steve-d

I guess those of us on share-hosting services are supposed to be responsible for application-layer security now?

Sheesh

Thanks I’ll check out the info in the forums.

songdogtech

This is all the scan offers in File/Dataset column.

_transient_feed_0675461f3898ec6c3480cb7871cc6d88:_transient_feed_0675461f3898ec6c3480cb7871cc6d88

I’ll check the page source as suggested. Report back A.M.

Nope I use Theme Factory Pro products and no cssjockey plugins.

Not comfortable with an iframe linking to a download.

Any suggestions on what files I might peak at? Or could I find this with a Firebug exam of my site??

easysale . .

Yes CHMOD was acting very strangely this weekend. Permissions we’re not setting properly. As of this moment I’m back via SFTP and index files appear to be clean. And my platform appears to be reset. I just added File Monitor a few minutes ago to my project blog. I’m still going to be spending all day today double checking things. I have a bottle of Advil, weeks supply handy here on the desk.

If something like this happens again in the short term, I am most definitely going to have to seriously consider other options.

songdogtech . . . . .

What is ironic is I use WordPress but my project isn’t even about blogging or tech. Or even myself for that matter. It’s a general media delivery platform. I’ve spent 4 weeks on and off hardening security. Hackers will realize quick this isn’t going to be easy or worth their time. Anyway I’m still a month away from deployment.

Never expected to get hacked from the freaking inside!

I back up the database every night and all the WordPress files once weekly. Those are downloaded for storage. Just checked my account and all looks clean on the server. Now we’ll find out if any time bombs are getting ready to go off again.

We’ll see if NS has “fixed it” soon enough. Moving is a real possibility if they don’t get it together. Which I EXPECT. Not “hope” for.

@songdogtech

. . . Change hosts. Period.

I don’t think even that’s enough security now days. To many abandoned and poorly secured sites on line, etc., etc.

@cacoline

I can’t even get into NS via SFTP this morning either I get a critical error. Not even sure if I want to log in and look at my NS account at this point although I do have good security on my end.

Really frustrating.

@useshots

I have been checking permissions. I have found many of my permissions compromised and set to 660. When I set them back to 640 and come back later they are back at 660. And also I was not able to change my passwords on my datatbases. I’ve come to the conclusion I’ve been totally and completely compromised.

I’ve checked the backup I downloaded this morning at 10:30 AM. It’s clean. This latest attack occurred about 2:43PM today. I’ve been clean up until this afternoon.

All my index files on the NS server affected have 2:43 PM as the modified time and are loaded with this ugly script. Also my Simple Machines Forum index files are hacked with the same nasty code.

I wonder if NS is going to even be able to control this thing at this point. They say they’ve fixed it and they attack again.

easysale

index.php
wp-content/index.php
wp-content/themes/index.php
wp-content/plugins/index.php
wp-admin/index.php

This is exactly where they hit me also.

Plus I haven’t even deployed my Website yet. In development. Plus I took extra precautions to secure it. I’m not public yet but developing on a NS shared hosting setup.

Complete the equation.

bottleneck

Thanks I appreciate it. Guess I best call NS. This is turning into a real nightmare. I thankfully got a back up download early this morning which is clean. Looks like this latest attack started around 2:30 PM.

Appreciate your assistance.

Sorry about the formatting on the above post.

I am on NS also. I think I am getting hit.

I backed up my project site this morning.

Here is the index.php form that . .
This below was my index.php from this mornings backup.

[Encoded hack script removed.]