Problem with malicious pages


A site I’m working on has been having a security issue that I haven’t seen before.

Some starting background: the site was originally hosted on HostGator, and I was first alerted to a problem when the client emailed me saying the site was down. It ended up that the site had been taken down by HostGator for a trademark infringement claim, and the email had been missed by the client.

When we finally got temporary access back to the site, and while we were waiting on it, I completely scoured the database for any reference to the pages that HostGator had specifically called us out about, and found absolutely nothing in the DB or WordPress file structure. Even downloading a local copy resulted in a site without these pages.

The pages themselves were things like url/international-dating, and there was a /siterss.xml URL I found that linked to a page listing a whole bunch of different URLs like it, all of which did go to pages when you put them in.
To be clear, these pages did not redirect at all, and when doing an IP check they share the same IP address as the regular site.

The pages themselves were static with no JavaScript running, and they were built to look exactly like the client website, just with different main body content. But changing the theme of the website/header features/etc. didn’t change them at all. Disabling all plugins also did nothing to these pages.

After fighting with HostGator for over a week, we finally up and moved over to WP Engine, a move that was recommended before this anyways. Initially things were great, no weird pages. But then the next morning they were suddenly back.
A quick contact with WP Engine support and they supposedly cleaned some entries out of our comments db and the pages were gone. I didn’t fully trust this to be the end though as the comments they deleted were ones I’m pretty sure were in spam, and didn’t seem like they would have been the source of this large of a problem.

Sure enough, less than 24 hours later, the pages are back.

Has anyone dealt with something similar to this? What was the ultimate cause of it?

2 Comments
  1. As an edit, plugins and themes are updated, only active ones are present. All users have been forcibly logged out and had their passwords reset.

  2. Could be a hack that is going out and getting content and dynamically displaying it when you hit specific URLs, so the content itself wouldn’t be part of your site. If you want, DM me the URL and a sample URL that has the content.

 
