| 9:39 pm on Jun 29, 2011 (gmt 0)|
Sounds like your WordPress is the problem. Have you cleaned the server up and updated to the newest version?
| 1:38 am on Jun 30, 2011 (gmt 0)|
|There are roughly 20 domains on my hosting. All are now locked to one single ftp account for which I have changed the password. |
Everyone who uses that FTP account should do thorough antivirus scans (on their personal computers, not on the compromised server). Then change the password again.
|I'm guessing that the way forward is to clean every domain on the hosting. |
Yes, clean, and upgrade all CMS and their plugins to latest versions.
|How is this problem able to place a .htaccess in the root folder? Do you think the FTP is still compromised? |
Yes, or else there is a backdoor PHP script hidden somewhere in one of the sites. The hacker calls the PHP script with their browser. The web page gives them a user interface, and the PHP code translates their commands to server actions, giving them the ability to download/upload/edit files on the server without having to know any passwords. Sort of like CKEditor or TinyMCE, except without any requirement to log in first.
|Also If I clean each domain one at a time, is it possible for another domain to reinfect the cleaned one? |
Yes, especially if the server runs PHP as an Apache module rather than as CGI/suPHP.
If SSH is enabled, turn it off.
Since this is a recurring problem, the hacking activity might be getting thoroughly logged in one or more of your server logs.
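An added example, not from this thread, of the log check suggested above: it parses Apache combined-format access log lines and returns the requests that landed within a window around the .htaccess modification time and hit a PHP file outside the expected WordPress entry points, which is where a backdoor script would show up. The log lines, allow-list and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2011:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2011:03:15:02 +0000] "POST /wp-content/uploads/2011/06/img.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2011:03:15:09 +0000] "GET /wp-content/uploads/2011/06/img.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2011:04:40:00 +0000] "GET / HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# PHP paths a stock WordPress install legitimately serves (constructed allow-list;
# extend it for the real install before trusting the result).
EXPECTED_PHP = ("/index.php", "/wp-login.php", "/wp-admin/", "/wp-cron.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}

def suspect_requests(log_text, htaccess_mtime, window=timedelta(minutes=10)):
    """Requests within +/- window of the .htaccess change that hit an unexpected .php file.
    htaccess_mtime must be timezone-aware (e.g. from os.stat(...).st_mtime)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or abs(rec["ts"] - htaccess_mtime) > window:
            continue
        if rec["path"].endswith(".php") and not rec["path"].startswith(EXPECTED_PHP):
            hits.append(rec)
    return hits

def demo():
    # Constructed .htaccess mtime: 30 Jun 2011 03:15:30 UTC.
    mtime = datetime(2011, 6, 30, 3, 15, 30, tzinfo=timezone.utc)
    return suspect_requests(SAMPLE_LOG, mtime)

if __name__ == "__main__":
    for h in demo():
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
```

Run it against the real access log of each domain, with the mtime of the modified .htaccess, and the file that keeps appearing in the hits is the one to inspect first.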
| 4:54 pm on Jun 30, 2011 (gmt 0)|
Yeah, it's entirely likely:
1 - the malware was injected into WordPress
2 - you collected the malware via browsing/working with your sites
3 - you are the one re-infecting the sites unknowingly.
Also note this important thread [webmasterworld.com] if you use FileZilla. By default it stores the FTP passwords on your computer as plain text in an XML file.
| 11:26 am on Jul 4, 2011 (gmt 0)|
So what steps do I need to take to get cleaned up? There are 20 domains. Where should I start?
| 2:01 pm on Jul 5, 2011 (gmt 0)|
Are all 20 domains yours and under your control, or are you a hosting reseller?
Have all admins done AV scans with an AV program different from the one they were using at the time of the compromise?
Was malware found on any of the PCs?
| 3:21 pm on Jul 6, 2011 (gmt 0)|
Currently all 20 domains are mine and under my control through 1 FTP account and 1 control panel.
I have done a system rootkit scan, a system AV scan and a system malware scan. All is clean.
Yesterday I thoroughly cleaned 1 domain, removing all files and folders in that domain and replacing them with a clean install of WordPress. Today the .htaccess of that domain was hacked again and a redirect set up through that hack.
Looking at the files through FTP, the .htaccess file is the only file changed. All the other files appear untouched since I cleaned them yesterday.
Am I right in assuming that 1 of the following 3 options is the case?
1. The FTP is still compromised.
2. The control panel is compromised.
3. One of the other domains is compromised and they are able to get in there and alter .htaccess in all the other domains?
How should I proceed from here?
Many thanks for your help so far.