Forums

WordPress › Support » How-To and Troubleshooting

1 2

Security issue, multiple sites (45 posts)

  1. ajparker
    Member
    Posted 5 months ago #

    It's really best to make the edit through something like phpmyadmin - login - select your wordpress database, then look for the wp_options table - then browse the table for the active_plugins row (or you could search for plugin) (on mine this option is listed as option id 39 - not sure if this is always the same.) In phpmyadmin you'll have a pencil to the left of the row - this is a link to edit the entry.

    The whole thing looks kind of like this...

    a:19:{i:0;s:35:"TBValidator/trackback_validator.php";i:1;s:35:"adsense-manager/adsen..... etc etc...

    The first two were the suspicious ones in mine - unfortunately I didn't document things as I went - I just deleted from the first i: to the end " after the second rogue plugin. I made sure that the option at the bottom of the page was to save and clicked GO.

    Then I went in and deleted the one file in the themes folder - the other seems to give permission denied still. (Even after a permissions change.) After all of this, I discovered that the edit essentially disabled all plugins - so I re-enabled my legit plugins.

    I don't know enough about the database to know if it would cause the sky to fall to delete the active_plugins key entirely and then run the upgrade.php again to reinitialize - but that might be an easier fix for most if that's safe. (Could someone speak to this?)

    Good luck!

  2. BurstCollective
    Member
    Posted 5 months ago #

    okay, I figured a couple things out...

    there's a few strange looking databases in my phpadmin area, most look similar to this :

    "rss_1f6c214c60d29cacd0400469cc53ff37"

    and then, inside those, there's RIDICULOUS lines of code filled with all sorts of link bait and queries I've been seeing hit my blog.

    So I'm going to delete them now. I figure I have a backup of te whole database so if I break something I can restore it... but I'm feeling pretty confident here since inside those entries I'm seeing all sorts of evil looking copy and links :

    O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:3:{s:5:"title";s:16:"No results found";s:11:"description";s:43:"No results were found for http://burst/blog";s:7:"summary";s:43:"No results were found for http://burst/blog";}}s:7:"channel";a:10:{s:9:"generator";s:15:"Technorati v1.0";s:9:"webmaster";s:43:"support@technorati.com (Technorati Support)";s:4:"docs";s:37:"http://blogs.law.harvard.edu/tech/rss";s:3:"ttl";s:2:"60";s:4:"tapi";a:3:{s:6:"result";s:5:"
    ";s:10:"result_url";s:17:"http://burst/blog";s:19:"result_rankingstart";s:1:"0";}s:6:"result";s:16:"

";s:5:"title";s:23:"Technorati Search for: ";s:4:"link";s:17:"http://burst/blog";s:7:"pubdate";s:29:"Thu, 01 Jan 1970 00:00:00 GMT";s:7:"tagline";N;}s:9:"textinput";a:4:{s:5:"title";s:17:"Search Technorati";s:11:"description";s:43:"Search millions of blogs for the latest on:";s:4:"name";s:1:"s";s:4:"link";s:32:"http://technorati.com/search.php";}s:5:"image";a:3:{s:3:"url";s:50:"http://static.technorati.com/pix/logos/logo_sm.gif";s:5:"title";s:15:"Technorati logo";s:4:"link";s:21:"http://technorati.com";}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

  3. thebes
    Member
    Posted 5 months ago #

    FYI, this exploit extends to 1.5.2 as well. Yeah, I know I have blogs that I need to upgrade... sigh.

    I could not find wp-info anywhere, but had several instances of the backdoor code in php files, several _old.jpgg etc, a phantom wordpress() user and it does indeed say its running 2.5... I am having problems getting into phpMyAdmin (probably unrelated), so I can't say for certain what is in there. From the date codes it looks like I was hit twice, one time on the 16th and once on the 25th, IIRC.

  4. ultrasonic
    Member
    Posted 5 months ago #

    After almost 12 hours, was able to finally fix the Wordpress 2.5.1. "still needs to upgrade to 2.5.1." issue. Most of the suggestions were mentioned already but here are links and steps that might help.

    MAKE SURE YOU BACK UP YOUR DATABASE BEFORE DOING THIS!

    After upgrading my Wordpress version 2.5 to 2.5.1., the dashboard is still telling me that I'm still on version 2.5. That's what brought me to the forums and eventually I found out I have those _new, _old, .pngg.php, .jpgg.ph, etc files in my content directory. So I immediately deleted that. For some reason though I can't find the 'wp-info.txt' file, even while viewing the hidden files (using filezilla).

    This was the most helpful link I got:

    1. http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/ - read carefully and follow as instructed.

    2. Make sure you delete the phantom "Wordpress" user. To instantly check if you have that user, go to your Wordpress admin "users" page, enter "Wordpress" under Search Users, if you DO NOT get a "No matching users were found!" you definitely have the phantom user in your database. You will notice a weird blank box appearing if you have that user. Another easy way is to Write Post, scroll down to Post Author, if there's an "invisible" author, that's the phantom Wordpress user.

    Check the link provided on #1, and delete it by accessing your database.

    3. As mentioned in one of the entries above, look under database wp_options the VALUES 'active_plugins' and 'deactivated_plugins'. It is very likely you will notice a plug-in that's not supposed to be there. Here's what I get in mine:

    i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpw6d0cG/sess_dea436 and so on (a very long plug-in entry)

    Remove that entry. If it works, then fine. If it doesn't, you can delete the entire line entry (active_plugins and deactivated_plugins) and Wordpress will automatically create new entries BUT MAKE SURE YOU BACKUP FIRST! THIS HAS NOT BEEN VERIFIED TO WORK FOR EVERYONE, but that's what I did on mine and it worked. When I enter the admin page, I just have to re-activate the plug-ins.

