[wp-hackers] Black Hat Chinese Hackers - Looking for your input

MLR mlrichard at gmail.com
Mon Jun 2 21:55:52 GMT 2008


Is Bluehost a good place to host blogs? (historically)

Currently my list is:

1and1 - The Best
Dreamhost - People seem to recommend it a lot but haven't used it yet.

Never worked for me:

A small orange
Yahoo Small Business Host

Marie-Lynn

On Mon, Jun 2, 2008 at 5:45 PM, Jason Webster <jason at intraffic.net> wrote:
> On a hilarious aside: About a year ago, the CEO of Bluehost's blog was hacked /
> spam injected.
>
> MLR wrote:
>>
>> Well of course it's on shared hosting as most other WP installations.
>>
>> I am reinstalling my way (not the fantastico way) from scratch and we
>> will see what happens in the next 24 hours. I have documented that all
>> necessary precautions are taken so when it becomes hacked again
>> Bluehost will not be able to hide its head in the sand.
>>
>> Thanks for all your help today, especially George (Pearce) who walked
>> me through a lot of checks I had not thought about.
>>
>> Marie-Lynn
>>
>> On Mon, Jun 2, 2008 at 5:34 PM, Jason Webster <jason at intraffic.net> wrote:
>>
>>>
>>> Shared hosting has the potential to get ugly, fast.
>>>
>>> Basically, you are potentially vulnerable to script insecurities on other
>>> domains hosted there. I think it is very safe to say it had nothing to do
>>> with WP.
>>>
>>> MLR wrote:
>>>
>>>>
>>>> Hi Dave,
>>>>
>>>> The database has been picked over and is clean.
>>>>
>>>> Either this is a brilliant WP Hack or it is not even a WP Hack.
>>>>
>>>> We also think it is Bluehost specific.
>>>>
>>>> Thanks for your input!
>>>>
>>>> Marie-Lynn
>>>>
>>>> On Mon, Jun 2, 2008 at 5:23 PM, MLR <mlrichard at gmail.com> wrote:
>>>>
>>>>
>>>>>
>>>>> The only odd thing I found was a file in the /wp-content/ called
>>>>> index.php which has an encrypted javascript call.
>>>>>
>>>>> removing it didn't change anything.
>>>>>
>>>>> ---
>>>>> ---
>>>>>
>>>>>
>>>>> On Mon, Jun 2, 2008 at 5:19 PM, George Pearce
>>>>> <pearce.gs at googlemail.com>
>>>>> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> I've been talking to Marie, and from what I can see there are no
>>>>>> affected
>>>>>> Wordpress files, there are some silly 777's, but all the files have
>>>>>> either
>>>>>> been refreshed or checked manually. Nothing seems to be in the
>>>>>> directory
>>>>>> that the blog is, either.
>>>>>> It's strange.
>>>>>> How else would that 404 be achieved, without editing any files. Also,
>>>>>> a
>>>>>> javascript tag has attached itself to the bottom of the </html> on
>>>>>> each
>>>>>> page.
>>>>>>
>>>>>> (I'm replying because I've been talking to Marie for the last half
>>>>>> hour
>>>>>> :) )
>>>>>>
>>>>>> George
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: wp-hackers-bounces at lists.automattic.com
>>>>>> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason
>>>>>> Webster
>>>>>> Sent: 02 June 2008 22:16
>>>>>> To: wp-hackers at lists.automattic.com
>>>>>> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your
>>>>>> input
>>>>>>
>>>>>> Here's a few things that would be useful to know:
>>>>>>
>>>>>> Are you sure Wordpress was the point of entry for the attack?
>>>>>>
>>>>>> What kind of hosting? ie, shared/dedicated.
>>>>>>
>>>>>> MLR wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Hi Guys,
>>>>>>>
>>>>>>> I have noticed two things:
>>>>>>> - The combination of the Words WordPress and Hack mostly return
>>>>>>> topics
>>>>>>> about making WP do cool things (the spirit of this mailing list)
>>>>>>> - Most requests for info about fixing hacked blogs are dead ends on
>>>>>>> wordpress.org
>>>>>>>
>>>>>>> Today I am trying to fix a hacked blog without simply starting over.
>>>>>>> I
>>>>>>> want to know what happened to create the following problem:
>>>>>>>
>>>>>>> All requests in the address bar to ANY wp-admin files return a 404
>>>>>>> error.
>>>>>>>
>>>>>>> the .htaccess file seems clean.
>>>>>>>
>>>>>>> All files were at 2.5.1
>>>>>>>
>>>>>>> I have already overwritten all files in sequence to spot which one
>>>>>>> would have rogue code.
>>>>>>>
>>>>>>> I checked the theme it seems fine (no encoded bits of javascript or
>>>>>>> rogue
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> code)
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> I have removed the javascript functions at the bottom of the
>>>>>>> index.php
>>>>>>> that a bot inserts everyday on the site.
>>>>>>>
>>>>>>> Your pointers will definitely help me understand the source of the
>>>>>>> issue.
>>>>>>>
>>>>>>> What is your opinion on the usefulness of this plugin?
>>>>>>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>>>>>>
>>>>>>> (I know this is easily done the classic way but don't we all have a
>>>>>>> gazillion blogs to manage!?!)
>>>>>>>
>>>>>>>
>>>>>>> Thanks a lot,
>>>>>>> Marie-Lynn
>>>>>>> http://www.friendly-webmaster.com
>>>>>>> _______________________________________________
>>>>>>> wp-hackers mailing list
>>>>>>> wp-hackers at lists.automattic.com
>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
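
A defender-side check for the symptoms mentioned in this thread (777 permissions, a script tag after `</html>`, encoded JavaScript in a file under wp-content), as an added example that is not part of the original messages. The function names, the file-extension list and the obfuscation heuristics are assumptions, and the sample tree is constructed.

```python
import os
import re
import stat

# A <script> tag after the closing </html>, the symptom reported in the thread.
TRAILING_SCRIPT = re.compile(rb"</html\s*>.*?<script\b", re.I | re.S)
# Heuristic markers of encoded JavaScript; legitimate code can match too.
OBFUSCATION = re.compile(rb"\b(?:eval\s*\(|unescape\s*\(|String\.fromCharCode)")

def audit_tree(root):
    """Return {relative_path: [findings]} for everything under root."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; os.walk does not follow them
            findings = []
            if st.st_mode & stat.S_IWOTH:
                findings.append("world-writable")
            if stat.S_ISREG(st.st_mode) and name.lower().endswith((".php", ".html", ".js")):
                with open(path, "rb") as fh:
                    data = fh.read()
                if TRAILING_SCRIPT.search(data):
                    findings.append("script-after-html-close")
                if OBFUSCATION.search(data):
                    findings.append("obfuscated-js-marker")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_tree(root):
    """Constructed sample: a small WordPress-like tree with planted symptoms."""
    content = os.path.join(root, "wp-content")
    uploads = os.path.join(content, "uploads")
    os.makedirs(uploads)
    files = {
        os.path.join(root, "index.php"): "<?php require('./wp-blog-header.php'); ?>\n",
        os.path.join(content, "index.php"):
            "<html><body></body></html>\n<script>eval(unescape('%61'));</script>\n",
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(content, 0o755)
    os.chmod(uploads, 0o777)  # constructed stand-in for the "silly 777's"
```

Call `audit_tree()` on the site's document root or on a downloaded copy; the obfuscation hits need manual review because legitimate scripts can match.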

