WordPress.org

Ready to get started?Download WordPress

Forums

Site hacked multiple times (6 posts)

  1. AlisonMooreSmith
    Member
    Posted 1 year ago #

    I have a multisite installed on HostGator.

    Twice in the past month the site has been hacked. Below is the info from HostGator on the latest hack this week.

    One thing I note is the last line. It shows an install of an old version WordPress in the public_html folder that I did not create. That's where all the hacks are.

    I read that the www folder is just a shortcut to the public_html folder. If so, how can the www folder have the current version of WordPress and the public_html folder have an OLDER version?

    Help?

    Also, in case it's helpful, I have been removing a bunch of files added to the root directory of my site that forward to porn or meds sites. I'm also finding a number of files that have only this in them:

    Linux10+cfcd208495d565ef66e7dff9f98764da

    What are these files and should they also be deleted?

    Thanks.

    Hello,

    We have received complaints of malware on your site as referenced below, and upon inspection we found that malware had indeed been injected into your account. The vast majority of injections are done by malicious users who have found exploits in scripts previously (and legitimately) installed on the account. We have taken the below actions to prevent further malicious activities. Please make sure to update your password, and to update all the scripts/plugins on your account to the latest version.

    The following files were removed from your account:
    removed `/home/popcred/public_html/T5login.php'
    removed `/home/popcred/public_html/seo2b5.php'
    removed `/home/popcred/public_html/functoins.php'
    removed `/home/popcred/public_html/welcome.php'
    removed `/home/popcred/public_html/tracking.php'
    removed `/home/popcred/public_html/g0config.php'
    removed `/home/popcred/public_html/xmlrpcbYX.php'
    removed `/home/popcred/public_html/wp-content/plugins/forums/css/style/r.php'
    removed `/home/popcred/public_html/Dxmlrpc.php'
    removed `/home/popcred/public_html/dlogoff.php'
    removed `/home/popcred/public_html/xmlrpcGGm.php'
    removed `/home/popcred/public_html/xmlrpcoMWT.php'
    removed `/home/popcred/public_html/6Klogoff.php'
    removed `/home/popcred/public_html/hthemes.php'
    removed `/home/popcred/public_html/NRbanner.php'
    removed `/home/popcred/public_html/kmain.php'
    removed `/home/popcred/public_html/banneri5TE.php'
    removed `/home/popcred/public_html/wp-xml.php'
    removed `/home/popcred/public_html/popupP6ZV.php'
    removed `/home/popcred/public_html/4info.php'
    removed `/home/popcred/public_html/cookieVqq.php'
    removed `/home/popcred/public_html/Qklogin.php'

    The files were able to be uploaded to the account via an exploit in one of your scripts:
    /usr/local/apache/domlogs/_wildcard_.popcred.net: 78.85.18.135 - - [24/Oct/2012:14:19:33 -0500] "POST /wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    Please update the following software as newer versions contain fixes to many security and performance flaws:
    Vulnerable Applications:
    ========================================
    Wordpress :: 2.5.1 :: /home/popcred/public_html/data

  2. LunaticC
    Member
    Posted 1 year ago #

    Holy shit,

    I thought using hostgator as a host was save, I guess I need to invest more in to security myself..

  3. esmi
    Forum Moderator
    Posted 1 year ago #

  4. AlisonMooreSmith
    Member
    Posted 1 year ago #

    Thank you. I'm working through the links you gave.

    One question, I read that the www folder is just a shortcut to the public_html folder. But HostGator is telling me that the WordPress in the public_html folder is an OLD version, even though the folder on my site is the current version.

    ???

  5. esmi
    Forum Moderator
    Posted 1 year ago #

    I read that the www folder is just a shortcut to the public_html folder

    That would vary from hosts to host. Could you perhaps have 2 versions installed?

  6. AlisonMooreSmith
    Member
    Posted 1 year ago #

    I did not install two versions.

Topic Closed

This topic has been closed to new replies.

About this Topic