Constant hacking of our EUKHost Linux VSL



    I am looking for any help or advice that may be offered.

    For the past three months our VSL has suffered from almost continuous hacking attacks resulting in denial of service and in the worst cases intrusions. The attacks appear to take the form of penetration scanning. We think there are multiple scripts being run against numbers of our accounts, attempting to find vulnerabilities. The result of this is that our VSL stuffs up. The hacking attempts take up all resources, such that our sites become unobtainable and we are unable to get to the WHM to reboot the server and so have to call in EUKHost. EUKHost operatives are always very helpful but the chat facility is slow and time consuming (I suspect the staff are supporting too many issues at the same time). Recently many of my evenings have been taken up conversing with Spencer, Magritte, Nikita et al.

    Sometimes the hackers get in. Then we can find that a site will be advertising Canadian pharmacy or sometimes an account will be used to send out spam.

    We have spent so long dealing with this that we have got to the end of our tethers. EUKHost operatives have been very helpful but it gets to the point when each EUKHost operative tells us to do the same things, blithely unaware that the last one told us to do exactly the same things and that we have done them multiple times already! And still our server goes down at least twice a day and sometimes we get hacked. So I am writing here in the hope that the EUKHost community may be able to add something new.

    Almost all our sites are WordPress. We have secured SSH and WHM to known IP addresses as detailed above. We run ModSecurity, CSF and cPHulk. On each WordPress site we use all best security practices, inc. keeping everything up to date, only using well known plugins and themes, database table and login page renaming, login captchas, strong passwords and also, we have reinstalled each site multiple times and changed passwords. On each site we run the WordPress plugins All In One Security and Wordfence, both set to very high security.

    With all this going on we are at a loss to see how scanning and penetration attacks can take our server down for up to 20 minutes twice a day. Surely one of the firewalls should recognise the attacks and block the originating IPs? Why don't they? And of course, we cannot understand how any of these scripts actually gain access.

    Any considered help or suggestions would be very much appreciated. Thanks. BTW, we are not Linux experts (although since taking up a EUKHost VSL I have learnt more than I ever wanted to!)

    Dear Simon,

    Please accept our sincere apologies for the delay in replying.

    There are various factors that need to be checked if the server/websites are continuously getting hacked. As you said, you have already implemented all possible solutions, so I suspect that there might be a culprit account through which a PHP shell is getting uploaded to the server. Mostly this is done through plugins or themes. Once these PHP shells are uploaded to the server, the hacker accesses them from a browser and creates symlinks, uploads files or executes commands from that console. If you still have an issue with this, please open a support ticket and PM me the ticket ID; we will check it and update you with possible solutions. Along with Wordfence, the BulletProof Security plugin will be the best option to secure the WordPress websites.


    Support Team.
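
The reply above points to PHP shells uploaded through plugins or themes and to the symlinks created from them. As an added example (not part of the thread and not EUKHost's tooling), this Python script audits one account's document root for both signs; the `wp-content/uploads` location, the extension list, the function names and the sample tree are assumptions constructed for the illustration.

```python
import os
import tempfile

# Assumption: WordPress media lives under wp-content/uploads, where no PHP belongs.
UPLOADS = os.sep + os.path.join("wp-content", "uploads") + os.sep
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


def audit_docroot(docroot):
    """Return sorted (kind, relative_path, detail) findings for one docroot."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: symlinks are reported but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                # A link resolving outside the docroot can expose other accounts.
                if os.path.commonpath([root, target]) != root:
                    findings.append(("symlink-escape", rel, target))
            elif (os.path.isfile(path) and UPLOADS in os.sep + rel
                  and name.lower().endswith(PHP_EXTS)):
                findings.append(("php-in-uploads", rel, ""))
    return sorted(findings)


def make_demo_tree(base):
    """Build a constructed sample docroot (not real data) and return its path."""
    root = os.path.join(base, "public_html")
    up = os.path.join(root, "wp-content", "uploads", "2024")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(up)
    os.makedirs(theme)
    for path in (os.path.join(up, "photo.jpg"), os.path.join(up, "cache.PHP"),
                 os.path.join(theme, "functions.php")):
        open(path, "w").close()
    os.symlink("/", os.path.join(up, "r"))      # escapes the docroot
    os.symlink(theme, os.path.join(root, "t"))  # stays inside: not reported
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_docroot(make_demo_tree(tmp)):
            print(*finding, sep="\t")
```

A finding is a lead to review by hand, not proof of compromise: some plugins legitimately write PHP under uploads, and a shell can also sit among theme or plugin files, which this check does not inspect.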