What does "spamvertised website" mean and has this happened to any one else before? - Printable Version +- Post4VPS Forum | Free VPS Provider (https://post4vps.com) +-- Forum: VPS Discussion (https://post4vps.com/Forum-VPS-Discussion) +--- Forum: VPS Protection (https://post4vps.com/Forum-VPS-Protection) +--- Thread: What does "spamvertised website" mean and has this happened to any one else before? (/Thread-What-does-spamvertised-website-mean-and-has-this-happened-to-any-one-else-before) Pages:
1
2
|
What does "spamvertised website" mean and has this happened to any one else before? - deanhills - 07-30-2019 I've just checked up with Google and this is what a "spamvertized website" means: Quote:A site being “spamvertized” means that the site is being included as a link in spam emails. The most common reason your site appears in spam emails when you’re not the spammer is because your site has been hacked by someone.https://www.wordfence.com/blog/2014/05/why-is-your-site-being-spamvertized-and-what-to-do-about-it/ So an awesome irony occurred. On the very same day when I posted a review of Contabo Contabo received a complaint about my VPS IP being complicit in a spamvertised website. Since I hadn't looked at my e-mails in my VPS Account for a while, I only learned about the problem yesterday morning. Contabo received a complaint about a "spamvertized website" linked to my VPS IP on 10 July. When I didn't respond within 36 hours they suspended my VPS with a notification that re-connection would cost me US$30. So of course I complained heavily to Contabo yesterday. I then wrote to them and asked whether they'd checked my VPS for any abnormalities before they suspended the VPS and they said "yes" they had, but now there was nothing on the VPS - I must have fixed it or had software on the VPS that took care of the problem. So how could I have fixed it if the VPS was suspended? Anyway, I was grateful I didn't have to pay the 30 US$, they unsuspended the VPS, but since the blog doesn't really mean anything to me, I reinstalled the OS immediately, and powered down the VPS as I'd like to get a better understanding of what had happened first. I personally think it was a false positive, but it would be great to hear if this has happened to any other member at post4vps before? At the time of this happening I had only one very small static blog on the VPS. With no users connected with it, no comments enabled, no e-mails, no traffic. A very small blog with my own personal experiences about Contabo. I have WordFence Security Plugin on it - and I'm sure WordPress users know how fast WordFence is with picking up on irregularities. There had been no notifications from WordFence. There is also no e-mail server on the VPS. No automatic scripts running. Only thing that did happen on 9th of July (the day before the complaint) that could have caused something to happen was I updated the following themes and plugins of WordPress. And on the 10th of July I did a Benchmark test of the VPS using @"Hidden Refuge" Benchmark Script. Here is a record of the script, plugins and themes that were updated. Note they are all very straight up and down strictly WordPress products - and they were not actively used - only Wordfence and WP Classic Editor - the other plugins were "inherited" when I copied the Website: 1. The WordPress Script to 5.2.2 2. Plugin: WP Classic Editor 3. Plugin: Contact Form 7 4. Plugin: Duplicator 5. Plugin: Limit Login Attempts Reloaded 6. Plugin: Responsive WordPress Slider (note it's not being used with the WordPress blog) 7. Plugin: WordFence Security 8. Themes: Twenty Thirteen, Fifteen, Sixteen, Seventeen, Nineteen The following themes and plugins were actively used in the blog: 1. WordPress Script 5.2.2 2. WEN-Associate Theme 3. All-in-one WP Migration Plugin 4. All-in-one WP Migration Extension Plugin 5. WordFence 6. Limit Login Attempts Reloaded 7. WordPress Classic Editor I had VestaCP loaded on the VPS without FTP or E-mail Server. I had changed the Port Number in April. When I first took occupation of the VPS in April I noticed a very abnormal number of failed login attempts, like larger than I'd ever experienced before. It completely stopped when I changed the port number. RE: What does "spamvertised website" mean and has this happened to any one else before? - xdude - 07-30-2019 This is not exactly related to what you ask but I do have a question. For what did you use this Duplicator plugin ? i know it does help you to move a Wordpress blog to another place as a clone etc. But once it's done didn't you remove the plugin ? RE: What does "spamvertised website" mean and has this happened to any one e... - deanhills - 07-30-2019 (07-30-2019, 05:23 AM)xdude Wrote: This is not exactly related to what you ask but I do have a question. For what did you use this Duplicator plugin ? i know it does help you to move a Wordpress blog to another place as a clone etc. But once