• Hello!
    I’ve noticed that my site was completely mirrored on another domain. The second I publish a post, it appears on the other domain. Moreover, I can log in on their domain with my login and password. They just changed my theme a bit to add advertising.
    I tried to change the password for MySQL, but as soon as I change my wp-config, the mirror site works fine.
    So… I guess they got access to my wp-config and MySQL. Any ideas how I can fix it?

    Got dedicated server.

    used
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    in my .htaccess, tried placing wp-config in the top folder, but that doesn’t help. Got 644 permissions on wp-config. Tried to set 600, but my site goes to a blank page then.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator bcworkz

    (@bcworkz)

    Wow! That’s a different twist to the usual hack a site to inject back links and ads. I suspect the root cause is the same though. I believe your site was hacked and some sort of spyware installed that detects wp-config.php changes and relays such to the mirror. Thus the cure is the same as for any hacked site – work through the steps in FAQ My site was hacked.

    Thread Starter mwwarden

    (@mwwarden)

    My server admin is pretty sure that the site is simply getting grabbed, and it’s not about getting hacked.

    First change your db password, and change PRIVILEGES assigned to db.

    Moderator bcworkz

    (@bcworkz)

    Unless the server is horribly mis-configured there would be no way to get updated DB credentials off of wp-config.php unless there is privileged access to the server or DB. Assuming you’ve just changed all related passwords, not only DB, but FTP and cPanel access as well, the only privileged access left is code running on the server. Code running on the server that is lifting DB credentials would be due to a hack.

    bukge brings up a good point, be sure there are no unauthorized users added to your DB admin or FTP access.

    Thread Starter mwwarden

    (@mwwarden)

    I’m pretty sure now that they just made a real-time mirror of my site.
    When a user visits any page of their site, their server gets the code of my page with the same address. Then it replaces all occurrences of my domain in the HTML code with their domain and shows it, adding advertisement code.
    The problem is, they use Cloudflare. And after I ban their IP, they change it after a few hours…

    Moderator bcworkz

    (@bcworkz)

    So then you can see them crawling your entire site in your access logs? While their IP will change, there’s likely something consistent about their requests that can be detected by an .htaccess rule. For example the user agent. You may need to alter your access log format to include more data to identify the common factor. If that’s not possible you could temporarily add in a PHP-based logging script that’s triggered only during any request from Cloudflare.

    For that matter, while their IP changes, it’s still probably within 2-3 IP blocks assigned to Cloudflare. You might consider blocking those entire ranges. They’re likely all servers. If your site is meant for only humans and search bots, neither of those are likely coming from those IP ranges.
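
One way to look for the common factor described in the reply above, added here as an example that is not part of the original thread. It assumes Apache's combined log format; the function name, IP ranges (RFC 5737 documentation addresses), user agent and log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SAMPLE_LOG = [  # constructed lines; 198.51.100.0/24 plays the suspect range
    '198.51.100.7 - - [10/Mar/2016:10:00:01 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "-" "ExampleFetcher/1.0"',
    '198.51.100.23 - - [10/Mar/2016:10:00:05 +0000] "GET /post-2/ HTTP/1.1" 200 4312 "-" "ExampleFetcher/1.0"',
    '198.51.100.90 - - [10/Mar/2016:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "ExampleFetcher/1.0"',
    '203.0.113.5 - - [10/Mar/2016:10:00:11 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Mar/2016:10:00:14 +0000] "GET / HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

def common_factors(log_lines, suspect_ranges, min_share=0.9, max_elsewhere=0.1):
    """Find header values shared by almost all requests from suspect_ranges
    and by almost no other traffic, so a rule on them spares real visitors."""
    nets = [ipaddress.ip_network(r) for r in suspect_ranges]
    suspect, others = [], []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname logged instead of an address
        bucket = suspect if any(ip in n for n in nets) else others
        bucket.append(m.groupdict())
    factors = {}
    for field in ("agent", "referer"):
        counts = Counter(r[field] for r in suspect)
        if not counts:
            break  # nothing came from the suspect ranges
        value, n = counts.most_common(1)[0]
        elsewhere = sum(r[field] == value for r in others) / max(len(others), 1)
        if n / len(suspect) >= min_share and elsewhere <= max_elsewhere:
            factors[field] = value
    return len(suspect), factors

if __name__ == "__main__":
    print(common_factors(SAMPLE_LOG, ["198.51.100.0/24"]))
```

A value it reports is a candidate for an .htaccess deny rule; a value it filters out (here the empty referer) is also sent by ordinary visitors, so matching on it would block them too.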

    Thread Starter mwwarden

    (@mwwarden)

    Thank you! Your post really gave me an idea where to start!

  • The topic ‘my data base is used to mirror site’ is closed to new replies.