Page 1 of 2
Results 1 to 15 of 23
  1. #1
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post

    Website being hacked?

    i have a small web site and my hosting provider keeps finding what they allege are malware infected files. typically when i get a warning email from them, i just delete the files in question and forget about it. but recently they deactivated my site because of too many infected files, and that was a PITA to deal with. of course they have some add-on packages and services they will sell me that will prevent this type of thing from happening.

    so my question is, how are these files getting on my web site and are there easy solutions i can implement myself? the web site is pretty much all static HTML except for two wordpress blogs. what exactly is being hacked that would allow these files to be created? i'm on a shared server, so how do i know it's my web site that is being hacked as opposed to the server itself?

    lee

  2. #2
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,492
    Thanks
    284
    Thanked 577 Times in 480 Posts
    Have you read this topic yet? It might be of some help to you.

  3. #3
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Do you keep your site up to date in terms of plugins and WordPress versions? It is probably all you need to do to keep it safe. If you do it and it still gets infected, then it's the host's fault.

    Anyway, probably the question that should be asked is: where are the infected files they claim to have found? Did they list the files for you?
    Rui
    -------
    R4

  4. #4
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote: Originally Posted by satrow
    Have you read this topic yet? It might be of some help to you.
    thanks for the reference -- unfortunately, i don't see much there that helps. the alleged malware files that are appearing show up in directories that are not even in the wordpress directory tree.

  5. #5
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote: Originally Posted by ruirib
    Do you keep your site up to date in terms of plugins and WordPress versions? It is probably all you need to do to keep it safe. If you do it and it still gets infected, then it's the host's fault.

    Anyway, probably the question that should be asked is: where are the infected files they claim to have found? Did they list the files for you?
    yes, generally update the wordpress stuff within a couple of days of the update becoming available. the last time this happened (today) all my wordpress stuff was up-to-date.

    typically the infected files are in their own directory -- couple of times the directory was named ".config". and within the directory would be a PHP file with what appears (to me at least) to be gibberish PHP code. and then there will typically be a PHP generated error_log file, where this PHP file apparently was executed and generated an immediate error.

  6. #6
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    So how does the host explain the files showing up, above the base folder for WordPress?
    Do you have any feature or plugin, somewhere in your websites, that accounts for file uploading? If a web server is patched up and properly maintained, files cannot show up out of nowhere?!
    Rui
    -------
    R4

  7. #7
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote: Originally Posted by ruirib
    So how does the host explain the files showing up, above the base folder for WordPress?
    Do you have any feature or plugin, somewhere in your websites, that accounts for file uploading? If a web server is patched up and properly maintained, files cannot show up out of nowhere?!
    i haven't really pressed the host on the whys and wherefores yet. was trying to educate myself a bit before challenging them on the issue.

    no file uploading anywhere. in fact, on both blogs, commenting is disabled.

    and with my limited knowledge of web servers, i was also under the impression that files cannot be uploaded out of nowhere. that said, i suppose they could have hacked my FTP user id and password somehow -- since the latest problem, i've changed that info. but if they had that info, i would think they would be doing a lot more than uploading buggy PHP files.

  8. #8
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Yeah, with no file uploading plugins, with updated code, with no dodgy WordPress plugins, you should be safe. Of course, they could have indeed hacked your FTP info. If you changed it, and none of the mentioned situations is present, you should ask the host why they say it's your site to blame for the situation.
    Rui
    -------
    R4

  9. #9
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    question -- as a shared web site, i don't have access to any FTP logs (at least that i'm aware of). but would the host server itself have FTP logging info? is there any way that i could tell if my FTP user info had been hacked? i'm the only FTP user, so if there were logging info available i could tell by the IP address of the FTP client whether it was me or not.

  10. #10
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,191
    Thanks
    48
    Thanked 986 Times in 916 Posts
    What permissions are on the .config directory? Try restricting write access for a while.

    cheers, Paul
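
A check that fits the symptoms described in this thread, as an added example that is not part of any post: on a site that is static HTML plus WordPress blogs, any PHP file outside the WordPress trees is unexpected, so the script lists each one and records whether it sits in a hidden directory such as `.config`, whether an `error_log` lies beside it, and whether its directory is group- or world-writable. The function names, the assumption that each blog lives in a subdirectory containing `wp-includes` or `wp-config.php`, and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def is_wordpress_root(d: Path) -> bool:
    return (d / "wp-includes").is_dir() or (d / "wp-config.php").is_file()

def scan_webroot(webroot):
    """List PHP files outside WordPress trees, with context for each one."""
    webroot = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        d = Path(dirpath)
        if is_wordpress_root(d):
            dirnames[:] = []  # WordPress legitimately contains PHP; skip its tree
            continue
        rel = d.relative_to(webroot)
        mode = stat.S_IMODE(d.stat().st_mode)
        for name in sorted(filenames):
            if not name.lower().endswith((".php", ".phtml")):
                continue
            mtime = (d / name).stat().st_mtime
            findings.append({
                "path": (rel / name).as_posix(),
                "hidden_dir": any(p.startswith(".") for p in rel.parts),
                "error_log_beside": "error_log" in filenames,
                "dir_group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
                "modified_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a constructed sample tree (not real site data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html></html>")
        (root / "blog" / "wp-includes").mkdir(parents=True)
        (root / "blog" / "index.php").write_text("<?php // WordPress front controller")
        (root / "images" / ".config").mkdir(parents=True)
        (root / "images" / ".config" / "x.php").write_text("<?php /* constructed */")
        (root / "images" / ".config" / "error_log").write_text("PHP error (constructed)")
        os.chmod(root / "images" / ".config", 0o777)
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The `modified_utc` value of each finding gives the host a timestamp to look up in whatever FTP or web server logs they keep.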

  11. #11
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Quote: Originally Posted by lhite
    question -- as a shared web site, i don't have access to any FTP logs (at least that i'm aware of). but would the host server itself have FTP logging info? is there any way that i could tell if my FTP user info had been hacked? i'm the only FTP user, so if there were logging info available i could tell by the IP address of the FTP client whether it was me or not.
    With the host blaming you for the situation, it should be expected that they would keep FTP logs.
    Rui
    -------
    R4

  12. #12
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote: Originally Posted by Paul T
    What permissions are on the .config directory? Try restricting write access for a while.
    i just deleted it.

  13. #13
    Lounger
    Join Date
    Jan 2010
    Posts
    49
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote: Originally Posted by ruirib
    With the host blaming you for the situation, it should be expected that they would keep FTP logs.
    thanks -- i'm going to talk to them today to find out exactly why they are holding me accountable here.

  14. #14
    New Lounger
    Join Date
    Oct 2010
    Location
    Cambridge, UK
    Posts
    17
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Some hosts have had similar issues with FTP being broken or just plain inherently insecure. Perhaps ask them to enable sFTP and disable FTP or ask them to disable FTP unless you've selected to open it for a period. My hosts do that. I need to login to their control panel and unlock FTP whereupon it remains unlocked for 24 hours and then is automatically disabled afterwards.

  15. #15
    New Lounger
    Join Date
    Mar 2014
    Posts
    16
    Thanks
    1
    Thanked 0 Times in 0 Posts
    If you have changed your password to a very strong password and this continues to happen then the host is at fault. You are almost certainly on a shared server. Someone has gained access to the entire server. Request that your account be moved to a different server (this will not affect your site) or take your business elsewhere.