it's done didn't you remove the plugin ? I haven't used Duplicator in probably more than two years. I only use the All-in-one WP migration plugin. As I mentioned before, it's a copied blog. I imported it from one that had history in it, and hadn't had a chance to remove all of the plugins and themes I hadn't been using. I started it just before my big move to Canada, and the blog was still a project-in-progress. RE: What does "spamvertised website" mean and has this happened to any one else before? - Mashiro - 07-30-2019 Fortunately I personally have never had such an experience with Wordpress or other software. A few years ago though, when FreeVPS Directory & Discussion was still active, I have had the chance to help a person with exactly the same issue as you. They also hosted a Wordpress site with plugins and other things for Wordpress. Their VPS suspended by the sponsor. I've been asked to help to investigate the case. A few key statements to note: 1) They've only used SSH public key login (no password login allowed at the whole system) with a passphrase protected key pair. 2) They've not used a web hosting control panel or similar. Instead they've setup a LEMP stack by hand via command line. 3) They've installed Wordpress and other things by hand. So the security of the VPS itself was fine actually in terms of SSH and the only attack surface that existed was Wordpress. Maybe worth to note that they hosted multiple blogs via different vHosts and only one was hacked. Hackers placed a phishing page for PayPal on the server and tried to steal information from people. The provider probably got a complaint which however wasn't forwarded to us or the VPS owner. They only suspended the VPS and later answered to our ticket with the reason and a screenshot of the phising page. The provider was pretty cool with the situation though. They unsuspended the VPS, stopped the web server services and such. I have investigate it. The files that were placed by the hacker have been hidden by them deep in the actual hacked Wordpress blog. Until to day I have no clue how it was done. I did discover some PHP shell files though and I guess these ended up there through security holes in Wordpress that allowed an attacker to run arbitrary malicious code to upload the shell. PHP shells are a nasty thing since they can bascially use such security holes to run code modifications on the system as ROOT without SSH access. Well, my two cents about such cases. RE: What does "spamvertised website" mean and has this happened to any one e... - deanhills - 07-30-2019 (07-30-2019, 07:11 PM)Hidden Refuge Wrote: I have investigate it. The files that were placed by the hacker have been hidden by them deep in the actual hacked Wordpress blog. Until to day I have no clue how it was done. I did discover some PHP shell files though and I guess these ended up there through security holes in Wordpress that allowed an attacker to run arbitrary malicious code to upload the shell. PHP shells are a nasty thing since they can bascially use such security holes to run code modifications on the system as ROOT without SSH access.Thanks very much for this response @"Hidden Refuge". It's been worth publishing the thread. My blog didn't have any users or comments on it. So I imagine the hacking must have been done through the plugins that got updated. A good candidate could possibly be the plugin for sliders. As I don't have that one loaded on my other blogs on VPS 9 and at hostus.us. I'm going to research all of the plugins for anything that may have cropped up for this specific hacking. But yes, I now accept that my WordPress must have been hacked. As the complaint came through immediately after I had updated all of the plugins and themes of WordPress. RE: What does "spamvertised website" mean and has this happened to any one else before? - Kururin - 07-31-2019 I feel like wordpress shouldn't be just used anymore. If you just want a static blog why do use Jekyll? Why use bulky software like word press which leaves huge attack surfaces as it still uses PHP and MYSQL. Jekyll is a static blog generator and there's plenty of guides out there while lays out in layman terms how to set it up and use it. And it looks gorgeous with themes. RE: What does "spamvertised website" mean and has this happened to any one e... - deanhills - 07-31-2019 (07-31-2019, 05:24 AM)Kururin Wrote: I feel like wordpress shouldn't be just used anymore. If you just want a static blog why do use Jekyll? Why use bulky software like word press which leaves huge attack surfaces as it still uses PHP and MYSQL. Jekyll is a static blog generator and there's plenty of guides out there while lays out in layman terms how to set it up and use it. And it looks gorgeous with themes. You've got an excellent point Kururin. I have to rethink completely why I'm using WordPress and go for a much safer alternative. Time for a change me thinks. I've been doing it