Forums

WordPress › Support » How-To and Troubleshooting

[resolved] Site Hacked or Security issue (15 posts)

  1. vanadius
    Member
    Posted 1 year ago #

    Guys, I was reading other post looking for answers but i cant find it

    My site http://basschannel.tv was hacked and I know it yesterday. A bunch of bad links was added to the first posts. Im deleting this links but it came back after few hours.

    I was looking into my page code and I found them writen on invisible ( hidden ) way.

    After reading other user post on this forum I look into my chmods and all are set on 644 or 755 so I guess I have installed some kind of script inside my wordpress that automatic re install the links ( each time the links are installed all they are different to the previous links that I deleted, thats what im guessing this is some kind of script installed )

    Any clues about where is the backdoor or where to look for that script ? Please help me

    Thanks

    Dago

  2. whooami
    Member
    Posted 1 year ago #

    <meta name="generator" content="WordPress 2.1.3" /> <!-- leave this for stats -->

    dude, upgrade. to start with.

  3. vanadius
    Member
    Posted 1 year ago #

    Thanks Whooami for the answer

    My hosting company offer automatic upgrade but there is some warning about if you modified theme to not upgrade and I modified my themes.

    What could be the better way and painless to upgrade? I know there is a lot os post about it and I read a lot of them but still found it is hard for someone not with expert level.

    Any advice will be really appreciate. Thanks to all

  4. Gangleri
    Member
    Posted 1 year ago #

    If you only update the WP files, nothing will happen to your theme. That is -of course- if you don't use a modified default theme under the name that you got it from WP. Upgrading is easy, just FTP the files to your server and "install" if needed. I do always try new versions first on a test website, just to be sure.

  5. vanadius
    Member
    Posted 1 year ago #

    Thanks Gangleri

    Lets see....I modificate my themes in this way: Change headers and add some modiciations like banners, advertising, adsense codes and stuff like this . I dont know if plug in could apply as modification.

    If somebody knows if this modifitation affect my upgrade proccess or not please tell me. I dont want to make a mess with the site trying to fix it.

    Do i need to modificate my database? I hope not..

    Again, all advice will be very welcome

    Thanks

  6. wridenour
    Member
    Posted 1 year ago #

    We're dealing with the same issue: links appended to posts in a hidden font (<font style="overflow: hidden; width: 0px; position: absolute; height: 0px">) We were running 2.32 and have just upgraded to 2.33. Does anyone have any clues about how this is being accomplished?

  7. whooami
    Member
    Posted 1 year ago #

    I have a good idea, but cant share it yet, since replicating what's being captured is turning out to be difficult.

    I can tell you that it's been suggested to me that changing your password is paramount. Especially, if your install was compromised from a previous version. And you might want to think about resetting sessions, clearing all user cookies, changing the three cookie names (look inside wp-settings.php at the bottom) etc..

    I have a live blog set up that is a reoccurring victim of these attacks. We have successfully captured the $_POST variables, and know what file is being called, but since we cant prove that the hackers arent using a hijacked cookie, the cookie names are going to be changed next.

    Its a game of cat and mouse.

  8. whooami
    Member
    Posted 1 year ago #

    I have an update on the live "honeypot" blog I have been playing with..

    We changed the cookie names by editing wp-settings.php, and lo and behold when the attacker came back, and tried the same tactic as the previously successful injection attacks -- they failed.

    What this means, is that anyone that was hacked using a previous version, needs to make sure to change their administrator acct's password (this ought to be obvious), and might want to do the same thing with WordPress' three default cookie names that Ive done on the HP blog..

    Again, they are named inside wp-settings.php near the bottom. 

    if ( !defined('USER_COOKIE') )
    define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
if ( !defined('PASS_COOKIE') )
    define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
if ( !defined('TEST_COOKIE') )
    define('TEST_COOKIE', 'wordpress_test_cookie');

    You can just append a few letters or #s if you like, to wordpressuser, wordpresspass, and wordpress_test_cookie.

  9. LenK
    Member
    Posted 1 year ago #

    Great detective work whoo! I was wondering if it had to something to do with cookies especially since replying to a recent thread where poppacket was asking about cross-domain single sign in - that thread really got me thinking about it.

  10. vanadius
    Member
    Posted 1 year ago #

    Thanks fot your help.

    Say Im short in knowledge. I know how to change the name of that cookies in wp-setting.php. Its all that I need? I mean, add a letter to each cookie name?

    Do you know if I can upgrade without trouble if I modified my theme adding ads and adsense codes and banners?

    Thanks in advance for your time. This is a very important issue to resolve asap

  11. whooami
    Member
    Posted 1 year ago #

    Its all that I need?

    Pretty much. And I wouldn't go doing this unless you've had this trouble previously. And realize that unless you do the same after you upgrade, assuming you upgrade correctly, the changes will not be present in your new wp-settings.php

    I dont offer this as any guarantee. Ive also sent all the data onto two of the devs for them to look at. I can, however say, that, at least for now, the last attempt at this exploit failed on a blog where this had been an ongoing problem.

    Ive gotten grief for giving out supposed panaceas on this forum, so I really need to stress that this is just a preliminary observation -- empirical evidence points to this fixing this problem for this ONE blog. Your mileage may vary.

  12. whooami
    Member
    Posted 1 year ago #

    I just finished upgrading a 2.1.x install to 2.3.3 The old install had been exploited with the spam links.

    I changed the admin password, renamed the cookies, and set up logging. Time will tell.

  13. whooami
    Member
    Posted 1 year ago #

    okay, this most recently upgraded site appears to have been "food" for the 2.1.3 admin-ajax.php exploit. There was heavy activity in the log I set up, showing exploit attempts, all of which were fruitless.

    Unless I see something else, case closed.

  14. vanadius
    Member
    Posted 1 year ago #

    Whoo

    I have to say in public a BIG THANKS for your help.

    Whoo FIX my security issues in a hurry attending the urge os save my site ( my main income source )

    I really appreciate all your time and effort. You can found a lot os ANSWERS in Whoo website as I did.

    Even a 1k of more o miles separete us. We were capable to work together and in armony to solve this.

    Thanks for your simpaty on this WHOO

    You have a free fishing trip on Mexico when want to came here. I will close this post as SOLVED

  15. Otto42
    Moderator
    Posted 1 year ago #

    whooami: Could you provide more info about why changing the cookie names works? Changing the names would certainly invalidate their cookies, but changing the passwords should prevent those cookies from being valid anyway. Can't see why one helps and not the other.

    Adding a define('COOKIEHASH', "some_random_string_here"); line to wp-config.php would have the same effect as you're describing. And the test cookie should not affect anything anyway.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags