• abwatson

    (@abwatson)


    Hi there, well, my website has been hacked and it always seems to be in the same place. But I can’t seem to figure out where this hack code is in my WordPress files. It seems to always be just after my image link. Example below:

    <img src="https://abwatson.com/wp-content/uploads/2011/02/5146515283_cce1a94b75_b.jpeg" <a href="https://basicpills.com/">buy prescription drugs online without prescription</a>  alt="" title="5146515283_cce1a94b75_b" width="533" height="800" class="aligncenter size-full wp-image-680" /><br />
    <img src="https://abwatson.com/wp-content/uploads/2011/02/Picture-1-556x370.png" alt="" title="Picture 1" width="556" height="370" class="aligncenter size-large wp-image-681" /><br />

    This hack has come up time and time again. I have updated WordPress, but still it came back. I reinstalled WordPress from scratch, reinstalled plugins and reinstalled my database. Yet this hack still comes back. You can check out my website and see where it has been affected at abwatson.com. Can anyone help me out? Thanks
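
    A way to locate the injection described in the post above, as an added example that is not part of the original thread: it flags any `<a>` tag that starts before the enclosing `<img>` tag has closed. The sample posts, their ids and the `example` domains are constructed; in practice the strings would come from an export of post content.

```python
import re

IMG_OPEN = re.compile(r"<img\b", re.IGNORECASE)
ANCHOR = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def find_injected_anchors(html):
    """Return [(offset, href)] for each <a> that begins inside an unclosed <img> tag."""
    findings = []
    for m in IMG_OPEN.finditer(html):
        i, quote = m.end(), None
        while i < len(html):
            ch = html[i]
            if quote:                      # inside a quoted attribute value:
                if ch == quote:            # '<' and '>' are literal text here
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == ">":                # tag closed normally, nothing injected
                break
            elif ch == "<":                # a new tag opened before the <img> closed
                a = ANCHOR.match(html, i)
                if a:
                    findings.append((i, a.group(1)))
                break
            i += 1
    return findings

def scan_posts(posts):
    """posts: {post_id: content}. Return {post_id: [href, ...]} for affected posts only."""
    report = {}
    for post_id, content in posts.items():
        hrefs = [href for _, href in find_injected_anchors(content)]
        if hrefs:
            report[post_id] = hrefs
    return report

# Constructed sample data modelled on the snippet in the post (not real site content).
SAMPLE_POSTS = {
    680: '<img src="https://site.example/uploads/a.jpeg" '
         '<a href="https://spam.example/">buy pills</a> alt="" title="a" width="533" />',
    681: '<img src="https://site.example/uploads/b.png" alt="" title="Picture 1" />',
    682: '<img alt="x <a href=y>" src="c.png">',   # "<a" inside a quoted value: not flagged
}

if __name__ == "__main__":
    for post_id, hrefs in scan_posts(SAMPLE_POSTS).items():
        print(post_id, hrefs)
```

    Running the same check against both the stored post content and the rendered page shows whether the link lives in the database or is added at output time by a modified theme or plugin file.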

Viewing 15 replies - 31 through 45 (of 54 total)
  • The fact is that the hosting company… says the server is updated with the latest software…
    What I’ve seen so far is that only WP is infected… other CMSs do not have this problem…
    We are cleaning 2 sites, disabling (physically cancelling them) all the plugins… and changing all the passwords again (FTP, WP and MySQL)… to see if they will be infected again…
    Every blog has its own… space… as a single user… it is a shared server but managed only by us (not shared with other resellers)…

    Every blog has its own… space… as a single user… it is a shared server but managed only by us (not shared with other resellers)…

    I mean you can’t access webspace2 and mysql2 from webspace1 and mysql1

    You can if the permissions are not set correctly. Check the permissions of all your files (especially the wp-config.php). If they are not set properly, the attackers will just read the new pass from there and hack again.

    *Also check for backdoors, which is very common in this type of attack.

    wp-config.php was set to 444, so more secure than that ??
    We will also check other files… to see if all the permissions are ok…

    Do you know that 444 = Read permissions to the owner, group and EVERYONE? ??

    On shared hosts, I really recommend 400 or 440 to the wp-config.php, otherwise everyone can read it.

    thanks,

    if you put 440 or 400 … wp simply doesn’t work.
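
    The 444 / 440 / 400 modes from the posts above, worked through as an added example that is not part of the original thread: whether PHP and another account on the host can read `wp-config.php` depends on the mode and on which user PHP runs as. The uids and gids are constructed, and the model ignores root and ACLs.

```python
import os
import stat

def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check: exactly one class applies (owner, else group, else other)."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_wp_config(path, php_uid, php_gids, other_uid, other_gids):
    """Stat a real file and report whether PHP and another tenant can read it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": format(mode, "03o"),
        "php_can_read": can_read(mode, st.st_uid, st.st_gid, php_uid, set(php_gids)),
        "other_tenant_can_read": can_read(mode, st.st_uid, st.st_gid,
                                          other_uid, set(other_gids)),
    }

# Constructed accounts for the comparison (assumptions, not from the thread).
SITE = (1001, 1001)          # uid, gid that own wp-config.php
NEIGHBOUR = (1002, {1002})   # another customer's shell/FTP account
SHARED_WEB = (33, {33})      # one web-server account running PHP for every site

def compare_modes(modes=(0o444, 0o440, 0o400)):
    """For each mode: can PHP read the file in each hosting setup, and can a neighbour?"""
    rows = {}
    for m in modes:
        rows[format(m, "03o")] = {
            # PHP runs as the site's own user (per-user PHP processes)
            "php_as_owner": can_read(m, *SITE, SITE[0], {SITE[1]}),
            # PHP runs as a shared account; every tenant's scripts then share
            # this same identity, so they can read whatever this one can
            "php_as_shared_user": can_read(m, *SITE, *SHARED_WEB),
            "neighbour_account": can_read(m, *SITE, *NEIGHBOUR),
        }
    return rows

if __name__ == "__main__":
    for mode, row in compare_modes().items():
        print(mode, row)
```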

    Just wondering, who’s your web host, Pubblivori ?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    pubblivori – You get only a couple options.

    1) Your PC is hacked, and by using insecure methods to access your site to edit it (i.e. you’re NOT using SFTP or SSH), you keep giving your password to the hackers.

    2) Your SERVER is insecure.

    Honestly, we saw a LOT of #2 over the last year. I would talk to my webhost ASAFP. Just because YOU are only seeing WordPress affected does not mean that’s all that’s impacted.

    And perhaps they just use a WP-related script (for example looking for database tables starting with wp_), that still doesn’t mean that it has to be WP, they’re just on your server doing their thing, most likely automated. And just because each website has its own passwords, doesn’t mean that they can’t go from one website to another. Once on the server, it’s easy to search the entire server, just as easy as it is to find other users’ files on a PC hard drive.

    Just wondering, who’s your web host, Pubblivori ?

    It is an Italian company but usually they are serious… I have other work servers with them and never had a problem.

    Ipstenu –

    1)
    I exclude this option… yes, I use Windows… but I’m pretty sure it has no problem on it. I scan it regularly and I use a text email reader… to read email so no strange code could be executed.

    2) Could be, I can’t exclude it since I don’t directly manage it. The fact is that I’ve spoken with them and they say there is no problem on their side (that could be not true).

    What Roy is saying is correct, I’ve seen some of the websites hosted on the same server… and only the ones with WP were affected.

    Now we are installing 2 test WP sites (clean install, all files with the right permissions, one without plugins and one with some installed but not activated)… with different settings… on the same machine with old domains (so they can be reached) and we will wait to see what happens.
    If the IP is regularly checked for clean sites to be infected and there is a hole… somewhere they will be infected again so we can suppose the problem is the server.

    All my WP sites have had this happen. Multiple domain names, all cPanel SQL generated strong passwords, not using wp_ tables, config.php in top level folder (non-web viewable), sites without plugins and all on the same shared host have all had this injection. One I even cleaned last night, changed all passwords for WP and SQL, and now it’s hacked again.

    This has to be a host problem but how to get them to listen and figure out why/how this is happening is the problem.

    In my case it was a host problem.

    The host said that another user on the server had allowed a hacker to upload some malicious files which were doing all the damage.

    My host has told me that they will be installing some extra security on my host to not allow this to happen any more.

    Same EXACT case as PUBBLIVORI.
    I was studying log files and in different websites I found this strange log:

    10.0.100.44 - - [15/Mar/2011:23:52:59 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 - "-" "WordPress/2.9.2; https://www.mysite.com"

    Any idea?

    Don’t look at the WP version. Here is another log:

    10.0.100.44 - - [16/Mar/2011:12:57:49 +0100] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 - "-" "WordPress/3.0.1; https://www.mysecondsite.com"

    Sorry… It seems a normal thing :-(.
    This file simply executes a scheduled job for your WordPress and sometimes it executes itself…

    So, in the log file there are not strange things.

  • The topic ‘Website hacked’ is closed to new replies.