Hotlink protection hack question

nf_able · Apr 7, 2020

I have searched Google and cannot see anyone who is reporting this issue and am beginning to feel like I'm on crazy pills.

I have been cleaning up hacks on my WP sites all on a reseller server.

A few domains having recurring changes to their Hotlink Protection in cPanel. This has recurred every 5 days or so I will see the following in the 'Configure Hotlink Protection' URLs to allow access:

I also see under 'Redirect the request to the following URL' at the bottom:
^.*

My solution is to disable hotlink protection, then reenable it and it clears the weirdness. A few days later, they are back.

Any help / suggestions welcomed.

nf

cPanelLauren · Apr 9, 2020

Hello,

Are you saying that something is adding those first 4 sites? I'd assume this is something being added from a script associated with the CMS installation you have present if that's the case.

nf_able · Apr 17, 2020

Yes, something is adding those. It is a Wordpress site. I have Wordfence running and scanning the files on the site for mailiciousness but it hasn't put a stop to it. I don't know how to go about tracking it down.

nf_able · May 12, 2020

This has happened again on another site. Is there somewhere I can look to see when changes (timestamp / file update date) to hotlink protecttion occur?

Thank you.

cPanelLauren · May 13, 2020

Hello,

Because you're reseller owner you wouldn't have root access to the server, in order to perform a proper malware scan you'd need this. I'd suggest contacting your provider for assistance, they'd also have logs that could assist you with identifying the source of the issue.

nf_able · May 13, 2020

Thank you, I do have root access via WHM. It is a VPS. Thank you.

cPanelLauren · May 13, 2020

Hello,

In that case, I'd suggest you change your profile to indicate Root administrator so I know to give you the correct advice

So I'd suggest using more than wordfence, check into ClamAV, Linux Malware Detect or ImunifyAV for scanning which will be able to scan all files not just Wordpress core files

nf_able · May 14, 2020

I'm such a noob, I cannot find how to edit my profile like that. I have a VPS cloud server via Liquid Web and run WHM with cPanels. I will look into those suggestions. Thank you.

cPanelLauren · May 14, 2020

That's ok I'll change it for you in that case

Let us know if you have questions or concerns with any of the findings

Thread starter	Similar threads	Forum	Replies	Date
N	Hotlink Protection	Security	1	Jul 20, 2017
L	hotlink protection and IDM	Security	1	Jun 20, 2014
N	Hotlinking Protection	Security	0	Jun 23, 2007
Z	blank referrers and hotlink protection	Security	2	Oct 31, 2006
B	Hotlink protection not working right	Security	8	Jul 7, 2006

Search

Search

Hotlink protection hack question

nf_able

Member

Attachments

cPanelLauren

Product Owner

nf_able

Member

nf_able

Member

cPanelLauren

Product Owner

nf_able

Member

cPanelLauren

Product Owner

nf_able

Member

cPanelLauren

Product Owner