-1

OK, first: it's not a duplicate question; my problem is different.

I recently searched my domain in Google like site:mysite.com and I see a load of links to casinos that are not mine. The subdomain structure is www.mysite.com/bellagio

I never created a folder called bellagio, and this subdomain (sorry, I don't know what we call it) is pointing directly to a casino site.

I am using WordPress on GoDaddy hosting and registered the domain there too.

It is something like the question "Phishing site uses subdomain that I never registered", but not exactly subdomains.

I tried actually creating a folder named bellagio and then clicking the link, but it still redirects to that spam site.

When I did some research, I found that not only mine but hundreds of websites were hacked this way. (Try searching "The Bellagio - Why To Gamble At Bellagio".)

I am using free SSL certificates from StartSSL; is that the cause?

Any help would be greatly appreciated; at least tell me what and how to check?

2 Answers

2

It's not a DNS issue if the "subdomains" are just part of the path and not of the domain part of the URL; as GoDaddy suggested to you, remove your content from your hosting provider, wipe everything (something like "formatting", if provided) and re-upload everything.

Make sure you have a strong password, because that's the main cause of someone adding redirects to other sites from your web host, and up-to-date hosting software (say WordPress, or any other CMS you use).

P.S.: it would have been a subdomain if it was something like "casino.mysite.com" or "bellagio.mysite.com", and in that case that would have been a DNS issue.

1

Edit: I would just have the site hosting the script doing all this taken down ;)

Interestingly, if you look at the source code of the landing pages of all these hijacked sites, you get the same site hosting the script that shows all that casino bologna.

If you perform an nslookup of the domain of the link that's hosting the script, you see that it's registered to Cloudflare, and if you visit the actual URL it shows 'under construction...'. So it seems that the guy doing this knows how to hide. You can contact Cloudflare about the domain hosting the script (the domain is spechin.com). They should take care of it because they don't want their IPs blacklisted.

demiAdmin
  • 155
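
The check described in the second answer (comparing the source of several hijacked landing pages to find the script host they have in common), as an added example that is not part of the original posts. The page URLs, the HTML, and the host `script-host.example` are constructed sample data, and treating `www.` as part of the page's own site is an assumption.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptHosts(HTMLParser):
    """Collect the host of every external <script src=...> on a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        # Relative paths have no hostname; absolute and //host/x.js URLs do.
        host = urlsplit(src).hostname if src else None
        if host:
            self.hosts.add(host.lower())


def script_hosts(html):
    parser = _ScriptHosts()
    parser.feed(html)
    return parser.hosts


def shared_third_party_hosts(pages):
    """pages maps page URL -> HTML. Return the hosts that serve a script to
    every page and do not belong to the page's own site."""
    counts = Counter()
    for url, html in pages.items():
        own = (urlsplit(url).hostname or "").lower()
        own = own[4:] if own.startswith("www.") else own  # assumption: www is same site
        for host in script_hosts(html):
            if host != own and not host.endswith("." + own):
                counts[host] += 1
    return sorted(h for h, n in counts.items() if n == len(pages))


# Constructed sample: three unrelated sites, each with an injected /bellagio page.
SAMPLE_PAGES = {
    "http://www.site-a.example/bellagio": '<script src="/js/app.js"></script>'
    '<script src="http://script-host.example/c.js"></script>',
    "http://site-b.example/bellagio": '<script src="//script-host.example/c.js"></script>'
    '<script src="https://cdn.example/jquery.js"></script>',
    "http://www.site-c.example/bellagio": '<SCRIPT SRC="http://Script-Host.example/c.js"></SCRIPT>'
    '<script src="http://www.site-c.example/x.js"></script>',
}
```

A host that survives this intersection is the one to look up and report to its provider; hosts seen on only one page (such as a CDN) drop out.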