WXSIM.COM got hacked! Fixing ...

The other day McAfee told me my own web site was dangerous. I thought it was just because I’m “small potatoes” and it didn’t know me. But then I just (a bit belatedly) saw an email from my hosting service (GoDaddy) saying my site was in fact hacked. There are some php files that apparently are intended to direct new traffic to God knows where (probably some advertisers). How it got hacked, I don’t know, but I’m going to totally wipe out the entire site and reupload everything. Might take a day or so. I’m also getting an SSL certificate - not that this would have prevented the hack.

Please understand while I get this fixed. The hack consists of other files somehow inserted onto my site. At this point, I have no reason to think my own code has any problems. Feel free to scan anything you want, and let me know if anything comes up!

Thanks!

Tom

Hi Tom.

Welcome to the Pwned club.
There is nothing you can do to abate it as it is an issue with the host server having vulnerabilities.
I have had the same issues over the years. Your host will have been done and it has fallen into your site.

As of 28/8/18 your files were virus-free. This was the last day I was on the site and, having checked the log files on my server, your site and files are clear.

It is usually only the landing page (home) that will have the script injected into it, but your choice of a full wipe is the best practice.

Have a good weekend.

Rob

Hi Rob,

Thanks for that info! My hosting is GoDaddy, which actually notified me. I’m actually purchasing a service to daily scan the site ($60 a year) and notify me of stuff. Something I could probably do myself, but I get busy and I’m sure I’d forget. This was some php stuff, and a redirect thing (.htaccess file, I think). Apparently it was telling search engines to go somewhere else.

Do you know anything about how such a hack would have occurred? They talk in general terms about “vulnerabilities”, but I’m not sure what that means here. PHP seems to be suspicious, but how does PHP I’ve always used and uploaded myself get “hacked”? What is a “vulnerability” in a file that’s just plainly visible script? Not my area of expertise. Anything you know and can tell me would be much appreciated!

I’m also getting the SSL, so search engines and browsers will like me! What a complicated world this digital stuff is!

There is an ability to use a formed URL to inject a script into the php file, i.e. enter http…post? into the browser bar and the extra bit is added to the file the server kicks out.

GoDaddy offers both cPanel and WordPress.

There are currently 277 (6 in 2018) vulnerabilities for WordPress and 47 (5 in 2018) for cPanel.

Without a copy of the index.htm file, it is a bit hard to figure out the entry they used, as if you haven’t restored it, GoDaddy has restored the site.

Rob

Thanks for the info!

One thing I’ve done (though probably not relevant to the hack) is that I got the SSL. I think I’ve activated that properly, but I don’t know much about it. I added a (hopefully correctly written) .htaccess file to the root folder. It’s supposed to be redirecting to the encrypted/secure version. If you can tell by going to my site, please let me know! I’m using a really old browser here.

I’ve also gone through my site and manually removed about a dozen files (I believe all of the ones that were flagged by GoDaddy), dating back to February. One was a .htaccess file that had “google” and “yahoo” in it (I didn’t save a copy - maybe I should have). I think the rest were all php files, scattered through various folders. These all dated from February and March and were NOT anything I wrote or uploaded. In any case, GoDaddy will start daily scans tomorrow.

The only php stuff I have on my site is the plaintext parser. Is that safe to use? Could anybody have gotten in through that? I don’t have any user input boxes anywhere on the site. My GoDaddy interface or whatever is cPanel, for what that’s worth.

I’ve also changed my FTP password, in case somebody stole that.

I know my automated uploads (weather data) will temporarily break because of the password change and also the https (?). I know what to do in my scripts about the password. I’m uploading via WinSCP at the school. Hopefully I can do the SSL OK with that. I’ll look at those settings. Any info or experience Rob or anyone has would be welcome!

Oh, did any of you ever see any strange behavior of my site? The only other “warning” I had was McAfee telling me (just the other day) that it was dangerous.

Thanks!

Tom

Your SSL is configured and working correctly.
Your FTP should not be affected as this is a different area within the server farm.
Your plaintext parser is safe to use as it is not exposed directly to the website. (It is a server-side script. Client-side scripts that run on the user’s browser are the ones that are affected more.)

The .htaccess entries for yahoo and google will have been for search engine optimisation and instructions on what to scan and not scan.
The php files would normally be an issue if php was your primary file type.
A server can be configured to count down from htm, html, asp, php in any order.
It usually stops at the first one it finds in the order the server lists. Given your URLs are all direct links, your hack may have started around Feb, your oldest php file.
If you have a copy, DM it to me and I will tell you some more based on what I find in the code.

I have not seen any issues with your site on the several times I have been there recently, but I used a bookmark to the download page.

Rob
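As an added illustration (not Tom’s actual .htaccess, which is not posted in the thread), this is what a root .htaccess covering the two points above looks like: the HTTPS redirect Tom describes, and the index-file ordering Rob describes, pinned so that a dropped index.php is not served ahead of the real index.htm. It assumes Apache with mod_rewrite enabled and a host that honours DirectoryIndex in .htaccess (AllowOverride Indexes); names like the hostname are placeholders.

```apache
# Force every plain-HTTP request onto HTTPS (assumes mod_rewrite is enabled by the host).
RewriteEngine On
RewriteCond %{HTTPS} off
# On some shared hosts TLS is terminated by a proxy and %{HTTPS} stays "off";
# in that case test the forwarded header instead of the line above:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Pin which index file is served. The server walks this list and serves the
# first file that exists, so listing index.htm first means an injected
# index.php cannot shadow the real home page.
DirectoryIndex index.htm index.html

# Review note: any RewriteCond on %{HTTP_REFERER} or %{HTTP_USER_AGENT} in this
# file that you did not write (for example one matching search-engine names)
# is the "send search engines somewhere else" pattern described in the thread
# and should be removed, not kept as SEO.
```

After uploading it, fetch the http:// URL with a browser or curl and confirm a 301 to the https:// address; a 200 or a loop means the host needs the proxied variant of the condition.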

Unless the FTP credentials were compromised somehow, I would change the FTP password. The one time I got hacked that was my fault, it was a PC compromise where FileZilla was hacked. (The other time was totally a host server level issue :roll: )