Forums

WordPress › Support » How-To and Troubleshooting

1 2

My site was Hacked (38 posts)

  1. Thread7
    Member
    Posted 2 months ago #

    My site was hacked. The home page had a warning message from SnipeR-BaghdaD with an email address hackerpro79@yahoo.com.
    Anyways, I've read some good post in here on what to do in order to recover. Immediately after the discovery I got into admin and noticed I already have 2.8.4.
    I'm not sure which version I had before the problem. Maybe the hacker upgraded? But probably not. I was probably exploited with 2.8.4 on my system.
    So my question is this. I was using a template called Revolution Lifestyle 2.0. We had changed a lot of graphics, etc.
    Can certain templates have security vulnerabilities?

    Thanks.

  2. UseShots
    Member
    Posted 2 months ago #

    Do you have any other scripts on your site? Forums? What plugins do you use?

    You might want to contact your hosting provider to investigate the issue.

  3. Thread7
    Member
    Posted 2 months ago #

    I have two plug-ins that are active:
    Simple Sidebar Navigation ver 2.1.0 (2.1.2 is available)
    All in One SEO Pack ver 1.6.4.1 (1.6.5 is available)

    I have 3 more plug-ins that are inactive:
    Featured Content Gallery
    Hello Dolly
    Akismet ver 2.2.6

    I don't have any forums. Are the plug-ins the more likely culprit? Both active ones were not updated to the most recent version.

  4. Thread7
    Member
    Posted 2 months ago #

    bump

  5. iridiax
    Member
    Posted 2 months ago #

    Themes and plugins can have security vulnerabilities, but most likely these were not the cause of your hack. Do make sure that your theme and plugins are upgraded however.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

  6. Thread7
    Member
    Posted 2 months ago #

    Hmmm. Once thing that is too bad is that just about all the plug-ins that help you with security are out of date and untested with 2.8.4.
    Especially:
    Chap Secure Login
    WordPress Exploit Scanner
    AskApache Password Protect
    WP Security Scan

  7. Thread7
    Member
    Posted 2 months ago #

    I search these forums and I can't find good discussions about protecting against vulnerabilities. I follow the links provided by the people above who were kind enough to answer me, and there is a lot of good information on those sites. I've followed the recommendations. But frankly a lot of that information is a year old. I still have no idea how I was hacked if I had version 2.8.4. If I do a Google search for my culprit - hackerpro79@yahoo.com - I get 5000 results! Thousands of other sites were hacked just like mine yet he/she isn't even mentioned once in these forums. And still this forum is so busy that my post can't stay on the front page for longer than 45 minutes.
    I just think there is a big problem and no one is addressing it. I want to get a discussion going. Either a Wordpress developer will notice and investigate the problem or a forum admin will realize there needs to be a forum dedicated to security.
    I used to use an ASP based forum package and it was riddled with security holes that were always addressed too little too late. I finally had to stop using it. Since I've discovered Wordpress I like it and want to keep using it. But if security isn't given enough attention I'll be faced without a tough decision.

  8. jdembowski
    Member
    Posted 2 months ago #

    I just think there is a big problem and no one is addressing it.

    *COUGH*nonsense*COUGH*hyperbole*COOOUUGHHH*

    Sorry, only one cup of coffee and I hope you can appreciate my early morning humor.

    What's not being addressed? One of the top sticky links on the forum:

    http://wordpress.org/support/topic/307660

    From the Codex
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://codex.wordpress.org/Hardening_WordPress

    iridiax had already posted a reply that clearly said plugins were "most likely these were not the cause of your hack" and gave you a link for remediation of your problem.

    If a vulnerability gets discovered it get's addressed in short order. WordPress is used my a metric ton of people on the Internet so it's no surprise that it's a popular target for hacks. Spammer/exploiters go where the market is.

    I still have no idea how I was hacked if I had version 2.8.4.

