Spammy Domain Hijack

One of my websites' config name and URL in Piwik got changed to ‘IVYSkin’ and

Seems like some sort of domain spam hijack

I am using latest Piwik on server and latest WordPress Piwik plugin on site.

I ran a Sucuri malware scan on the site and it came up clean. What’s worrying is how my site server web config got changed; the spammy domain takes on the look and feel of the original domain but with bogus beauty products added.

I have about 10 other tracked domains on the Piwik server that are unaltered.

Trying to figure out what happened here.

Looking into this more I see is an access domain in use by GoDaddy - some background here - What is belongs to...

Question is how on earth did my Piwik website config change to it without me doing it. And how is the spam access domain inheriting a lot of the same content and all the styling of the real website.


This is just a wild guess as there could be hundreds of reasons:

Probably WordPress (or a WP plugin) was outdated and had a security flaw that allowed automated bots to get access to the WordPress account. There they were able to modify your webshop and add random products to it. Afterwards they found a way to upload custom PHP files and so execute any code. This probably deleted some folders (including the Piwik folder) and replaced them with spammy advertising.

I’d recommend you delete as much as possible, roll back to a backup that was definitely before the attack and update everything (including web server, PHP, Apache, etc.) to the latest version.

Issue is Piwik server is a separate server instance, nothing on the server but Piwik - it monitors over 12 sites - but just the config of one was changed.

I am wondering if the domain expired and inherited an access domain which GoDaddy owns and somehow that config was used.

The WordPress site in question on another server has no malware hits via Wordfence, maldet or Sucuri scans.