
Website Hacked - apparently through Wordpress (14 posts)

  1. merrywema
    Member
    Posted 2 months ago #

    Hi
    My website was hacked yesterday, apparently by using something in WordPress. I have now turned off permissions to that folder and so far they haven't come back like they did yesterday. They seem to have used wysiwygPro to upload stuff to the site without leaving a trace in the FTP log. Here is a snippet from the file which I can't seem to decode. If anyone has any ideas please let me know. In the meantime, hope it doesn't happen to you guys

    vwFfdMVa5fUKTWf96HuH6NLZEGde1SN6bbQrMM2hakT8ySdAgVVyna5SY0attYvaGkRHW80JIKCFDzRKM_xATpOpo4cSdaNuEOYKZrMSXmqQf8wvRLUQ2VR82DcaiEPyZ2mH0XXrgOhRN9pyJejtTAsPN9RKM0QoC4VkJX9rNnGrUyYkMSsA_LyKoFQcByrjxmK3_2KMO5uoEORRgSZWGMymQQgcilQPI_NlUf19GdIW456w1YGudi2KEnpJpKKc';

  2. krembo99
    Member
    Posted 2 months ago #

    Hello merrywema ...

    Your site was infected with some old (probably Iframe) hack.
    What it means is that someone put an iframe in your theme in order to "steal" traffic.

    If you want to see where the traffic is redirected to do the following :

    copy ALL of the code (between <script> and </script>), and paste it here:

    http://www.w3schools.com/js/tryit.asp?filename=tryjs_text

    check the text:
    if you have document.write somewhere, change it to window.alert;
    if you have eval, change it to alert.

    when you click the edit button, you will see exactly the link it sends to.

    now to clean the code, you need to open your index.php and just delete the parts between <script> and </script> that are relevant.
    note that you need to do that on the ROOT of the site, and if different, also on the WP ROOT.
    Usually those hacks go into the index.php and not the theme.
    In order to further help you, you will need to paste all the script to evaluate.

    USUALLY this is due to a TROJAN in your local system, so make sure to clean your computer using some anti-spyware.
    Plus, from now on use SFTP.

    In the meantime, hope it doesnt happen to you guys

    It did happen :-) more than once. And all the hardening of WP will not help (although good to practice) if you are on shared hosting, because sometimes the HOSTING ITSELF is the problem, whereas the hacker just goes to ANOTHER WP install on the same server, and then can "jump" into yours...

  3. merrywema
    Member
    Posted 2 months ago #

    Thanks for your help, but I don't think that is entirely the case from what I can see. I have these files starting WYSIWYGPro_edit which appear to have PHP in them to connect to my ISP and upload another file. I have since restored from backup, but it happened again. The ISP says it is a WordPress flaw, but I have the latest version. If anyone wants to see the whole file, I am happy to put it somewhere

  4. whooami
    Member
    Posted 2 months ago #

    merrywema,

    what's the URL to your WordPress blog?

  5. krembo99
    Member
    Posted 2 months ago #

    This is not a WordPress flaw. It can happen also with any other file (like index.php, index.htm, index.asp) on any other blogging or CMS system. (although it is true that WordPress can facilitate that, only because it is so diffuse...)
    It can be a flaw in cPanel, the MySQL server, a plugin you installed, actually ANYTHING in your system's configuration.

    I myself discovered a few flaws like that, even though I tend to keep them a secret (except notifying who needs to be notified, and most are already patched) - like for example the last one that forced the 2.8.4 upgrade, which was known to me for some weeks.

    But like I wrote above, we need to see the WHOLE code, so either post your URL like whooami suggested, or paste the script here like I said..

    This exact thing happened to me a FEW times on some of my sites.
    It is easy to fix, but we must see the code.

