Recurring issues with websites being target of hacking attacks...[long] - Printable Version

MacResource (https://forums.macresource.com)
Forum: My Category (https://forums.macresource.com/forumdisplay.php?fid=1)
Forum: Tips and Deals (https://forums.macresource.com/forumdisplay.php?fid=3)
Thread: Recurring issues with websites being target of hacking attacks...[long] (/showthread.php?tid=157152)

Recurring issues with websites being target of hacking attacks...[long] - clay - 09-02-2013

I have a shared hosting plan, hosting a half dozen different domains. A couple use WordPress, and a couple others use the ModX CMS. For the past 6 months or so, I've had a variety of issues with my account...not sure if they're all related or not, but they're becoming quite a hassle, and I'm looking for a good, permanent fix.

The first issue was one of my WordPress sites that was spiking CPU usage on my server to 100%, resulting in my hosting account getting shut down (was able to get it reinstated). That CPU usage typically is fine most of the time, but every couple of days I'll notice that it's pegged at 100% again, so I kill the process that's doing it, and CPU usage returns to normal. WordPress and plugins are all updated.

The more recent issue (within the past 2 weeks) is that my ModX sites are now showing evidence of some sort of hack. The sites themselves will serve up a PHP error, preventing the site from loading. I re-loaded fresh and current copies of the CMS, and that takes care of the issue for a day or two. I've discovered that there is apparently a single file used by the CMS that the hackers have injected some PHP code into...replacing this file with a fresh copy brings the site back immediately, but they seem to keep doing it. The PHP code in this most recent example points to a dynamic DNS service in the UK, with other pointers to a Russian webservice of some sort. There's a 'block IP' address function in my control panel, but I don't know that it would do anything to block a dynamic IP address that's masked with a dynamic DNS service.

My guess is that the hackers haven't gained access by guessing a password, but instead are exploiting some security hole in WordPress or ModX. They appear to have ongoing access, and I'm not sure what will actually shut them out completely.

My fear is that they've uploaded some innocuous looking file or saved something to one of my databases that gives them a back door into my server. I don't quite know where to begin in searching for and fixing that security hole, as we're talking about thousands and thousands of files on my server and probably hundreds of thousands of rows across various databases.

Move my sites to a different host? Change all my passwords? Rebuild all sites with fresh copies of the CMS? All of these seem like they might help, but there are significant drawbacks to going any of these routes, as I've noted. Just trying to figure out how to lock down my server and not have to worry about ongoing issues related to this hack. Any ideas?

Re: Recurring issues with websites being target of hacking attacks...[long] - mattkime - 09-02-2013

I think you need to find a WordPress or ModX forum. The problems you're experiencing are very specific to those pieces of software.

Re: Recurring issues with websites being target of hacking attacks...[long] - M A V I C - 09-02-2013

Who's the host? Hosts like Dreamhost have scripts which will cleanse your site files.

Your sites can get hacked for a number of reasons. Sometimes the host is at fault. But there's a good chance moving your stuff to another host will just be moving your exploits to another host.

A few things to try:

- Install http://wordpress.org/plugins/p3-profiler/ to figure out what's sucking down the CPU in WordPress
- Install the free version of http://wordpress.org/plugins/wordfence/ and have it scan for exploits
- Go through your own files and look for any potential exploits. Sometimes just searching through the files for "base64" is a good start. Take an especially close look at code at the ends of the files.
- Once you've scrubbed all your files and made sure they're not infected, change your passwords.
- It's good to segment sites out so they're each on their own user, rather than all the sites being run under one user. It's easier to figure out where the source of the exploit is.
- Plugins. First of all, use the least amount of plugins you can. "plugins are all updated" isn't all you need to think about as far as updates. When was the last time each plugin was updated by the developer? Depending on the plugin, if it's more than a year old, I'd find a replacement.
- Set up the sites with Google Webmaster tools. It may seem odd, but if you use the meta tag for authentication, a lot of hackers will stay away from sites with that tag because they know instances of malware will be reported more quickly.

Re: Recurring issues with websites being target of hacking attacks...[long] - clay - 09-03-2013

Good ideas, Mavic. I'll start working through them...
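
The file search suggested in M A V I C's reply (look for "base64" and check the ends of files), written out as an added example that is not part of the thread. The marker list, the five-line "tail" window and the file extensions are assumptions chosen for illustration.

```python
import os
import re

# Assumed heuristics, not a signature set: calls often used to hide injected PHP.
MARKERS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long encoded run on one line
TAIL_LINES = 5                                     # what counts as "end of file"
EXTENSIONS = (".php", ".phtml", ".inc")            # assumed PHP file suffixes


def scan_file(path):
    """Return findings as (line_number, reason, in_tail) tuples for one file."""
    with open(path, "rb") as fh:
        lines = fh.read().splitlines()
    findings = []
    for number, line in enumerate(lines, start=1):
        in_tail = number > len(lines) - TAIL_LINES
        for match in MARKERS.finditer(line):
            findings.append((number, match.group(1).decode().lower(), in_tail))
        if BLOB.search(line):
            findings.append((number, "encoded-blob", in_tail))
    return findings


def scan_tree(root):
    """Walk a web root and return {relative_path: findings} for flagged files."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                found = scan_file(path)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report


def tail_hits_first(report):
    """Order flagged files so those with hits near the end of the file come first."""
    return sorted(report, key=lambda p: (not any(f[2] for f in report[p]), p))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = scan_tree(root)
    for path in tail_hits_first(report):
        for number, reason, in_tail in report[path]:
            note = " (near end of file)" if in_tail else ""
            print(f"{path}:{number}: {reason}{note}")
```

Hits are leads for manual review, since legitimate CMS and plugin code also calls functions such as base64_decode; comparing a flagged file against a fresh copy of the same CMS version settles most cases.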