Fixing OpenCart Login Failure Due to Missing Logs Directory

We recently had someone come to us for OpenCart support after out of the blue they were unable to login to the admin area of OpenCart anymore. When they tried to log in with the correct credentials they were getting the following messages and nothing else:
Warning: fopen([redacted]/system/logs/openbay.log): failed to open stream: No such file or directory in [redacted]/system/library/log.php on line 6Warning: Cannot modify header information – headers already sent by (output started at [redacted]/admin/index.php:85) in [redacted[/system/library/response.php on line 12

Similar messages were being shown on other pages on the website.

The first warning shown indicated that there was a failure to open a file at /system/logs/openbay.log. When we started looking into things we noticed that there was no directory at /system/logs/, which was the defined location for the logs directory in the config.php file for OpenCart. After creating that directory the warning messages were gone and the website’s owner was able to successfully able to log in.

It is isn’t clear why the issue propped up at the time it did because the file that was unable to be written to was created but empty after the directory was created, so it didn’t seem like there was something that suddenly need to be written to that hadn’t before.

Your Web Host Doesn’t Require That SiteLock Clean Up Your Hacked Website

These days we have a lot of people contacting us looking for advice after the web security company SiteLock or one of their web hosting partners has contacted them about a claimed hack of their website. One of the things that has been coming up fairly often that we don’t quite understand are claims like the following:

I’ve recently had my site (a personal, wordpress blog hosted by Blue Host) deactivated and blocked and they are essentially holding it ransom and saying that I must pay an exorbitant fee to have sitelock ‘fix’ it and then pay a monthly fee on top to keep it safe.

As far as we are aware web hosts don’t require that SiteLock do the cleanup, only that the website needs to be cleaned up before being allowed back online.

Before getting further in to that it is worth noting that the web host in that instance, Bluehost, is one of many web hosting brands owned the Endurance International Group (EIG).  Their other brands include A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. They seem to be SiteLock’s largest partner at this time, which might have something to do with the fact that the majority owners of SiteLock also run EIG.

The first thing we do in a situation where someone contacts us about a claim from SiteLock and or the web hosting partners that a website hacked is to ask about any evidence provided to back up the claim. In this case the person we were dealing with forwarded us an email from Bluehost. The email contained an example of the issue on their website and boilerplate text we have seen in numerous emails from Bluehost about hacked websites. Here is what the boilerplate text says about what needs to be done need to have the account reactivated:

You will need to review your files and clean the account accordingly by removing all malicious files, not just the reported url. Once you have confirmed your files are clean and no longer a threat, please contact us again to have your account reactivated.

It’s possible that in phone conversations Bluehost is telling people something else, but from our experience dealing with lots of website hosted with Bluehost and other SiteLock web hosting partners there is no requirement to use SiteLock. And we have never had anyone have a problem getting the the web host to reactivate the website after we have cleaned it.

The only mention of SiteLock in that email is this:

You may want to consider a security service, such as SiteLock, to scan your website files and alert you if malicious content is found. Some packages will also monitor your account for file changes and actively remove malware if detected. Click here to see the packages we offer: https://my.bluehost.com/cgi/sitelock

The other important thing to note is that while they refer to the account being deactivated, that doesn’t mean you can’t access your website if you want to move it. Usually they only restrict viewing the website, so cPanel and FTP access are still available. So you can copy the website’s files, database, and any other items handled by cPanel while the website is deactivated.

As for the claim about SiteLock’s fees being exorbitant that is true. For the quality level of the service SiteLock provides, which involves them failing to do basic parts of the cleanup, you can spend much less with other providers or for many website we actual charge less while doing a proper cleanup. Part of the reason for this is that a lot of the money you pay to SiteLock doesn’t go to the cost of the work, for example at EIG web hosts, like Bluehost, that company gets over half of the fee despite not doing any of the work.

