Support » Fixing WordPress » Website repeatedly hacked

  • Resolved cwinkler78

    (@cwinkler78)


    Hi all. I’m hoping maybe someone can help me out with this. I’ve been banging my head My website has been hacked several times in the past week. Last week, it was taken down by:

    +ADw-/title+AD4-Hacker By Hacker alajman +ACo-//+ACop2+AEA-hotmail.com +ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    This week it is:

    +ADw-/title+AD4APA-META http-equiv+AD0AIg-refresh+ACI content+AD0AIg-0+ADs-URL+AD0 http://184.170.132.78:8799/Sw8CNYKqVu+ACIAPgA8-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    They keep inserting a script with document.documentElement.innerHTML = unescape into my WordPress menus. (I have the full code if you need to see it) I have removed the script and gotten the site working again, only to have the problem reappear a few hours later. I have reset all of my passwords, completely deleted and reinstalled WordPress, upgraded my WordPress version, and installed a security plugin (Better WP Security) to close any gaps. But no matter what I do, this latest hack just keeps happening.

    I’m wondering if perhaps its something on my host (webhostingpad.com)? If you Google the title they’ve been inserting there seem to be a large number of sites effected.

    Anyone have any experience fixing this? Tips, tricks, advice.. anything would be appreciated.

Viewing 7 replies - 31 through 37 (of 37 total)
  • @shay

    Thanks – told my security guy what you said and he definitely believes it’s a webhostingpad.com issue. Don’t know if you’ve talked to them but they keep suggesting that I am reloading bad content onto my site. Very annoying! If I can get my security guy to provide some proof – maybe we can provide a united front?

    Easy there, Hack Repair Guy. I don’t take payment until the job is finished.

    Everyone: I think the hackers have access to the database server(s) at webhostingpad. I did a Google search for the site title that the hacker keeps putting in. There are quite a few results:

    https://www.google.com/search?q=%2BADw-%2Ftitle%2BAD4-Hacker+By+Hacker+alajman

    Then I started looking at the host where each hacked site resides. See a pattern?
    http://dns.robtex.com/sonsof.com.html#records
    http://dns.robtex.com/theshyam.com.html#records
    http://dns.robtex.com/shajey.com.html#records
    http://dns.robtex.com/socialwatchtower.com.html#records
    http://dns.robtex.com/stonegatemediaresearch.com.html#records

    There are plenty more that are hosted on 69.65.3.x. Some have other IPs; they may use CDNs like Cloudflare or maybe they’re hosted elsewhere and the hacker struck there too. But I see:

    – multiple independent sites, who are suffering an identical hack, hosted in the same place
    – the hack is occurring without any modified files
    – the hack is occurring without any illegitimate activity in the HTTP access logs or FTP logs

    Mass compromise of a host is something I’m very hesitant to consider, but in this case I think the evidence certainly points to it.

    @ cbouchard

    You mentioned that they were/are uploading malicious files into the upload directory. Are there logs showing that someone is still doing so? If they are, I can provide something that may help you.

    24 later and we’re still hack free, it seems like we’re safe now.
    It looks like the hacker/script is attacking via SQL injection, having the ability to read the tables prefix, change the site title and add a text node with simple html redirection.
    It could be WordPress core or one of the plugins we use, I don’t think it’s related to webhostingpad but only time will tell.

    @shay, i’m looking forward for ur last news. i have the same problem here

    @linhtranphu are you also on webhostingpad?

    Moderator Mark Ratledge

    (@songdogtech)

    Forum Moderator

    Closing this thread; the original poster @cwinkler78‘s issue was reasonably solved and it’s best to start a new thread to address possible issues with webhostingpad itself and not argue about who fixed/didn’t fix what.

    @shay said:

    It could be WordPress core or one of the plugins we use, I don’t think it’s related to webhostingpad but only time will tell.

    It’s much, much more likely to be hosting or a plugin rather than WP core.

Viewing 7 replies - 31 through 37 (of 37 total)
  • The topic ‘Website repeatedly hacked’ is closed to new replies.