Hotlink protection hack question

nf_able

Member
Apr 7, 2020
6
0
1
Biloxi, MS
cPanel Access Level
Root Administrator
I have searched Google and cannot see anyone who is reporting this issue and am beginning to feel like I'm on crazy pills.

I have been cleaning up hacks on my WP sites all on a reseller server.

A few domains having recurring changes to their Hotlink Protection in cPanel. This has recurred every 5 days or so I will see the following in the 'Configure Hotlink Protection' URLs to allow access:



I also see under 'Redirect the request to the following URL' at the bottom:
^.*

My solution is to disable hotlink protection, then reenable it and it clears the weirdness. A few days later, they are back.

Any help / suggestions welcomed.

nf
 

Attachments

Last edited by a moderator:

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello,


Are you saying that something is adding those first 4 sites? I'd assume this is something being added from a script associated with the CMS installation you have present if that's the case.
 

nf_able

Member
Apr 7, 2020
6
0
1
Biloxi, MS
cPanel Access Level
Root Administrator
Yes, something is adding those. It is a Wordpress site. I have Wordfence running and scanning the files on the site for mailiciousness but it hasn't put a stop to it. I don't know how to go about tracking it down.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello,

Because you're reseller owner you wouldn't have root access to the server, in order to perform a proper malware scan you'd need this. I'd suggest contacting your provider for assistance, they'd also have logs that could assist you with identifying the source of the issue.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello,


In that case, I'd suggest you change your profile to indicate Root administrator so I know to give you the correct advice :)

So I'd suggest using more than wordfence, check into ClamAV, Linux Malware Detect or ImunifyAV for scanning which will be able to scan all files not just Wordpress core files
 

nf_able

Member
Apr 7, 2020
6
0
1
Biloxi, MS
cPanel Access Level
Root Administrator
I'm here again with same issue. *But* I think it is being added by .htaccess on that domain, see 2nd screenshot.

My question is in cPanel Hotlink Protection settings - the presentation is confusing if indeed sites that I do not trust / am wary of is under an area labeled 'URLs to allow access', which to me comes off as 'URLs that are cool and represent no threat or concern, so allow access to these sites'

Am I missing something? Shouldn't it be labeled 'URLs to deny' or 'URLs to prevent access to' ??

Thank you.
 

Attachments