SiteLock Causes Easily Fixable Hacked Websites to be Abandoned Unnecessarily

In our interacting with lots of people looking for advice after being contacted by the web security company SiteLock, one of the problems we have now seen happen repeatedly is that in SiteLock’s quest to squeeze as much money out of people as possible, they are causing people to abandon hacked websites that could quickly and easily be fixed. This causes time and or money to be unnecessarily spent on a creating a new website, and for businesses that are generating business through their websites, unnecessary financial losses.

The business practice that leads up to this is summed up with part of a recent comment from someone that did abandon their website, as to what SiteLock told them about getting the existing website cleaned up:

if I gave them a hundred bucks a month there will clean it up and make sure it stays clean or a one time fee of 300 dollars but, not responsible if within 2 days it’s hacked again

The reality here is that if a proper one-time cleanup is done the website won’t be hacked again in 2 days. Of course, if SiteLock can get someone to believe otherwise they have a better chance of them purchasing an ongoing plan that would get them $1200 a year versus them only getting $300 from the person. The flipside of this is that it also causes people to abandon websites believing they are going to have to pay all that money to keep the existing website secure and that it makes more sense to just start over (which might not actually resolve the issue).

The other important thing to note about this is that while a website cleaned with proper one-time hack cleanup won’t get hacked again in 2 days, SiteLock doesn’t do proper cleanups for that $300. They skip two key components, which are getting the website secure as possible (mainly by getting the software up to date) and trying to determine how the website was hacked and resolving that. Their $100 a month plans don’t provide those things either as far as we are aware. By comparison for most cleanups we do we charge less than $300 for the cleanup (and we only do proper cleanups) and with other providers you can get a low quality cleanup like SiteLock provides for much less than $300.

As we noted before, SiteLock is actually aware that websites can get hacked again if those two parts of a proper cleanup are not done, but that hasn’t lead them to doing them.

What makes this even worse is that many web hosts and other entities like WordPress help to promote SiteLock, which leads to more websites being abandoned unnecessarily (as well as causing many other problems people face if they get involved with SiteLock).

Google is Again Hosting and Handling Advertising for Website that is Publishing Purported Leaked Credit Card Info

Last week we noted that Google was hosting and handling advertising for the website leakeddata.me, which publishes purported leaked credit card info as well as other types of confidential data. Then on Monday we noted how we had run across another related website, leakeddata.net, but that leakeddata.me appeared to have been taken down by then. Here is what you got when you visited leakeddata.me at that time:

By contrast here is what you get now:

So the website is again being served from Google’s Blogger service with advertising being handled through Google’s AdSense service. The newest entries are of purported username/passwords for several different web services (as shown in the screenshot) and below that are ones for credit card info.

The Reality Behind Praise for a Hack Cleanup Done by SiteLock

In dealing with hacked websites, we are often brought in to redo hack cleanups after another company has done a cleanup and the website gets hacked again. That isn’t necessarily the fault of the company doing the cleanup, but what we have found is that with those websites the company doing the previously cleanup almost always has unintentionally or intentionally cut corners.

The first thing we ask when it is brought up that there was a previous cleanup is if it was determined how the website was hacked. The answer is almost universally that determining how the website was hacked never even came up. Not only is doing that one of the three basic components of a proper cleanup, but if that isn’t done then you have no way of knowing if the vulnerability that allowed the website to be hacked still exists or not and therefore if the website is still vulnerable.

Even after finding out the company that did the previous cleanup didn’t do things right and having to hire us to re-clean the website we have had people say that the previous company did a good job. It is based on things like that, which leads us to believe that positive comments about companies providing security services are often not all that reliable.

A recent example of that type of issue involves frequent topic of this blog, SiteLock. Here was recent tweet from one of their customers:

It sounds like they did a good job, right?

