Website is being hacked

[Gamble 4 Keeps]

Hi

I am in need of some help please. It appears my website has been hacked by someone, and i am not sure how to find out or fix the problem. My website is www.gamble4keeps.com hope i can post this here. If not remove the URL

This morning i noticed my website started to take around 3 minutes to load, even though it was working fine when i went to bed. Later this evening, it got to the point i couldnt access my site. So we did a database backup.

Now i am noticing links and redirection on my site that i did not put there and they redirect to a landing page of some sort. Can someone offer any advice urgently.

I have found so far two links that divert to something i never put up or redirected to.

xxhttp://www.gamble4keeps.com/how-to-beat-slots
xxhttp://www.gamble4keeps.com/casino-in-mobile-al

[PromoteCasino]

Hi,

I will be very interested in what the community has to say about this and how it has been achieved. It is worrying that now you don't even to have to have a spam url when they can use someone else's url. Disturbing to say the least. I hope you can get this resolved quickly.

If anyone knows a way to prevent this happening I and many others I am sure would be grateful.

[Gamble 4 Keeps]

Its really strange, hostgators security team are investigating it. but they are unsure at this stage. The only reason i picked it up was because i happen to look at my whos online stats and saw someone view these two links.

Its really strange.

[Gamble 4 Keeps]

ok more links popping up

xxhttp://www.gamble4keeps.com/i-want-to-play-blackjack
xxhttp://www.gamble4keeps.com/how-to-win-playing-slot-machines
xxhttp://www.gamble4keeps.com/best-online--casino-sites

[JackTenSuited]

check the .htaccess file to see if has been modified in any way if not restore it to the default wordpress one and update all your plugins.
then work through this http://codex.wordpress.org/FAQ_My_site_was_hacked

[Scampi]

To fix the problem, update to the latest version of Wordpress, then change theme and change back again. This should fix the problem and remove the spam links.

[wonderpunter]

Install Wordfence, it will lock out repeat attempts "you have to set it up though" it will also notify you of attempts of login, Change User and Password, cleanup the pages that have been hacked, then apply cloud flare and set security to medium at least.. I find this is a good solid protection I have around 100 hack attempts daily

[Gamble 4 Keeps]

Install Wordfence, it will lock out repeat attempts "you have to set it up though" it will also notify you of attempts of login, Change User and Password, cleanup the pages that have been hacked, then apply cloud flare and set security to medium at least.. I find this is a good solid protection I have around 100 hack attempts daily

Have found the issue thanks so much. as soon as i installed and ran this program it picked up which files in my site were affected and removed the added information that was placed in them. You have no idea how gratefull i am. And i highly recommend EVERYONE get this plugin

[wonderpunter]

Have found the issue thanks so much. as soon as i installed and ran this program it picked up which files in my site were affected and removed the added information that was placed in them. You have no idea how gratefull i am. And i highly recommend EVERYONE get this plugin

Awesome plugin, and free.. it should be bundled with every install, Tighten up the lockouts too

[robertwilliams]

Just to stick my nose in to this as well...

Make sure you have a super password strength for your database password, and your WP login. If a hacker gains access to your server it's so easy for them to check your root directories, access your WP-Config files (for wordpress sites, just access your root via Filezilla / dreamweaver and you'll see it) and change your site passwords.

Had this issue late last year and they managed to get into every site on my VPS. Royal pain in the backside - and apparently they profit from selling your logins to others. The cheek!!

[vardan]

Glad everything is fine now for Gammble 4 Keeps.
I installed Wordfence from the beginning and I permanently block all suspicious IP addresses.

[sweetbet]

I had something similar happen to one of my WP sites a long time ago.

Try changing the following and see what happens:

SETTINGS > PERMALINKS > Default

Also, you don't have much security on your site.

You might want to look at the following WP security plugins:

Block Bad Queries (BBQ)
Limit Login Attempts
Rename wp-login.php
SI CAPTCHA Anti-Spam
Stealth Login Page
Wordpress Firewall 2
WordPress Simple Firewall

[universal4]

Another plugin to consider is:
All In One WP Security

I have used all in one and like the features.

