Major Multiple Website Hacking

Discussion in 'malware problems & news' started by Ross Gardner, Nov 8, 2017.

    Ross Gardner, Registered Member (Joined: Nov 8, 2017; Posts: 1; Location: Australia)
    Hi everyone. I am in desperate need of help. I am a WordPress website designer, and 2 weeks ago every single website on my American shared server was hacked, roughly 35 of them. There were different types of hacks: some websites were deleted and a "coming soon" index file put in place; some had hundreds of trojan viruses uploaded into them; some were just messed up and had the site name removed, the admin user changed to either xxx or magico, and the UTF-8 changed to UTF-7, which made the website display a heap of errors. Two websites had subdomains added and were converted into fake internet banking websites that were harvesting banking logins.

    In a few cases, the cPanel logins were hacked and the passwords changed, and one client had his email used to buy things online. It took me 4 days to restore all websites, and then I woke on day 5 and they were all hacked again. I did some research, restored them all again from backups, deleted all files except the upload directory and put fresh copies of WordPress over the top. I deleted all the themes and plugins and re-installed them with fresh secure versions, and hardened all the websites with plugins such as Login Lockdown, Better WordPress Security, Sucuri Security and ADL Hide WordPress Admin, and added a Captcha plugin. I put .htaccess files in the includes directory and the wp-content/uploads directory, and changed the read permissions on the wp-config file. I limited access to the xmlrpc.php file to my IP and added a heap of recommended lines to the .htaccess file in the root directory.

    I even added IQ Country Block and blocked every country other than Australia for websites that only do business in Australia. This has so far managed to keep the hackers out. But every day I get hundreds of email notifications from Login Lockdown showing me someone is trying to access my clients' websites. One website, which is just a tradesman's website for his aluminum cladding business, was hit for 50 minutes with 3 login attempts each minute. I can't understand how, even if Login Lockdown has banned that IP, the same IP address can keep submitting the login form for close to an hour. I can't understand how, even with IQ Country Block blocking all countries, they can still access the form from China, Ukraine, India, Russia, Poland, England, and a range of other countries.

    The attacks have slowed down, but they still continue. There are hundreds of different IPs used from all over the world. I have notified the Australian CyberCrime Agency and they are looking into it, but they said that because the IPs are overseas there isn't much they can do. While hardening my websites, I also did the same on websites I have completed recently that are hosted in Australia on a range of different servers, and I am now getting Login Lockdown notifications from these, even though I have installed the ADL Hide WP Admin plugin. They are even bypassing the captcha. I don't have any enemies that I know of, and really don't think this is a targeted attack. But I have never experienced anything like this before in 15 years of building websites. Is there any way of tracing these hackers down? I have lost 2 weeks of production in my studio and I would like to find out who it is.
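Added example (not part of the original post or any of the plugins it names): the pattern the post describes, a single IP posting to wp-login.php three times a minute for most of an hour while hundreds of other IPs each try once or twice, is easiest to confirm from the web server's own access log rather than from plugin email alerts. The Python below parses Apache combined-format lines, keeps only POSTs to wp-login.php and xmlrpc.php, measures each IP's peak rate in a sliding one-minute window, summarises how distributed the campaign is, and emits an Apache 2.4 `<Files>` rule that rejects the flagged IPs before the request ever reaches PHP. The log lines, the IP addresses (RFC 5737 documentation ranges), the one-minute window and the threshold of 3 are all constructed for the example.

```python
"""Find WordPress login brute force in an Apache access log and build a
web-server-level block list.  Added example; sample data is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress entry points that receive credential guesses.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: one IP hammering the form, three others trying
# once each, and an ordinary visitor who merely loads the login page (GET).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Nov/2017:10:00:05 +1100] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Nov/2017:10:00:25 +1100] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2017:10:00:30 +1100] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.18"
203.0.113.10 - - [08/Nov/2017:10:00:45 +1100] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Nov/2017:10:01:05 +1100] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.8 - - [08/Nov/2017:10:01:30 +1100] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Nov/2017:10:02:30 +1100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3214 "-" "Mozilla/4.0"
192.0.2.50 - - [08/Nov/2017:10:03:00 +1100] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.50 - - [08/Nov/2017:10:03:02 +1100] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path


def login_attempts(log_text):
    """Keep only POSTs to the login entry points; each one is a credential attempt."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            out.append(rec)
    return out


def peak_rate(attempts, window=timedelta(minutes=1)):
    """Highest number of attempts by each IP inside any window of the given length."""
    by_ip = defaultdict(list)
    for ip, ts, _, _ in attempts:
        by_ip[ip].append(ts)
    peak = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # two-pointer sliding window
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        peak[ip] = best
    return peak


def flag_ips(attempts, threshold=3, window=timedelta(minutes=1)):
    """IPs whose peak rate reaches the threshold (3 per minute, as in the post)."""
    return sorted(ip for ip, n in peak_rate(attempts, window).items() if n >= threshold)


def summarize(attempts):
    """A distributed campaign shows up as many IPs with only one attempt each."""
    per_ip = Counter(ip for ip, _, _, _ in attempts)
    return {
        "attempts": len(attempts),
        "distinct_ips": len(per_ip),
        "single_attempt_ips": sum(1 for n in per_ip.values() if n == 1),
        "by_path": dict(Counter(path for _, _, _, path in attempts)),
    }


def apache_deny_block(ips, filename="wp-login.php"):
    """Apache 2.4 (mod_authz_core) rule: the listed IPs are refused before PHP runs."""
    lines = [f'<Files "{filename}">', "    <RequireAll>", "        Require all granted"]
    lines += [f"        Require not ip {ip}" for ip in ips]
    lines += ["    </RequireAll>", "</Files>"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = login_attempts(SAMPLE_LOG)
    print(summarize(found))
    print("flagged:", flag_ips(found))
    print(apache_deny_block(flag_ips(found)))
```

The distinction this makes visible is the one the post is puzzled by: a lockout plugin runs inside WordPress, so a banned IP can still POST the form all hour and every attempt still lands in the access log (and in the alert mailbox); the plugin only refuses to authenticate it. A `Require not ip` rule in the site's .htaccess, or an allow-list of the designer's own address with `Require ip`, is evaluated by Apache before PHP is invoked, so the request never reaches the login form at all. Point the parser at the real log (`login_attempts(open(path).read())`) and feed `flag_ips` a longer window to catch slower guessers.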
     