SiteLock then thanked them:

When we first went to look at the website to see if it looked like it been properly cleaned and secured after seeing these tweets, the website was down due to the web host having restricted access to it (a web host that is run by the owners of SiteLock). As of now this is what you get when visiting it:

You don’t have to be a security expert to see that the hack hasn’t been resolved. Beyond what you can see there, which is “hacked by” message and an otherwise empty website, the website is still running an outdated version of WordPress, 4.5.9.

Based on our experience dealing with people who have been customers of SiteLock this poor result isn’t some outlier from an otherwise high quality provider of hack cleanups.

Another Website That Google is Hosting and Handling Advertising for is Publishing Purported Leaked Credit Card Info

Last week we discussed how we found that a website that Google was serving ads for our website was publishing purported leaked credit card info and that the website was also hosted through Google’s blogger service. That seemed to spur action from Google as here is what you get when you visit the address of the website, leakeddata.me, now:

Also since then, our ads were being served on a nearly identical website, leakeddata.net, that looks to be run by the same people as the first website.

The title of the website is “Leaked Data | Exploited and Leaked Information | (UPDATED Daily)” and the subtitle is “Hack Credit Card | Visa | MasterCard | SSN | Amazon | Email Address | MYSQL Database | IP Address | ( HACKED | LEAKED | EXPLOITED )”.

Here is how the homepage of the website currently looks, with portion of the page with ads served by Google bordered in blue:

Like the first website, this website is hosted through Google’s Blogger service.

It looks like this website has been showing purported leaked credit card info since November of 2014.

Google is Hosting and Handling Advertising for Website that is Publishing Purported Leaked Credit Card Info

A month ago we noted that Google’s AdSense program was handling the advertising for a number of websites serving “nulled” web software, which is paid web software being distributed illegal, with at least one of those serving up malicious code with the “nulled” web software. We reported a number of the websites to Google as they are violating policies of the AdSense program, but they are still running ads served by Google.

Part of how we became aware of that was that advertising we were running through Google’s AdWords program was being shown on some of those websites. Today we noticed that our advertising has recently been running on an even more troubling website, leakeddata.me.

The title of the website is “Leaked Data | Exploited and Leaked Information | (UPDATED Daily)” and the subtitle is “| Hack Credit Card | Visa | MasterCard | SSN | Amazon | Email Address | MYSQL Database | IP Address | ( HACKED | LEAKED | EXPLOITED )”. The homepage of the website currently shows the details of seven purported leaked credit cards, with the data shown including the credit card number, CVV number, name of credit card holder, and their address.

The top of the homepage of the website has multiple blocks of Google served advertising (bordered in blue):

When we went to see where the website was being hosted we were surprised to find it was Google. The IP address the website is hosted from is 216.239.36.21, for which the host name is any-in-2415.1e100.net. As Google explains “1e100.net is a Google-owned domain name used to identify the servers in our network.”. At that point we noticed that the website is being hosted through Google’s Blogger service.

It would seem that neither the Blogger nor AdSense service do any sort of proactive monitoring looking for credit card info being show on pages using the services, which seems to be something they could be doing.

It looks like the website has been showing leaked info since December of 2014.

We wanted to report this to the Blogger service, but they don’t have an option if you want to report someone else’s private information is being posted, only your own.

Sample Data Included with Joomla Templates from Template Monster Lead to Website Being Hacked

When it comes to cleaning up hacked websites one of the three basic pieces of doing a proper cleanup is trying to determine how the website was hacked. Without doing that you leave open the possibility that the vulnerability still exists and can be exploited again. Not surprisingly then when people come to us re-clean a hacked website after another company has done that and the website got hacked again there has almost never was an attempt to determine how the website was hacked during the previous cleanup.

Another reason for trying to determine how the website was hacked is so that you can possibly prevent other websites from being hacked through the same vulnerability. We say possibly, because as a hack we recently traced back to a template from Template Monster, trying to work with the party responsible for the vulnerability may not get you anywhere.

Before we get to the vulnerability let’s do a quick walk through how we came to find out it had been exploited.

