I was hit by a defences1(dot)com injection into a config file today (18 June 2016).
I think the source is the CDN (W3 Cache or CloudFlare or …).
“… Some Content Delivery Networks (CDNs) enable fraudsters to deploy phishing attacks with valid SSL certificates. Not only does this make the fraudulent sites appear more credible, but they also benefit from the fast response times provided by the CDN. …”
https://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html
I’ve been suffering from a series of different attacks, mostly bots, that started when my site was hosted on a shared server at HostGator. Other sites on my server were infected for months before I was infected. My first symptom was a slow site, so I signed up for CloudFlare, then for SiteLock. My site went down and I restored it 3 times before I moved to another web host with a dedicated IP.
“… The traffic between the original web server and CloudFlare remains unencrypted unless the web server owner has his own certificate installed on his machine. Almost everyone who browses a https domain reached from CloudFlare is unaware that just half of the route is encrypted. When they see the padlock on their screen, they feel that everything is safe. This is why phishers love CloudFlare’s SSL. It’s easy to use for a cybercriminal with numerous domains hidden behind the privacy services of various registrars. …”
https://www.crimeflare.com/cfssl.html
I canceled my CloudFlare and SiteLock when I left HostGator, but I cannot stop SiteLock from scanning my domain and suspect CloudFlare is similar. I suspect there is something still living amongst my WordPress files on my new server.