WordPress.org

[resolved] [closed] Website repeatedly hacked (38 posts)

  1. Shay
    Member
    Posted 1 year ago #

    @cbouchard, I do use webhostingpad.com... hmm.. makes me wonder.

    To determine if we get re-hacked, I'm checking the website's Title tag using the perl script below.

    If you have nagios, run this script like this:
    perl check_title.pl http://your_site_url "The title you are expecting to get"

    Here is the source of the Nagios script:
    #!/usr/bin/perl
    # Nagios-style check: fetch a page and compare its <title> with the
    # expected value. Exit codes follow the Nagios convention:
    # 0 = OK, 2 = CRITICAL, 3 = UNKNOWN (bad arguments).
    use strict;
    use warnings;
    use HTTP::Request::Common qw(POST);
    use LWP::UserAgent;

    my $url        = shift;
    my $html_title = shift;
    if (!$url) {
        print "URL is missing";
        exit 3;
    }
    if (!$html_title) {
        print "html title is missing";
        exit 3;
    }

    my $ua = LWP::UserAgent->new;
    $ua->agent('Mozilla/5.0');
    $ua->timeout(10);

    # A POST carrying a random field defeats caches and CDNs, so the check
    # sees the page as the server currently serves it.
    my $random = int(rand(9 * time));
    my $req = POST $url,
        Referer => $url,
        Content => [ r => $random ];

    # simple_request does not follow redirects on purpose: a 30x to another
    # host is itself a sign of tampering and is reported as a failure.
    my $res = $ua->simple_request($req);
    if (!$res->is_success) {
        print "HTTP " . $res->status_line;
        exit 2;
    }

    # Extract the title case-insensitively, allowing attributes on <title>
    # and trimming surrounding whitespace.
    my ($tmp) = $res->decoded_content =~ m{<title[^>]*>\s*(.*?)\s*</title>}si;
    if (!defined $tmp) {
        print "No <title> found";
        exit 2;
    }
    if ($tmp ne $html_title) {
        print "Title is not $html_title! Got: $tmp";
        exit 2;
    }
    print "Ok.";
    exit 0;

  2. cbouchard
    Member
    Posted 1 year ago #

    @Shay

    Thanks - told my security guy what you said and he definitely believes it's a webhostingpad.com issue. Don't know if you've talked to them but they keep suggesting that I am reloading bad content onto my site. Very annoying! If I can get my security guy to provide some proof - maybe we can provide a united front?

  3. bradhaas
    Member
    Posted 1 year ago #

    Easy there, Hack Repair Guy. I don't take payment until the job is finished.

    Everyone: I think the hackers have access to the database server(s) at webhostingpad. I did a Google search for the site title that the hacker keeps putting in. There are quite a few results:

    https://www.google.com/search?q=%2BADw-%2Ftitle%2BAD4-Hacker+By+Hacker+alajman

    Then I started looking at the host where each hacked site resides. See a pattern?
    http://dns.robtex.com/sonsof.com.html#records
    http://dns.robtex.com/theshyam.com.html#records
    http://dns.robtex.com/shajey.com.html#records
    http://dns.robtex.com/socialwatchtower.com.html#records
    http://dns.robtex.com/stonegatemediaresearch.com.html#records

    There are plenty more that are hosted on 69.65.3.x. Some have other IPs; they may use CDNs like Cloudflare or maybe they're hosted elsewhere and the hacker struck there too. But I see:

    - multiple independent sites, which are suffering an identical hack, hosted in the same place
    - the hack is occurring without any modified files
    - the hack is occurring without any illegitimate activity in the HTTP access logs or FTP logs

    Mass compromise of a host is something I'm very hesitant to consider, but in this case I think the evidence certainly points to it.

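The co-location reasoning above (pivot from the defacement string to the affected domains, then from each domain to its hosting address, and look for a shared block) can be done programmatically. The following is an added example, not code from the thread or from bradhaas: given a mapping of domain to resolved A record, it groups sites by /24 and flags blocks where several independently owned, identically defaced sites sit together, while treating CDN-fronted sites as inconclusive because the address is the proxy, not the origin host. The domain names and host numbers in it are constructed placeholders (69.65.3.0/24 is the block the post mentions, the rest are documentation ranges), not the real records of the sites named above, and the CDN range is a TEST-NET stand-in for a provider's published list.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder data: these domain/IP pairs are made up for the
# example and are NOT the real DNS records of the sites named in the thread.
# A real run would feed resolver output (or robtex/passive-DNS export) here.
SAMPLE_DNS = {
    "site-a.example": "69.65.3.10",
    "site-b.example": "69.65.3.44",
    "site-c.example": "69.65.3.200",
    "site-d.example": "69.65.3.77",
    "site-e.example": "198.51.100.7",
    "site-f.example": "203.0.113.9",
}

# Sites whose title currently shows the defacement (constructed for the example).
DEFACED = {"site-a.example", "site-b.example", "site-c.example", "site-f.example"}

# Stand-in for a CDN/proxy address list; a real run would load the provider's
# published ranges (Cloudflare publishes its list) instead of this TEST-NET block.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def behind_cdn(ip):
    """True if the A record points at a CDN edge rather than the origin host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def cluster_by_prefix(dns, defaced, prefixlen=24):
    """Group domains by the /prefixlen containing their A record.

    Returns {prefix: {"all": [domains], "defaced": [domains], "cdn": bool}}.
    """
    clusters = defaultdict(lambda: {"all": [], "defaced": [], "cdn": False})
    for domain, ip in sorted(dns.items()):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        entry = clusters[str(net)]
        entry["all"].append(domain)
        if domain in defaced:
            entry["defaced"].append(domain)
        if behind_cdn(ip):
            entry["cdn"] = True  # the IP is the proxy; origin host is unknown
    return dict(clusters)


def suspicious_prefixes(clusters, min_defaced=2):
    """Prefixes where at least min_defaced independent defaced sites are
    co-located and the address is not a CDN edge (those are inconclusive)."""
    return sorted(
        prefix for prefix, entry in clusters.items()
        if len(entry["defaced"]) >= min_defaced and not entry["cdn"]
    )


def inconclusive_domains(clusters):
    """Defaced sites behind a CDN: DNS says nothing about where they are hosted."""
    return sorted(
        d for entry in clusters.values() if entry["cdn"] for d in entry["defaced"]
    )


if __name__ == "__main__":
    clusters = cluster_by_prefix(SAMPLE_DNS, DEFACED)
    for prefix in suspicious_prefixes(clusters):
        entry = clusters[prefix]
        print(f"{prefix}: {len(entry['defaced'])}/{len(entry['all'])} sites defaced: "
              + ", ".join(entry["defaced"]))
    for domain in inconclusive_domains(clusters):
        print(f"{domain}: behind a CDN, origin host not visible from DNS")
```

A shared /24 is evidence of shared hosting, not proof of a host-side compromise; the point of the check is to separate the "same box, same hack" cases from those where the address tells you nothing, so that the hosting question can be put to the provider with a concrete list.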
  4. MickeyRoush
    Member
    Posted 1 year ago #

    @ cbouchard

    You mentioned that they were/are uploading malicious files into the upload directory. Are there logs showing that someone is still doing so? If they are, I can provide something that may help you.

  5. Shay
    Member
    Posted 1 year ago #

    24 hours later and we're still hack-free; it seems like we're safe now.
    It looks like the hacker/script is attacking via SQL injection, having the ability to read the tables prefix, change the site title and add a text node with simple html redirection.
    It could be WordPress core or one of the plugins we use, I don't think it's related to webhostingpad but only time will tell.

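Shay's description above (site title overwritten, table prefix read, a redirecting text node added) points at the database rather than the rendered page as the place to check. The following is an added example, not code from the thread: it builds a constructed in-memory SQLite stand-in for a WordPress wp_options/wp_posts pair (the real tables live in MySQL under the site's table prefix), compares the security-relevant options against known-good values, and scans served post content for the meta-refresh, JavaScript-location and iframe patterns a simple HTML redirection would use. The expected values, sample rows, the injected title and the attacker.test URL are all made up for the example; the table prefix is validated before it is interpolated because the thread's own finding is that the prefix is attacker-readable.

```python
import re
import sqlite3

# Known-good values for the options this kind of defacement overwrites.
# Constructed for the example; a real check loads them from a file kept
# outside the web root, never from the database being checked.
EXPECTED_OPTIONS = {
    "blogname": "My Site",
    "siteurl": "http://example.test",
    "home": "http://example.test",
}

# Patterns a "simple html redirection" typically uses when injected into content.
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']', re.I),
    re.compile(r'<iframe[^>]+src\s*=\s*["\']https?://', re.I),
]


def validate_prefix(prefix):
    """The table prefix is configuration, but it is still interpolated into SQL,
    so restrict it to the characters WordPress itself allows in a prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def build_sample_db():
    """Constructed in-memory stand-in for wp_options / wp_posts (MySQL in reality).
    The overwritten blogname and the injected redirects are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT, post_status TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("blogname", "Hacked By Example"),      # the title the defacement sets
        ("siteurl", "http://example.test"),
        ("home", "http://example.test"),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "Hello", "<p>Welcome to the site.</p>", "publish"),
        (2, "About", '<p>About us.</p>'
                     '<meta http-equiv="refresh" content="0;url=http://attacker.test/">',
         "publish"),
        (3, "Draft", '<script>window.location="http://attacker.test/"</script>', "draft"),
    ])
    conn.commit()
    return conn


def check_options(conn, expected, prefix="wp_"):
    """Return (option_name, expected, actual) for every option that drifted."""
    table = validate_prefix(prefix) + "options"
    findings = []
    for name, want in expected.items():
        row = conn.execute(
            f"SELECT option_value FROM {table} WHERE option_name = ?", (name,)
        ).fetchone()
        got = row[0] if row else None
        if got != want:
            findings.append((name, want, got))
    return findings


def find_redirect_injections(conn, prefix="wp_", statuses=("publish",)):
    """Return (ID, post_title, matched_text) for posts whose content carries a
    redirect pattern. Only served statuses are scanned by default; pass
    statuses=None to sweep every row, drafts and revisions included."""
    table = validate_prefix(prefix) + "posts"
    sql = f"SELECT ID, post_title, post_content FROM {table}"
    params = ()
    if statuses:
        sql += " WHERE post_status IN (%s)" % ",".join("?" * len(statuses))
        params = tuple(statuses)
    hits = []
    for pid, title, content in conn.execute(sql, params):
        for pat in REDIRECT_PATTERNS:
            m = pat.search(content or "")
            if m:
                hits.append((pid, title, m.group(0)))
                break
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for name, want, got in check_options(db, EXPECTED_OPTIONS):
        print(f"option {name}: expected {want!r}, found {got!r}")
    for pid, title, snippet in find_redirect_injections(db):
        print(f"post {pid} ({title}): redirect pattern {snippet!r}")
```

Run against the real database with a read-only MySQL account and the site's actual prefix; a drift in blogname, siteurl or home with no matching change in the access or FTP logs is the same symptom bradhaas describes, and the row-level finding is what to hand to the host.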
  6. linhtranphu
    Member
    Posted 1 year ago #

    @Shay, I'm looking forward to your latest news. I have the same problem here.

  7. bradhaas
    Member
    Posted 1 year ago #

    @linhtranphu are you also on webhostingpad?

  8. Closing this thread; the original poster @cwinkler78's issue was reasonably solved and it's best to start a new thread to address possible issues with webhostingpad itself and not argue about who fixed/didn't fix what.

    @shay said:

    It could be WordPress core or one of the plugins we use, I don't think it's related to webhostingpad but only time will tell.

    It's much, much more likely to be hosting or a plugin rather than WP core.