We were recently brought in to clean up hacked Joomla website where the person already dealing with it was removing malicious code from .htaccess files and the index.php files of the installed template, but it kept returning. In situation like that our first step is to review any available log files to see what they show about how the hacker is making the changes. In this case we found suspect requests being sent to a file in the /modules/ directory.

That file was highly obfuscated and due to that, it was fairly obvious that it was malicious without needing to deobfuscate it. What was more important at the moment was figuring out how it got on the website. In looking over the other files in the directory it was pretty clear that the whole directory it was in was not legitimate and had been created by installing an intentionally malicious extension. One of the items that pointed to that was the manifest file for the extension:

<?xml version="1.0" encoding="utf-8"?><install version="1.5" type="module"><?xml version="1.0" encoding="utf-8"?><install version="1.5" type="module">
 <name>System</name>
 <author>Joomla</author>
 <creationDate>08 Jan 2010</creationDate>
 <copyright>Copyright (C)  Profexor Liberty</copyright>
 <license>http://www.gnu.org/copyleft/gpl.html GNU/GPL</license>
 <authorEmail>profexor@hell.com</authorEmail>
 <authorUrl>http://profexor.hell/</authorUrl>
 <version>1.0.0</version>
 <description>ͮ崫��殨��鲯ﲲ橼/description>
 <files>
 <filename module="mod-favicon-image">mod-favicon-image.php</filename>
        <filename module="mod-favicon-image">mod-favicon-image.xml</filename>
 </files>
    <params description="this module has no parameteres" >
    </params>
</install>

The installation of a malicious extension would most likely be done through a hacker’s access to a Joomla admin account. So we then reviewed the database table that stores user accounts and found there were numerous accounts that didn’t look legitimate. Only one of those was recorded as having been used to log in to the website recently.

For that account the email address was “demo@demoolink.org”. We then did a Google search on that address and found a thread on the Joomla Forum where someone had a template that was trying to create exactly the same user using a SQL statement. By exactly the same, the registration time specified for both was exactly the same, down to the second.

What didn’t make much sense to us is why a template would be trying to create a user. Considering that the template in use on the website we were cleaning was a commercial template from Template Monster, we first thought the explanation might be that it had been obtained from a warez website and the template was modified to allow website installing it to be exploited.

When we reviewed the installer file for the template though we found that there was no code to create the user. At that point we thought we had hit a dead end, but after doing some more investigating we found more evidence to connect the account to the template. After that we got access to another file that had come from Template Monster. This file was named fullpackage.zip and in addition to the template, it included a copy of Joomla and a sample data file created by Template Monster. When installing Joomla you have the option to install various sample data files, so when using this file to set up Joomla you could install the sample data provided by Template Monster

In that sample data file was the following SQL statement that created the user:

INSERT INTO `#__users` (`id`, `name`, `username`, `email`, `password`, `block`, `sendEmail`, `registerDate`, `lastvisitDate`, `activation`, `params`, `lastResetTime`, `resetCount`) VALUES
(846, 'Demo User', 'demo', 'demo@demoolink.org', 'ad358a48fb2891854aa8b547c7b151be:jGftU2FbdRXUNikAQrKKeAQl9Is104QE', 0, 0, '2012-10-17 10:56:12', '0000-00-00 00:00:00', '', '{"admin_style":"","admin_language":"","language":"","editor":"none","helpsite":"","timezone":""}', '0000-00-00 00:00:00', 0);

INSERT INTO `#__user_usergroup_map` (`user_id`, `group_id`) VALUES
(846, 8);

Any website that installed that sample data would have a Super User (the highest level user in Joomla) with the same username/password combo. Unless one of those was changed then someone that could figure out the password could log in to the websites where this sample data has been installed. At that point it looked to us that the user might have been installed across multiple Template Monster templates.