  6. merrywema
    Member
    Posted 2 months ago #

    Hi again - thanks for your help
    I have taken off permissions for my blog for now, which seems to have stopped another attack. The full code is below - I have removed my website address and that of my host to keep things a little secret. This file was in my root folder along with one that says preview which has some other code in it

    Thanks again for your help

    <?php ob_start() ?>
    <?php
    if ($_GET['randomId'] != "vwFfdMVa5fUKTWf96HuH6NLZEGde1SN6bbQrMM2hakT8ySdAgVVyna5SY0attYvaGkRHW80JIKCFDzRKM_xATpOpo4cSdaNuEOYKZrMSXmqQf8wvRLUQ2VR82DcaiEPyZ2mH0XXrgOhRN9pyJejtTAsPN9RKM0QoC4VkJX9rNnGrUyYkMSsA_LyKoFQcByrjxmK3_2KMO5uoEORRgSZWGMymQQgcilQPI_NlUf19GdIW456w1YGudi2KEnpJpKKc") {
    echo "Access Denied";
    exit();
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>Editing index.htm</title>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <style type="text/css">body {background-color:threedface; border: 0px 0px; padding: 0px 0px; margin: 0px 0px}</style>
    </head>
    <body>
    <div align="center">

    <div id="saveform" style="display:none;">
    <form METHOD="POST" name=mform action="http://69..8.218:2082/frontend/sg/filemanager/savehtmlfile.html">
    <input type="hidden" name="charset" value="ISO-8859-1">
    <input type="hidden" name="baseurl" value="http://www.meco.co.uk/public_html/">
    <input type="hidden" name="basedir" value="/home/mc1/public_html/">
    <input type="hidden" name="udir" value="/home/mc1/public_html">
    <input type="hidden" name="ufile" value="index.htm">
    <input type="hidden" name="dir" value="%2fhome%2fmc1%2fpublic_html">
    <input type="hidden" name="file" value="index.htm">
    <input type="hidden" name="doubledecode" value="1">
    <textarea name=page rows=1 cols=1></textarea></form>
    </div>
    <div id="abortform" style="display:none;">
    <form METHOD="POST" name="abortform" action="http://69.1.8.218:2082/frontend/sg/filemanager/aborthtmlfile.html">
    <input type="hidden" name="charset" value="ISO-8859-1">
    <input type="hidden" name="baseurl" value="http://www.meco.co.uk/public_html/">
    <input type="hidden" name="basedir" value="/home/mc1/public_html/">
    <input type="hidden" name="dir" value="%2fhome%2fmc1%2fpublic_html">
    <input type="hidden" name="file" value="index.htm">
    <input type="hidden" name="udir" value="/home/mc1/public_html">
    <input type="hidden" name="ufile" value="index.htm">

    </form>
    </div>
    <script language="javascript">
    <!--//

    function setHtmlFilters(editor) {
    // Design view filter
    editor.addHTMLFilter('design', function (editor, html) {
    return html.replace(/\<meta\s+http\-equiv\="Content\-Type"[^\>]+\>/gi, '<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />');
    });

    // Source view filter
    editor.addHTMLFilter('source', function (editor, html) {
    return html.replace(/\<meta\s+http\-equiv\="Content\-Type"[^\>]+\>/gi, '<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />');
    });
    }

    // this function updates the code in the textarea and then closes this window
    function do_save() {
    document.mform.page.value = WPro.editors[0].getValue();
    document.mform.submit();
    }
    function do_abort() {
    document.abortform.submit();
    }
    //-->
    </script>
    <?php
    // make sure these includes point correctly:
    include_once ('/usr/local/cpanel/base/3rdparty/wysiwygPro/wysiwygPro.class.php');

    // create a new instance of the wysiwygPro class:
    $editor = new wysiwygPro();

    $editor->registerButton('save', 'Save',
    'do_save();', '##buttonURL##save.gif', 22, 22,
    'savehandler');
    $editor->addRegisteredButton('save', 'before:print' );
    $editor->addJSButtonStateHandler ('savehandler', 'function (EDITOR,srcElement,cid,inTable,inA,range){
    return "wproReady";
    }');

    $editor->registerButton('cancel', 'Cancel',
    'do_abort();', '##buttonURL##close.gif', 22, 22,
    'cancelhandler');
    $editor->addRegisteredButton('cancel', 'before:print' );
    $editor->addJSButtonStateHandler ('cancelhandler', 'function (EDITOR,srcElement,cid,inTable,inA,range){
    return "wproReady";
    }');
    $editor->theme = 'blue';
    $editor->addJSEditorEvent('load', 'function(editor){editor.fullWindow();setHtmlFilters(editor);}');

    $editor->baseURL = "http://www.meco.co.uk/public_html/";

    $editor->loadValueFromFile('/home/mc1/public_html/index.htm');

    $editor->registerSeparator('savecan');

