Hi guys n gals,
I've been using WP for a year and everything has been peachy, until a few days ago when I got an email from Bluehost advising that my site has been taken down due to "site causing performance problems". Having been away (and recently getting engaged - Yes I'm telling everyone!) I've only just got around to getting in touch with them to find out why and I got told the following:
Your account is being used for a DDoS attack against (66.228.33.245 1under.com). The malicious script is creating numerous wget requests to the site in question. You need to remove the malicious code, remove any scripts not being used and update the scripts they intend to keep.

justsand 12119 0.0 0.0 10804 532 ? S May18 0:15 sh -c while [ 1 ]; do wget -O /dev/null --user-agent='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)' http://www.1nder.com/sites/default/files/acquia_slate_logo.jpg; done > /dev/null 2>&1 &

[b-u-rchaudhry@box438 rchaudhry]$ sudo ls -al /home1/justsand/public_html
-rw-r--r-- 1 justsand justsand 15409 Apr 24 23:18 shit.php
-rwxr-xr-x 1 justsand justsand 15409 Apr 24 23:23 shit.php.pgif
-rw-r--r-- 1 justsand justsand 15409 Apr 24 23:18 shit.php.pgif(64) : eval()'d code
Now I've tried doing my best "Hmmm yes, I see" face at the screen and looking all clever, but that's getting me nowhere. I deleted the offending PHP scripts from public_html, but I'm sure it's not that simple at all. Can anyone advise me how to sort all this mess out?
The only help bluehost have provided is a rather generic:
1. Change the Admin Email on your account.
2. Change the Password on your account.
3. Change the Credit Card on file on your account.
4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
5. Fix any loose file permissions (this may be the most common exploit vulnerability)
6. Delete all non-system FTP accounts that were created, or at the very least, change the passwords to the FTP accounts.
7. Remove any Access Hosts by clicking the "Remote Mysql" icon and clicking the Remove Red X by each entry if there are any entries.
8. Check your scripts for any header injection attacks, SQL injection attacks, cross-site scripting attacks, etc., as well as your php.ini file settings.
9. Check your home/work computers for any viruses, trojans, or keyloggers.
Some of these are fairly self-explanatory, but others just raise further questions. Also I'd really like to know how on earth this was able to happen; I leave my assistant editor in charge for a week and I come back to all this. I'm not sure if it's worth noting that the site has one administrator, one editor, two writer accounts and one contributor. I can account for my passwords being randomly generated 50-digit ones, but I'm not sure about the other users. I suppose it's too early to be pointing fingers anyway.
Thanks in advance for any light anyone can shed on this situation.
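Added example, not from the original post and not from Bluehost's notice: a small POSIX sh triage script covering the three concrete things the host's output points at, namely a shell loop running wget from the account, PHP hidden under a non-PHP extension (the .pgif files), and the "loose file permissions" item from the checklist. Everything it scans is constructed inline so it runs offline: the sample docroot, the file names backdoor.php / backdoor.php.pgif and the ps listing are made up (only the PID 12119 echoes the notice). It reports indicators; it does not replace restoring WordPress core, plugins and themes from clean copies.

```shell
#!/bin/sh
# Triage helpers for a compromised shared-hosting docroot (added example,
# not the original poster's or Bluehost's code). All paths are assumed.

# Files NOT named *.php whose contents contain a PHP open tag, e.g. the
# shit.php.pgif trick from the notice: PHP that a misconfigured handler
# or an include() will still execute.
find_disguised_php() {
    find "$1" -type f ! -name '*.php' -exec grep -l '<?php' {} + 2>/dev/null
}

# PHP-ish files using eval() or base64_decode(), the usual shape of an
# injected loader ("eval()'d code" in the error fragment).
find_eval_loaders() {
    find "$1" -type f \( -name '*.php' -o -name '*.pgif' \) \
        -exec grep -lE 'eval\(|base64_decode\(' {} + 2>/dev/null
}

# World-writable files and directories (checklist item 5). -perm -002 is
# the POSIX spelling of "other-write bit set".
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# Read `ps aux` style lines on stdin, print the PID of every shell loop
# that calls wget, i.e. the pattern shown in the notice.
flag_wget_loops() {
    awk '/sh -c while/ && /wget/ { print $2 }'
}

# Run all scanners against a docroot and print a labelled report.
triage_report() {
    echo "== PHP hidden under another extension";  find_disguised_php "$1"
    echo "== eval/base64_decode loaders";           find_eval_loaders "$1"
    echo "== world-writable files and directories"; find_world_writable "$1"
    echo "== wget loop PIDs (from ps aux)";         ps aux | flag_wget_loops
}

# Constructed sample docroot so the scanners can be exercised offline.
make_sample_docroot() {
    dir="$1"
    mkdir -p "$dir/wp-content/uploads"
    chmod 755 "$dir/wp-content"
    printf '<?php echo "hello";\n' > "$dir/index.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' > "$dir/backdoor.php"
    cp "$dir/backdoor.php" "$dir/backdoor.php.pgif"
    printf 'GIF89a not really an image\n' > "$dir/wp-content/uploads/logo.gif"
    chmod 644 "$dir/index.php" "$dir/backdoor.php" "$dir/wp-content/uploads/logo.gif"
    chmod 777 "$dir/wp-content/uploads"      # loose directory permission
    chmod 666 "$dir/backdoor.php.pgif"       # loose file permission
}

# Constructed ps listing: one wget loop, one unrelated process.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
justsand 12119  0.0  0.0  10804   532 ?        S    May18   0:15 sh -c while [ 1 ]; do wget -O /dev/null --user-agent=Mozilla http://www.example.com/logo.jpg; done
justsand 12200  0.0  0.1  21000  1200 ?        S    May18   0:00 php-fpm: pool justsand'

# Usage: sh triage.sh /home1/justsand/public_html
if [ "$#" -gt 0 ]; then
    triage_report "$1"
fi
```

On the real account you would run `triage_report` against the docroot, then `kill` the PIDs printed by the wget-loop check and remove or neutralise what the other three lists turn up before resetting passwords, because a loader that is still present will simply recreate the loop.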