At that point we also contacted Template Monster informed them of the issue and suggested that they notify anyone that had purchased the impacted templates about the potential issue. We also suggested that they register the domain name demoolink.org seeing as that isn’t registered and someone could register and use it to gain access to the impacted website without even knowing the password (by resetting the password).

The first response we received was as follows:

Thank you for reaching the Technical Department of Template-Help.com!

Take our apologies for the delayed reply.

We are sorry for inconvenience caused by this. Usually clients change demo email address. We are happy that you managed to resolve it yourself.

Let us know if you are having any other issues with the template.

We responded trying to explain the issue wasn’t just related to the email address and we received the following response:

Take our apologies for the delayed reply.

demo@demoolink.org is added in admin panel as example of demo link, you can easily change it. Please specify with some screenshot what issue exactly you are having so we will be able to check it for you.

At this point we asked if there was a security department we would be transferred to we received the following response:

We appreciate the information you’ve provided. We will forward it to our development department. They will check it more carefully.

Thank you. Have a nice weekend.

While we waited for another response (none has come in two weeks) we wondered if the password might be something really easy to guess. It turned out that we didn’t need to guess it, as we entered the password hash, “ad358a48fb2891854aa8b547c7b151be:jGftU2FbdRXUNikAQrKKeAQl9Is104QE” in to Google and on got this page as one of the results. From that we then knew that the password was “demo123”. Not only is that not strong password, but with that in hand we found a page on the Template Monster website that told everyone what the username and password was for website using this sample data:

Right below that is a message that indicates that they were aware of there being a risk from providing this user account:

You can delete sample user though the Joomla administration panel in the “Users > Users Manager”. In case you are planning to use sample data we recommend you to change Sample Author user login and password.

We still don’t understand what the purpose of creating a sample Super User like this, since another one is created when installing Joomla.

Kaspersky Lab’s News Website Threatpost Spreads Unfounded Claims About Security Threats

The Russian security company Kaspersky Lab has been in the news a lot recently in regards to questions about its relationship with the Russian government, but what deserves to get some focus is how their news website, Threatpost, helps to spreads unfounded claims about security threats coming from others in the security industry.

Back in November over at the blog for our Plugin Vulnerabilities service we looked at a situation where the Threatpost had covered a claim by the security company Checkmarx that they had found “severe” vulnerabilities in several WordPress eCommerce plugins. At the time Checkmarx presented no evidence to back the claim up and stated that it would be “available in the future”. What they did present indicated that the vulnerabilities, if they existed, might be less than severe. In May we went to look to see if any additional information had ever been released, but we couldn’t find any update and we received no response from Checkmarx when we contacted them asking were we could find it.

Today we ran in to another example of the Threatpost spreading an unfounded claim about a security threat. This time it was with a threat resolving around placing the files for WordPress on a website and then not running the installer. The following line in the article stood out:

WordPress experts claim the attack method isn’t exactly new, but that it clearly hasn’t limited its effectiveness.

The article and the cited source for the article do not provide any measure of effectiveness of the attack. The only cited figure is rather underwhelming argument for even covering this, “biggest increase in scans – roughly 7,500 a day”. Considering that there are apparently at least 100s of millions of websites currently, that isn’t a significant number (it does look like attacks occur a lot more than though, but not more than many other threats that don’t receive any coverage).

We left the following comment on the post pointing to the lack of backing for the claim as to effectiveness of attack:

Your article implies the attack is effective, “WordPress experts claim the attack method isn’t exactly new, but that it clearly hasn’t limited its effectiveness.”, but you and Wordfence don’t present any evidence as to the effectiveness of these attacks. We have seen hackers do large scale attacks that had no chance of being successful because they didn’t understand what they trying to exploit, so 7,500 attempts in a day isn’t in any way an indication that this is effective.

Originally it was held for moderation:

But shortly after that it was removed. So they were clearly aware of the issue, but instead of addressing it they would rather not let people know that they are making unfounded claims.

