Forum Replies Created

Viewing 15 replies - 1 through 15 (of 18 total)
  • Forum: Fixing WordPress
    In reply to: hacked by hacker

    Furthermore Net Registry is incorrect with the statement that it was clients' permissions on files that were incorrectly set.

    World readable files are the default permissions (644) when you upload a file or install any type of website. These permissions made it easier for the hacker to traverse accounts on the Cpanel server – but in reality the hacker is not supposed to be able to do that at all!!

    Anything you upload will always have permissions of 644 and the server configuration is supposed to sandbox all accounts to not allow a different user to follow a symbolic link into another user's account.

    So while changing your permissions to 600 does solve the problem in some way – the back door still remains open. The proper course of action which both hosts are working towards I presume is to patch Cpanel so a hacker with access to one account can’t override symbolic links to view the files in the home directory of another account.

    I would assume most hosts have applied such a patch which is why this “hacked by hacker” issue has remained isolated on a small handful of hosts.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    mvandemar The CEO of Net Registry (Larry Bloch) posted this on the Whirlpool Forums regarding “hacked by hacker”:

    Before everyone gets too hysterical, here is the REALITY of this incident – and remember, this is a cPanel issue that can happen to any cPanel host or hosting account on cPanel if customers do not have secure permissions.

    This is the background as to what has occurred.

    Some clients have been exploited with website vulnerabilities and the hacker utilised symbolic links to gain access to other accounts on this cPanel server. Netregistry protects against this as much as possible by only allowing symlinks if the owner matches, however the hacker modified the vulnerable website htaccess file and overrode this setting.

    You can read the full post here:
    https://forums.whirlpool.net.au/archive/2010093#r36568056

    Furthermore the symbolic link Cpanel Vulnerability issue is discussed in great detail on the Cpanel forums. Some of the posts describe exactly what happened to HostPapa and net Registry and confirm what Larry Bloch from net Registry was saying (and also confirm that there are multiple ways to patch Cpanel to avoid this in the future).
    https://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242.html

    Finally this is the reply I got from HostPapa Support on the issue:
    Hello,
    Hack by hacker ran scripts on the server accessing WP config files to get the credentials of the user then hack into the account. We ran a script to adjust personal client configurations of WP. We are dealing with the issue.

    Both these companies “Marketing Teams” are trying to save face by calling it a WordPress vulnerability – however their Systems Administrators and even CEO know that it is a Cpanel Vulnerability and an issue that should have been fixed over a year ago. Based on the Cpanel forum conversation many Cpanel hosts have applied patches or workarounds as early as last year.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    aussiewpking this was a Cpanel Exploit. Betterwpsecurity may have provided some protection in terms of file permissions, renaming the wp-content folder and admin account but the hack itself was server side … this has been confirmed by both Net Registry and HostPapa and the Cpanel forums which discuss the exploit in detail.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    garyjwilson: the HostPapa forum has someone else who recovered a Joomla install from this hack so check there:
    https://forum.hostpapasupport.com/index.php/topic,2197.15.html
    Don’t think anyone here knows anything about Joomla but this confirms that the hack is not really WordPress related but rather a server issue that *may* have originally started with a hacked WordPress (or may not have) but spread due to other security issues on the Cpanel server.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    1. HostPapa has quietly set the permissions on all wp-config files to 600 (rw-------)
    – This most likely means that the hackers were somehow able to access wp-config files across the server once they compromised one account if the files were world readable.

    2. By Default a world readable config file 644 (rw-r--r--) should not be an issue because the home directory of each account is supposed to have basedir protection enabled and be inaccessible by any other user.

    3. NetRegistry (another host who got hit with the same “hacked by hacker” hack) has indicated that once one account on the server got compromised (through a legitimate WordPress vulnerability) the hacker was able to use a Cpanel symlink issue with .htaccess files to read the wp-config files of every other account on the server.

    This Cpanel issue is discussed in detail on the Cpanel forum and if you scroll to the last couple of days you can read posts that are probably from HostPapa or NetRegistry admins who describe exactly what happened.

    https://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242.html
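    Added example (not code from this thread, from HostPapa, Net Registry or cPanel): a small Python audit that checks the two conditions described in the posts above, namely wp-config.php files left at 644 (readable by group/other) instead of 600, and an .htaccess that switches `Options` to `FollowSymLinks` (which ignores ownership) rather than `SymLinksIfOwnerMatch`, the override Net Registry's CEO describes. The account layout it builds in a temp directory is constructed for the demo; function names are my own. It only inspects mode bits and directive text, it does not model cPanel's basedir protection.

```python
import os
import re
import stat
import tempfile

# Permission bits that let anyone other than the owner read a file.
# A default upload is 0644 (rw-r--r--); the fix described in the thread is 0600 (rw-------).
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def is_readable_by_others(path):
    """True if group or other have read permission on the file."""
    return bool(os.stat(path).st_mode & GROUP_OR_OTHER_READ)


def find_exposed_configs(root):
    """Walk root and return every wp-config.php readable by group or other,
    as paths relative to root (sorted for stable output)."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" in files:
            full = os.path.join(dirpath, "wp-config.php")
            if is_readable_by_others(full):
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def lock_down(path):
    """Restrict a config file to owner read/write only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


# Matches Apache "Options ..." directives; .htaccess is line oriented.
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE | re.MULTILINE)


def htaccess_enables_followsymlinks(text):
    """True if any Options line turns on FollowSymLinks, which (unlike
    SymLinksIfOwnerMatch) lets Apache follow a link regardless of who owns
    the target. A "-FollowSymLinks" token disables it and is not a finding."""
    for match in OPTIONS_LINE.finditer(text):
        for token in match.group(1).split():
            if token.startswith("-"):
                continue
            if token.lstrip("+").lower() == "followsymlinks":
                return True
    return False


def demo():
    """Build a constructed two-account layout in a temp dir, audit it,
    apply the 0600 fix, and return the findings as a dict."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    # Constructed sample accounts: paths, modes and contents are made up for the demo.
    layout = {
        "acct_a/public_html/wp-config.php": (0o644, "<?php define('DB_PASSWORD', 'example');\n"),
        "acct_a/public_html/.htaccess": (0o644, "Options +FollowSymLinks\nRewriteEngine On\n"),
        "acct_b/public_html/wp-config.php": (0o600, "<?php define('DB_PASSWORD', 'example');\n"),
        "acct_b/public_html/.htaccess": (0o644, "Options +SymLinksIfOwnerMatch\n"),
    }
    for rel, (mode, body) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)

    exposed_before = find_exposed_configs(root)
    for rel in exposed_before:
        lock_down(os.path.join(root, rel))
    exposed_after = find_exposed_configs(root)

    overrides = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess")) as fh:
                if htaccess_enables_followsymlinks(fh.read()):
                    overrides.append(os.path.relpath(dirpath, root))

    return {
        "exposed_before": exposed_before,
        "exposed_after": exposed_after,
        "followsymlinks_overrides": sorted(overrides),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    On a real server you would point `find_exposed_configs` at the parent of the account home directories and run it as root; the .htaccess check is the part worth keeping in a cron job, since a client's file can re-enable FollowSymLinks at any time unless the vhost's `AllowOverride` denies `Options`.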

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    stuzphotography:
    1. That’s the easy answer for Hostpapa
    2. They clearly had issues that night which resulted in many many websites getting hacked all at once – across multiple accounts. My chats with their support team confirmed this to some degree. But it still could be an outdated script … this one's a mystery since Hostpapa won’t release log files or tell anyone what exactly happened.
    3. So you should push back a bit – let them know you were not the only one that night and it’s crazy they don’t have a backup for you.
    4. Before you delete everything make a backup of your current files and database from Cpanel / PHMySQL and FTP. Because the hack only modified a few files most of your data is intact and could be saved.
    5. The Hack Repair Guy who posted earlier in the thread could prob get you back up and running without a full account reset or getting HostPapa involved.
    6. This response from HostPapa is probably a good reason to look elsewhere for hosting at some point. I know I will be.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    NONE of the sites I cleaned yesterday with the “Hacked by Hacker” had Timthumb vulnerabilities ..

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    Viscosity: alkeiyasings.com is hosted by HostPapa according to WHOIS.

    Most of these hacked sites seem to be hosted there.

    Looks like you got some stylesheet / style issues.

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    No one said apocalypse.

    There’s a trickle of info coming in on this hack which escalated today. Obviously hasn’t affected many people. But enough to warrant talking about it. It seems if your WordPress site was hosted on the aforementioned hosts you were likely to run into this hack today.

    I sense sarcasm from you guys .. whereas I’m just trying to throw some observations out there to see if they click with others who are dealing with this as well.

    Since there’s no traces in log files it would be nice to know how it happened is all.

    Forum: Fixing WordPress
    In reply to: hacked by hacker
    Forum: Fixing WordPress
    In reply to: hacked by hacker

    None of the sites I’ve fixed today have Contact Form 7 …

    The only common denominator I have seen is that they are all on Cpanel and multiple sites on the Cpanel server (under different accounts) get hacked at the same time when it happens.

    This was the case with HostPapa hosted sites which seem to have the most hacks today .. and a company called NetRegistry according to some other forum I have been following … and a company called Syrahost …

    No solid answers yet ..

    Forum: Fixing WordPress
    In reply to: hacked by hacker

    Jan this appears to be a new hack. I know cleaning the files does not close the door but the door is not obvious yet.

    I’ve cleaned up many WordPress installs over the years but have not found the culprit yet on this one (which has been reported starting today on many many wp sites across multiple hosts) … I guess if it’s something new it will keep growing … otherwise hopefully someone will be able to report what the exact backdoor is to this one ..

    Forum: Fixing WordPress
    In reply to: hacked by hacker
    Forum: Fixing WordPress
    In reply to: hacked by hacker

    Here some more info on it:

    As of yet there is no information about the exploit vector.
