hacked by hacker

Yep – and I stand by it. ?? The initial break-in point was down to one hosted client site. Within that narrow definition, Netregistry are correct but they should not be avoiding the point that their poor security / server administration allowed the hackers to roam far beyond that one site which then turned this into a mass incident instead of just 1 defaced site.

As for HostPapa, I’d like to see them come up with some real evidence before issuing claims like that.

I understood the source of the statement when I replied.

I was trying to carefully elicit a little more information from you in an attempt to understand – despite your apparently like-minded views on where the responsibility probably rests – why you seemed to disagree. I’m just curious like that. ??

Hi my site has been hacked yesterday and displayed the “hacked by hackers message” I have a Joomla 1.5 template…not wordpress…Unfortunately despite advice I did not make a back up of my site and now face losing months of work…
Using the wordpress fixes I found on the net for people with the same problem I changed the following which I confirmed first had been infected. “The index.php has been replaced with the correct back up and the index html deleted “both these files had been infected with the “hacked by hacker” message in the root directory… The last infected file to be found was the “index php” file in the ” \templates\theme_photography “….. WordPress users reporting that it was the Header file in the same directory that was infected in their sites….I have restored this to the original file contained in the theme folder as it was the only one I had.
I have now managed to get rid of the “hacked by hackers” message from my website and instead this is now all that is shown.
the error message displayed is
“Fatal error: Call to a member function getCfg() on a non-object in /home/sigru087/public_html/index.php on line 12.”
I have managed to temporarily log into the Control panel and checked the error logs and am saw that I had multiple error messages relating to the favicon in the theme root directory…I replaced it with the original from the original template but it made no difference.
I really would appreciate any help as I am only a keen amateur when it comes to web sites etc. Simply running a small part time photography business and struggling to make ends meet as it is….I really do not see the need for hackers to hit the little guys like me…By all means make your point if you feel the need to corporate entities but please at least think of the individual who could quite easily fold as a result of such an attack….
Thanks in advance for any help
My site is.. sigrundyphotography.co.uk

garyjwilson: the HostPapa forum has someone else who recovered a Joomla install from this hack so check there:
https://forum.hostpapasupport.com/index.php/topic,2197.15.htmlDon’t think anyone here knows anything about Joomla but this confirms that the hack is not really WordPress releated but rather a server issue that *may* have originally started with a hacked WordPress (or may not have) but spread due to other security issues on the Cpanel server.

@garyjwilson: Please refer to the instructions provided near the start of this topic. And next time (and as per the Forum Welcome) please post your own topic.

On source of the problem: there are current active threads on CPanel.net, which include someone who appears to be working for a hosting company who needed directions on how to set FollowSymLinksIfOwned.

A user was able to use the bad server connection to insert scripts into multiple other user directories.

This was followed by several other small operators reporting the same problem and observing that fixing the httpd.conf setting cured it. One unfortunate soul reported he had to leave FollowSymLinks open because Joomla requires it and the WordPress customers were victims of badly designed Joomla <laugh>.

So it all may be coincidence, but it is not unreasonable to speculate that the current “hacked by hackers” is directly the responsibility of the hosting companies. It might also indicate that someone has written a script to automatically locate and exploit the loose SymLinks setting since several hosts are having the problem.

The point is both views are correct vis. scripts and servers, but if a server is badly configured, even the best scripts become victims.

When fixing your site also make sure you look for fake admin users and passwords. I don’t make wordpress logins with a user id of “admin” and I have been finding new “admin” users and deleting them.

So far all affected sites that I know of are on hostpapa and not all of them have older versions of wordpress.

some of my client “client themselves” installed sites have had this happen to them…

all my big installs / own sites ive created for clients have betterwp security plugin installed and configured pretty tight – NONE of these sites have been hacked

so my suggestion is remove / replace the 3 files as mentioned above

index.htm [ remove ]
index.php [ replace from a downloaded version of wp 3.4.2 ]
header.php [ replace from a downloaded version of your theme from inside the theme of the themes folder ]

AND then install and configure betterwpsecurity plugin….

just my 2 cents worth…

by the way – all seemed to be twenty eleven or twenty ten – does this help with diagnosing for the super tech heads out there? [ might be unrelated as most client installs themselves prob use this theme anyway… ]

aussiewpking this was a Cpanel Exploit. Betterwpsecurity may have provided some protection in terms of file permissions, renaming the wp-content folder and admin account but the hack itself was server side … this has been confirmed by both Net Registry and HostPapa and the Cpanel forums which discuss the exploit in detail.

