domfontana (@domfontana) [Resolved]


    The comedian, Steve Martin, used to have a routine where he said he bought a book entitled, “How to make a million dollars and not pay taxes.” The first sentence in the book was, “First, get a million dollars.”

    That’s how I feel about the advice given in this forum about cleaning up a hacked blog. Everyone was very nice in steering me to all the appropriate posts and articles on the subject, but they basically all said the same thing:

    1) Clean out the malicious code from your blog.
    2) Upgrade to the latest version of WP.
    3) Add security features to your blog, so you don’t get hacked again.

    Well, I did #s 2 and 3, but nobody really explains how to remove the malicious code from your blog (#1). So now I have a fully updated WordPress with security features installed, but with the same malicious code in it.

    I think removing the malicious code from my existing blog is beyond me. What should I do? Is there a program that will remove the code for me?

    My Blog: http://blog.fontanafirm.com/

    Thanks for any help.

Viewing 15 replies - 1 through 15 (of 33 total)
    Roy

    (@gangleri)

    Dom, there is no clear answer to your question. There are many different hacks. Some hacks change theme files, other hacks change WP ‘core files’, another abuses a plugin, another adds tables to your database or edits existing database tables, another adds a user with admin rights and makes fun in your admin surroundings, etc., etc., etc. I don’t know what kind of hack you suffered, so it’s impossible to give clear advice.

    The bottom line is: if files have been changed, you have to clear out the added code. You can do this by comparing the files on your server with the files you downloaded from WP, the place where you got your theme, plugins, etc.
    The same goes for database changes, users or tables that shouldn’t be there should be cleared, the content of tables has to be checked.

    Yep, that’s a hell of a job, especially when it’s your first time. I just hope I will never have to!

    Thread Starter domfontana

    (@domfontana)

    Hi and thanks for the response.

    This much I do know. When I first posted I was hacked, a nice gentleman emailed me with this info. He said this code was in the source of my front page, but cautioned that was just the start of the links. So I think that the code may just be confined to my first page (the most recent post).

    Malicious Code:

    <!-- Begin News --><u style='display:none'>Order Phentermine Online Fast Delivery ……….

    I am not being redirected to any sites, but I am stuck on my first page. I can’t access any of my other posts.

    Here’s another wrinkle. I have a paid hosting account with Yahoo and set up WordPress through Yahoo. I never downloaded any files to my computer. They’re all on the Yahoo server, which I can access through my FTP program.

    When I look in the wp-content folder on the server, I don’t see any of my posts.

    Would you know how I can access my posts or is this something I should be asking Yahoo?

    Thanks.

    UseShots

    (@useshots)

    Hi,

    The hack seems to have only injected hidden spam links into your blog web pages.
    Since you use the default theme and the upgrade overwrites core .php files, the hidden links seem to have been removed. I don’t see any hidden spam links. That’s good.

    You might want to give the WordPress Exploit Scanner plugin a try. It searches files and database of your website for signs of suspicious activity. It will show if your blog still contains some malicious code.

    You can also use my online service called Unmask Parasites ( http://www.unmaskparasites.com/ ) to check for hidden illicit content on your web pages.

    I have found another problem with your site. Individual posts redirect to themselves and introduce an infinite loop. Just try to click on any post link – it won’t show. Or see this report:
    http://www.UnmaskParasites.com/security-report/?page=fontanafirm.com/fontanablog/2009/02/18/where-are-my-courses/ – endless 302 redirects.

    Looks like a problem with .htaccess file. Try to change the permalink structure and then revert it back to the one you prefer. Hope this will rewrite the .htaccess file with correct redirect rules.

    Roy

    (@gangleri)

    You’ve got a nice week ahead of you :-/

    Your posts are in your database, you can’t see them using FTP, but of course you can use the “edit” post option in the WP admin to have a look at them (don’t use the visual editor though).
    Did Yahoo provide you with a file manager or something (it could be in your control panel/plesk/phpmyadmin/whateveryouhave)? That’s a tedious way of looking through the files, but…
    Also you can use FTP to download the whole WP pack from your server to your computer. Also get a ‘fresh’ pack from the wp website and start comparing the files. The same with your theme files.

    Thread Starter domfontana

    (@domfontana)

    Thanks, Gangleri. That’s a good idea. I’ll follow your advice and get back to you.

    I know there are file comparer programs out there. They compare the contents of 2 files and highlight the differences. Is there one you can recommend?

    figaro

    (@figaro)

    I use Winmerge:

    http://winmerge.org/

    But, you really shouldn’t need to compare a lot of files. Just replace the source code with a fresh copy of WP. Delete all your plugins and install all new ones. If you use a custom theme that you haven’t made code changes to, then download a fresh copy of it and install it new as well…then all your code (with the exception of your upload data) will be new…and should be clean of any hacks.

    As always, backup before doing anything…

    jasonjm

    (@jasonjm)

    It always helps to use:

    find /dir-of-your-wordpress-install/ -type f -exec md5sum {} + | sort -k2
    find /dir-of-a-default-wordpress-install/ -type f -exec md5sum {} + | sort -k2

    Compare the hashes and any file not matching will most likely have your ‘malicious’ code.

    I’m not in front of a (*nix) box at the moment but i’m sure someone here who is can combine the above two and just pump out the hashes that don’t match.

    This is one way of doing things,

    Jason
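    The two hash listings above, combined into one script that prints only the files whose hashes differ between a fresh WordPress download and the copy on the server. This is an added example, not Jason's or WordPress's own code; the directory paths are placeholders and the demo trees are constructed inline.

```shell
#!/bin/sh
# Added example: compare a fresh WordPress download (clean) against the copy
# on the server (suspect) file by file with md5sum and report the differences.
# Paths are placeholders; run as: compare_trees /path/to/clean /path/to/suspect
export LC_ALL=C   # byte-wise ordering so `sort` and `join` agree

# Print "relative/path md5" for every regular file under directory $1.
hash_tree() {
    (cd "$1" && find . -type f -exec md5sum {} + | awk '{print $2, $1}' | sort)
}

# Print one line per difference:
#   MODIFIED path  present in both trees but the hash differs (edited core file)
#   ADDED    path  only on the server (wp-config.php and uploads are expected;
#                  a new .php file under wp-admin/, wp-includes/ or uploads/ is not)
#   MISSING  path  only in the clean download
compare_trees() {
    clean=$(mktemp) && suspect=$(mktemp)
    hash_tree "$1" > "$clean"
    hash_tree "$2" > "$suspect"
    join -a1 -a2 -e '-' -o '0,1.2,2.2' "$clean" "$suspect" |
    awk '$2 == "-" { print "ADDED    " $1; next }
         $3 == "-" { print "MISSING  " $1; next }
         $2 != $3  { print "MODIFIED " $1 }'
    rm -f "$clean" "$suspect"
}

# Constructed demo: a clean tree and a suspect tree with one edited core file
# and one file (wp-config.php) that a fresh download never contains.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/wp-admin" "$tmp/suspect/wp-admin"
    printf '<?php // unchanged' > "$tmp/clean/index.php"
    printf '<?php // unchanged' > "$tmp/suspect/index.php"
    printf '<?php // core' > "$tmp/clean/wp-admin/menu.php"
    printf '<?php // core <u style="display:none">spam</u>' > "$tmp/suspect/wp-admin/menu.php"
    printf 'define("DB_NAME","x");' > "$tmp/suspect/wp-config.php"
    compare_trees "$tmp/clean" "$tmp/suspect"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

    Run it with `--demo` to see the two expected lines (MODIFIED ./wp-admin/menu.php and ADDED ./wp-config.php); on a real server, review every MODIFIED core file and every ADDED .php file by hand before deleting anything.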

    Thread Starter domfontana

    (@domfontana)

    Gangleri,

    I had already viewed my front page in the WP editor using html mode, but I didn’t find anything.

    I just checked all my theme templates and stylesheets and everything looked okay.

    Also, I used the Yahoo File Manager and it works very well. I could see all the files on the server and it allows you to view and edit any file. It’s actually quite well done.

    The only thing is I still can’t find my actual posts. Where is the database that you spoke of? The Yahoo server has wp-admin, wp-content, and wp-includes folders, plus a bunch of php files. I checked them and everything seems okay.

    Should I just view each of my posts from the WP Admin panel using the HTML editor? Will that show me the malicious code or is it hidden in the editor?

    My Blog: http://fontanafirm.com/fontanablog/

    Thanks.

    Thread Starter domfontana

    (@domfontana)

    figaro:

    I just got WinMerge and installed it. It’s a good program to have around. Thanks.

    A few questions: I just upgraded WP. I actually went from 2.0.2 to 2.7.1, so I was behind the times. I forgot the exact procedure, but wouldn’t that replace the most sensitive files? As far as my theme goes, I’m using the default theme with a custom header. But I looked at all the theme templates and they seemed fine.

    I will delete all my plugins and reinstall them. Should I do the same for my widgets? As far as my upload data goes, in my last post I have 10 links for YouTube videos. Maybe that caused the problem.

    Thanks for your help. I’ll do everything you said and report back here.

    Thread Starter domfontana

    (@domfontana)

    Hi, jasonjm.

    Thanks for the help, but I’m sorry, I don’t really understand what you mean.

    > ls /dir-of-your-wordpress-install/ |xargs md5sum
    ls /dir-of-a-default-wordpress-install/ |xargs md5sum <

    Are these commands I’m supposed to use?

    figaro

    (@figaro)

    Are you sure the malicious code is still there? I don’t see anything suspicious in the source code of your site.

    jasonjm

    (@jasonjm)

    They are Unix/Linux commands, ignore them if you don’t have access to a *nix command line. Winmerge will do the job for you just as well.

    Thread Starter domfontana

    (@domfontana)

    Hi.

    Figaro, first, I’m not sure if the malicious code is still there. I actually never saw it. Someone emailed me and said they saw the code. Thanks for the commands anyway, Jason.

    UseShots: I don’t know how I missed your response earlier. I must have been posting as you were and didn’t see it until now. I’ll use the ExploitScanner and your site now.

    As far as not being able to view any posts, that’s the only problem I’m having with the blog and that’s what I’m trying to fix. I thought it was because of the malicious code, which apparently is now gone. I did run a security widget (forgot the name) on my blog and it reported a problem with the .htaccess file. When I checked, the file is not there on the Yahoo server.

    This is probably good news. That must be the problem. I don’t have an .htaccess file. If I can recreate it, then I think the problem will be solved.

    Now for the million dollar question:

    How do I recreate or get the .htaccess file?

    As always, thanks for any help.

    Thread Starter domfontana

    (@domfontana)

    Okay, I used ExploitScanner, as per UseShots suggestion, and it came up with a ton of things. It tagged a lot of Suspicious Files, but cautions that some of them could be legitimate code. Here is one example:

    “String.fromCharCode” Javascript code used to hide suspicious code, but can also be legitimate code.
    /fontanablog/wp-admin/js/revisions-js.php
    on(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4

    So, how do I know if I should delete it or if it’s legitimate?

    The good news, it reported:

    No suspicious plugins found
    Hooray! No suspicious plugins found in the active_plugins database record.

    No suspicious posts or comments found
    Hooray! No suspicious text found in your posts or comments tables


    Download a fresh copy of WordPress (same version) and compare.

The topic ‘Cleaning hacked Blog is beyond me’ is closed to new replies.