Last Thursday we mentioned how we had come across a hacker that had recently hacked numerous websites hosted with various Endurance International Group (EIG) brands. EIG does business through brands A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. That the hacker was only hitting websites hosted with those brands stood out, since if, say, a hacker was exploiting a vulnerability in a WordPress plugin to gain access to them, you would expect to see numerous different web hosts represented.
At the least, that seems to indicate that the hacker is targeting websites hosted with EIG brands, which is one possible explanation of the situation. What would seem more likely, though, is that the hacker is gaining access to some part of EIG's systems that allows them access to all of the websites on a server. Considering the hacker was hitting numerous websites sharing the same IP address, which would likely indicate they are on the same server, that seemed like a reasonable possibility.
Proving that EIG's systems are being exploited would be difficult without information that only they have access to. Our past experience is that web hosts are rarely even willing to consider that they have been breached, much less admit that it has happened. As we mentioned in the previous post, things are worse with EIG, since they are run by the majority owners of the security company SiteLock and EIG gets a cut of the security services SiteLock sells to their customers. That creates an incentive not to provide their customers the best possible security, and what we have heard is that when contacted about a hacked website they just try to push their customers to SiteLock instead of doing any checking into the situation (that includes someone who contacted us last week that has been hit as part of this hack).
While doing some more searching on the message left in one of the files we found on a website hit by the hacker (it is also on the other websites being hit), "Hacked By Isal Dot ID", we found that a year ago the hacker was claiming to have full access to the server that a website they had hacked was on.
At the time of the hack that website was hosted on the IP address 192.185.142.185. The listed ISP of that IP address is Websitewelcome.com, which is HostGator.
(The website is now hosted on the IP address 74.220.219.116. The listed ISP of that IP address is Unified Layer, which is Bluehost.)
While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end. This seems like something they should be addressing. If you have been hit by this hacker and have gotten a response related to that instead of just being pushed to hire SiteLock please get in touch with us or leave a comment on this post.
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
Came across your articles after finding the site was hacked, hosted by Hostgator. Spent a bit of time trying to fathom out how the files were being placed on the site. Turned out not to be a vulnerability in the WordPress console or a plugin vulnerability. The hack was exactly as described in your article, which includes a wp-confing.php.
Having cleared out the line from index.php and removed the files put there by the hacker, the next morning they had been re-created. No indication that anyone had logged in through cPanel to do this, so I checked the error logs having cleared the files again.
The error_log file says:
Failed opening 'wp-confing.php' for inclusion (include_path='.:/opt/php52/lib/php')
I'm not 100% sure, but to me that line says there is a connection back to the root of the server which we do not have access to. I suspect a script is running on HostGator servers and rewriting the hack back to web sites.
The error is indicating that the file wp-confing.php could not be included, which could have happened if you removed that file before removing the line including it in the file index.php. The portion referencing somewhere else on the server, "include_path='.:/opt/php52/lib/php'", looks like it is just specifying where on the server include is set to look for included files.
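As an added illustration (not code from the post or its commenters), a small Python checker for the two things discussed above: it flags include/require lines in a WordPress PHP file whose target is not a stock core file, calling out look-alike names such as wp-confing.php, and it parses the "Failed opening ... for inclusion" warning quoted from error_log to recover the missing file and the include_path. The sample index.php and error_log entry are constructed, and the /home/example path is an assumption.

```python
import re

# Files a stock WordPress index.php / wp-config.php legitimately pull in.
EXPECTED = {"wp-blog-header.php", "wp-config.php", "wp-settings.php", "wp-load.php"}
# include/require, anything but ; or quotes, then the quoted target.
INCLUDE_RE = re.compile(
    r"\b(include_once|include|require_once|require)\b[^;'\"]*['\"]([^'\"]+)['\"]", re.I)
# The PHP warning the commenter quoted from error_log.
ERRLOG_RE = re.compile(r"Failed opening '([^']+)' for inclusion \(include_path='([^']*)'\)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted names like wp-confing.php."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_includes(php_source: str) -> list:
    """Return (target, reason) for include targets that are not expected core files."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        target = m.group(2)
        name = target.rsplit("/", 1)[-1]
        if name in EXPECTED:
            continue
        reason = ("look-alike of wp-config.php" if edit_distance(name, "wp-config.php") <= 2
                  else "unexpected include target")
        hits.append((target, reason))
    return hits

def parse_include_failures(error_log: str) -> list:
    """Return (missing file, include_path) from 'Failed opening ... for inclusion' warnings."""
    return [(m.group(1), m.group(2)) for m in ERRLOG_RE.finditer(error_log)]

# Constructed sample: a WordPress index.php with an injected include prepended.
SAMPLE_INDEX = """<?php
@include('wp-confing.php');
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
"""
# Constructed error_log entry modelled on the one quoted above (the path is made up).
SAMPLE_ERRLOG = ("[01-Jan-2017 00:00:00 UTC] PHP Warning:  include(): Failed opening "
                 "'wp-confing.php' for inclusion (include_path='.:/opt/php52/lib/php') "
                 "in /home/example/public_html/index.php on line 2\n")

if __name__ == "__main__":
    print(suspicious_includes(SAMPLE_INDEX), parse_include_failures(SAMPLE_ERRLOG))
```

Running it over a real site's PHP files and error_log shows which file is still being pulled in after a partial cleanup, which is the situation the reply above describes.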
I found this article after finding out my website was hacked (Bluehost is my hosting provider). I found a php file containing the aforementioned "Hacked By Isal Dot ID". I tried removing the malicious files yesterday and they have been recreated today, similar to what a previous poster commented. I contacted Bluehost and was immediately directed to a person from SiteLock pushing a security product to clean up this issue. If this was an issue with EIG systems (Bluehost in my case), then I don't feel comfortable paying SiteLock to clean up what appears to be their issue. I am now thinking I should just switch my host provider.
If this is an issue with EIG systems then moving away from their hosting could prevent future issues, but from what we have seen so far with websites that we have been hired to clean up, it is likely that the reason the files were recreated is due to you not fully cleaning and securing the website. If you don’t have experience in doing that it really isn’t something you should be doing yourself.
Can you point a person in the direction where they could learn to fully clean and secure a web site?
Considering how often we are brought in to re-clean websites after a company that claims to have expertise in cleaning up hacked websites has failed to take basic steps in that process, it seems unlikely that you could find information on that sort of thing that would be useful (the guides we have seen are often quite bad). You would be much better off hiring someone that has expertise in cleaning them up to do it for you.
In terms of securing a website, the important things to do are mentioned here.
Interesting how my apparent website hack is coming from an IP address located in Greenwood Village, CO. Where is White Fir Design located, I wonder….Greenwood Village CO. Isn’t that interesting. Plus you provide security, another interesting thing. Gig is up
What gig is up?
I find it interesting that the IP address of my current state of constant hostgator and WordPress problems are coming from your city, not EIG’s location.
If you are trying to claim we are attacking your website, that doesn’t make sense. First off, we have approved your comments to be shown to everyone. Second, why would someone launch a hacking attack from a traceable location?
The post you are leaving these comments on is discussing a situation where someone claimed to have full access to one of EIG's servers, not a claim that EIG was causing problems themselves. So we are not sure where the idea that an IP address from EIG's location (they have multiple locations) would be causing problems would come from. What is at issue is whether EIG's systems are insecure, not that they are attacking anyone.
All I am saying is the nightmare I am currently experiencing is from a hack into my website, hostgator and WordPress. Hostgator is telling me the IP address associated with my info being changed almost weekly is coming from Greenwood Village CO. No maybe that means something to you or maybe not. Considering that my nightmare isn’t correcting itself through all the proper steps needed including hostgator, the problem still continues. The comments above from others are exactly the same I am experiencing.
We would guess the proper steps probably haven’t been taken. We are not aware of HostGator having expertise in dealing with hacked websites. Since you are falsely claiming we are hacking you, we wouldn’t be the right people to help you, so you should find someone else that has the needed expertise to deal with this for you.