09-02-2013, 08:02 PM
I have a shared hosting plan, hosting a half dozen different domains. A couple use WordPress, and a couple others use the ModX CMS. For the past 6 months or so, I've had a variety of issues with my account...not sure if they're all related or not, but they're becoming quite a hassle, and I'm looking for a good, permanent fix.
The first issue was one of my WordPress sites that was spiking CPU usage on my server to 100%, resulting in my hosting account getting shut down (was able to get it reinstated). That CPU usage typically is fine most of the time, but every couple of days I'll notice that it's pegged at 100% again, so I kill the process that's doing it, and CPU usage returns to normal. WordPress and plugins are all updated.
The more recent issue (within the past 2 weeks) is that my ModX sites are now showing evidence of some sort of hack. The sites themselves will serve up a PHP error, preventing the site from loading. I re-loaded fresh and current copies of the CMS, and that takes care of the issue for a day or two. I've discovered that there is apparently a single file used by the CMS that the hackers have injected some PHP code into...replacing this file with a fresh copy brings the site back immediately, but they seem to keep doing it.
The PHP code in this most recent example points to a dynamic DNS service in the UK, with other pointers to a Russian web service of some sort. There's a 'block IP' address function in my control panel, but I don't know that it would do anything to block a dynamic IP address that's masked with a dynamic DNS service.
My guess is that the hackers haven't gained access by guessing a password, but instead are exploiting some security hole in WordPress or ModX. They appear to have ongoing access, and I'm not sure what will actually shut them out completely. My fear is that they've uploaded some innocuous-looking file or saved something to one of my databases that gives them a back door into my server. I don't quite know where to begin in searching for and fixing that security hole, as we're talking about thousands and thousands of files on my server and probably hundreds of thousands of rows across various databases.
Move my sites to a different host? Change all my passwords? Rebuild all sites with fresh copies of the CMS? All of these seem like they might help, but there are significant drawbacks to going any of these routes, as I've noted. Just trying to figure out how to lock down my server and not have to worry about ongoing issues related to this hack. Any ideas?
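One practical way to answer "which of thousands of files did they touch this time" is a file-integrity baseline: hash every file right after restoring a clean CMS copy, then diff against that snapshot whenever the site breaks again. This is an added example, not code from the thread or from either CMS; the function names, the constructed web root in `demo()` and the list of "suspicious" PHP calls are assumptions, and a regex hit is only a lead to inspect, not proof of compromise.

```python
import hashlib
import os
import re
import tempfile

# Calls that commonly appear in injected PHP; a hit is a lead to inspect, not proof.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root.
    Store the result (e.g. as JSON) outside the web root right after a clean restore."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return added, modified, removed


def suspicious_php(root, paths):
    """Of the given relative paths, keep the .php files containing a suspicious call."""
    hits = []
    for rel in paths:
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    hits.append(rel)
    return hits


def demo():
    """Constructed web root: clean baseline, then one re-injected file and one new file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "core"))
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php $db = 'x';\n")
    baseline = snapshot(root)  # taken while the install is known-clean
    with open(os.path.join(root, "config.php"), "a") as fh:
        fh.write("eval(base64_decode('aGk='));\n")  # simulated injection into a core file
    with open(os.path.join(root, "core", "cache.php"), "w") as fh:
        fh.write("<?php echo 1;\n")  # dropped file with benign-looking content
    added, modified, removed = compare(baseline, snapshot(root))
    return added, modified, removed, suspicious_php(root, added + modified)
```

Run the baseline against a fresh CMS copy, not the currently infected tree, or the injected file becomes part of "normal"; files flagged as added or modified are where to look first, and the database tables the CMS uses for templates and snippets deserve the same before/after comparison.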