My hostgator sites were hacked

22 replies
  • SEO
  • |
I was horrified to find my hostgator sites were hacked today. Someone managed to hack my server, and insert a malicious iframe code at the bottom of each html page, on every single website on my shared hosting account (which allows addon domains). I was just wondering, is this a hostgator security issue? Or do you think the hacker got into my server via Wordpress, and was able to hack the html after that? Is that possible?

Also, do you think its worth moving to another host, possibly liquidweb? I hear they have much better security and hosting practices than hostgator. Any advice would be appreciated. Thanks.
#hacked #hostgator #sites
  • Profile picture of the author online only
    Contact with the Hostgator support ASAP.
    They will most likely fix this issue within minutes.

    I think it's more because of your themes and plugins (that might be outdated). Make sure you delete every single theme and plugin that you no longer use. And don't download paid themes from free sources.
    {{ DiscussionBoard.errors[8102680].message }}
  • Profile picture of the author boosters
    Only you can't blame hostgator. Viruses in the computer can even inject the code in your servers. One of my collegue site also hacked when they not used or scanning their system. Make sure to change the password in every 7 days. Ask hostgator and they will remove the code.
    {{ DiscussionBoard.errors[8102814].message }}
    • Profile picture of the author webby0031
      Originally Posted by boosters View Post

      Only you can't blame hostgator. Viruses in the computer can even inject the code in your servers. One of my collegue site also hacked when they not used or scanning their system. Make sure to change the password in every 7 days. Ask hostgator and they will remove the code.
      Thats not hostgator Newb, wordpress plugin
      {{ DiscussionBoard.errors[8103052].message }}
      • Profile picture of the author palms
        You are actually very lucky you're hosted on HostGator...they are EXCELLENT at virus removal.

        This is what sometimes happens... (and it happened to me)

        1.) A trojan gets in your LOCAL machine.

        2.) This trojan scraps your FTP client for login userID/password info and sends it to the mothership.

        3.) The mothership uses the scraped login info to upload a base64-encoded iframe to certain pages of all your WP sites that are listed in your FTP client, usually to the index.php page.

        The reason this virus is so insidious is that webmasters try to attack the problem by first removing the javascript from the WP sites, but this will only fix the problem temporarily because the WP sites keep getting re-infected. Remember, the mothership has your FTP login info.

        The REAL problem is on your LOCAL machine. Clean the LOCAL machine first, then change all passwords to your WP sites. THEN remove the iframe javascript from the WP sites.

        Five of my WP sites were hit with this last year. (Note to self: On brand new Win7-64 machines, make sure NIS is set to scan incoming Thunderbird emails)

        I found the long base64 javascript at the bottom of each page on my WP sites within a few minutes of the infection, but I wasn't sure what I was looking at. (The high-end theme I use had a previous problem where the developers where testing the output of the theme's settings for troubleshooting purposes in base-64 also at the bottom of each page, so I initially thought that was happening again.)

        I called the guys at Hostgator and they were on it in no-time flat. They cleaned all the iframes off of all 5 sites, and gave me a tutorial on how the virus worked. They even included a clip of my FTP logs to show me exactly when the mothership ftp'd in the infections to each site.

        After HG cleaned the sites I made sure my local machine was clean then immediately changed all my passwords and every thing was back to normal again, EXCEPT Google had spidered my main site while all this was going on and marked it as "This page may be harmful to your computer."

        The whole episode from infection to Google removing the warning was over in 26 hours, thanks in no small part to HostGator.
        {{ DiscussionBoard.errors[8103119].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by boosters View Post

      Only you can't blame hostgator. Viruses in the computer can even inject the code in your servers. One of my collegue site also hacked when they not used or scanning their system. Make sure to change the password in every 7 days. Ask hostgator and they will remove the code.
      There is no reason to change your password ever if you use a strong one.

      My password is something like fi2R72&KlUhHa9 and no brute force attack could ever crack it online.

      Keep everything on your site up to date, and use a plugin or two to thwart an attack.

      I use Wordfence as a primary defense, it will look for outdated and dangerous code on your server, and stop most attacks.

      If you want to go farther add either Better WP Security or BulletProof Security
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[8103270].message }}
  • Profile picture of the author Oranges
    Do what "Palms" said.

    Check if your wordpress theme has timthumb script for image thumbnails. They usually deface wp sites through timthumb.php exploit or may be through a mysql injection.
    Signature

    {{ DiscussionBoard.errors[8103209].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by Oranges View Post

      Do what "Palms" said.

