• Website being hacked?

    #501294

    i have a small web site and my hosting provider keeps finding what they allege are malware infected files. typically when i get a warning email from them, i just delete the files in question and forget about it. but recently they deactivated my site because of too many infected files, and that was a pain to deal with. of course they have some add-on packages and services they will sell me that will prevent this type of thing from happening.

    so my question is, how are these files getting on my web site and are there easy solutions i can implement myself? the web site is pretty much all static HTML except for two wordpress blogs. what exactly is being hacked that would allow these files to be created? i’m on a shared server, so how do i know it’s my web site that is being hacked as opposed to the server itself?

    lee

    • #1519288

      Have you read this topic yet? It might be of some help to you.

      • #1519306

        Have you read this topic yet? It might be of some help to you.

        thanks for the reference — unfortunately, i don’t see much there that helps. the alleged malware files that are appearing show up in directories that are not even in the wordpress directory tree.

      • #1528214

        Have you read this topic yet? It might be of some help to you.

        Hi Satrow, just to let you know I saw this thread title and came in to see if I could help out…only to see you’d already linked poster to my issue. Hope it helped!

        Linda

    • #1519302

      Do you keep your site up to date in terms of plugins and WordPress versions? It is probably all you need to do to keep it safe. If you do it and it still gets infected, then it’s the host’s fault.

      Anyway, probably the question that should be asked is: where are the infected files they claim to have found? Did they list the files for you?

      • #1519308

        Do you keep your site up to date in terms of plugins and WordPress versions? It is probably all you need to do to keep it safe. If you do it and it still gets infected, then it’s the host’s fault.

        Anyway, probably the question that should be asked is: where are the infected files they claim to have found? Did they list the files for you?

        yes, generally update the wordpress stuff within a couple of days of the update becoming available. the last time this happened (today) all my wordpress stuff was up-to-date.

        typically the infected files are in their own directory — couple of times the directory was named “.config”. and within the directory would be a PHP file with what appears (to me at least) to be gibberish PHP code. and then there will typically be a PHP generated error_log file, where this PHP file apparently was executed and generated an immediate error.
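A sweep for the pattern described in the post above (a PHP file in a dot-directory outside the WordPress trees, with an error_log beside it), as an added example that is not part of the original thread. The obfuscation markers, the `blog` directory name and the sample tree are assumptions constructed for illustration.

```python
import os
import re

# Heuristic markers common in obfuscated PHP: an assumption of this example,
# not a signature list from the thread or from the host.
MARKERS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(")
LONG_LINE = 1000  # bytes; one very long line suggests packed code


def scan(docroot, wp_dirs=()):
    """Map relative path -> reasons for PHP files outside the WordPress trees."""
    skip = {os.path.normpath(d) for d in wp_dirs}
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        # WordPress trees hold legitimate PHP; compare those against core
        # checksums instead (what Wordfence does) and prune them here.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel, d)) not in skip]
        hidden = any(p.startswith(".") for p in rel.split(os.sep) if p != ".")
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            reasons = ["php-outside-wordpress"]
            if hidden:
                reasons.append("hidden-directory")
            if "error_log" in filenames:
                reasons.append("error_log-beside-script")
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            if MARKERS.search(data):
                reasons.append("obfuscation-marker")
            if any(len(line) > LONG_LINE for line in data.splitlines()):
                reasons.append("very-long-line")
            findings[os.path.normpath(os.path.join(rel, name))] = reasons
    return findings


def build_sample(root):
    """Constructed tree: static page, one blog, one dropped script."""
    files = {"index.html": b"<html></html>",
             "blog/wp-login.php": b"<?php // core file\n",
             ".config/x.php": b"<?php eval(base64_decode('QQ==')); ?>",
             ".config/error_log": b"PHP Parse error (constructed)\n"}
    for path, body in files.items():
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
```

On a mostly static site, any PHP file outside the blog directories is worth a manual look; recording each hit's modification time before deleting it gives a timestamp to match against the host's logs.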

    • #1519311

      So how does the host explain the files showing up, above the base folder for WordPress?
      Do you have any feature or plugin, somewhere in your websites, that accounts for file uploading? If a web server is patched up and properly maintained, files cannot show up out of nowhere?!

      • #1519312

        So how does the host explain the files showing up, above the base folder for WordPress?
        Do you have any feature or plugin, somewhere in your websites, that accounts for file uploading? If a web server is patched up and properly maintained, files cannot show up out of nowhere?!

        i haven’t really pressed the host on the why’s and wherefore’s yet. was trying to educate myself a bit before challenging them on the issue.

        no file uploading anywhere. in fact, on both blogs, commenting is disabled.

        and with my limited knowledge of web servers, i was also under the impression that files cannot be uploaded out of nowhere. that said, i suppose they could have hacked my FTP user id and password somehow — since the latest problem, i’ve changed that info. but if they had that info, i would think they would be doing a lot more than uploading buggy PHP files.

    • #1519314

      Yeah, with no file uploading plugins, with updated code, with no dodgy WordPress plugins, you should be safe. Of course, they could have indeed hacked your FTP info. If you changed it, and none of the mentioned situations is present, you should ask the host why they say it’s your site to blame for the situation.

      • #1519318

        question — as a shared web site, i don’t have access to any FTP logs (at least that i’m aware of). but would the host server itself have FTP logging info? is there any way that i could tell if my FTP user info had been hacked? i’m the only FTP user, so if there were logging info available i could tell by the IP address of the FTP client whether it was me or not.

        • #1519331

          question — as a shared web site, i don’t have access to any FTP logs (at least that i’m aware of). but would the host server itself have FTP logging info? is there any way that i could tell if my FTP user info had been hacked? i’m the only FTP user, so if there were logging info available i could tell by the IP address of the FTP client whether it was me or not.

          With the host blaming you for the situation, it should be expected that they would keep FTP logs.
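The IP check discussed in the posts above, run over an FTP transfer log, as an added example that is not part of the original thread. It assumes the host logs in the common xferlog layout; the log lines, addresses, paths and the `lee` account name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the common xferlog layout (wu-ftpd, ProFTPD, vsftpd with
# xferlog_std_format); addresses are documentation ranges, paths are made up.
SAMPLE_LOG = """\
Mon Mar  2 09:14:03 2015 1 198.51.100.20 5120 /home/lee/public_html/index.html a _ i r lee ftp 0 * c
Thu Mar  5 03:41:55 2015 1 203.0.113.77 812 /home/lee/public_html/.config/x.php b _ i r lee ftp 0 * c
Thu Mar  5 03:42:10 2015 2 203.0.113.77 20480 /home/lee/public_html/index.html a _ o r lee ftp 0 * c
"""


def parse_xferlog(line):
    """Split one xferlog line; the filename may contain spaces, so index from both ends."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + time, host, size, filename + 9 trailing fields
        return None
    return {"when": " ".join(tok[0:5]), "host": tok[6],
            "path": " ".join(tok[8:-9]), "direction": tok[-7],
            "user": tok[-5], "status": tok[-1]}


def unknown_uploads(log_text, user, known_hosts):
    """Group completed uploads by `user` that came from hosts not in `known_hosts`."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if not rec or rec["user"] != user:
            continue
        # direction "i" is an upload to the server, status "c" a completed transfer
        if rec["direction"] == "i" and rec["status"] == "c" and rec["host"] not in known_hosts:
            by_host[rec["host"]].append((rec["when"], rec["path"]))
    return dict(by_host)


if __name__ == "__main__":
    # 198.51.100.20 stands in for the account owner's own address.
    for host, uploads in unknown_uploads(SAMPLE_LOG, "lee", {"198.51.100.20"}).items():
        for when, path in uploads:
            print(host, when, path)
```

An empty result for the period in which the files appeared points away from stolen FTP credentials and toward a web-application or server-level write.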

          • #1519371

            With the host blaming you for the situation, it should be expected that they would keep FTP logs.

            thanks — i’m going to talk to them today to find out exactly why they are holding me accountable here.

            • #1519874

              Some hosts have had similar issues with FTP being broken or just plain inherently insecure. Perhaps ask them to enable sFTP and disable FTP, or ask them to disable FTP unless you’ve selected to open it for a period. My hosts do that. I need to login to their control panel and unlock FTP whereupon it remains unlocked for 24 hours and then is automatically disabled afterwards.

    • #1519329

      What permissions are on the .config directory? Try restricting write access for a while.

      cheers, Paul

      • #1519370

        What permissions are on the .config directory? Try restricting write access for a while.

        i just deleted it.

    • #1519887

      If you have changed your password to a very strong password and this continues to happen then the host is at fault. You are almost certainly on a shared server. Someone has gained access to the entire server. Request that your account be moved to a different server (this will not affect your site) or take your business elsewhere.

      • #1519989

        For a WordPress site, I recommend you install the Wordfence plugin. It is a security plugin that blocks and records failed logins, checks every file against the WordPress posted versions to see if anything has changed, and more. It is free, or there is a premium option. I don’t know that it will find files outside the WordPress directories, but there might be a setting. It has saved me many times since I was hacked once earlier. If Wordfence does not notice something, I would say it would have to be a cracked FTP or a problem with the host’s security.

        • #1520471

          For a WordPress site, I recommend you install the Wordfence plugin. It is a security plugin that blocks and records failed logins, checks every file against the WordPress posted versions to see if anything has changed, and more. It is free, or there is a premium option. I don’t know that it will find files outside the WordPress directories, but there might be a setting. It has saved me many times since I was hacked once earlier. If Wordfence does not notice something, I would say it would have to be a cracked FTP or a problem with the host’s security.

          interesting — definitely will take a look at it. thanks!

    • #1520410

      to wrap this one up, i contacted the host company and they skirted around the issue of whether the hack was at the server level (their responsibility) or at the web site level (my responsibility). if it was an FTP hack, i’m guessing they have log files that would shed some light, but they aren’t willing to share those. and if it was some other type of attack, then i suspect it would be much harder to figure out where it occurred. all i know is that i had a strong password on my FTP account, and the only scripts that could have been compromised are WordPress, and all of those were up-to-date. so i find it very hard to believe that the hack occurred at the level of my web site.

      the only real inconvenience of having the site disabled for a couple of hours was the loss of email. so this got me to thinking that i should really have the email and web site at two different hosts. it’s just a matter of configuring the DNS records so that the mail goes to one IP address and everything else to the other IP address. that way if this happens again, my mail won’t be disrupted plus i’ll be in a position to easily move the entire operation to the second host and cancel my account with my current host.

      sounds easy enough on paper anyway.

    • #1520422

      I have my email hosted at Google, not my website host. All you need to do is set the MX records in the DNS. It was very straightforward to do. Google has detailed instructions for how to route email to their mail servers, and any other email host should also.

      • #1520473

        I have my email hosted at Google, not my website host. All you need to do is set the MX records in the DNS. It was very straightforward to do. Google has detailed instructions for how to route email to their mail servers, and any other email host should also.

        but doesn’t Google charge $5/mo/user? i’ve got 20+ email addresses — that’s way out of my league! i can get an entire web site with unlimited email accts for $5/mo.

        • #1520496

          I signed up for Google Apps when you could get a certain number of free email accounts, and I am grandfathered under that policy. I don’t have that many emails, so it works for me. However, email and web hosting are commodities, so there are many options. I would be careful, however, about the very low end providers with many sharing a server. The support is usually limited, and I have had issues on a website that is so slow that sometimes I cannot update a page in WordPress and my backup plugin times out before completing. Not to mention that site was hacked once, and I still don’t know how they got in. I switched to a mid-level provider, about $15 a month before promotions, and I have gotten much better performance and support. I would probably use their email if I exceed the Google free accounts.

          • #1520505

            I would be careful, however, about the very low end providers with many sharing a server. The support is usually limited, and I have had issues on a website that is so slow that sometimes I cannot update a page in WordPress and my backup plugin times out before completing.

            i hear what you’re saying, but i’ve never had performance problems at any of the “big” providers, most of whom charge roughly $5/mo for basic services. now support is a whole other issue — i’ve never gotten what i would call “good” support from any provider, regardless of how much i paid.
