  1. #1
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Domain hijackers or what??
    Wow. I just went to one of my websites I haven't checked in the last week or two. When I click on any of the nav links (it's a WordPress blog) or category links, my browser times out and I get a message:

    "Network Timeout. The server at .... is taking too long to respond."

    The problem is -- the IP address in the space where I gave "..." in the quote is NOT an IP address for my server??

    It's an IP address that I searched on and found this:

    "Hostname: 200.13.erx-lhm.eidsiva.net"
    "... is found in Norway."

    Anybody else had this problem? Anybody know what the Norway site might be?? Okay -- I just went to "Eidsiva.net" -- it's a broadband company in Norway. The site's in Norwegian, so I don't know what it says or what to do from here??

    I have an emergency support ticket in to my VPS hosting company right now and will let you know what I find out.
    Generate more fake news.

  2. #2
    Moderator
    Join Date
    April 6th, 2006
    Posts
    2,689
    Ackk.. ignore my initial comment, just saw it's your nav links... not the site itself.

    Sounds like your site may have been compromised.. check your version of WP, could be an upgrade is required...

  3. #3
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Gary,
    Check the Online Auctions link on the first site in your sig. Nothing to do with your problem, but it needs a look.

    Bad deal on the creep infection.


  4. #4
    ABW Founder Haiko de Poel, Jr.'s Avatar
    Join Date
    January 18th, 2005
    Location
    New York
    Posts
    21,609
    Sounds like yes it was hijacked. The site is an ISP in Norway.
    Continued Success,

    Haiko
    The secret of success is constancy of purpose ~ Disraeli

  5. #5
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Yup. Just got response from my host. They found the spurious IP address in my .htaccess file. When I tried to download and look at that .htaccess file, it showed there were 407 Kb in the file -- but the file appeared empty in my text editor?

    I discovered that many of the files on the site, including WP system files, have had the first letter in the file name turned into an underscore (_) symbol.

    When I tried to access wp-login.php after swapping out the .htaccess file for a good one, I got an error message on line 414. So I called up wp-login.php in my text editor and found TONS of javascript lines just above the line 414 error, and also TONS of javascript lines (several hundred in both cases) near the end of the wp-app.php file.

    I discovered two URLs or partial URLs in the javascript code:

    http://www. 3njx.ru
    and
    http://www. aspx46.com

    When I put those into my Firefox browser, it blocked them and gave me an "Attack site" warning message.

    Guess I get to revamp that website after all, just as I had been thinking of doing. The bad news is, I'll lose a ton of links in Google to 404 errors and have to get the "new, improved" (and hopefully more secure!) site indexed all over again.

    Ah, such fun. LOL!
    Last edited by Haiko de Poel, Jr.; September 24th, 2008 at 04:31 PM. Reason: unlinked sites
    Generate more fake news.
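
The three symptoms reported in post #5 (a large .htaccess that looks empty, core files whose first letter became an underscore, and script injected into wp-login.php) can be checked for across a whole document root. This is an added example, not code from the thread; it assumes a clean copy of the same WordPress version is unpacked at `clean_root`, and the `CORE_NAMES` sample and the size thresholds are illustrative choices.

```python
import os
import tempfile
from pathlib import Path

# Small sample of WordPress core file names (assumption: extend from your clean copy).
CORE_NAMES = {"wp-login.php", "wp-app.php", "wp-config.php", "index.php"}

def padded_htaccess(path, min_size=4096, max_visible=0.05):
    """True for a large .htaccess that is almost all whitespace (directives padded out of view)."""
    data = path.read_bytes()
    visible = len(data.translate(None, b" \t\r\n\x0b\x0c"))
    return len(data) >= min_size and visible / len(data) <= max_visible

def renamed_core_file(name):
    """True when a core file name has had its first character replaced by '_'."""
    return name.startswith("_") and any(name[1:] == c[1:] for c in CORE_NAMES)

def scan(site_root, clean_root):
    """Return sorted (relative path, finding) pairs for the live tree."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    findings = []
    for folder, _dirs, files in os.walk(site_root):
        for name in files:
            path = Path(folder) / name
            rel = path.relative_to(site_root)
            if name == ".htaccess" and padded_htaccess(path):
                findings.append((rel.as_posix(), "htaccess-padded"))
            if renamed_core_file(name):
                findings.append((rel.as_posix(), "core-file-renamed"))
            clean = clean_root / rel  # same file in the pristine copy, if it ships one
            if name.endswith(".php") and clean.is_file() and path.read_bytes() != clean.read_bytes():
                findings.append((rel.as_posix(), "differs-from-clean-copy"))
    return sorted(findings)

def demo():
    """Scan a constructed live tree against a constructed clean tree."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        live.mkdir(); clean.mkdir()
        (clean / "wp-login.php").write_text("<?php // login\n")
        (clean / "wp-app.php").write_text("<?php // app\n")
        (live / "wp-login.php").write_text("<?php // login\n<script>/* injected */</script>\n")
        (live / "_p-app.php").write_text("<?php // app\n")
        (live / ".htaccess").write_bytes(b"\n" * 400000 + b"# hidden directive (placeholder)\n")
        return scan(live, clean)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files that exist only in the live tree, such as wp-config.php, themes and plugins, are not compared and still need a manual look.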

  6. #6
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Sacramento, CA
    Posts
    1,263
    Isn't that a pisser... I recently found one of my IPB forums had been hacked at one point. Nothing bad done to it, but I saw that I was running out of space on the server and, after digging for a while, I found that there were several directories containing hundreds of porn pages (html & php). Permissions had been changed, so I couldn't delete them myself... I got the host to handle that and had Invision upgrade the forum, so now it's all better. Best of all, I didn't need to upgrade my hosting plan again
    Hi, I'm a signature.

  7. #7
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Doing a G search for 3njx.ru shows a ton of results with sites marked with "This site may harm your computer" by Google.


  8. #8
    ABW Ambassador Boom or Bust's Avatar
    Join Date
    February 3rd, 2008
    Posts
    3,955
    If permissions are set correctly, how can a hacker do this? Are there WP vulnerabilities that are being exploited?




  9. #9
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    If permissions are set correctly, how can a hacker do this? Are there WP vulnerabilities that are being exploited?
    Those are questions that hopefully Gary's support guys will tell us.

    I am using the same server provider and really want to know where these bads get in. Is it forms, WP, firewall weakness or what?


  10. #10
    Moderator
    Join Date
    April 6th, 2006
    Posts
    2,689
    These open-source CMS/Blog platforms are more susceptible than the average site, unfortunately.

    I hope it all gets sorted out for you, Gary.

    On a similar topic, Joomla 1.5.5 has a serious bug that allows hackers to reset the Admin password using a basic keystroke combination (they gain access when you click "lost password" link). My new site got hit last month, but I was lucky.. instead of clicking lost pw, I upgraded to secure version & deleted default Admin account.

    Is your WP a hosted version, or your own installation..?

    Hopefully there will be a way to manage your own upgrades - it's one more thing to remember, but definitely worth the extra effort.

  11. #11
    Visual Artist & ABW Ambassador lostdeviant's Avatar
    Join Date
    September 7th, 2007
    Location
    Cuautitlán, Edo. de México
    Posts
    1,725
    Why do you need to lose links? Did they actually insert stuff into your database?

    If not, you can just wipe the contents of your website directory and then just re-upload wp, your themes, and your plugins, then just make sure your wp-config is good.

    You do have a backup of your site on your computer, don't you?

    Quote Originally Posted by writerguy

    Guess I get to revamp that website after all, just as I had been thinking of doing. The bad news is, I'll lose a ton of links in Google to 404 errors and have to get the "new, improved" (and hopefully more secure!) site indexed all over again.

    Ah, such fun. LOL!

  12. #12
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Quote Originally Posted by lostdeviant
    Why do you need to lose links? Did they actually insert stuff into your database?

    If not, you can just wipe the contents of your website directory and then just re-upload wp, your themes, and your plugins, then just make sure your wp-config is good.

    You do have a backup of your site on your computer, don't you?
    Hmm. Uh, well. I promised myself after I lost several WP sites with a different host's failure of redundant backups that I would ALWAYS have current db backups for my WP installs.

    BUT -- This was a site I actually forgot to set up to auto backup. Grrrrrr. I haven't any backups of the db. If I had, it might have worked to do as you suggested. Groan.

    @Boomers:

    They apparently simply figured out my FTP password, or something?? My support people had no real suggestions about how they got in. They simply urged me to set stronger passwords and "keep them safe."

    Truth is, I've been very lax about setting strong passwords. I just spent most of the evening using an auto-password-generator program to reset passwords for everything.

    As for file permissions -- I tend to use a lot of WP plugins. The good news is functionality. The bad news is, many plugins require you to grant full write access to various folders and files for them to work. Hence, if someone gets past your password, they often can mess with the files.

    Truth is, I don't understand a great deal about WP security, security risks, etc.

    Living a 1996 Internet presence in our 2008 Internet world, I guess. Grrr.
    Generate more fake news.

  13. #13
    Visual Artist & ABW Ambassador lostdeviant's Avatar
    Join Date
    September 7th, 2007
    Location
    Cuautitlán, Edo. de México
    Posts
    1,725
    Quote Originally Posted by writerguy
    Hmm. Uh, well. I promised myself after I lost several WP sites with a different host's failure of redundant backups that I would ALWAYS have current db backups for my WP installs.
    So they did insert info in your database?

  14. #14
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Quote Originally Posted by lostdeviant
    So they did insert info in your database?
    You know, I never really figured out that the db itself might have been all right -- until AFTER I had discovered I had no backup on that db and -- I had already deleted it.

    Agggghhh.

    Anyway, I have a full week ahead of me this week. LOL!
    Generate more fake news.

  15. #15
    ABW Ambassador 2busy's Avatar
    Join Date
    January 17th, 2005
    Location
    Tropical Mountaintop
    Posts
    5,636
    When you're getting it set up again, take a look at
    http://codex.wordpress.org/Hardening_WordPress
    There's other info out there via search. WP is a two-edged sword, but on their own site there's lots of info.

  16. #16
    Life is Supposed to be Fun! Rexanne's Avatar
    Join Date
    January 18th, 2005
    Location
    Los Angeles
    Posts
    12,360
    Yikes Gary - what a nightmare!

    Was this WP that you downloaded or are you running on their server?

    Kinda scary to think anyone can hack WP.
    Peace,

    Rexanne

    Rexanne.com
    Loving Everyone's Child Creates Magic


  17. #17
    Visual Artist & ABW Ambassador lostdeviant's Avatar
    Join Date
    September 7th, 2007
    Location
    Cuautitlán, Edo. de México
    Posts
    1,725
    This thread is another great reminder to keep backups of your websites at least on your computer hard drive, WP or not.

    Any site can be hacked if the server permissions are not restricted. See Post #12.

    When working with WordPress, you should also use the WP-DBManager plugin which can be set up to automatically e-mail you a copy of your database.
    Keeping a copy of your themes and plugins on your computer (or your entire site, like I do) will also ease the pain from a huge burden to just a deletion of the directory on the server and a re-upload.

    You can use Phpmyadmin to see if your database has been hacked in case you lost your database backup e-mail (sent by the plugin)

  18. #18
    ABW Ambassador ladidah's Avatar
    Join Date
    October 15th, 2007
    Location
    MA
    Posts
    1,888
    Gary, sorry to hear this happened to you. I am wondering if there is another way to get back your post/data since they were wiped out.

    * Do you let the robot archive.org / ia_archiver crawl your site or has it been disallowed in your robots.txt? If so, maybe you can get some posts back that way. I would hate for you to lose those links and posts.

    * What version WP have you been using?

    * Does your host keep back-ups on their server? A few days ago I messed up my CSS file on my WP blog and thought that the DB-manager would have everything backed up but not the php / css files. I accidentally deleted parts of the css file and the whole blog looked like a train wreck. Spent all night trying to look through my gz files and computer to see if I had any latest copies. Nada. I was beside myself and thought to email my host as a last resort. They let me know within a couple of minutes of sending a support ticket in the middle of the night that they keep files for 7 days as back-up so I was able to recoup. Even if they may not keep a copy for 7 days, ask them if there is any way you can try to get things back.

    Quote Originally Posted by lostdeviant
    This thread is another great reminder to keep backups of your websites at least on your computer hard drive, WP or not.

    Any site can be hacked if the server permissions are not restricted. See Post #12.

    When working with WordPress, you should also use the WP-DBManager plugin which can be set up to automatically e-mail you a copy of your database.
    Keeping a copy of your themes and plugins on your computer (or your entire site, like I do) will also ease the pain from a huge burden to just a deletion of the directory on the server and a re-upload.

    You can use Phpmyadmin to see if your database has been hacked in case you lost your database backup e-mail (sent by the plugin)
    Great tips. After my accidental delete I keep copies of themes/plugins/css/php on my computer and also on disk. I have the wp-dbmanager plugin email me the backups too. I am concerned about this zip file going into email. Do you think it is safe?

  19. #19
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Thanks, all of you guys, for your comments and suggestions. Very helpful.

    I especially want to emphasize what lostdeviant says: BACKUPS BACKUPS BACKUPS.

    Then I suppose I should fall back on that great ender for all arguments my stepmother would often give me when I was a young teenager: "Do as I SAY not as I DO!" LOL!

    I even had that WP-DBManager plugin installed as Chris suggested. Unfortunately, my problem was lack of organization more than ignorance -- when I was setting up several of my blogs to do daily backups and email them to me, this was one of two I forgot to set up and didn't realize I'd forgotten them.

    Fortunately, much of the blog was made up of PopShops posts and pages, and I think I can get it back up and running within a few days. In fact, I wrote down a detailed list of the merchants, products, and even pages I had up before I deleted the site from my server, so that gives me a "blueprint" for recreating it.

    And, I really did want to polish up the appearance of the site, tweak it a bit, etc., so this is my opportunity. (You know the old adage, right? "When life hands you lemons, uh, something, something, something ... and add a little grapefruit juice for some tang.") LOL!
    Generate more fake news.

  20. #20
    Member
    Join Date
    December 3rd, 2007
    Posts
    177
    Quote Originally Posted by writerguy
    Fortunately, much of the blog was made up of PopShops posts and pages, and I think I can get it back up and running within a few days. In fact, I wrote down a detailed list of the merchants, products, and even pages I had up before I deleted the site from my server, so that gives me a "blueprint" for recreating it.
    So sorry to hear what happened to you!

    Even though you deleted your site, you should still be able to view the cached pages in Google. A while ago, by accident, I deleted a few of my pages and was (thankfully) able to view the cache and copy the info. I have enough trouble writing things the first time - LOL.
