Forums

WordPress › Support » How-To and Troubleshooting

[SERIOUS] numerous hacking attempts (12 posts)

  1. czhannes
    Member
    Posted 1 year ago #

    I have a really serious problems with my Wordpress site.

    It has been at least 4 times in last 7 days. I am running latest version, 2.6.1 with minimum plugins. All the hacks took a different form:

    1) complete redirect to another site
    2) changed links in posts / pages to another site
    3) theme changes, added malicious codes and ad scripts
    4) various files uploaded on the server

    I am pretty sure there are some undocumented exploits being actively used to hack my site. I was running 2.3 version before and thought that upgrading to latest version will fix everything, but it didn't change anything at all.

    I manually removed user "Wordpress" from table wp_users, which was somehow added and not listed in the Users page. This account had most likely admin priviledges. I have no idea how he was able to add it to the database.

    Few minutes ago, I wasn't able to login into wp-admin folder - it always redirected back to root. I checked .htaccess and it was altered by someone.

    I also found these files in wp-content/uploads:

    hlaccess.php
    js_cache/tinymce_0545a56e85e54f37b23350e9b20137b3.gz (74632 B)
    js_cache/wp-load.php

    I edited all files with CHMOD 777 to 644 so noone can edit them without access to server/FTP.

    I changed my pass 3 times in last few days.

    I am quite desperate right now feeling that I have almost no power over my website. I am seriously considering moving to another platform or self-written CMS, however it's not an easy process with 400 000 comments and 10 000 posts.

    List of active plugins: Democracy, Email Users, Math Comment Spam Protection, Feedburner Feedpress, Paged Comments, Wp SuperCache.

    Please help me if it's possible...

  2. mikey1
    Member
    Posted 1 year ago #

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

  3. jdembowski
    Member
    Posted 1 year ago #

    I am pretty sure there are some undocumented exploits being actively used to hack my site. I was running 2.3 version before and thought that upgrading to latest version will fix everything, but it didn't change anything at all.

    I doubt it. Your profile shows that you were hacked before you upgraded. According to your old post someone got in months ago via ftp.

    Upgrading to 2.6.1 is a good start but it is not a fix. Unfortunately you've got a lot of work ahead of you to repair the damage that was done already.

    See this post from Donncha O Caoimh's often quoted blog. Read the whole article. Also you may want to install his exploit scanner. It's not a magic pill but it will help identify the extent of the compromise.

    Do you have separate backups of your files and your database? You'll need them plus you'll need to be able to restore everything if you need to put it all back in case you really mess up.

    You need to so this in baby steps. First install in a separate directory a new blank WordPress install without any plugins or theme. Do this on some box that is clean. Your PC running a local webserver (WAMP) will do. This is just to be able to clean things up.

    Also seriously consider getting a new host: you're current web host gets compromised too often.

    Second, you need to go though the database dump with a text editor and remove all the bad references from your database dump. If you want try using the WordPress export your blog via the dashboard Manage -> Export. I find that editing the .xml file is easier than editing a database dump.

    Now install that cleaned up database onto your blank WordPress installation. If you used the .xml file, import that file. Once you are sure that the install is clean then add customization using fresh copies of the theme and plugin.

    Don't use any existing copies you have already, they are suspect.

    Now here comes the scary part. Once that's all done you need to wipe out the existing database and files.

    DON'T DO THIS UNLESS YOU KNOW YOU CAN RESTORE IT. If in doubt don't do it. I really think you should do this on a new web host that is not managed by the existing hosting company. That way once you are clean just update your DNS record to point to the new box and lose the old one.

    Install a copy of your cleaned up WordPress and if all goes well and you got all of it then you'll be good for now.

    Good luck.

  4. czhannes
    Member
    Posted 1 year ago #

    that was a different blog on a different host which has been hacked before. this one was always fine and secure.

    i am on my own dedicated server, i dont plan moving anywhere else. i tried to enable safe mode but some plugins like wp super cache dont work with safe mode being turned on. i at least added some functions to disabled functions in php settings.

  5. jdembowski
    Member
    Posted 1 year ago #

    You will still have to do the clean up on that blog. No way around it.

    that was a different blog on a different host which has been hacked before. this one was always fine and secure.

    Well, you are compromised now on that blog. Don't know what to tell you: unless you can produce some log data (hard to do after the event) then I have to believe that something is being done incorrectly on the server.

    i am on my own dedicated server, i dont plan moving anywhere else.

    Cool! Doing it yourself is educational, gives you full control of everything and is the way to go. I'm on my own server and many of us are. I hope you are running a Linux, UN*X, *BSD server. I find they are easier to lock down than a Windows server on the Intenet.

    Now please turn of ftp if you have not done so. You should only use ssh on your. I am guessing you are using Windows as your workstation? There are many Windows clients that can use ssh/scp and WinSCP is free and easy to use.

    There are many FAQs via a good google search for securing your installation on the server side.

    Once again, good luck.

  6. czhannes
    Member
    Posted 1 year ago #

    okey, it happened again this night with someone completely changing the frontpage and uploading a different file with redirect there.

    i noticed two things:
    1) few minutes prior the hack, i received an email that password of one of my users has been changed. i guess the hack is directly linked to that, possible some vulnerability in users table
    2) prior to hack, the url was changed in wordpress settings (removed www.) and title and description of the blog was completely removed.

    i still think there may be a private/unknown exploit. the second option is some vulnerability on the server (kernel, apache, sql or any other software), although this doesn't seem that realistic.

  7. mrmist
    Member
    Posted 1 year ago #

    The third option is that your blog was compromised in an earlier version and the hack was not completely removed.

    Which passwords have you changed? You'd need to change -

    FTP/Shell account passwords.
    MySQL passwords.
    WordPress account passwords.

    And delete any unknown / suspicious logins from your server and WordPress. And refresh all the WordPress files and content.

    Basically assume you are still hacked. Because it sounds like you are. You really would be best starting fresh, removing the web content and refreshing with new files, and either exporting and importing your entries into a fresh database, or checking your existing database fully.

    Depending on the extent of the original hack, and the setup of your server, the server itself may have been compromised, though it's more likely it's just a persistent WordPress hack that's subverted your logins.

  8. czhannes
    Member
    Posted 1 year ago #

    i just found an exploit uploaded to my server, it was in /wp-content/uploads.

    here's the code: http://paste2.org/p/67510

  9. czhannes
    Member
    Posted 1 year ago #

    hm... now when you have proof... noone?

  10. whooami
    Member
    Posted 1 year ago #

    thats great, however its proof of nothing, except that someone was able to upload a file. Guess what? Thats the REAL exploit

    What do you hope to accomplish?

    Instead of trying to argue, how about looking through your server logs, and determining how the file was uploaded. Take THAT information, and pass it along to security@wordpress.org

    Oh, and then, while youre at, educate yourself.. while you indicate you are using minimal plugins, using the wrong one is all you need to do. wp-backup or whatever that thing is comes to mind for me.

  11. czhannes
    Member
    Posted 1 year ago #

    i sent an email to wordpress security. i went through hundreds of megabytes of logs but didnt find anything (how they managed to upload the file there, just various ips accessing the file). i updated all software on the server but it still continues...

  12. czhannes
    Member
    Posted 1 year ago #

    okey i found the remote shell.

    i did it by using this useful command which searches for term c99. there are basically two remote shell coming from russian hackers, r57 and c99. i scanned the machine for both of them and there were 2 c99 shells uploaded in folders of other wordpress blogs.

    find /path/to/www/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

    i hope the attacks will stop now

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags