Exploits and GoDaddy

Here goes the standard reply,

fix advice:
http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
http://wordpress.org/search/hacked?forums=1

Make sure that your files on the server are clean. If that means deleting and reuploading, than you ought to do that. Files that you dont replace, should be looked at closely.

Check for files that dont belong, directories that dont belong. Image files with changed timestamps — look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

Be suspicious, when youre looking at things.

Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

Make sure ALL of your plugins are current.

Make sure your wordpress is current.

Change your mysql password that wordpress uses (update your wp-config.php with that new password).

Change any admin level passwords on your blog.

Look at any other software thats being used on your site. Is it current?

That’s just an outline and not a complete list.

There’s quite a bit to do, but it’s all necessary.

I just had a run in with this exploit over the weekend as well, and wrote about it here: PHP Script Injection Exploit in WordPress 2.7.1. I cover how it was detected and resolved.

Also, while I’m sure it can happen with other hosts as well, my site is also hosted with GoDaddy.

i was hit with this one too, pretty bad. as i design sites and build custom themes, many of my clients were hit as well. avast antivirus (free) is really good at picking up this particular virus on your machine and through firefox.

thanks kikolani, for your post. looks like i dont have to delete entire installs anymore 🙂 phew!

also, I found 2 plugins that might help to secure wp better.
Secure WordPress for the basics and User Locker to guard against brute attacks.

best of luck to everyone, this virus is a pain in the rump.

i was hacked by the “Saudi Arabia Hackers” and I am running the latest version of wordpress. What I am wondering is if they broke into my website or my email. I am guessing the backend of my site, because I recieved an email stating that my admin password had been Lost/Changed and now suddenly I cannot recieve my password.

Maybe there is a major problem with the 2.8.4 version of WordPress? I am not entirely sure and it’s kind of weird to me. And very random. Since my site isn’t very popular at all.

I am a professional WordPress Developer. I have a client that was being hacked almost immediately after installing WordPress on GoDaddy. The WordPress installation right from the get go has a huge problem. The wp-config.php file in the GoDaddy WordPress installation package is exposed because it does not have the closing tag ?> at the end. This means that your SQL DB username and password can be grabbed. I am finding several other security vulnerabilites and am still in the process of isolating all of them. I have been successful at completely blocking the hackers by adding this .htaccess file below until i am completely done plugging all the holes. I would advise anyone who has WordPress installed on GoDaddy to add this .htaccess code to their website immediately. I have notified GoDaddy yesterday 2-13-2010, but i am not going to wait around for them to act and take care of this. Some of the hacks that occurred to this client. XSS hidden iframe injection, XSS injected code throughout the site affecting all critical .js files, backdoors set up everywhere, the /stats folder on godaddy has a huge security vulnerability – the primary host account password can be grabbed, there are several other security vulnerabilities that i am finding and will add a full detailed report once i have that info. For now like i said i am successfully blocking the hackers with this very restrictive .htaccess file. it will actually block you from activating plugins in your admin panel. this is an temporary inconvenience of course, but for now it is absolutely necessary for ABSOLUTE LOCKDOWN of your website. Everything else is fine ie your website is funtional and viewable by the world and can be indexed by search engines without any problems. Until i am 100% sure that i have discovered every single security vulnerability i am not giving these pricks a shot. And they have been trying now for 2 days. Since they are no longer able to clean their tracks from the logs i am watching the logs fill up with failed attempts after failed attempts at hacking this site.
I recommend you first create a maintenance mode php script and .htaccess file for your website so that if my very restrictive .htaccess file does not allow your site to fully function properly you can just have your site display that is being worked on and under maintenance (503 status code) until you can fix everything. Once again i will post a full description of all godaddy security vulnerabilities and fixes here later once i have completed all of my investigations. This is a 503 error status that you will not be penalized for by search engines.
create a php file called maintenanceXXXXX.php (add something unique to replace the XXXXX’s) from this code

<?php
header('HTTP/1.1 503 Service Temporarily Unavailable',true,503);
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 172800');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="robots" content="noindex,nofollow">
<title>503 - Temporarily Closed For Maintenance</title>
<style type="text/css">
<!--
p
{
    font-family: "Verdana", sans-serif;
}
-->
</style>
</head>
<body>

<p><b>Natural Herbal Remedies</b></p>
<p>is temporarily closed for maintenance.</p>
<p>Normal operation will resume as soon as possible.</p>

</body>
</html>

the maintenance mode 503 .htaccess file code

RewriteEngine On
RewriteBase /
# When enabled, the next code line allows testing.
# It says only do the rewrite if the request is from YOUR IP address.
# Thus, you can close the site only to YOURSELF to make sure it works,
# then comment out the line again to close the site to everyone.
# Set it to your actual IP address at the time of the test.
RewriteCond %{REMOTE_ADDR} ^000\.000\.000\.000$

# The remaining two code lines close the site. They say:
# if the request is NOT for /maintenance.php, send /maintenance.php instead.
# You MUST allow at least one file to be served without rewriting it,
# (maintenance.php in this example), to prevent endless looping.
RewriteCond %{REQUEST_URI} !^/maintenance\.php$
# To allow another file, copy the line above to here and change the filename.

# This line says: no matter what file was requested, serve maintenance.php.
# This is a rewrite (not a redirect), so we use the local file path, no http://
RewriteRule ^(.*)$ /maintenanceXXXX.php [L]

ok now for the very restrictive .htaccess file

setenv PHPVERSION 5

### Turning on the RewriteEngine ####
RewriteEngine on
RewriteBase /
ServerSignature Off

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# FILTER REQUEST METHODS
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|’|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

This .htaccess file is so restrictive it will also block you as an admin from activating plugins, but i have been monitoring a hacker for days trying every possible XSS attack string and i see nothing but denied, not allowed, etc. messages in the website error log.

once again i will post a more detailed godaddy wordpress security report once i have completed all of my findings. i am currently looking at the webformmailer.php file that is installed on all godaddy accounts by default – it appears that it is being exploited. You may want to temporarily disable it. gdform.php so far appears to be ok. I recommend that you immediately check your MySQL on your godaddy account and look for any databases that you did not create. clear all of the tables immediately. the db i found was called __piggy. More complete info on this will be posted tomorrow or latest tuesday. Slam the doors on these dirt bags. Good luck to all.