. redleg-too
    Member
    Posted 2 years ago

    As you are hosted on GoDaddy if you have not read through this thread

    http://www.google.com/support/forum/p/Webmasters/thread?tid=5ed4ca0696a2e5ad&hl=en

    probably should scan through it.

  7. zanzaboonda
    Member
    Posted 2 years ago

    LOL Wow... I've been a customer of theirs for, idk, 12 years now, I believe. Apparently, I need to rethink that. I was going to switch before for ethical concerns but I'd prepaid for a year. Which is up in a week or so. :)

    How do I find a good host that's not too expensive? (I'd be glad to use a referral link if there's anyone you recommend.)

    Thanks so much again for your help. You've been very generous with your knowledge and time. I really appreciate it. :)

  8. zanzaboonda
    Member
    Posted 2 years ago

    Spent some time talking with GoDaddy yesterday. The rep was nice, but (after talking with some higher-up tech people) told me the same, that it's impossible. I asked him to check with someone else. He wrote to me later:

    Hello Kristen:

    In double-checking another resource, that resource was in agreement that a third-party directory cannot supersede the root directory. If you have any other questions, please let me know. Thank you.

    [removed for privacy]
    Customer Care Center

    I'm sending him some links to other articles, including the one above and this one:

    http://www.google.com/support/forum/p/Webmasters/thread?tid=51cc151590a97a0d&hl=en&start=40

    Based on my interactions thus far and on those of others, I don't expect to get a straight or accurate answer. I really, really, really don't want to, but I'm probably going to try this all one more time and spend another 40+ to fix just one of my sites. 20+ more to go.

    If it happens again, I'm done with them.

  9. zanzaboonda
    Member
    Posted 2 years ago

    Not sure if you're following this thread still, but get this:

    I cleaned out my websites again as they both wound up hacked. Did the WP uninstall through GoDaddy and deleted every folder I have on there, even though they were all empty, except for the STATS folder, which I cannot delete and which they verified for me were all correct. It is empty, as in empty.

    And yet, even after deleting browser cache, history, and everything, when I put my url in (directly, not redirecting from Google, etc.), I *still* get redirected.

    I did have something show up in my AV scans on my computer, which I cleaned and restarted. Did the same thing... made sure everything empty, deleted all history, etc., and it's still redirecting. It even redirects on the (xScope) browser on my phone, which I had never used to visit any of my websites before, so it can't be anything to do with browser cache, etc.

    So my question now is, can it be anything other than GoDaddy? Anything at all??

  10. redleg-too
    Member
    Posted 2 years ago

    Sorry to hear this is still happening; I know it must be very frustrating. The issue with GoDaddy and the .htaccess certainly kinda leaves you in limbo. As you have deleted everything, there are not a lot of other possibilities. Here are a couple more links on the Google forum:

    http://www.google.com/support/forum/p/Webmasters/thread?tid=34a0198f8400bdae&hl=en

    http://www.google.com/support/forum/p/Webmasters/thread?tid=61c2f6b272287c1a&hl=en

    http://www.google.com/support/forum/p/Webmasters/thread?tid=703ea962ad70b07a&hl=en

    The bottom line in all of them is basically the same. Maybe contact GoDaddy again, explain that you have deleted everything and requests still redirect, and send them links to the threads.

  11. zanzaboonda
    Member
    Posted 2 years ago

    Aww, thanks for posting again and thanks for sharing all of your time and knowledge.

    The first link seems to be broken, but I think the other two probably have enough information.

    I'm going to contact them again.

    I mostly wanted to keep you updated as, unless they have a better explanation, this seems like definitive proof for me that the problem is on their end.

    Thanks again. You're very kind.

  12. zanzaboonda
    Member
    Posted 2 years ago

    As an update, I called GoDaddy, and they talked to their Advanced Hosting Services department. They came back several minutes later and said they found an .htaccess file on my server. They renamed it (thereby rendering it useless), and I have left it on there for now.

    However, this was not there before, neither in Filezilla nor in their Hosting Manager. I even took screenshots earlier of Filezilla to show it was blank, so it is my belief that it was uploaded some time in the last hour or so.

    I'm not going to reinstall my websites just yet. I'm going to wait and see if another one gets uploaded. But I'm pretty sure this is not from me! lol

This topic has been closed to new replies.