1

Anyone have experience and advice to locate the source and stop an ftp hack on my client's Wordpress site hosted on BlueHost? The hackers were able to do the following:

  1. Create multiple ftp accounts with usernames like ss-ee4f8275917dfe28 etc. pointing to folders /tmp/simplescripts/ and /public_html/
  2. Upload php files with names like MMprobe-N5ayJ.php into the public_html folder
Soufiane Tahiri
  • 2,667
  • 13
  • 27
chris
  • 11
  • 1
  • 1
    We cannot possibly know the source of an attack by looking at what they did afterwards. – schroeder Jul 19 '19 at 12:11
  • Contact a professional to aid you. –  Jul 19 '19 at 17:48
  • I just noticed the same FTP accounts that were created and pointing to the "simplescripts" folder. The other FTP accounts point to my root folder. I think this attack happened long ago but the extra FTP accounts went unnoticed. – Wasted_Coder Jan 04 '22 at 10:52
  • apparently these accounts are created by one-click-installs within the cpanel... so the "hacker" would be bluehost's hosting platform itself. I just was looking at the same issue, and saw that commentes. makes a kind of sense, though is not at all a clean solution. – Canelo Digital Feb 01 '22 at 02:01

1 Answers1

0

The best scenario would be to take the last backup of the website and just re-create it fresh on a new server. You should contact their support for help. There could possibly be rootkits and other hidden stuff inside your application files, which could take a lot of time to weed out.

To prevent FTP attacks

  • use latest FTP service version
  • use strong username, password
  • setup fail2ban on FTP to prevent brute-force attacks
Raimonds Liepiņš
  • 992
  • 5
  • 9