    Check your dashboard. You'll read the message: "This is WordPress version 2.5.1.". BACKUP your database immediately to help you against new or missed exploits.

    What I noticed is that removing the offensive files will still give you the false version message in your dashboard. What cleared it are steps #2 and #3.

    I strongly suggest you download the WP Security Scan plug-in (newly updated, just google it). It checks your writable directories as an added insurance that your directories have the correct chmod. If you tend to edit your themes often, don't forget to give them back their original permissions for added security.

    I hope this helps. BACKUP first before trying.

  5. karcher
    Member
    Posted 5 months ago #

    ultrasonic, this was a HUGE help.

    I'll be keeping an eye on my db for a while to see if more problems crop up.

    Thanks so much for all the sleuthing.

  6. karcher
    Member
    Posted 5 months ago #

    I don't know if this is helpful information to anyone trying to track down the source of this problem, but I'll post it just in case.

    I discovered the hack today when I tried to upgrade from 2.5 to 2.5.1. After following this thread, I found the offending lines of php code in one of my templates, plus all the rest.

    Up until April 19, I was running WP 2.0.4. On April 19, I backed up my entire site in preparation for the move to 2.5.

    I've had a look through that backup. On that date, my template files were OK. So the hack hadn't been triggered yet. However, in my wp-content/uploads folder, there is a file called js.php, dated April 3.

    This file seems to be the one with the payload for the hack. I'm not really a php coder but have enough of a software background to recognize it's not doing nice things, and believe I've found the piece of code that injects the offending line of PHP code into the beginning of people's files. The file makes several references to the following URL http://unurex.cn

    Is there anyone I can send this file to for study? I'm not that familiar with the system around here.

    Katrina

  7. karcher
    Member
    Posted 5 months ago #

    Me again.

    After studying the payload file, I would really appreciate someone more competent than me having a look:

    1) To tell me the extent of the damage to my security. What exactly did the hack do and what did the hackers get from me?

    2) To tell me if the steps mentioned by above posters are sufficient for getting rid of it. js.php seems to try to restore the hack, or embed stuff to restore it. It also seems to affect wp-includes/functions.php, or try to, which worries me, because I hadn't seen that mentioned by anyone yet. I'm assuming my update to 2.5.1 clobbered whatever it did to functions.php, but I can't be sure.

    Just tell me who to communicate with to send the file to and I will pass it along.

    Kat

  8. silverelf
    Member
    Posted 5 months ago #

    Hm.. my site got hacked too.. It seems that all the index.htm/index.php files contained in my public_html folders were deleted and switched. I'm using wordpress version 2.5. In additions, index files in subdomains that were locked up were also switched.

    http://sgorchids.com/

    I will be leaving my site the way it is for a while till about two weeks later. Just wondering if anybody experienced security issues with wordpress version 2.5.1 yet? I'm hoping to rebuild my site on a security stable version of wordpress.

  9. blogjam
    Member
    Posted 5 months ago #

    ultrasonic: thanks for all your hard work on this - I finally got everything cleaned up on my installation. Much appreciated.

  10. bluedonkey
    Member
    Posted 4 months ago #

    I've had a couple of sites hit by this, and spent a while cleaning up the mess. Now that's done, I've been looking at the logs and all the accesses I can find so far for the hacked files are from two IP addresses, both in the same block:

    194.110.162.23 and 194.110.162.79

    The earlier accesses are with the .23 and later ones .79. The block is registered to extendedhost.com in Canada, though there is no website there I can find.

    Will continue to dig a little and see what else I can find.

  11. Ashok Kumar
    Member
    Posted 4 months ago #

    I have installed wordpress 2-3 times taking new build from wordpress.org. But after some hours, it get hacked by some person called cesar. Can you please check if there is some loophole that needs to be patched!

    my site URL is http://aksblogger.com

    Regards,
    AKS.
    http://Shrink2One.com

  12. karcher
    Member
    Posted 3 months ago #

    As a final clean-up note for your databases, not only should you check your active plugins database entry in wp_options, but in your wp_posts, and wp_postmeta tables, look for the following and delete these entries:

    in wp_posts:
    any post titled rzf.txt (or a filename/title you do not recognize). Make a note of the post_id if you find any of these.

    in wp_postmeta:
    entries that list an attachment for the post_id you noted above. They will have meta_keys of _wp_attached_file and _wp_attachment_metadata and post_ids matching any hidden posts you found above. the meta_value will point to files like rzf.txt, or the bad pngs and jpegs mentioned in prior posts

    I was just doing some extra surveying of my site when I came across these entries I overlooked the first time around. Since I'd cleared the attachments out of uploads already, no extra harm done.

  13. Jingan Eugen
    Member
    Posted 3 months ago #

    You should check this article too: http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/

  14. VRocKs
    Member
    Posted 2 months ago #

    Crazy hackers...

  15. VRocKs
    Member
    Posted 2 months ago #

    Seems to me a hundreds of thousands of wordpress sites got hacked and wordpress doesn't know exactly how it happened.

    I was using the current version each time my site was hacked.

Reply

You must log in to post.

About this Topic

Tags