Posted 1 year ago #
Hello,
Please take a look at eclipsemagazine.com somehow my site has been hacked. All of the Post Links are being redirected to some weird anti-virus scanner. I looked at the code, changed the .htaccess file so that it's not active, looked at the theme and the permalinks and can't figure out why or how this is being done.
That's some irritating hack!! And the links are even broken (scanner.antivir64.com/?aff=1050). The weird thing is that the url your visitors are pointed to, does not appear in the source of your website. I can't even access the website to see what it is and a Google search doesn't result in much. It is almost as if this is handled outside of WP. To be honest, I have no idea where to start looking, but there's always a few things you can try of course.
1) Change to default theme and see if the problem persists. If it does not, your theme has been compromised, if it does, we have to look for something else.
2) Can you still access the WP admin? Do all internal links work or are they also redirected? What about post links (for example previews or edit links)?
Then a question: when did you upgrade to 2.6 and what plugins do you use?
[edit] another question: I see people can register. Did you get new users recently? What's the role subscribants get? "Contributor" or something with not too much rights I hope?
Posted 1 year ago #
I've tried disabling all the plugins, changing themes, and disabling the .htaccess file. My admin panel works as well. When I looked at the .htaccess file it was blank. It's really weird, it seems like it's completely outside of Wordpress. I looked at one of my test drupal installations and that works fine.
Posted 1 year ago #
Everything in the admin seems to work fine. If you notice the ad on the left is working fine as well.
it seems like it's completely outside of Wordpress
I had the very idea, but how? What about new users?
Are you on a shared server or a dedicated?
Did you check your error logs or contact your host?
Another thing that you could try, but which is tedious, is downloading your WP installation and check the files to see if anything is changed. Perhaps you can use the Windows search inside files function for that.
Oh, when you look at the files on the servers, are there files with a recent timestamp that you're sure you didn't edit yourself? That could be a pointer to what files to have a look into.
Posted 1 year ago #
I'm on a VPN, I don't know how many other people are on it, but not many. There's been no new users registered in the last day, this seemed to have happened sometime yesterday. I did contact my host provider but haven't received a response and they are usually pretty good about responding. I didn't think of looking at the time stamp. I'll do that now.
Posted 1 year ago #
the host provider is claiming it's a wordpress issue and won't fix it without a fee.
It would be nice to know what the issue is.
Did you check the timestamps and error logs?
And in reprise: when did you upgrade to 2.6?
Posted 1 year ago #
I upgraded the day it was released. I'll have to check the timestamps this evening. I'm not sure what to do now. I may just switch to Drupal and be forced to rebuild everything.
There are no known holes in 2.6 and I hope someone didn't find one in your installation. If you can find more information you might want to send an email to security@wordpress.org. It would be helpfull to check the timestamps to see if there are edited files, if yes, which ones and what was edited and perhaps your server logs can tell us something. Too bad nobody with more experience than myself is here to see if it is possible to find the way in. Security will definately want more information than what's not is. On the other hand, if it's a hack of a 2.6 installation that has been going for a couple of weeks and your host says the hackers came in through WP we should all be very curious what and how.
Good luck. I hope you'll find some valuable information before you clean up the mess. It might help the rest of us.
Posted 1 year ago #
I'll try that, thanks for all your help. It seems weird that the admin works though.
Posted 1 year ago #
I'm going to try to export and import when I get home and see if it's there. The only problem is my Import file is totally screwed up and doesn't import files properly. The date sort is completely out of date. I'm not sure what this will prove if it works, though.
I'll try that, thanks for all your help. It seems weird that the admin works though.
That makes me think it is a theme issue afterall. Do "view this post" from admin also work, I mean, when the admin uses the same link as on the site itself, not a preview link or something?
If it IS the theme, your site will still be infected if you keep using it. Instead of doing something drastic, maybe you should just reupload the WP pack. If any WP file is edited, the problem will go away too. I doubt it is something in your database.
Posted 1 year ago #
It can't be the theme though, because I tested 5 different ones and it still happens. I'm going to have to take the site offline tonight if I can't fix it soon. A lot of folks are complaining.
Posted 1 year ago #
Yes, the posts are hijacked in the admin when you click view posts.
Posted 1 year ago #
WOW! This one even has the control of your RSS. Let me dig a bit more deeper. I did check for your CSS files, nothing bad in them.
Posted 1 year ago #
Hmm, I ran a few tests and it seems that you DNS entries may be hijacked! Seems like your host has not patched up yet.
All your php files seem fine to me. Maybe its your hosts DNS flaw.
Please read about Dan Kaminsky's DNS Flaw on Google or http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Posted 1 year ago #
Wow, that's a new one. But I think it could be correct because if you type in eclipsemagazine/randomname it redirect to the antivirus thing. The weird thing is when I go to my drupal test site that works fine.
Posted 1 year ago #
Can you link me up with your drupal test site?
Posted 1 year ago #
Posted 1 year ago #
Hmm. I was wrong. This is no DNS flaw. Something at the server. Have you checked you database?
Posted 1 year ago #
I thought it might be the sezwho plugin, but not looking like it. Catagory.php was looking suspect, nope. It appears that HTACCESS is the problem.
Check your htaccess files for rewrites or redirects. It appears that the redirects work on all but the top page.
I turned off javascript in my browser, and it still redirects. I think your HTACCESS files may be the issue.
Posted 1 year ago #
I tried changing the name on my .htaccess and I looked at it in a text editor and it's blank.
Posted 1 year ago #
I looked at the databases and haven't seen anything.
Posted 1 year ago #
well, I broke the site. It was definitely an .htaccess hack. The problem is, for some weird reason I had a had a sub directory for each category that only contained an .htacess file, so I went through the site and deleted all those folders. The redirect is now gone, but I'm now getting 404 error messages. I'm going to try reinstalling WP and moving my db tables over, that should fix everything.
Those folders are not WP's. Does anybody know about a plugin that would do something like that? Otherwise it's still a very serious hack. Have you checked error and access logs and found anything out of order?
Btw. We've talked about timestamps. Did you check what timestamp all these weird extra folders and their files had?
When you've fixed things, you still have to make sure there still not a hack file somewhere, or something in your database that shouldn't be there. Make sure to change ALL passwords (WP, database, control panel, etc.) and read the hardening wordpress text in the codex to try and prevent this for the future.
(Actually I'm still curious about the "how" of this hack.)
Posted 1 year ago #
yeah, all the time stamp changes were on those folders, which is why I deleted them. But now I can't get the urls to work at all.
Posted 1 year ago #
Aha! Looks like it may have been an DNS attack after all. Seems I have to change my name servers (but my register isn't letting me change it).
So hopefully later today, once I get a workaround, I'll be able to finally fix this.
Posted 1 year ago #
Issue is resolved thanks for all of your help! It was a server hack, but the host provider really isn't admitting to it or providing me with any information. Changing the name server information seems to have fixed the problem.
Good for you. I've searched the www a little for DNS hacks, but I haven't found much about it. I'm still curious how it's done.
This topic has been closed to new replies.