    Neither do we. What you need to understand is that you got hacked but you have not identified if it was the remnant of you using an old version or your server was hacked. Or maybe you've been hacked and your passwords were captured. Or the boogey man.

    It's a common refrain: "I don't know how I got hacked. I'm running WordPress so that must be it. Why is this not being addressed?"

    Finding out how you got hacked does not work by process of elimination. Web servers are too complex to say "I ruled out everything so it must be XYZ". If you can provide logs showing where the entrance point of your compromise was, and can demonstrate that it was WordPress 2.8.4, send the logs and a description of the exploit to security@wordpress.org.

    But if security isn't given enough attention I'll be faced without a tough decision.

    If you keep getting hacked and it's happened to you before or you switched from an .ASP solution to avoid being hacked, then seriously, consider moving to a managed service.

    Good luck. I hope you find the entry point; if not you'll get hacked again.

  9. Thread7
    Member
    Posted 2 months ago #

    Thanks jdembowski. If you read your reply again carefully you prove my point.
    #1. Your first link (to http://wordpress.org/support/topic/307660 ) states that all security problems are with older versions of WordPress. I've already stated in this thread several times that I was using the most recent version.

    #2. There is no sticky thread in this forum stating that if you've been hacked to send your logs to security@wordpress.org. None of the links that people have provided or I've found myself ever mentioned to do this. I would think that should be a little easier to find, don't you?

    That is why I am saying security in WordPress isn't being taken as seriously as it needs to be. I'd guess the 5,000 other sites that were hacked by the same guy would agree.

    Don't believe me? I Googled the guy and here are several other sites that were hacked, all using WordPress 2.8+.
    http://www.ecolifeadvisors.com/ - WordPress 2.8
    http://unlimitediphoneapps.com/ - WordPress 2.8
    http://spyera.com/tag/sms - WordPress 2.8.4
    http://chodely.com - WordPress 2.8.3

  10. jdembowski
    Member
    Posted 2 months ago #

    Sigh, you'd think I'd learn. I think the important thing is that you've been pointed to a link to help you clean out the hacked blog.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Now for a little diatribe:

    First thing: There will be an exploit or proof of concept against WordPress 2.8.4. Guaranteed. Hopefully it will be long after 2.8.4 is in the dust bin.

    Onto your points.

    #1 That link was to illustrate that security is taken seriously.

    #2 Nope, you are right, there is no sticky thread for that. Perhaps a moderator will fix that. In the meanwhile that e-mail address is mentioned over 2,000 times in these forums

    http://wordpress.org/search/security%40wordpress.org?forums=1

    This is a volunteer self help forum so the organization may be off. Sorry to point this out but self hosted WordPress really is not for the faint of heart. Self hosted anything on the Internet requires work and I'm confident you know that too.

    #3 Never once said I don't believe you. What I did say is that you are making a leap in claiming it's WordPress 2.8.4 without proof. You top two examples of 2.8 just confirm what was said before: upgrade to 2.8.4 or deal with the consequences.

    So a hacker was prolific and broke +5,000 websites. A script kiddy exploiting the same flaw repeatedly; that's not news or even original.

    Now do you know if those sites had a plugin that was weak or did the script exploit an old weakness? Any details on how they or your blog was compromised? Not guesses or suspicions but anything that can help actually solve a problem?

  11. nudm
    Member
    Posted 2 months ago #

    Hi Thread7, my site just got hacked by the same guy. Maybe we could compare notes and try to get to the bottom of this. Please email me if you would like.

  12. jxrtau
    Member
    Posted 1 month ago #

    jdembowski, it is smart alec know it all people like you that frustrate internet users.
    Your link for a hacked blog is about as useful as turning your computer off and then on again.
    If you have nothing to add to a specific request then don't bother.

  13. blondishnet
    Member
    Posted 1 month ago #

    Alright, I am adding my advice in as a small webhost over the past 5 years.

    It could be your server, not just your WordPress was hacked in particular. It happens and I have seen it a lot.

