-1

OK, first: it's not a duplicate question; my problem is different.

I recently searched my domain in Google like site:mysite.com and I see a load of links to casinos that are not mine. The subdomain structure is www.mysite.com/bellagio

I never created a folder called bellagio, and this subdomain (sorry, I don't know what we call it) is pointing directly to a casino site.

I am using WordPress on GoDaddy hosting and registered the domain there too.

It is something like the question "Phishing site uses subdomain that I never registered", but not exactly subdomains.

I tried actually creating a folder named bellagio and then clicking the link, but it still redirects to that spam site.

When I did some research, I found that not only mine but hundreds of websites were hacked this way (try searching "The Bellagio - Why To Gamble At Bellagio").

I am using free SSL certificates from StartSSL; is that the cause?

Any help would be greatly appreciated; at least tell me what and how to check.

rex purve
  • I talked with GoDaddy and they said my website file manager was hacked; I should remove all contents from there and re-upload all my contents. But if someone infected one of the files, won't it be there when I re-upload? Any things I should take into account? How do I do a safe reinstall and stop this thing from happening again? – rex purve Apr 17 '15 at 07:42
  • http://meta.serverfault.com/questions/963/what-information-should-i-include-or-obfuscate-in-my-posts has some information that can be used to improve this question. – kasperd Apr 17 '15 at 10:17
  • I cleaned everything, without a backup because it was a new site. I deleted everything from the account and then started fresh, and guess what: after doing it from the ground up I was able to remove those redirects, but now they are showing again. Can anyone please guide me on how to safeguard my WordPress? I edited my htaccess to a great limit and yet this happened. Losing my confidence in WordPress; if you were in my place, would you consider another CMS, framework, or doing it in simple PHP or ASP? Really want this ecommerce site up and running. – rex purve May 06 '15 at 19:18

2 Answers

2

It's not a DNS issue if the "subdomains" are just part of the path and not of the domain part of the URL. As GoDaddy suggested, remove your content from your hosting provider, wipe everything (something like "formatting", if provided) and re-upload everything.

Make sure you have a strong password, because that's the main cause of someone adding redirects to other sites from your web host, and up-to-date hosting software (say WordPress, or any other CMS you use).

P.S.: it would have been a subdomain if it was something like "casino.mysite.com" or "bellagio.mysite.com", and in that case that would have been a DNS issue.

  • So you're saying his account got hacked and somehow that path was created but the owner of the account is not able to see it or overwrite it? – demiAdmin Apr 17 '15 at 09:13
  • I'm just curious, interesting stuff. – demiAdmin Apr 17 '15 at 09:15
  • Yes - since DNS deals only with domains, if the situation is a new URL under the www.mydomain.com host, then this is not a DNS issue. It may be some web server configuration (mapping a route to some other directory) or the CMS being configured this way; either way, since it's unauthorized, it may have been a known exploit (hence the update-your-software suggestion) or an easy password guess (hence the ensure-your-password-is-strong suggestion) – Alex Mazzariol Apr 17 '15 at 09:45
  • Thanks for your reply, I feel confident now, but now I would have to re-upload everything :( Let's see and hope it doesn't happen again. And btw my password included capital, small and special characters too; it would have taken a few months to brute force that password. The free SSL thing is okay, right? Nothing wrong there? – rex purve Apr 17 '15 at 12:42
  • I wouldn't think they brute forced anything. They may have found a way into GoDaddy's network and uncovered a list of unencrypted username/passwords or a list of usernames and unsalted hashes. I'm not too familiar with the security features of GoDaddy's CMS but I would think there's a timeout for brute force attacks. – demiAdmin Apr 17 '15 at 13:44
  • Again, if there was a security breach at GoDaddy you would have been notified. Check any WordPress plugins for security issues, or configuration mistakes in WordPress itself (e.g. start from http://codex.wordpress.org/Hardening_WordPress). If you can manage WP on your own, check if you have the latest version and upgrade if applicable. – Alex Mazzariol Apr 17 '15 at 15:05
  • It was a crappy file in the free downloaded theme *Lesson Learned* – rex purve May 17 '15 at 20:02
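
As an added example (not code from any poster in this thread): a path such as /bellagio that redirects off-site comes from web server configuration or from CMS/theme code, so a first triage pass can scan the document root for `.htaccess` rules pointing at foreign hosts and for PHP files that hide code behind `eval(base64_decode(...))`. The host names, the sample tree and the pattern list are assumptions; the patterns are heuristics, not a complete malware signature set.

```python
import os
import re
import tempfile

OWN_HOSTS = {"mysite.com", "www.mysite.com"}  # assumption: the site's own host names
# Apache directives that can send a path such as /bellagio to another site.
HTACCESS_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*?https?://([^/\s\"']+)",
    re.IGNORECASE)
# PHP constructs commonly used to hide injected code (heuristic; expect false positives).
PHP_RE = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)

def scan_tree(root, own_hosts=OWN_HOSTS):
    """Return sorted (relative_path, line_no, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            is_ht = name == ".htaccess"
            if not (is_ht or name.lower().endswith((".php", ".phtml"))):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if is_ht:
                        m = HTACCESS_RE.search(line)
                        if m and m.group(2).lower() not in own_hosts:
                            findings.append((rel, no, "off-site redirect to " + m.group(2).lower()))
                    elif PHP_RE.search(line):
                        findings.append((rel, no, "obfuscated eval"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one legitimate rule, two planted findings."""
    theme = os.path.join(root, "wp-content", "themes", "free-theme")
    os.makedirs(theme)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteRule ^bellagio/?$ http://casino.example/landing [R=302,L]\n"
                 "RewriteRule ^shop$ https://www.mysite.com/store [R=301,L]\n")
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        # The encoded string is a harmless constructed placeholder ("echo 1;").
        fh.write("<?php\n// theme setup\n@eval(base64_decode('ZWNobyAxOw=='));\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_tree(tmp):
            print(*finding, sep=": ")
```

A hit is a lead to inspect by hand, and a clean result does not prove the tree is clean: redirects can also be stored in the database or injected by a plugin at request time.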
1

Edit: I would just have the site hosting the script doing all this taken down ;)

Interestingly if you look at the source code of the landing pages of all these hijacked sites you get the same site hosting the script that shows all that casino bologna.

If you perform an nslookup of the domain of the link that's hosting the script, you see that it's registered to Cloudflare, and if you visit the actual URL it shows 'under construction...'. So it seems that the guy doing this knows how to hide. You can contact Cloudflare about the domain hosting the script (the domain is spechin.com). They should take care of it because they don't want their IPs blacklisted.

demiAdmin