
[Answered] Hacked Site


washuu


Hi,

I'm quite new at HelioHost; I created my account a few weeks ago. I created my first website, based on the latest WordPress 3.4.2, without any additional plugins. I added just a few test themes, added some notes, and I hadn't published the website's address anywhere yet.

Yesterday (22nd of Nov, at 19:26 to be precise), my main index.php was deleted and replaced by an index.html containing some Turkish video on YT and the words "Rea_pErz Was Here". The hacker also added a WordPress theme "This Is Rea_pErz's Shell", written in PHP (of course, I downloaded the files and deleted them from the account immediately after). Now I'm starting to reinstall WordPress and the database, change passwords, check all my computers for trojans and viruses, etc.

I found that there was such a case on HelioHost before; see http://www.helionet.org/index/topic/12493-wordpress-blog-hacked-by-rea-perz/

I have several thoughts on that:

- I know that website stats are disabled, but can I access some Apache logs? Perhaps I could find out how someone managed to hack my website?

- My password was of medium strength, but it wasn't a dictionary word. I guess that the hacker managed to enter the site by some SQL injection rather than by password guessing.

- How can I protect myself against such attacks, apart from not using plugins in WP, having strong passwords and making backups?

- I wonder how the attacker got the address of my website. It was a parked domain, made from SeveralConcatenatedPolishWords.pl, so there is a very small chance someone just guessed the name.

- I tried to use the user_logs FTP account to see if I can access some logs, but the server dropped the connection with the message "home directory not found". I also see that /var on stevie is 99% full.

- I know I have an unpaid account, but can I make a support request out of this? Such cases can affect more people than me: the hacks could be because of my misconfiguration, but also because of some features of HelioHost.

I'm not blaming anyone; I'm just thinking what to do next.


- I know I have unpaid account, but can I make support request out of this?

We don't even offer paid accounts. Everybody here has a free account, so yes. :)

WordPress seems to have quite an issue with being hacked. What you said is a good start: frequent backups, avoid random plugins, use long passwords. Also, keeping it updated is essential. WP's website has a few anti-hack plugins listed, but I'm not sure how well (or even if) they work.

- I wonder, how the attacker got address of my website - it was parked domain, made from SeveralConcatenatedPolishWords.pl - there is very small chance someone just guessed the name.

If you're not on search engines yet, the WHOIS database is a good possibility. Since you have your own domain, you're probably listed in there. I know that WHOIS is often scoured by bots that harvest emails and URLs for hackers, spammers, etc. to abuse.

- I know that website stats are disabled, but can I access some apache logs?

An admin will have to advise on this one, but I don't believe HH offers access to these.


Hi again,

I played around today with the hacking scripts collected from my defaced site. In one of them I found references to a site with a database of hacked sites, where hackers can compare their "performance" with others.

This database allows sorting/filtering by hacked IP, so I filtered it by a HelioHost IP... and guess what? 59 hacked sites from one HelioHost server during the last two years, and five sites in the last two days.

See for yourself:

http://www.zone-h.org/archive/ip=216.218.192.170

The same stats apply to Johnny and the rest of the HH servers.

Also, this database shows that every minute some sites in the world are being hacked right now. It's scary...


Also, this database shows that every minute some sites in the world are being hacked right now. It's scary...

If you ever thought otherwise, now you know. Also I'd like to mention that themes are just as common as attack vectors as plugins; in fact it's "easier" because you can create a popular theme with a trojan hidden as a part of the package. Then it's like fishing: hang the bait and check what you catch every now and then.

59 hacked sites from one heliohost server during last two years, and five sites in the last two days.

This actually makes me feel relatively safe. Considering the sheer volume of accounts on HelioHost, and that most hacks use plugins/themes/add-ons as attack vectors, it means the service itself is highly secure. If someone installs an Angry Birds theme or something thinking it looks cool, then in retrospect learns one of the files contains malware, there's really nothing we can do to prevent that, as we give users free rein over their accounts. All we can urge is that you keep regular backups and check them, that you be smart shoppers when looking for script add-ons, and that you scan files before installing them on a live site.


The other thing to mention is that probably 90% of the "malware" that we've found since we began scanning user files a week or so ago has been the exact thing described above: hidden back doors in themes that would give hackers free rein to change files or gain control of the account.

When we find a known back door like that, the account is suspended to protect the data from attackers, and it notifies the account owner that something is wrong. Then we give the account owner 24 hours to get their account fixed on their own, and if they fail to get it fixed themselves we even delete those back doors that let hackers in, for the (possibly) clueless account owner.

It can be slightly annoying for an account to suddenly get suspended like that, but hopefully it will help reduce the number of hacked accounts and lost data, since if an account is suspended it locks out the hackers as well as everyone else, and then when the owner is ready to clean things up they can do so.

It might actually be useful to monitor that database, and if we see one of our IPs get hacked we can suspend those accounts too until the owner can take care of it. Interesting find anyway.