    // add a spacer:
    $editor->addRegisteredButton('savecan', 'after:cancel');

    //$editor->set_charset('iso-8859-1');
    $editor->mediaDir = '/home/mc1/public_html/';
    $editor->mediaURL = 'http://www.meco.co.uk/';
    $editor->imageDir = '/home/mc1/public_html/';
    $editor->imageURL = 'http://www.meco.co.uk/';
    $editor->documentDir = '/home/mc1/public_html/';
    $editor->documentURL = 'http://www.meco.co.uk/';
    $editor->emoticonDir = '/home/mc1/public_html/.smileys/';
    $editor->emoticonURL = 'http://www.meco.co.uk/.smileys/';
    $editor->loadPlugin('serverPreview');
    $editor->plugins['serverPreview']->URL = 'http://www.meco.co.uk/public_html/.wysiwygPro_preview_fd491768bbe8b2f208d6e5d82758228a.php?randomId=vwFfdMVa5fUKTWf96HuH6NLZEGde1SN6bbQrMM2hakT8ySdAgVVyna5SY0attYvaGkRHW80JIKCFDzRKM_xATpOpo4cSdaNuEOYKZrMSXmqQf8wvRLUQ2VR82DcaiEPyZ2mH0XXrgOhRN9pyJejtTAsPN9RKM0QoC4VkJX9rNnGrUyYkMSsA_LyKoFQcByrjxmK3_2KMO5uoEORRgSZWGMymQQgcilQPI_NlUf19GdIW456w1YGudi2KEnpJpKKc';
    // print the editor to the browser:
    $editor->htmlCharset = 'ISO-8859-1';
    $editor->urlFormat = 'relative';
    $editor->display('100%','450');

    ?>
    </div>
    <script>

    </script>

    </body>
    </html>
    <?php ob_end_flush() ?>

  7. krembo99
    Member
    Posted 2 months ago #

    this is not exactly the code I was asking for.
    This is not a "hack" code.
    this is wysiwygPro advanced edit feature regular file.
    wysiwygPro is a feature in cPanel > File Mgr. for editing HTML files.
    You probably have a cPanel on your host, or otherwise, they are using wysiwygPro for some other feature.

    What I needed to see is the code you saw IN YOUR XHTML after the PHP phrase, or if not, just the parts between <script> and </script> that you suspect to be malicious ...

  8. merrywema
    Member
    Posted 2 months ago #

    This file was newly added to my folder on the day of the hack. They then just added two new index files into my folders - one in the root and one in WordPress. I haven't as yet found any other issues - but have restored all files from backup. If this is supposed to be there, then sorry to bother you and thanks for your help

    Mark

  9. krembo99
    Member
    Posted 2 months ago #

    but lets go back to the beginning now ....
    WHY do you think you were hacked ? what are the symptoms ?

  10. merrywema
    Member
    Posted 2 months ago #

    Someone uploaded an index.html in my root folder and an index.php page in my WordPress folder. My ISP told me that this was due to a security flaw in WordPress. Not believing that they know their a*se from their elbow, I had a look around and found new files including these WYSIWYGPro ones.

  11. krembo99
    Member
    Posted 2 months ago #

    so actually no harm was done, as far as you know, to either your DB or your WordPress install?
    what was in those index files?

  12. merrywema
    Member
    Posted 2 months ago #

    Just lots of normal HTML boasting about who had hacked in and some Middle Eastern political stuff which I don't want to publicise further. I deleted my main files, restored from backup, turned off all read and execute permissions to WordPress and haven't had a good look through the files to see. From a basic search there doesn't appear to be anything amiss, but you never know!

    It's the fact that my ISP immediately blamed WordPress which makes me wonder.

  13. Otto42
    Moderator
    Posted 2 months ago #

    WordPress has no currently known holes. There's no exploits for the latest version of WordPress at the moment.

    Hosts love to blame WordPress, mainly because they don't know how to secure their servers properly.

    I would advise switching to a new host.

  14. krembo99
    Member
    Posted 2 months ago #

    WordPress has no currently known holes. There's no exploits for the latest version of WordPress at the moment.

    I would not say that ... :-)

    Hosts love to blame WordPress...

    I agree, and most of the time it's not WordPress causing the problems ..

    I would advise switching to a new host.

    I second that.