It also worth noting that first part of the sentence “WordPress experts claim the attack method isn’t exactly new” isn’t all that accurate. It isn’t just a claim that the attack method isn’t new, it actually is factually true that it isn’t new. For example, the issue was brought up five and half years ago and we discussed it at the time.

Mr.ToKeiChun69 Defacement Campaign Seems to Be Targeting Websites Hosted with Endurance International Group (EIG) Brands

Yesterday we were contacted by someone looking for second opinion as to whether the web security company SiteLock’s claim that their website contained malware was true. The website’s owner believed that their web host BlueHost and SiteLock might be trying to scam them.

In the case of this website it wasn’t hard to determine that the website was hacked, as this is what was shown on the homepage:

That type of hack is referred to as a defacement hack.

By malware, that may have been what SiteLock was referring to because as we found while previously giving someone a second opinion, for some reason SiteLock labels evidence of a defacement hack as malware (that seems to be a general issue, as they also labeled a spam link that way as well).

After we let website’s owner know that unfortunately the website was hacked, they responded that they felt it was an inside job. We didn’t believe that to be the case, but instead of just saying that was unlikely, we wanted to be able to provide more concrete evidence.

One way to do that would be to find some other websites hit with same defacement that were not hosted with the same web hosting company or another one partnered with SiteLock. When we did a search on Google for “Mr.ToKeiChun69” the first result was a page documenting defacements by Mr.ToKeiChun69 on the web site Zone-H.org, which documents defacements of websites.

In looking at some of the websites that had been defaced by Mr.ToKeiChun69 we found that they all were hosted by web hosting brands owned by the Endurance International Group (EIG). Their brands include BlueHost, as well as A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. SiteLock has a “security partnership” with EIG where SiteLock pays EIG a majority of the fees from services sold through the partnership. The majority owners of SiteLock also run EIG.

While that might lead some to see the worst case, that this was inside job, for us it didn’t. But it did seem rather odd that all the websites would be at one web hosting company and that was possibly an indication that the company has some security problem.

To better understand if there was really a correlation between the web hosting provider and these defacements we did a more thorough check of where the defaced websites were hosted. We checked the first ten websites listed on the 1st, 11th, 21st, 31st, and 41st page of results for this defacement on Zone-H.org. That checked websites that are dated on there as far back as June 29.

Below are the results. We have listed each domain name, the IP address it currently is hosted on, and finally the ISP listed for that IP address or the web host. The ISP Websitewelcome.com is connected to HostGator and Unified Layer is connected to BlueHost, though the websites might be hosted with other EIG brands.

Page 1

  • endblameshameguilt.com: 192.254.236.84 (Websitewelcome.com)
  • acimfordummies.org: 192.254.236.84 (Websitewelcome.com)
  • wakechild.com: 192.254.236.84 (Websitewelcome.com)
  • tena-frank.com: 192.254.236.78 (Websitewelcome.com)
  • acourseinmiraclesfordummies.com: 192.254.236.84 (Websitewelcome.com)
  • decodingacim.com: 192.254.236.84 (Websitewelcome.com)
  • endblameshameguiltgame.com: 192.254.236.84 (Websitewelcome.com)
  • toddtylermusic.com: 192.254.236.80 (Websitewelcome.com)
  • lachildrensridingcenter.com: 192.254.236.8 (Websitewelcome.com)
  • topsportscamcorders.com: 192.254.236.8 (Websitewelcome.com)

Page 11

  • iphonenstuff.com: 192.254.236.82 (Websitewelcome.com)
  • sneakerpicks.com: 192.254.236.82 (Websitewelcome.com)
  • dalmatianadvice.com: 192.254.236.82 (Websitewelcome.com)
  • subscribesave.com: 192.254.236.82 (Websitewelcome.com)
  • helpmebuilda.com: 192.254.236.82 (Websitewelcome.com)
  • bestboatplans.com: 192.254.236.82 (Websitewelcome.com)
  • spelbonusar.com: 192.254.236.82 (Websitewelcome.com)
  • gamingnshit.com: 192.254.236.82 (Websitewelcome.com)
  • marenart.com.au: 192.254.236.82 (Websitewelcome.com)
  • retailstartupbookinabox.com: 192.254.236.82 (Websitewelcome.com)

