But yeah, Westhost has been great with this hacking mess. What ended up happening after my initial post here was that it turned out that the hacker either got back in or had another backdoor and deleted everything as far as my files and some configuration stuff. Westhost then took my account offline to try and locate the exact problem and then I ended up talking to one of the guys directly on the phone. He’d asked if it was ok if he could call me. So he explained it a bit more and at that point, they were bringing things back up and they restored all my files and said that it was a waiting game, had to see if there was another back door. He’d personally been going through, like, every file, though, to make sure they were clean. The processes that were apparently running were coming from a CLEAN WordPress install that I’d done the day before in case that person’s account was not updated/was not clean. It was in the wp-includes folder and was named to appear that it was a WP file. The IP address trying to access that file was 64.229.176.4 which is curiously similar to one of the ones trying to DoS me last month which was 64.229.225.34 (the other trying to DoS was 219.129.239.147). I’ve contacted the abuse department at Bell Canada but have yet to receive even a canned response.

Which reminds me… it’s been so long since we talked about IP blocking that I guess I don’t remember a lot of how it’s done. I can do IP filtering by the server level (I guess, that’s how I thought they explained it to me) and they blocked both of those 64… IPs. But… if it’s a DSL user all they really have to do is turn off their modem for a bit and it will pick a new IP right? So how far should one block? 64.229.* ??

So, anyway, he said after restoring everything that it was pretty much a waiting game to see if they had another backdoor yet and that they were keeping close watch. That was mid-Thursday so, so far so good.

V xx