Server WWW-29 Compromise – 18 September

A WordPress website hosted on our server WWW-29 was hacked on 16 September. We found evidence that the attacker used a PHP shell script to assemble a collection of configuration files from other websites on the server (mainly WordPress and Joomla installations). These configuration files contain the MySQL database credentials for those websites.

If your website is hosted on this server, then please read on…

At this time we are aware of five defaced websites in recent days. The hacker injected his message directly into the respective databases. These cases seem related, but we are unable to say so with any certainty.

The information below was last updated on 19 September at 15:40 GMT.

Has your website been hacked?

Probably not. But please do check.

A typical symptom of a defaced WordPress website is a message such as “Hacked by so and so” injected in place of the website name. Depending on the WordPress theme, the message displays visibly on the home page or in the page title meta tag. In some cases the WordPress menu structure or home page was changed as well; in short, anything that lets the attacker display his “Hacked by so and so” message.

Is the server itself in jeopardy?

No. This is a shared server with hundreds of websites. While security policies are in place to prevent access to other users’ files, somewhat permissive settings are required to host all the websites. This does allow a rogue script to

What is the risk?

If you ARE NOT running WordPress or Joomla on this server, then you are probably not affected by this threat. But read on in any case.

If you ARE running WordPress or Joomla on this server, then all of the following applies…

We have mitigated the immediate threat to your website. The long-term risk is undetermined.

It is not possible for an attacker to access your MySQL database from outside the server. But they might be able to do so if they have access to a compromised website on our server and also have your database logins.

Of some concern is that the hackers now have sufficient information to figure out your cPanel password. They also know the password you have been using for a database. If that is just some random password, then no worries. But if it is also the password that you use for cPanel or other business, then you are in serious trouble and need to take immediate action.

What should you do?

No action: If you do not host WordPress, Joomla or a MySQL database on our server, then no action is required.

Minimum action: Given that your database logins may have leaked to bad actors, we urge you to change your database logins immediately. To set new database user passwords, use the MySQL Databases function in cPanel. Once you have changed the passwords, also update the configuration files for your web applications (e.g. wp-config.php for WordPress or configuration.php for Joomla).

Suggested action: If you used a database password for cPanel or other business too, then change all passwords related to your domain: cPanel, mailboxes, databases, the whole lot.

In all cases: Keep your WordPress, Joomla or other web applications up to date with the latest version to mitigate the risk of attack. The same applies to plugins, extensions and themes: keep them up to date with the latest releases. Finally, remove any inactive plugins, extensions and themes that are not in use. Older versions of these components are often open to exploits.
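To help with the minimum action above, the following shell helper (added here as an example; it is not part of this notice and not a tool we ship) walks a home directory, lists every WordPress wp-config.php and Joomla configuration.php it finds, reports whether the file is readable by other accounts on the server (the condition that let a script in another account harvest configuration files), and prints the database name and database user each file references, so you know exactly which database logins to rotate and which files to update afterwards. It never prints the password. The directory layout (public_html, shop) and the sample files created in the usage comment are constructed for illustration; the script assumes a POSIX shell with find and sed.

```shell
#!/bin/sh
# audit_configs: inventory WordPress/Joomla config files under a directory and
# flag those readable by other users on a shared host. Example code, not part
# of the hosting provider's notice; paths below are assumptions.

# extract_define FILE CONSTANT
# Pull the value of define('CONSTANT', 'value') out of a wp-config.php file.
extract_define() {
    sed -n "s/.*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# extract_prop FILE NAME
# Pull the value of Joomla's "public $NAME = 'value';" out of configuration.php.
extract_prop() {
    sed -n "s/.*public[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# audit_configs DIR
# Prints one line per config file: "<exposed|private> <db_name> <db_user> <path>".
# "exposed" means the file has the "other" read bit set (-perm -004), i.e. any
# account on the server could read the credentials inside it.
audit_configs() {
    find "$1" -type f \( -name wp-config.php -o -name configuration.php \) 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            */wp-config.php)
                name=$(extract_define "$f" DB_NAME)
                user=$(extract_define "$f" DB_USER) ;;
            *)
                name=$(extract_prop "$f" db)
                user=$(extract_prop "$f" user) ;;
        esac
        if find "$f" -perm -004 | grep -q .; then state=exposed; else state=private; fi
        printf '%s %s %s %s\n' "$state" "${name:-?}" "${user:-?}" "$f"
    done
}

# no_exposed_configs DIR
# Succeeds (exit 0) only when no config file under DIR is readable by others.
no_exposed_configs() {
    ! audit_configs "$1" | grep -q '^exposed '
}

# Usage: sh audit_configs.sh /home/youraccount
# Expected output looks like (constructed):
#   exposed wp_db wp_user /home/youraccount/public_html/wp-config.php
#   private joomla_db joomla_user /home/youraccount/shop/configuration.php
# Fix an "exposed" file with: chmod 600 /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    audit_configs "$1"
fi
```

After rotating the database passwords in cPanel, run the script again: every file it lists is one whose credentials you have just changed and which therefore needs its new password written in. Files marked "exposed" should also be tightened with chmod 600 (confirm with your hosting setup that the web server can still read them under that mode; on suEXEC/CageFS-style setups it normally can).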

Questions:

If you have any questions about this notice, please contact us.