Page 21

  • www.blackandwhitesecurityltd.com: 192.254.232.90 (Websitewelcome.com)
  • dallasgayboys.com: 192.254.232.86 (Websitewelcome.com)
  • untieeecs.com: 192.254.232.86 (Websitewelcome.com)
  • jonathanjoyner.com: 192.254.232.86 (Websitewelcome.com)
  • www.smcntx.com: 192.254.232.86 (Websitewelcome.com)
  • www.culinairteamzeeland.nl: 192.254.232.90 (Websitewelcome.com)
  • strandvakantieman.nl: 192.254.232.90 (Websitewelcome.com)
  • napers.nl: 192.254.232.90 (Websitewelcome.com)
  • www.camping-renesse.nl: 192.254.232.90 (Websitewelcome.com)
  • www.campingdebrem.nl: 192.254.232.90 (Websitewelcome.com)

Page 31

  • 81tagorelane.com: 50.87.147.75 (Unified Layer)
  • skies39-newlaunch.com: 50.87.147.75 (Unified Layer)
  • newlaunch-gshplaza.com: 50.87.147.75 (Unified Layer)
  • 3dinvisibilitycloak.net: 192.232.251.55 (Websitewelcome.com)
  • professional-liability-insurance.net: 192.232.251.55 (Websitewelcome.com)
  • lyynx.net: 192.232.251.55 (Websitewelcome.com)
  • aksolution.net: 192.232.251.55 (Websitewelcome.com)
  • krilloils.org: 192.232.251.55 (Websitewelcome.com)
  • 3dinvisibility.org: 192.232.251.55 (Websitewelcome.com)
  • ellipticalmachineshelp.com: 192.232.251.55 (Websitewelcome.com)

Page 41

  • topwebber.com: 192.185.21.208 (Websitewelcome.com)
  • yoholly.info: 192.185.21.208 (Websitewelcome.com)
  • myironsuit.com: 192.185.21.208 (Websitewelcome.com)
  • laptoplifestylecafe.com: 192.185.21.208 (Websitewelcome.com)
  • bellyfatcombat.net: 192.185.21.208 (Websitewelcome.com)
  • herbzombie.com: 192.185.21.208 (Websitewelcome.com)
  • biggerbuttshortcuts.com: 192.185.21.208 (Websitewelcome.com)
  • blowtalk.com: 192.185.21.208 (Websitewelcome.com)
  • waisttraineraustraliaco.com: 66.198.240.58 (A2 Hosting)
  • besthairextensions.co.nz: 192.185.44.88 (Websitewelcome.com)

With 49 of the 50 websites currently being hosted with EIG that would certainly seem to point to there is some correlation between the web host and the hackings. As with something that doesn’t have a connection to a web host, you would expect to see a fair amount of different web hosts showing up with that many websites.

So what about the one website that isn’t currently hosted with EIG? It turns out it was hosted with them at the time it was defaced. The IP address of the website on June 29 according to Zone-H.org was 192.185.44.88, which is one connected to HostGator. The records for the domain name were changed on July 4, which is probably when the web hosting was changed.

We don’t know what the cause of this is. It could be that the person or persons behind the Mr.ToKeiChun69 defacements is only targeting EIG hosted websites, has been unsuccessful in targeting websites at other web hosts, or only notifying Zone-H.org of websites hosted with EIG. What would seem more likely is that they are taking advantage of some security issue in EIG’s systems.

To be clear we don’t think that this is an inside job.

We notified the person that contacted us about the correlation, which they hopefully will pass along to BlueHost.