Today I was trying to debug why my Feedburner feed would not display properly in Google's Chrome browser. What I discovered was that there was some code creating errors in my site's original RSS feed. After a bit of searching on the offending code, I ran across a post on my hosting provider's support forum.
According to the response from the forum mod,
This is an issue that's going all around the Internet. These 'hackers' are not getting your FTP information from us - they are logging into our server with your FTP credentials, so they had to have gotten them from somewhere else first.
Well, that sounds like a nice story. However, a quick search of the internet yields results pointing to websites hosted by the same provider (confirmed by doing a whois search on the domain name).
What happened was that my index.php file got overwritten/modified. Here's what the hacked file looked like. The code shown in bold is what I had to remove.
<?php @register_shutdown_function("__sfd1252523454__");
function __sfd1252523454__() {
    global $__sdv1252523454__;
    if (!empty($__sdv1252523454__)) return;
    $__sdv1252523454__=1;
    echo <<<DOC__DOC
<!-- [55cdd10ce02d4e8abf6256391a917480 --><!-- 4543252521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://2309h34b34b34b.cc/sl">.</a></li></ul></div><!-- 55cdd10ce02d4e8abf6256391a917480] -->
DOC__DOC;
} ?>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */
/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
<?php error_reporting(0); echo "\n"; @__sfd1252523454__(); ?>
The lesson here I guess is that I'll have to be more vigilant about checking the files on my site. According to the time stamp on my index.php file, it had been changed on Sept. 11! That stinkin' hack had been on my site for a month!
It's unclear to me what problems this might have caused for any of my readers. My deepest apologies to anyone who may have experienced any problems due to this hack.
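A file check of the kind the post describes wanting, as an added example that is not part of the original post: it walks a web root and flags files carrying the three structural traits of the injected header shown above (the `__sfd<digits>__` shutdown hook, the bracketed 32-hex marker comment, and the invisible `<div>` wrapping a link). The function names, the sample strings and the placeholder URL are assumptions made for this illustration.

```python
import re
from pathlib import Path

# Patterns taken from the injected index.php shown in the post.
SIGNATURES = {
    # Shutdown hook registered under a generated __sfd<digits>__ name.
    "shutdown_hook": re.compile(r"register_shutdown_function\(\s*[\"']__sfd\d+__[\"']"),
    # Opening marker comment: <!-- [<32 hex chars> -->
    "marker_comment": re.compile(r"<!--\s*\[[0-9a-f]{32}\s*-->"),
    # Invisible <div> wrapping a link (weaker heuristic; legitimate themes can match).
    "hidden_link_block": re.compile(
        r"<div[^>]*visibility\s*:\s*hidden[^>]*>.*?<a\s+href=", re.I | re.S),
}

def scan_text(text):
    """Return the sorted names of the signatures present in one file's contents."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Map each matching file under root (relative path) to the signatures it hit."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample with the same shape as the injected header; the marker,
# function suffix and URL are placeholders, not values from the post.
MARK = "0" * 32
INFECTED = (
    '<?php @register_shutdown_function("__sfd0000000000__");\n'
    "function __sfd0000000000__() { echo <<<DOC__DOC\n"
    "<!-- [" + MARK + ' --><div style="overflow:auto; visibility:hidden; height: 1px; ">'
    '<ul><li><a href="http://example.invalid/x">.</a></li></ul></div><!-- ' + MARK + "] -->\n"
    "DOC__DOC;\n} ?>\n<?php require('./wp-blog-header.php'); ?>\n"
)
CLEAN = "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php'); ?>\n"

if __name__ == "__main__":
    import sys
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {', '.join(hits)}")
```

Run with the web root as the only argument. A file that hits only `hidden_link_block` needs a manual look, since that pattern alone is not specific to this injection.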
#
The same thing happened to me, but I'm hosting with Hostgator, not Inmotion. The search you showed, though, doesn't seem like it's all the same kind of problem. With mine, Hostgator showed me the logs and I saw that the problem was an exploit in WordPress 2.8.3. When I upgraded WordPress and changed my FTP password, I never had this problem again. Sorry man, but the problem is your site, not your host.
#
Well, if it was a problem with my site, it was an exploit in WordPress 2.8.4. I upgraded the site to 2.8.4 in August and my site got hacked on Sept. 11. It seems like more than coincidence that 9 out of 10 sites I found showing the same problem were all with Inmotion. BTW, it's been reported on Drupal sites as well.
Perhaps it's my fault for not changing my cPanel password since signing up. Account login information was included in the site activation email, so if someone got into the sent mail at Inmotion they would have several IDs and passwords.
The disappointing thing is that Inmotion knew that there was an issue. They could have run a simple
on each of their servers and found all the hacked accounts. It wouldn't have been too much to ask to send out an email to the affected account holders letting them know of the problem and their proposed solution. Instead, they chose to simply deny any responsibility and left their customers to discover the problem on their own.