Hostgator CPanel hacked & Wordpress plugins uploaded

caribio

Nov 22, 2010
Someone broke into my hosting account via the admittedly not-so-strong admin password and uploaded some malicious code via plugin installs.

I was notified by Hostgator just now; they sent a pretty impressive report (who, when, what).

Clearly my fault. I'd like to think this is due to the weak password and not a possibly hidden keyboard sniffer on my workstation that I'm not aware of.

Looking through the affected files, the pattern seems to be:

Code:
/wp-admin/gg.php
/wp-admin/title.php

Two IPs: one from Barcelona, Spain, and one from Kiev, Ukraine (81.39.13.225 and 193.111.9.98).

I'm not sure yet what the uploaded scripts did (they were already deleted by Hostgator); I'd imagine they dropped some links here and there.

If you've seen this before, let me know.
 


Stop using Password1

What's the point of starting this thread? To showcase your stupidity?
 

Just fix your shit and move on.
 
> Stop using Password1
>
> What's the point of starting this thread? To showcase your stupidity?

Yes, this was shared hosting.

@medicalhumor - How did you know my password?

No, the password wasn't susceptible to a dictionary attack, but it arguably could have been stronger.

The point of starting the thread was to make you go check for gg.php on your server(s).

It's possible some of you got owned the same and don't even know it.
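The post above asks readers to check their own servers for gg.php. As an added example (not code from the thread or from Hostgator), here is a small Python scanner that walks a WordPress install's wp-admin directory, flags the two filenames named in the thread, and lists any other PHP files that are not in a known-good baseline. The baseline set is an assumption: in practice you would build it from a clean download of the same WordPress version. The sample site it scans is a constructed temporary directory, so the script runs offline.

```python
import tempfile
from pathlib import Path

# Indicator filenames reported in the thread (dropped into /wp-admin/).
INDICATOR_NAMES = {"gg.php", "title.php"}


def scan_wp_admin(wp_root, baseline):
    """Scan <wp_root>/wp-admin for PHP files.

    Returns two sorted lists of paths relative to wp-admin:
      indicators  - files whose name matches a reported indicator
      unexpected  - other PHP files absent from the known-good baseline
    """
    admin = Path(wp_root) / "wp-admin"
    indicators, unexpected = [], []
    for path in sorted(admin.rglob("*.php")):
        rel = path.relative_to(admin).as_posix()
        if path.name in INDICATOR_NAMES:
            indicators.append(rel)
        elif rel not in baseline:
            # Not an indicator by name, but not part of the clean install either:
            # exactly the kind of dormant file the thread warns about.
            unexpected.append(rel)
    return indicators, unexpected


def build_sample_site(root):
    """Constructed sample tree (not a real site): a few legitimate-looking
    files plus the two filenames reported in the thread and one extra
    unknown file hidden under a subdirectory."""
    admin = Path(root) / "wp-admin"
    (admin / "includes").mkdir(parents=True)
    for rel in ("index.php", "admin.php", "includes/file.php",
                "gg.php", "title.php", "includes/dropped.php"):
        (admin / rel).write_text("<?php // sample\n")


# Hypothetical baseline for the constructed site; a real one comes from a
# clean WordPress archive of the same version.
SAMPLE_BASELINE = {"index.php", "admin.php", "includes/file.php"}


def demo():
    """Build the constructed site, scan it and return the two result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wp_admin(tmp, SAMPLE_BASELINE)


if __name__ == "__main__":
    found, extra = demo()
    print("indicator files:", found)
    print("unexpected PHP files:", extra)
```

Point `scan_wp_admin` at the real document root and a baseline built from a clean copy of your WordPress version; anything in the second list deserves a look even if its name is innocuous, since a renamed backdoor will not match a filename list.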
 
Good luck tracking them down. Chances are those are just VPNs or Proxies. But be fucking sure you CHANGE your password for everything you have hosted with that password or even forum accesses. Also make sure you are 100% sure they didn't leave anything else there dormant that they can call externally.
 
> Yes, this was shared hosting.
>
> @medicalhumor - How did you know my password?
>
> No, the password wasn't susceptible to a dictionary attack, but it arguably could have been stronger.
>
> The point of starting the thread was to make you go check for gg.php on your server(s).
>
> It's possible some of you got owned the same and don't even know it.

gg.php is my password
 
How/When did hostgator get involved? They sent you a report on the damage but did not fix it themselves? I don't understand -- did you email them about this?