this way as maybe I've become lazy. I spent a lot of effort to do courses, and am reasonably expert at WordPress. So blogs come easy and effortless. However, over the years the security of Websites has become more and more complex to the extent that the way WordPress works with external plugins and themes, the risk for being hacked has become much greater - easy has become expensive in a way. I've just asked another shared hosting host to check my Website, and he told me the exact same thing. I'm not the only one caught with this. WordPress is just not a good option any more if you really want a safe setup. RE: What does "spamvertised website" mean and has this happened to any one else before? - Manal - 07-31-2019 This happened to me a few days back to Shadow Hosting's blog. I was alerted soon when an "unknown" popup appeared asking if I need confirmation for notification. I never installed any plugin where notification was asked so I ran around and checked. I scanned the website using Sucuri's Web Scanner(free) and found out that my website was hacked(or code was injected as you described). This resulted in my domain name listed in Spamhaus. I immediately changed all passwords, scanned everything and found my website was clean. I ran a check again but found nothing this time. I was a little skeptic now because I thought there is something that triggers the malware that if I login into the admin panel, the malware will be disabled for some time. I managed to get the domain out of spam listing. Fast forward few days, this happened again and before it was listed as spam, I immediately downloaded WordFence and scanned. I found some unknown defines in "function.php" of all themes and other things named "wp_vcd" or something which was causing. Since it was an unknown file, I Googled about it and found it is an unknown file and doesn't come with WordPress default config either any plugin. I ran a scan through WordFence, removed all such files, disinfected what was necessary and now my website is all good. So the solution for such problems is, you should keep checking your website for any malware on the homepage with Sucuri's free scan. RE: What does "spamvertised website" mean and has this happened to any one e... - Kururin - 08-01-2019 (07-31-2019, 03:45 PM)deanhills Wrote: You've got an excellent point Kururin. I have to rethink completely why I'm using WordPress and go for a much safer alternative. Time for a change me thinks. I've been doing it this way as maybe I've become lazy. I spent a lot of effort to do courses, and am reasonably expert at WordPress. So blogs come easy and effortless. However, over the years the security of Websites has become more and more complex to the extent that the way WordPress works with external plugins and themes, the risk for being hacked has become much greater - easy has become expensive in a way. I've just asked another shared hosting host to check my Website, and he told me the exact same thing. I'm not the only one caught with this. WordPress is just not a good option any more if you really want a safe setup. That's why software like Jekyll exists. You don't need to do courses on them. Just read the documentation and it will flow to you automatically. It's really simple and I created a full-fledged blog with just command line to display my Political Science project on it back in High School. My teachers were really impressed as how clean and easy was it for me to change content or format my blog and commended me for just using Terminal. So I think you can use it pretty straightforwardly as well as now you have more experience with system administration and around web software and can pull it off. RE: What does "spamvertised website" mean and has this happened to any one else before? - deanhills - 08-01-2019 @Manal Thank you so much for sharing your experience. So now that is in the same time frame as mine. And you probably also update your WP script and plugins as regularly as I do. I wonder whether this has anything to do with the WP last update 5.2.2? I must research this more and check whether any one else has reported it at the WordPress support forum. What is interesting is when I uploaded my "test site" at another server, I had a serious issue to import the backup (with the All in One Migration plugin). Eventually after a few tries, I found that it was because of the up to date version of WordPress that was incompatible with it. Version 5.2.2. Softaculous allows one to choose the version of WordPress one wants to load, and when I loaded an earlier version 4.9 something, everything worked fast and clean. So can't help but wonder whether there are some gaps in 5.2.2 that allows for something to happen that will end up planting something in your Website. If I may ask. How to you create WordPress installation? Do you do it from the command prompt, or with softaculous? And how do you update your scripts, plugins and themes? |