Easy there, Hack Repair Guy. I don’t take payment until the job is finished.
Everyone: I think the hackers have access to the database server(s) at WebHostingPad. I did a Google search for the site title that the hacker keeps putting in. There are quite a few results:
https://www.google.com/search?q=%2BADw-%2Ftitle%2BAD4-Hacker+By+Hacker+alajman
Then I started looking at the host where each hacked site resides. See a pattern?
https://dns.robtex.com/sonsof.com.html#records
https://dns.robtex.com/theshyam.com.html#records
https://dns.robtex.com/shajey.com.html#records
https://dns.robtex.com/socialwatchtower.com.html#records
https://dns.robtex.com/stonegatemediaresearch.com.html#records
There are plenty more that are hosted on 69.65.3.x. Some have other IPs; they may use CDNs like Cloudflare or maybe they’re hosted elsewhere and the hacker struck there too. But I see:
– multiple independent sites, which are suffering an identical hack, hosted in the same place
– the hack is occurring without any modified files
– the hack is occurring without any illegitimate activity in the HTTP access logs or FTP logs
Mass compromise of a host is something I’m very hesitant to consider, but in this case I think the evidence certainly points to it.