      Check if your wordpress theme has timthumb script for image thumbnails. They usually deface wp sites through timthumb.php exploit or may be through a mysql injection.
      Any current code has the timthumb code vulnerability patched.
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[8103280].message }}
  • Profile picture of the author G0nzalez
    Banned
    Contact the support, they are the best at resolving this kind of issues.
    {{ DiscussionBoard.errors[8103670].message }}
  • Profile picture of the author intellg
    I hope that hostgator staff can solve this issue even if you feel that your website Hacked from with bad malware then scan your website from online malware scanner such as Hacker Ninja. You can scan and remove infection free there.
    {{ DiscussionBoard.errors[8410332].message }}
  • Profile picture of the author munstersg01
    I was hacked a few times.

    I contacted Hostgator staffs and they were able to assist.

    For your information

    Danny
    {{ DiscussionBoard.errors[8410380].message }}
  • Profile picture of the author andishm
    No self promotion but if your website is hacked we have a good article on the same at
    Email id hack / website hack issue - Powered by Kayako Fusion Help Desk Software

    Which also includes major security steps which you shall take as well as Wordpress / Joomla hacking related issues to how to defend them.
    Signature
    Backup.Countryâ„¢ - Automated cloud backups for PC, Laptop & Servers
    Logon to https://backup.country/
    31% Off Coupon code: WORLDBACKUPDAY
    {{ DiscussionBoard.errors[8412821].message }}
  • Profile picture of the author Cobaki
    Michael,

    That's a lesson learned. The more painful the experience is, the greater chance of us remembering the lesson for a long time.

    Kidding aside, did you change your default WordPress accounts' username from "admin" or "administrator" to something else?

    I always install this LimitLogInAttempts plugin to my WordPress sites. I observed that most of those automated (or manual? I don't know) attempts to hack my sites use "admin" and "administrator" when they attempt to get into my sites. Just Google what this plugin can do for you. I'm not promoting it, by the way.
    {{ DiscussionBoard.errors[8413502].message }}
  • Profile picture of the author kpmedia
    WP could be the entry. Or its plugins. Or themes.
    Weak passwords
    Unprotected server with exploitable code.

    There's a number of potential ways that servers get hacked.
    {{ DiscussionBoard.errors[8416078].message }}
  • Profile picture of the author vishwa
    Yes! It might be a Hosgator issue Because They had recently migrated there servers. There are thousands of wordpress sites are hosted on Hostgator account But the hacking cases was very low.
    Signature
    WebInfopond- Blogging, Technology, and Digital Marketing
    {{ DiscussionBoard.errors[8416473].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by vishwa View Post

      Yes! It might be a Hosgator issue Because They had recently migrated there servers. There are thousands of wordpress sites are hosted on Hostgator account But the hacking cases was very low.
      The migration occurred during July/August. The OP's site was hacked AND fixed back in May.
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[8418479].message }}
  • Profile picture of the author yukon
    Banned
    Seriously folks, hackers don't like to work, they go after the easy links like free themes & free plugins. The free themes & free plugins are usually hacked before the webmaster downloads the files.

    Cracking passwords is work & I seriously doubt hacked passwords is a big problem for anyone that has created a unique password.
    Signature
    Hi
    {{ DiscussionBoard.errors[8419359].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by yukon View Post

      Seriously folks, hackers don't like to work, they go after the easy links like free themes & free plugins. The free themes & free plugins are usually hacked before the webmaster downloads the files.

      Cracking passwords is work & I seriously doubt hacked passwords is a big problem for anyone that has created a unique password.
      I have never seen or heard of a hacked site that was attributed to a vulnerability specific to a free theme or plugin hosted on WordPress.org.

      Plugins or themes from other sites or especially pirated/nulled plugins or themes are not vetted and can and often contain malware.


      And BEFORE the webmaster downloaded it? Impossible!!! (see the edited comment in green above)

      Can you cite an occasion or credible report?
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[8419660].message }}
      • Profile picture of the author kpmedia
        Originally Posted by RobinInTexas View Post

        I have never seen or heard of a hacked site that was attributed to a vulnerability specific to a free theme or plugin.
        And BEFORE the webmaster downloaded it? Impossible!!!
        Can you cite an occasion or credible report?
        Use Google. You'll get thousands of results. Most "nulled" themes are completely full of crap like this. The plugins are usually just poorly programmed. I've found several weak ones over the years, and re-released them myself pre-patched (and later the original ones WAS exploited).

        Even the ones on WordPress.org are NOT immune. It's happened many times.
        {{ DiscussionBoard.errors[8419689].message }}
  • Profile picture of the author chawk
    make sure the hack is just on your site. I've seen this issue where links are being displayed due to malicious code on your browser. I about shit my pants when this happened to me, but luckily this was all it was.
    {{ DiscussionBoard.errors[8419779].message }}

Trending Topics