As far as I can tell, the only file modified this time around was wp-settings.php. Removing the code from that file fixed my RSS feed, but there still may be more modified files that I can’t find, as there were last time.
Yes. You can inform, no, you must inform your host. It might happen that the server has been hacked through another site and from there they (the hackers) got access to all sites on that machine…
I’m 99% confident this has nothing to do with a password hack or any type of internal access since the js code is haphazardly appended to the end of various files.
and the permissions of those files were?
—
also:
here are some headers returned by your site:
HTTP/1.1 200 OK
Date: Thu, 21 Feb 2008 03:37:32 GMT
Server: Apache/2.0.54 (Unix) PHP/4.4.7 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2
X-Powered-By: PHP/5.2.3
X-Pingback: http://www.gamerawr.com/xmlrpc.php
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
You may not know this but Apache 2.0.54 is a little dated, and there have been several security issues fixed since that release.
Is that a DreamHost issue? Yes, but that doesn’t make it any less of an issue.
I point that out not necessarily to cast doubt, but to say that files being physically changed lends credence to it not being a WP hack, but a server side problem related to what is hosting your site OR a permissions weakness that allowed a breach.
I can put up a static HTML page on an insecure web server with insecure permissions, and I will be able to find someone that is able to tack malicious code onto that file.
Ok, I will contact DreamHost… but regarding permissions… how should I set my permissions for a WordPress install? You know how WP is, with the over-simplified instructions. I will be honest, I didn’t do anything but upload all the files and run the upgrade script.
Ok, a support ticket has been sent to dreamhost. Sorry I was so quick to blame this on WP, I just forgot how many variables there are involved in this, especially when running a site on a shared server I don’t administer. I was just under the impression dreamhost was more security conscious than this 🙁
I checked my permissions of wp-settings.php (the file hacked), and it is set to 644, which I BELIEVE is correct. Please let me know if this shines any new light on the issue.
files = 644
folders = 755
That’s the correct setting. However, on many hosts you need to make folders like wp-content 777 (i.e. world writable) in order to be able to upload images…
I’ll bet dollars to donuts that DreamHost calls it out as a WP problem 😛
Not to suggest that it might not be, just that it’s easier for a host to blame a software package, no matter what the cause.
We will see. I gave them a link to this thread as reference. I’ve yet to hear back from them.
Crap. It looks like this may all be my own fault. When my site was first hacked with an ancient wordpress version, yes, I erased my entire http root and installed the latest wp release. But what did I copy back? My wp theme. And what was in my theme directory? TWO HACKED PHP/JAVA SCRIPTS!
One appears to be “nstview”, a file management script included with a lot of “web hacking for newbs” kits. It is tagged at the bottom: <!-- Network security team :: nst.void.ru -->
The other is “C99madShell v. 2.0 madnet edition”, which also looks to be a remote file manager.
Now, I have no way of knowing if these are from a related hack, but clearly these are wide open backdoors that hackers somehow installed on my OLD wordpress installation. I can’t believe I’m dense enough to not thoroughly check my personal theme directory when I was trying to be so meticulous in my upgrade.
With these files removed (that entire theme directory, actually), I guess it’s now just a game of wait and see. I should do a fine search to see if anything else has been tampered with while this backdoor was in place.
Interestingly enough BOTH of these shell scripts as well as “PHP Injection Scanner” tools were recently posted in a “web hacking tools collection” posted on this script kiddie site: http://www.katzforums.com/showthread.php?t=50022 No doubt that package has everything that was used in this exploit.
The only question that remains is: is my site still vulnerable?
I’m nearly certain whoever did this used the hacking toolset I posted above. I’m looking through it all now, and it even includes an xmlrpc vulnerability scanner and exploiter, which is what I believe the latest WP security update patches.
So it looks like case closed. It was a known wp vulnerability that was recently patched. The moral of the story is: always keep your installation up to date, and DO NOT BLINDLY COPY BACK YOUR CUSTOMIZED FILES. Perhaps the WP readme should make a point of this in the future. While the vulnerability was plugged, I was still left with the malicious software that was installed.
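The thread above boils down to three checks a site owner can run after a cleanup: permissions looser than the 644/755 baseline, PHP files with JavaScript tacked on after their real end, and leftover file-manager shells carrying the markers named here. The script below is an added example, not code from the thread or from WordPress; it builds a constructed sample install (the paths, the example.invalid script URL and the nstview.php file are assumptions) so it runs offline.

```sh
# Audit helper (added example, not from the thread): walk a WordPress root and
# report world-writable paths, PHP files with appended <script> blocks, and
# files carrying the web-shell markers named above (nstview, nst.void.ru, C99).

# Paths that are world-writable, i.e. looser than 644 (files) / 755 (folders).
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) 2>/dev/null | sort
}

# PHP files whose last two lines contain </script>: a theme's own scripts sit
# inside the markup, while appended JS sits after the file's real end.
find_appended_js() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while read -r f; do
        if tail -n 2 "$f" | grep -qi '</script>'; then
            printf '%s\n' "$f"
        fi
    done
}

# Files containing a known shell marker (case-insensitive).
find_shell_markers() {
    grep -rliE 'nst\.void\.ru|nstview|c99madshell' "$1" 2>/dev/null | sort || true
}

# Build a constructed sample install so the checks can be exercised offline.
build_sample() {
    root=$(mktemp -d)
    theme="$root/wp-content/themes/mytheme"
    mkdir -p "$theme" "$root/wp-content/uploads"
    # wp-settings.php with JS tacked on after the closing PHP tag (constructed)
    printf '<?php\n$x = 1;\n?>\n<script src="http://example.invalid/a.js"></script>\n' \
        > "$root/wp-settings.php"
    # a clean header.php: inline script in the middle, normal markup at the end
    printf '<html>\n<head>\n<script>var a = 1;</script>\n</head>\n<body>\n' \
        > "$theme/header.php"
    # the planted file manager, tagged the way the thread describes
    printf '<?php /* file manager */ ?>\n<!-- Network security team :: nst.void.ru -->\n' \
        > "$theme/nstview.php"
    chmod 644 "$root/wp-settings.php" "$theme/header.php" "$theme/nstview.php"
    chmod 755 "$theme" "$root/wp-content" "$root/wp-content/themes"
    chmod 777 "$root/wp-content/uploads"   # the world-writable upload folder
    printf '%s\n' "$root"
}

# Run all three checks against a root (the constructed sample by default).
audit() {
    root=${1:-$(build_sample)}
    echo "== world-writable =="; find_world_writable "$root"
    echo "== appended JS ==";    find_appended_js "$root"
    echo "== shell markers ==";  find_shell_markers "$root"
}
```

Against a real install, call `audit /path/to/wordpress`; the appended-JS check is a heuristic, so review each hit by hand rather than deleting on sight.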
Maybe this is a stupid question, but would putting the wp-admin folder under password protection help at all?
So I had a client hacked today who had 2.2.?, and after reading this post, I’ve installed 2.3.3 and then uploaded the custom theme from my computer (which is clean).
The attack was similar, they modified a header.php file and added some javascript code at the end. Would it help if I posted the javascript here (I don’t want to help these hackers, so I wanted to ask first).
We were tipped off when the client looked at his blog on his PC and got a virus alert about JS/Downloader-AUD and said it was a Trojan.
(Note, the client was also on DreamHost)
I just wrote a blog article about this and included a screenshot of the VirusAlert message we received. Hope someone will find this helpful.
http://aldebaranwebdesign.com/blog/wordpress-hack-causes-virusscan-alert/