In fact it offers a lot of the features in a single plugin that some of the others recommended.

It makes renaming the admin login easy, has a built in firewall, limits login attempts based upon your settings and more.

Rick
Universal4

[Gamble 4 Keeps]

Update: Sites hacked again whole thing is taken down this time.

Webhosting is trying to fix it. Will update more info when i get it.

[Gamble 4 Keeps]

Quick Update:

Site has been infected by a malware hack, named Cryptophp. It has installed multiple versions of a file named social.png
It looks like its an image, it is infact a php file that injects throughout your entire server so people can control the site.

Hostgator are placing my account through a deep clean, but i may lose everything

Be warned, it can happen evem if you have the best security plugins installed hostgator told me

[universal4]

I agree that in situations like this one has to be vigilant, but in order for the hack to take place, either they have to exploit an installed plug-in, brute force a password or otherwise gain write access to the web folder. If you are on shared hosting, one has to hope it did not come from hacked root access from any other shared client on the server.

There are also sql injection type hacks, but this would normally only take place through an exploited plugin.

If you ever find out the hack that was used, do let us know so others can also be warned if it happens to be a common plugin or such that was exploited.

Rick
Universal4

[Gamble 4 Keeps]

I agree that in situations like this one has to be vigilant, but in order for the hack to take place, either they have to exploit an installed plug-in, brute force a password or otherwise gain write access to the web folder. If you are on shared hosting, one has to hope it did not come from hacked root access from any other shared client on the server.

There are also sql injection type hacks, but this would normally only take place through an exploited plugin.

If you ever find out the hack that was used, do let us know so others can also be warned if it happens to be a common plugin or such that was exploited.

Rick
Universal4

Sure was on a shared server, that is changing that's for sure. Very valuable lesson here, make sure you do regular backups. Mind due in my case this hack has affected all stored backups that the hosting has done also. I never did any backups to my computer which is guttering.

Hopefully i will have the site back up over the next 2 days But this is one thing everyone needs to be aware about. It caqn affect all wordpress, Joomla and other popular CMS. From what i have read over 23,000 sites have been infected with this Crypto PHP Hack

[wonderpunter]

Sure was on a shared server, that is changing that's for sure. Very valuable lesson here, make sure you do regular backups. Mind due in my case this hack has affected all stored backups that the hosting has done also. I never did any backups to my computer which is guttering.

Hopefully i will have the site back up over the next 2 days But this is one thing everyone needs to be aware about. It caqn affect all wordpress, Joomla and other popular CMS. From what i have read over 23,000 sites have been infected with this Crypto PHP Hack

Add Cloudflare to your site also, It will refuse attempted connection whilst giving you a speed boost, Once a hacker is in the best bet is really fresh install or rollback to a previous date, i back up my site daily as I post daily.. so if anything happens I will only lose 24 hours of work

Just noticed... By chance did you download a free *Premium template? these are usually embedded with malware from the onset

[Gamble 4 Keeps]

Add Cloudflare to your site also, It will refuse attempted connection whilst giving you a speed boost, Once a hacker is in the best bet is really fresh install or rollback to a previous date, i back up my site daily as I post daily.. so if anything happens I will only lose 24 hours of work

Just noticed... By chance did you download a free *Premium template? these are usually embedded with malware from the onset

No I had purchased a template, however the hack was all through it. It also injected itself into all plugins i had. The biggest thing i find hard is, its infected my computer as well. Just running Melwarebytes and Avast as i speak.

[robertwilliams]

So sorry to hear this has happened again - hoping this gets resolved quickly for you.

When taking backups via the host, download them weekly too, then delete the hosted version. This is quite a good habit to get into as if you move away from shared hosting, to a VPS or similar, the chances are that you'll no longer have 'unlimited' webspace. The addiction of creating multiple sites means that 30GB of space get's used up verrrrrry quickly.

On a side note, are there authorities you can report these kind of hacking attempts too? The amount of our time that is stolen fixing this kind of crap.