Skip to main content

Hotlink protection hack question

Comments

10 comments

  • cPanelLauren
    Hello, Are you saying that something is adding those first 4 sites? I'd assume this is something being added from a script associated with the CMS installation you have present if that's the case.
    0
  • nf_able
    Yes, something is adding those. It is a Wordpress site. I have Wordfence running and scanning the files on the site for mailiciousness but it hasn't put a stop to it. I don't know how to go about tracking it down.
    0
  • nf_able
    This has happened again on another site. Is there somewhere I can look to see when changes (timestamp / file update date) to hotlink protecttion occur? Thank you.
    0
  • cPanelLauren
    Hello, Because you're reseller owner you wouldn't have root access to the server, in order to perform a proper malware scan you'd need this. I'd suggest contacting your provider for assistance, they'd also have logs that could assist you with identifying the source of the issue.
    0
  • nf_able
    Thank you, I do have root access via WHM. It is a VPS. Thank you.
    0
  • cPanelLauren
    Hello, In that case, I'd suggest you change your profile to indicate Root administrator so I know to give you the correct advice :) So I'd suggest using more than wordfence, check into ClamAV, Linux Malware Detect or ImunifyAV for scanning which will be able to scan all files not just Wordpress core files
    0
  • nf_able
    I'm such a noob, I cannot find how to edit my profile like that. I have a VPS cloud server via Liquid Web and run WHM with cPanels. I will look into those suggestions. Thank you.
    0
  • cPanelLauren
    That's ok I'll change it for you in that case :) Let us know if you have questions or concerns with any of the findings
    0
  • nf_able
    I'm here again with same issue. *But* I think it is being added by .htaccess on that domain, see 2nd screenshot. My question is in cPanel Hotlink Protection settings - the presentation is confusing if indeed sites that I do not trust / am wary of is under an area labeled 'URLs to allow access', which to me comes off as 'URLs that are cool and represent no threat or concern, so allow access to these sites' Am I missing something? Shouldn't it be labeled 'URLs to deny' or 'URLs to prevent access to' ?? Thank you.
    0
  • cPRex Jurassic Moderator
    Hotlink protection is global, so the "URLs to allow access" is a list you want to exclude from the protection.
    0

Please sign in to leave a comment.