I'm going to re-open this thread since we've posted more information on this issue. Please see below: http://support.inmotionhosting.com/ftp_exploits.html
Do note that other hosting providers are having this issue as well, and it is NOT specific to IMH or our servers.
BBQChamp, your post was a bit suggestive, as running a search for the word 'hacked' for any site hosted with us will indeed only bring up sites we host that were hacked in the past, most of which are irrelevant to this particular issue. We are a hosting provider, and naturally many of our customers are going to have sites that are hacked at some point in time. I'd advise you to redo that search with a different hosting provider's server domain and see what kind of results you get - I bet you'll find it's not all that different. Several other hosting companies now have released advisory statements about the same FTP hacks our customers are reporting, and I believe the reason this looks suspicious for us is that we are one of the first hosting providers to actually report it.
To those who are having a problem with a hacked site, please see the below link: https://support.inmotionhosting.com/cgi ... 94&lang=en
As a system administrator here at IMH, there are four things I've seen attributed to hacked sites:
1) FTP/cPanel credentials being stolen and used to upload malicious code (as discussed in this thread)
2) Insecure PHP and Perl software (including outdated installations)
3) Insecure permissions (777/666 on files and folders)
4) An actual hack running on the server
Our shared servers are set up to prevent #4 from happening, where a hack possibly let in by one customer's site cannot execute on the server and affect other users. In the rare event of this happening, files set to 666/777 are the only ones that can be affected since the nature of these open permissions allows any user on the system to write to them. We do have measures in place to identify and stop such exploits from occurring, which is why they don't happen - nor have they ever happened on one of our managed platforms. If you are a VPS or DS customer with root access, I highly advise that you take steps to secure your server, as servers of customers that opt for unmanaged hosting are not maintained by us past the hardware level.
For #1, refer to the link I posted. You need to make sure your Adobe and FTP client software is up to date, and your FTP password is changed. Our FTP exploit scanner will automatically reset your password and email you if it detects that malicious code was uploaded. Note that if your site was hacked with this method today, it doesn't mean your FTP information was stolen today. When scanning the servers for the IPs known to execute this hack, we found that some were attempting to use credentials for accounts that were removed as long as 6 months ago - so your FTP information could have been stolen months ago and not used until now. Therefore, the exploit on your PC could have existed at that time but may be fixed now, but it wouldn't hurt to do a virus scan just in case. This hack is also not Windows-specific, as Mac and Linux users have also seen the same problem.
For #2 and #3, all I can recommend is that you keep your site's software up to date. I can't tell you how many customers have notified us about their sites being hacked, only for us to find out that they haven't updated their WordPress installation for two years. If you're running PHP or Perl software and you neglect to keep up with security patches and updates, I'm sorry, but you're basically asking for your site to get hacked. Some search engines (like Google) have code searches where hackers can mass find sites running specific software versions (mainly of open-source software where one vulnerability will affect anyone running that software), and use that information to compile a list of targets. Unfortunately some people out there really have nothing better to do than to hack other people's sites, so you need to properly maintain your site to keep yourself from being a victim of a web-based attack. We have security measures on the server end to block many types of attacks, but note that it is really not possible for us to anticipate and prevent all possible attacks for every PHP and Perl-based software on the net, especially for those of you that write your own.
Now, IMH's standpoint on these issues is to help out our customers as much as possible, regardless of how the hack occurred. The biggest misconception is that when a site is hacked, it's automatically because the hosting provider's servers are insecure. While this may be the case for some hosts, it isn't for us. Keeping your site secure is rather simple, but it takes some effort from our customers as well. If you put a site on the Internet, you need to maintain it properly which means regularly changing passwords and applying appropriate updates. We as the hosting provider do our part in keeping our servers from being hacked, so site owners need to do their part by keeping hacks off their sites.
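
Added example, not part of the original post and not InMotion Hosting's own tooling: a small shell audit for item 3 above, listing files and folders under a web root whose permissions let any user on the system write to them (666/777 and similar) and removing only that bit. The function names and the `public_html` layout are assumptions made for illustration, and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a web root for world-writable (666/777-style) entries.

# Print every regular file or directory under DIR whose "other" write bit is
# set. -perm -0002 matches 666, 777, 757 and so on. Symlinks are skipped
# because their own mode bits are not what the kernel checks.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Number of world-writable entries under DIR (0 means clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the "other" write bit, leaving owner and group bits untouched,
# so 666 becomes 664 and 777 becomes 775.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree (not real site data) and echo its path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/public_html/uploads"
    echo '<?php // config' > "$sample_root/public_html/config.php"
    echo 'hello'           > "$sample_root/public_html/index.html"
    chmod 755 "$sample_root/public_html"
    chmod 777 "$sample_root/public_html/uploads"
    chmod 666 "$sample_root/public_html/config.php"
    chmod 644 "$sample_root/public_html/index.html"
    echo "$sample_root"
}

# Usage: ./audit.sh /home/USER/public_html   (path is a placeholder)
if [ $# -gt 0 ]; then
    list_world_writable "$1"
fi
```

Run the listing first and review it before calling `fix_world_writable`, since some applications expect a writable upload or cache directory and may need group or owner access arranged instead.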