I have been monitoring the server logs as part of making sure the sitemap spoof got removed. Last night I found a suspicious IP in the logs. I did not have time to do anything about it, and I am busy at work today.
For the sake of safety I am still taking down the entire site until I have had time to check it out.
EDIT: most likely I will do a reinstall from a backup in February just to be sure. But that will take some time.
It seems the traffic has something to do with the shared hosting and may be completely normal
Yes, it was the shared hosting site
In the logs, I noticed cron jobs running, and an IP address I didn’t recognize. I got worried and immediately took the site back down, but had to go to sleep.
Now I found the said IP on abuse databases and got really worried, but now I have understood what is going on.
The IP was the IP of the shared hosting and part of the normal routine (probably backing up or whatever they do to maintain shared hosting). Proof of that is easy: if you go to the IP address, you will find GoDaddy “something cool will be made here” a.k.a. the startup page.
The abuses were registered to that IP address, yes, but they had not originated (9 months ago) from Pokitto.com. In shared hosting tens / hundreds of sites use the same IP, and Pokitto.com is a sub-IP that changes over time. When abuses are reported, they only list the IP of the shared hosting server - not the site.
In short, I was a bit jumpy, but maybe it’s just good to have learned this also.
I will now have to go sort the website out, because I blacklisted the shared hosting server
Sorry for the false alarm, back up and running
Yea so I got a bit jumpy. Luckily I went to sleep and didn’t do anything dramatic, like wipe out the entire site.
The IP I found was the shared hosting site running its normal maintenance routine.
A word to everyone
I’m not reporting this stuff to create drama or make you worried.
I am reporting this stuff because whatever happens, I want you to have faith that I will honestly tell you if there is anything you need to be aware of. Lots of websites come under attack; it is not a question of if, it is a question of when.
In short, to be perfectly clear:
- If I see anything that is out of the ordinary in the future, I will immediately shut down and notify everyone. You will never have to second guess what is going on
- Your credit card data is not handled by Pokitto.com but by off-site payment gateways (PayPal), and it is not stored anywhere here - in fact it cannot be seen
- I have verified the WP installation files, htaccess files, the database and logs. Currently there is no evidence of any spam/malware, and the website checks out clean on all malware checkers
The transparency is definitely appreciated! It is a breath of fresh air with how involved and inclusive you are to this community. Thank you!