Site Hacked Daily

On the surface all looks fine but within the source code of my site that serves 10,000 page views daily there’s a link to a virus.

The site is Befuddle and it looks like a script is inserting some code into the foot of all the WordPress (version 2.6) files that end index.php. Each day I’ve edited each of the files affected but three days on the bounce it returns at approximately 8:50pm.

The code includes a list of URLs and begins

text block fishka

div name=fishka id=”fishka

I viewed one of the links via Firefox and Norton Internet Security immediately popped up saying ‘A recent attempt to attack your computer was blocked’. This came from softwareclicks2.com.
I’ve been made aware of these hacks as I noticed that the last login dates and times for my sites don’t tally with when I’ve actually last looked at them.

I’ve since changed my ftp password but am wondering if there’s a flaw with one of the plug-ins. Here is the list of files compromised.

  • /index.php
  • /wp-content/index.php
  • /wp-content/plugins/headspace2/modules/page/noindex.php
  • /wp-content/themes/default/index.php
  • /wp-content/themes/classic/index.php
  • /wp-content/themes/befuddle/index.php

I’ve been in touch with my host and they say that ‘an account can easily be exploited due to insecure script/backdated scripts’.

I’ve seen all my WordPress sites hacked at some point but this one is persistent and I’m not sure of how to get rid of it.


24 Responses to “Site Hacked Daily”

  1. Hello,
    I am having the very same problem on two websites of mine (nicolucci.eu and nokappa.it). I see that you too are on Servage, and at this point I think that the problem is with them. Some probably got root access on their system, so they don’t even need the passwords to edit the index.php files, and that’s the only way to run a script that crawls all index.php files.
    I am moving away from Servage in the next few weeks, as this is not related to any php package: those websites of mine don’t use any third-party php, just my own code.
    (If you want to follow-up on this matter, please email me. I don’t have much time to follow blogs, unfortunately.)

  2. Hi,

    I have the same issue, and guess what I’m also hosted with servage.net! I agree with you Daniele this points to someone having a higher level of access to the sites hosted on the servage network. I have lodged a support ticket so we’ll see what they have to say.
    My site is also custom coded so shouldn’t be open to the same threats as off the shelf software.

  3. Sounds like Daniele may have found the root of the problem, I’ve been checking my WordPress sites and not found anything amiss nor nothing on the WordPress grapevine.

  4. I have the same problem and I’m on servage too… 🙁 Please email me too if you can solve.. It’s second time

  5. I’ve got the same problem with the “fishka” script on my personal website, aarongrando.com.

    I’m with servage as well, and seeing this post makes me believe that it is related to servage’s hosting. Thanks for posting this!

  6. Also, looking further into this issue, I can see that there were a number of suspicious, random FTP accounts created in my account. You should check out your account in the CP to make sure there’s nothing suspicious.

    You might want to check this. I’ll keep you updated with this if you’re still experiencing the problem!

  7. This happened to me this morning, the only reason we noticed was the formatting on our opening page had gone to rats.

    The site had been compromised and that all index.php files and two in the fc editor had additional txt added, the opening tag is “” and the end tag is “” with a huge stack of links in between.

    Having removed this from each of the files affected all touch wood seems to be running ok now.

    And yes we are with servage and it’s a little annoying as they have been a fantastic company to be with so far.

    Off to let my blood pressure drop a little.

  8. well, I’m on servage too… I have about 30 sites with them and got the exploit on all of them…
    so it seems the issue is entirely on Servage’s end!

  9. same here, and I’m on Servage too

  10. 1. I have servage.net as well
    2. I noticed a USER added to my account
    3. I noticed many index.php files are modified 17/11/08

    Servage sucks on security. Every time they say it are vulnerable scripts but that is bull ..

    they have serious issues

  11. Hi all, I fixed this by deleting the rogue FTP accounts that were spotted accessing the accounts. Change your FTP passwords and delete the FTP accounts that don’t belong to you.

    Regards,
    Ray

  12. hey,
    I’m also on servage and this has affected all of my sites, until it got blocked by Google safe search and the government internet filters.

    I asked if it was a problem on servage end but they claim that my problem is that the FTP passwords were not secure.

  13. Hi

    Guess what? I’m on servage too – got about 20 sites with them – all hacked! and guess what too – apparently it’s all my fault, not theirs! I have tried what Ray suggested about the ftp accounts but it is still happening on one of my sites. Servage support team are not very helpful I’m afraid with generic replies to my questions and little in the way of a solution. They did move my files to a new cluster though, but still one site is infected….

  14. I thought I was going crazy when I noticed these links on my Joomla sites hosted on servage.

    The strange thing is that it has also affected other sites that are pure html too.

    Have found and deleted rogue ftp account and changed ftp and cp passwords. Hopefully this will work.

    I haven’t noticed the issue with a Joomla 1.5 site that I have been working on but then again, this site was not uploaded until 18 November.

    Just glad that I perform file backups weekly.

  15. Make sure you also check all .htaccess files and suspicious folders. I’ve had to delete a ‘web’ folder and clean up .htaccess files. Also deleted a ftp account which I have not created.

  16. I’m also one of the victims. I’ve found it also creates a new folder in one of the wordpress’ directories and uploads an index.php file. Remember to find and remove it.

  17. Hi,

    I guess I am having the same problem. I am with Servage and one of my websites was hacked – as it appears on December 17 – I only noticed it today.
    I do NOT have WordPress on the site.
    But I do have a PHP forum and some other third party PHP scripts for link exchange.

    I have deleted ALL php code from the site.
    I guess the problem is with PHP. It only affects WordPress because WP relies on PHP.

    After carefully analyzing the modification dates of the files I saw that the PHP files were modified first – then the HTML files with the code snippet “text block fishka” and many links pointing to the same website.
    (I did a DNS lookup with domaintool and could see who owns it – but maybe this is just another hacked site – so they hack one site and point links to another hacked site… just a guess)

    I will notify Servage of the problem.
    I don’t know if moving to another host might hurt my rankings which have built over the last 3 years..It is a PR 4 site so I am not sure if I should just move to another host.

  18. There are many sites hacked this way on Servage:
    fishka or .htaccess hack

    It does not depend on ftp credentials being stolen, but ONLY on ROOT dirs being writable by everyone (777).

    First of all you need to CHMOD (755) your directories…especially the root !!!
    Then…
    You just need to clean the added lines in your index page and your .htaccess file. Carefully check for added subdirs the “hackers” created to upload their scripts and delete them, otherwise those bad scripts would still be active 😉
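
An added example, not part of the comment above or of any commenter's code: a read-only shell audit for the signs reported in this thread (the "fishka" marker in files ending index.php or in HTML files, world-writable directories, recently changed .htaccess and index.php files). The function names and the demo tree are constructed for illustration; only the marker string and the file-name pattern come from the page.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of a web root for the signs reported in this thread.
# Only the marker string "fishka" and the file names come from the page;
# function names and the sample tree are constructed for illustration.

# Files the thread reports as modified (names ending in index.php, plain HTML)
# that contain the injected block's marker.
find_injected() {
    find "$1" -type f \( -name '*index.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lia 'fishka' {} + 2>/dev/null | sort
}

# Directories writable by everyone (for example mode 777), the condition comment 18 blames.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# .htaccess and index.php files changed in the last N days, for manual review.
find_recently_changed() {
    find "$1" -type f \( -name '.htaccess' -o -name '*index.php' \) -mtime "-$2" 2>/dev/null | sort
}

# Build a small constructed site in a temp dir to try the functions on.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/default" "$d/wp-content/plugins/x" "$d/web"
    printf '<?php echo "home"; ?>\n' > "$d/index.php"
    printf '<?php ?>\n<!-- text block fishka -->\n<div name=fishka id="fishka">\n' \
        > "$d/wp-content/themes/default/index.php"
    printf '<?php ?>\n<div name=fishka>\n' > "$d/wp-content/plugins/x/noindex.php"
    printf '<?php /* unknown upload */ ?>\n' > "$d/web/index.php"
    find "$d" -type d -exec chmod 755 {} +   # known-good baseline
    chmod 777 "$d/web"                       # the unexpected, world-writable folder
    echo "$d"
}

# Usage: ./audit.sh /path/to/webroot   (nothing is modified)
if [ -n "${1:-}" ]; then
    echo "== marker found in:";        find_injected "$1"
    echo "== world-writable dirs:";    find_world_writable_dirs "$1"
    echo "== changed in last 7 days:"; find_recently_changed "$1" 7
fi
```

The script changes nothing on disk, so removing the injected lines, deleting unknown folders and setting directories to 755 remain manual steps once the listings have been reviewed.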

  19. Hi
    All the same problems as you, I am no longer a customer. Bored of being hacked then ignored by servage, and then all the downtime. Here is my story, it’s a long blog post, but then it’s a long story.
    http://blog.lottomad.info/ab-personal-updates/servagenet-hosting-stay-away

  20. count me in.
    this is for the second time that all my servage-hosted websites were infested. new index.php appearing…

  21. Hello … Servage here. I would like to take the opportunity to inform you on the GeoIP feature we have added to our control panel. This enables you to lock your controlpanel to geographical areas. Read more on: https://www.servage.net/blog/2009/01/27/geoip-security-for-your-peace-of-mind/

    Please also make sure you remove your ftp-account and create a new one in order to increase security.

    But I agree with other postings here that proper file/folder permission is vital if you are placing content on the Internet.

    Do not hesitate to contact our customer support if you have any more issues. We are glad to help you.

  22. They -Servage- have the balls to imply after all these testimonials that is still OUR FAULT for fucking up our attributes on folders?
    Cheesuz chrysler, wtf are these people thinking? They get hacked nearly 24/7 and they think the users are the ones to blame?

  23. I have tried what Ray suggested about the ftp accounts but it is still happening on one of my sites. As an I.T student and mcdst holder
    Servage support team are not very helpful I’m afraid with generic replies to my questions and little in the way of a solution.

  24. This is ridiculous …I was with servage over 2 years ago and I’ve only just noticed that I had all of this code on one of my rarely updated sites!! I left Servage at the time because they kept lying to me about technical issues and their communication levels were appalling …having now found this just shows that SERVAGE ARE AWFUL, AWFUL WEB HOSTS
