We recently received numerous reports that sites hosted with several hosting networks were hacked by a “Bulk Injection” and are now infected.
People who got infected before were told by one of the hosting providers to change their cPanel/FTP password, because they suspected that the problem was due to poor authentication measures customers had set. However, we got one report that even after one customer changed his login details, he got hacked again in the next wave of attacks.
Go Daddy, BlueHost, DreamHost, and BizLand are all working hard to find ways to prevent any further attacks on their customers. We will continue to update everyone as we get more information. Meanwhile, here is a list of things you can do to try to prevent further attacks on your sites. These are not just for customers of these hosting service providers; they are good ideas for anyone who wants to keep their sites secure:
- Change all passwords to include characters that can’t be guessed or brute-forced. It should be around 14 characters and should include upper and lowercase letters (a-z/A-Z) and numbers (1-9). Feel free to be extra secure and include other characters; for GoDaddy they would be: (asterisk *, hyphen -, underscore _, equal sign =, and period .).
- Keep your site directories clean and uncluttered – carefully go through and delete old/unneeded files.
- Keep everything UPDATED! If you are nervous about updating your static or WordPress site, you can hire our WordPress security specialists to do that for you. Why risk getting hacked?
- Check your database for integrity: make sure the passwords are secure and that the database is clean and uncluttered as well. You can also hire our WordPress security specialists to help you with this.
We got a report from Websense with the following information regarding the hosting network providers:
“During the first week of September 2010, the number of affected websites ranged from 22,000 to about 39,000 depending on the day. According to the data collected by Websense, BlueHost was the most affected hosting company and accounted for 38% of compromised websites. It was followed by DreamHost with 28%. BizLand and Go Daddy acquired the third and fourth spot with 19% and 12% respectively.”
Please feel free to comment below with your opinions and other comments/questions!
Securely,
Michael Schultz
WordPress Security Specialist
WPSecurity Lock Team Member
http://twitter.com/mykeschultz
References:
- Websense article – http://community.websense.com/blogs/securitylabs/archive/2010/09/07/mass-injection-targets-sites-serviced-by-famous-web-hosting-companies.aspx
- Hacked September 17 – https://wpsecuritylock.com/godaddy-resolves-myblindstudioinfoonline-malware-hacked-websites/
- Hacked September 21 – https://wpsecuritylock.com/go-daddy-fixing-hacked-websites-for-customers/
Daniel Fenn says
My website (based on WordPress) got hacked and used to create a fake PayPal website. It is hosted at atbhost.net
Daniel Fenn
MTA
Michael Schultz says
Hey Daniel!
We will email you shortly about your site with a solution to fix it.
Thanks!
-Michael Schultz
Daniel Fenn says
Hey,
Thank you. I just downloaded my raw access logs and they have all the requests that the user made, but when I went to check whether the files were still there, they had been deleted.
Daniel Fenn
MTA
Regina Smola says
Daniel,
Sorry to hear you got hacked. Do you know anyone else hosted at atbhost.net that got hacked? Or do you think it’s an isolated incident?
What’s weird is when I try to open http://www.atbhost.net it’s having problems loading the page in Firefox and when it loads in IE it takes forever. Does their website load okay for you?
Daniel Fenn says
I’m currently an Admin for the forums so I need to be careful with what I give out. I can say that the server is rather slow, and the owner (Jorge) is aware of it. Yesterday I felt that it was a once off incident on my account, but last night I got hacked into again.
The server was just fine yesterday as far as the load goes.
I also discovered that there was a hacking site on the server. I won’t give the full URL, but it had wplogin as part of the URL (I discovered that from my raw access logs), and the website also had my cPanel username as part of the address.
Other thing: I found that it is the same person (or group of people) doing their dirty thing this time around. They used the same email address as last time to reset the password for my WordPress site.
As far as other people getting attacked, I really don’t know yet.
I just want to make it clear that I can’t do much as I don’t have full access to the server just yet. Also I want to make it clear that this is not an official statement from atbhost, this is just my personal experience.
Daniel Fenn
MTA
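As an added example (not code from the post or from any commenter), the raw-access-log review described in the comment above can be scripted to flag WordPress password-reset requests and any requested URL or referrer containing `wplogin`. It assumes the log is in Apache combined format; the sample lines, IP addresses, host name and reset key are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumed layout of the raw access log).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# wp-login.php actions that belong to the password-reset flow.
RESET_ACTIONS = {"lostpassword", "retrievepassword", "rp", "resetpass"}

def classify(line):
    """Return (ip, timestamp, tag) for a line worth reviewing, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    action = parse_qs(url.query).get("action", [""])[0]
    if url.path.endswith("/wp-login.php") and action in RESET_ACTIONS:
        return m["ip"], m["ts"], f"password-reset:{action}:{m['method']}"
    # "wplogin" without the hyphen is not a WordPress core path; check the
    # requested URL and the referrer for it.
    if "wplogin" in (m["target"] + " " + m["referer"]).lower():
        return m["ip"], m["ts"], "wplogin-in-url"
    return None

def triage(lines):
    """Group flagged events by client IP, in log order."""
    hits = defaultdict(list)
    for line in lines:
        found = classify(line)
        if found:
            hits[found[0]].append(found[1:])
    return dict(hits)

# Constructed sample lines: documentation IPs, placeholder host and key.
SAMPLE = [
    '198.51.100.7 - - [21/Sep/2010:03:12:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2101 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Sep/2010:03:12:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Sep/2010:03:14:40 +0000] "GET /wp-login.php?action=rp&key=PLACEHOLDERKEY&login=admin HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Sep/2010:03:20:15 +0000] "GET / HTTP/1.1" 200 5120 "http://host.example/~cpaneluser/wplogin/" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Sep/2010:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2050 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Sep/2010:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        print(ip, events)
```

On a real log, pass the open file to `triage()`; a reset request from an address that is not your own is the event to follow up with the host.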
Regina Smola says
I completely understand and thank you for what you have provided us. Our goal is to help others stay safe.
We have found a Security Alert statement released at ATBHost and have posted the security alert here on our website as well to help spread awareness and stop the hackers in their tracks.
Obviously malicious hackers have technical skills, you would think they’d like to do positive things with them instead of being a cyber criminal. One day they’ll burn in the gates of hacker hell and wish they’d done good in their life instead.
Daniel Fenn says
Just an update:
We got more news/details that can be released to the public.
You can see them there: http://atbhost.net/forums/thread-4033.html
Daniel Fenn
MTA
Michael Schultz says
Thank you so much for your update! We will make a new post about this very soon.
Daniel Fenn says
Welcome anytime 🙂
Daniel Fenn
MTA
m says
Which characters can’t be “brute-forced”? Can’t all of them?
Michael Schultz says
Any password can be brute forced, because hackers use programs that guess every possible combination of letters, numbers, and characters. It’s just a matter of time – but the longer your password is, the longer it will take a hacker to figure it out. Here’s a time chart based on the current technology hackers have access to: https://wpsecuritylock.com/passgen2b
Hope that helps!
Kathy Pop says
I have an Alpha reseller’s account w/ Empire Resellers and one of my blogs was hacked within the last couple weeks- spammy links were put into my header. Fixed it and changed all the passwords, etc.
Michael Schultz says
I’m sorry you got hacked! I’m glad you were able to recover though – great job. Great thinking with the password changes as well.