Hacked Big Time, Can't Figure Out How

I had several dozen sites hacked over the last couple of days.

They injected js scripts and called addonrock.ru on every index page and alienradar.ru on every js page.

It infected WordPress sites and FrontPage sites and the sites had nothing in common. It didn't attack every site, or it just hasn't yet.

I searched the internet and it looks like a pretty widespread attack.

Anyone know how it is getting in? I'm wondering if I should delete my sites and build them over again or just remove all the js calls.

I'm using a HostGator reseller account.

Thanks,

Dennis Graves
  • Michael Mayo
    Dennis, You might find Google's info on the subject useful.
    Google Safe Browsing diagnostic page for addonrock.ru

    Also you should contact HostGator if you haven't already done so. They may be able to isolate and repair your sites from within their Hosts.

    Good Luck. If I find more info I'll send it to you.

    Have a Great Day!
    Michael
    • snapcontent
      Originally Posted by Michael Mayo:

      Dennis, You might find Google's info on the subject useful.
      Google Safe Browsing diagnostic page for addonrock.ru

      Also you should contact HostGator if you haven't already done so. They may be able to isolate and repair your sites from within their Hosts.

      Good Luck. If I find more info I'll send it to you.

      Have a Great Day!
      Michael
      I'm surprised Hostgator fell for it. Aren't they usually pretty good at keeping up to scratch?
      • rts2271
        Kev hit it I think. We're seeing a lot of probing for that exploit. I had my staff stay late as soon as the patch was out 2 nights ago and patch all of our servers.

        Originally Posted by snapcontent:

        I'm surprised Hostgator fell for it. Aren't they usually pretty good at keeping up to scratch?
        No, they aren't.
    • tpw
      Originally Posted by Michael Mayo:

      Also you should contact HostGator if you haven't already done so. They may be able to isolate and repair your sites from within their Hosts.

      For sure...

      They may be able to investigate and figure out HOW you were hit...

      But more importantly, they will have backups of your websites from before the hack, and they will be able to restore your account to the previous settings...

      It may be a backdoor in an older version of WordPress that allowed them to access your entire root directory... I think I had seen a mention of such a thing about six months ago...

      When you go live again, upgrade all of your blogs to the most up-to-date WordPress install... Then upgrade all of your plugins...

      I cannot imagine that FrontPage is the problem, unless you are hosted on a Windows Server... And I still find that hard to believe, although I know that a Unix/Linux server is generally safer than a Microsoft server...

      Also upon restoration of your websites, change all of your domain cpanel passwords and your root level password...

      HTH
  • ~kev~
    It might be related to the recent exploit found in 64-linux operating system. The exploit was found over the weekend, and servers have been hacked right and left for the past several days.

    Details about the exploit - http://www.zdnet.co.uk/news/security...177/?s_cid=116

    Check with your hosting provider and make sure all of your servers have been patched.
  • tecHead
    ... by default; (and most hosts don't change the defaults); your SSH port is set to 22. That's what it's set to for a good percentage of hosts on the net.

    If you're on a shared server; might take a little persuading to get the provider to change the port... but, on a VPS or dedicated you can have them change it immediately.

    Change it to some ambiguous port; that's how I have mine set. I see hack attempts all the time and always thank the Gods for my host.

    Changing the SSH port and having your host throw up a firewall around your server will save you from many many headaches. Hackers on that level don't like to work too hard.

    HTH
    PLP,
    tecHead
  • David Allen
    I had this problem a while back on several sites - it's very annoying and time consuming fixing them (take regular back-ups of files and databases!!). Turns out a PC I was using had a virus that was reading my ftp client site settings, logging in and infecting files, hundreds of them within a few seconds.

    What's worse though is when you don't realize until someone emails you to tell you Google is saying they will catch a nasty virus if they visit your site - that's like the Online Plague.

    Two things have changed now which have prevented this (other than a better anti-virus). My hosting company now locks FTP as standard, to use it I have to log in to a site's Control Panel and turn FTP on - I can set it for an hour, 2 hours, a day etc and it's a very good security feature.

    I also use John Sikora's Site Warder - Site Warder - Website File Monitoring Script - this little script emails you if any changes have been made to files on your site. Prior to the FTP lock system it notified me 3 times in one day on 2 sites and was correct every time. One site I had just restored was hacked again within 4 hours!!

    Hope this helps for the future but I sympathise with you for now.

    David
  • cjseven
    Hi!

    This seems to be an FTP attack. I had it some months ago.

    It should be a trojan in your computer that connects to your hosting with your own username / password (FileZilla, for example).

    Scan your PC for viruses / trojans and change all your passwords. Otherwise you could be hacked again if the remote intruder decides to reactivate that trojan.

    Good luck!
  • Peter.J
    Download Spybot - Search and Destroy, it's free software that scans your computer for malware, spyware etc....also agree sounds like an FTP attack. Change your passwords, access details the works and do a full system scan for any nasty trojans still lurking around.
  • Craig McPherson
    It is an FTP issue.

    Do not use FTP to upload pages. They get your password from the ftp you use and get in that way.

    Start by logging into Hostgator and change your password.
  • TPFLegionaire
    I found this neat plugin for WordPress that will monitor your site:

    WordPress File Monitor – Matt Walters

    it's free as well...hope this helps.
  • ileneg
    I too had my sites hacked a while back (not on Hostgator) and believe they came through via FTP...a shared hosting account.

    ileneg
  • sbucciarel
    Found this via Google:

    Scripts from addonrock.ru and alienradar.ru get inserted via FTP.

    Some Windows malware picks up the FTP login info from Filezilla and other common FTP clients.

    So basically:

    1) Clean your client machine.
    2) Change all passwords on server.
    3) Replace all infected files. If you don't have access to a log, just replace all of them.
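
Added example, not part of the original posts: a Python sketch of the file-change check David Allen describes above and of step 3 in this post. It compares the live web root with a known-clean backup by SHA-256 and flags changed files that mention the two domains named in the thread; the function names, the backup/live directory layout and the sample page are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Domains named in this thread; add other indicator strings as needed.
INJECTED_DOMAINS = (b"addonrock.ru", b"alienradar.ru")

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def references_injected_domain(path):
    """True if the file contains one of the listed domains (case-insensitive)."""
    with open(path, "rb") as fh:
        data = fh.read().lower()
    return any(domain in data for domain in INJECTED_DOMAINS)

def compare_to_backup(backup_root, live_root):
    """Diff the live web root against a known-clean copy (hypothetical layout).

    "flagged" lists added or modified files that mention a listed domain.
    Changed files without a match still need review before they are trusted.
    """
    clean, live = snapshot(backup_root), snapshot(live_root)
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    flagged = sorted(p for p in added + modified
                     if references_injected_domain(os.path.join(live_root, p)))
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}

if __name__ == "__main__":
    # Constructed sample: a clean backup and a live copy with one altered page.
    pages = {"backup": b"<html>ok</html>",
             "live": b"<html>ok</html><script src='//addonrock.ru/x.js'></script>"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in pages.items():
            os.makedirs(os.path.join(tmp, name))
            with open(os.path.join(tmp, name, "index.html"), "wb") as fh:
                fh.write(body)
        print(compare_to_backup(os.path.join(tmp, "backup"), os.path.join(tmp, "live")))
```

Keep the clean copy somewhere the FTP account cannot write, otherwise a stolen login can alter both sides of the comparison.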
    • Jack Bastide
      UGH I had the Same thing Happen

      All my PHP Files Were Infected

      I had to Restore from Backup

      I'm on Hostmonster by the way

      Jack
      • Aussie_Al
        A couple of my sites were hacked a few months back - Hostgator did a great job of removing all the malware

        I have to say Google blocked one of my sites and after I contacted them they had it un-blocked in less than 24 hrs
  • AceOfShirts
    HostGator confirms that it came from my computer.

    I remember about 2 weeks ago I was searching for an artist for a new line of shirts on deviantart.com and my computer picked up the virus and really did a number on my machine. I never clicked on anything and didn't let the ActiveX controller download. I just remember a JavaScript program launch on screen and the rest is history. It took my local computer repair shop about 4 days to clean everything up.

    What really sucks is I don't feel like I did anything wrong. I didn't download anything, click on a bad/stupid link or visit some "questionable" site.

    Oh well, just have to keep moving forward,

    Dennis
  • Caleb Spilchen
    Dennis,

    If you want to know what happened... I'm going to have to tell you the story..

    I'm pretty sure you had the exact same as me, since you have confirmed it came from your computer.. So let me explain..

    A friend of mine's site got hacked, he had a forum. I decided to go into the vBulletin Admin area, and attempt to fix it. Only to find out, later; that I had downloaded a ton of viruses in that time.

    Then, I left for a couple hours, with my computer on... When I came home, my sites had all been hacked by Russian websites.

    Guess what? The only sites that got hacked, were the ones that had saved information in programs like FileZilla for FTP Connection..

    And then guess what? On top of having to hire a guy to repair all the sites/viruses on my server, my computer was completely fried from it..

    I had to reformat, and lose 2-3 months of Internet Marketing work in one day.. I've never seen any of those products again...

    But, hey this was a couple months ago, it's sad to see this bug still going around.

    Lesson Learned? Don't use windows defender.

    Caleb