
I have shared hosting on HostGator with around WordPress-based websites. Out of them, 4 stopped working with the message "Error establishing database connection". On checking the wp-config I found the DB connection details were changed for all of them to

/** The name of the database for WordPress */
define('DB_NAME', 'admin_drr');

/** MySQL database username */
define('DB_USER', 'admin_drr');

/** MySQL database password */
define('DB_PASSWORD', 'sBKDb6E1aM');

/** MySQL hostname */
define('DB_HOST', '46.21.253.40');

There were changes in the .htaccess file as well and I had to reset it to default. For one of the sites the DB prefix was also changed.

I was able to fix the issue but I was unable to understand if it is part of some kind of hacking or malware, or not. Any way to find this? Or was it something else, like due to WordPress's auto upgrade or something else?

I noticed someone else has reported a similar issue as well: WP site not accessible and seems like someone hacked the wp-config.php - admin_drr database

Another reason for me to share this is to bring this issue to others' notice, and hopefully someone can figure out the exact cause and fix for it.

2 Answers

2

This info needs to be escalated to your hoster and probably some authorities (if you're in the EU and have user data on that instance), because someone set your DB connection to a DSL line terminating in Moscow.

orithena
0

There are some steps which you should take to make sure something like that will not happen again.

  • Use a security plugin for scanning all of your files. I suggest using Wordfence; it will check your files one by one and see if any of them were modified by malware. But be sure the scan completes and is not interrupted by some error (for example, execution time running out).
  • After cleaning your website, it is good practice to make your WordPress files read-only and remove write permission from them (wp-admin, plugins, theme folder and ...) but leave write permission for the uploads folder. This way nobody can change their content. If you need to update WordPress or any plugin, you can do it manually, or add write permission to the files and remove it after that.
Soheil
  • The question was how to determine how it happened, not how to prevent it from happening – schroeder Feb 20 '20 at 07:38
  • @schroeder the only way to find out how this happened is to check the log files of the server, but not all servers store a file access log. So the solution is to clean the host and prevent it from happening again. – Soheil Feb 20 '20 at 08:25
  • Sure, and that's why I made this question a duplicate of a question with that as an answer. I'm saying that your answer is not an answer to what was asked. – schroeder Feb 20 '20 at 08:26
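
An added example, not part of any post above: a check for the symptom described in the question (a wp-config.php whose DB_HOST no longer points at the expected database server), which also reports the group/world write permission that the second answer recommends removing. The function names and the `expected_hosts` default are assumptions; on shared hosting the legitimate host may be a named database server rather than localhost.

```python
import os
import re
import stat
import sys

# Constructed sample: the tampered values quoted in the question.
SAMPLE_TAMPERED = """<?php
define('DB_NAME', 'admin_drr');
define('DB_USER', 'admin_drr');
define('DB_HOST', '46.21.253.40');
"""

# Matches uncommented define('DB_...', 'value') lines with either quote style.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]""",
    re.MULTILINE,
)

def parse_db_settings(text):
    """Return the DB_* constants; PHP keeps the first define of a constant."""
    settings = {}
    for name, value in DEFINE_RE.findall(text):
        settings.setdefault(name, value)
    return settings

def audit_webroot(root, expected_hosts=("localhost", "127.0.0.1")):
    """Report every wp-config.php under root whose DB_HOST is not an expected
    host (assumed allowlist), or which is group/world writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            settings = parse_db_settings(fh.read())
        host = settings.get("DB_HOST", "")
        bare = host.split(":", 1)[0]  # drop an optional :port or :socket suffix
        issues = []
        if bare not in expected_hosts:
            issues.append("unexpected DB_HOST %r" % host)
        st = os.stat(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("group/world writable")
        if issues:
            findings.append({"path": path, "issues": issues, "mtime": st.st_mtime})
    return findings

if __name__ == "__main__":
    for f in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["mtime"], "; ".join(f["issues"]))
```

The reported modification time of a flagged file gives a starting point for searching whatever access logs the host retains.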