@aussiewpking – where did you see either HostPapa or Netregistry confirm that it was an issue on their end? Last I knew NR was blaming it on clients having the wrong permissions:

@mvandemar It was clients permissions on files that were incorrectly set, not only software vulnerabilities.

— netregistry (@netregistry) November 15, 2012

And HostPapa is still calling it a “WordPress vulnerability”:

@ericahughes Your site is definitely not affected by the WordPress vulnerability. Please let us know if you have any other concerns!

— HostPapa (@HostPapa) November 16, 2012

mvandemar The CEO of Net Registry (Larry Bloch) posted this on the Whirlpool Forums regarding “hacked by hacker”:

Before everyone gets too hysterical, here is the REALITY of this incident – and remember, this is a cPanel issue that can happen to any cPanel host or hosting account on cPanel if customers do not have secure permissions.

This is the background as to what has occurred.

Some clients have been exploited with website vulnerabilities and the hacker utilised symbolic links to gain access to other accounts on this cPanel server. Netregistry protects against this as much as possible by only allowing symlinks if the owner matches, however the hacker modified the vulnerable website htaccess file and overrode this setting.

You can read the full post here:
https://forums.whirlpool.net.au/archive/2010093#r36568056

Furthermore the symbolic link Cpanel Vulnerability issue is discussed in great detail on the Cpanel forums. Some of the posts describe exactly what happened to HostPapa and net Registry and confirm what Larry Bloch from net Registry was saying (and also confirm that there are multiple ways to patch Cpanel to avoid this in the future).
https://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242.html

Finally this is the reply I got from HostPapa Support on the issue:
Hello,
Hack by hacker ran scirpts on the server accessing WP config files to get the credentials of the user then hack into the account. We ran a script to adjust personal client configurations of WP. We are dealing with the issue.

Both these companies “Marketing Teams” are trying to save face by calling it a WordPress vulnerability – however their Systems Administrators and even CEO know that it is a Cpanel Vulnerability and an issue that should have been fixed over a year ago. Based on the Cpanel forum conversation many Cpanel hosts have applied patches or workarounds as early as last year.

Furthermore Net Registry is incorrect with the statement that it was clients permissions on files that were incorrectly set.

World readable files are the default permissions (644) when you upload a file or install any type of website. These permissions made it easier for the hacker to traverse accounts on the Cpanel server – but in reality the hacker is not supposed to be able to do that at all!!

Anything you upload will always have permissions of 644 and the server configuration is supposed to sandbox all accounts to not allow a different users to follow a symbolink link into a another users account.

So while changing your permissions to 600 does solve the problem in some way – the back door still remains open. The proper course of action which both hosts are working towards I presume is to patch Cpanel so a hacker with access to one account can’t override symbolic links to view the files in the home directory of another account.

I would assume mosts hosts have applied such a patch which is why this “hacked by hacker” issue has remained isolated on the a small handful of hosts.

We run small hosting setup using cPanel and were hit by “hacked by hacker” about a month ago on one of our servers. Most of the accounts were compromised WordPress or otherwise.

The solution for us was to install the cPanel SecureLinks Module from this company: https://www.cloudlinux.com/docs/securelinks.php

This vulnerability and solutions for it have been around for quite some time and discussed on the cPanel forums as others have stated.

There are other methods to patch this cPanel vulnerability as well. cPanel has not done a great job in informing us about it though so I assume hosts typically learn about it and patch it after they have been hacked once.

Lucky for us we are small. Unlucky for the hosts mentioned in this thread I suppose.

My post is directed to the hosting administrators in which the responsibility of this hack lies and not end WordPress Users which were victims of an insecure cPanel setup.

thanks for all your advice above….

out of interest my cPanel hosting provider said this

“Our cPanel servers have always been patched and as such its actually not a symlink issue as claimed by Larry.”