    As for your WordPress, those plugins you listed are okay. I would say if you are already using the most current version of WordPress, you can harden your security. You can follow the tutorial link below to my tutorial to do that - http://blondish.net/articles/tutorials/how-to-secure-your-wordpress-blog/

  14. jdembowski
    Member
    Posted 1 month ago #

    jdembowski, it is smart alec know it all people like you that frustrate internet users.

    A fan! And here I thought my comedy was unappreciated. I'm not a know it all, but I do know something about this. That link was the most helpful part of my post. The rest, as indicated, really was a diatribe.

    Your link for a hacked blog is about as useful as turning your computer off and then on again.

    This is a self-help volunteer support forum. What would be really useful for anyone who was hacked if they could get someone on their box who knows what they are doing to do a postmortem on the hack. That sort of help is often paid for, and there are people who do that sort of thing on this forum (not me, but http://jobs.wordpress.net/ is there for pro work).

    So that link, while you don't appreciate it, is really a good resource for helping yourself.

    If you have nothing to add to a specific request then don't bother.

    Sure thing Boss! Hey, so what did you bother to add? Sorry, that's just the smart alec in me talking.

  15. samboll
    moderator
    Posted 1 month ago #

    jdembowski, it is smart alec know it all people like you that frustrate internet users.
    Your link for a hacked blog is about as useful as turning your computer off and then on again.
    If you have nothing to add to a specific request then don't bother.

    What did you add to this thread? Oh yea, a smart alec observation - IOW...nothing

  16. mrgray
    Member
    Posted 1 month ago #

    My site too was hacked yesterday. I think part of the problem could the be the webhost as the hacker attacked a number of other sites all on the same shared IP address. I was able to regain access by uploading a backup of my theme files, and will now work on trying to strengthen security. Will also revert to a database backup from a few days ago and upload new core files, plugins etc. Am still worried though that maybe the hacker has been working on the site for a while now and had placed something in the database. Is this something I should be worried about or am I just paranoid now?

  17. jdembowski
    Member
    Posted 1 month ago #

    Is this something I should be worried about or am I just paranoid now?

    You've been hacked so I don't think a little paranoia is uncalled for...

    On the WordPress front, you can double check your database by exporting it to a text file and then look for things like hidden or <iframe, etc.

    The codex link about has more info via this post:

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Check out item #8 to look for damage within your posts.

    On your webhost front, that gets a little tricky. If the hacker got in via file access from an insecure webhost, you might not be able to do anything yourself. The webhost would have to lock the server down. Check with your provider and see what they say.

  18. jxrtau
    Member
    Posted 1 month ago #

    jdembowski, hopefully thread7 is still monitoring this post and hasn't given up all hope of finding a solution.
    I believe thread7 was looking for people who have also suffered the virus and have immediate solution to getting rid of it and eliminating re-occurrence.

    I found the thread and also hoped someone would supply a fix. I felt i should comment on your comment as not responding
    to thread7's direct request. Your help was in fact rather condescending, bleeding obvious and vague. As I also found no
    helpful responses to the request I had to trawl through my site and ferret out the source of the virus and fix.

    If thread7 is still around here is what i found and did.

    The hacked front page can be removed by changing your theme template. Use a different template for the time being. Once changed delete the corrupted template, you could upload a fresh uncorrupted version of your template.

    I am unsure of how the hacker gained entry or was able to change my password, but Cron jobs or RSS feeds could have something to do with it from viewing my access logs. You can modify these entry points.

    Entry was gained through a sub domain site. The virus drilled down and changed my template of my main site which has joomla installed.

    The hacker is lazy and sloppy and left tracks all through his code(a cry for attention?). Hopefully i can return the favor to him somehow.

  19. jdembowski
    Member
    Posted 1 month ago #

    Your help was in fact rather condescending, bleeding obvious and vague.

    Riiight. Sorry, but your behavior is rude and pointless. But keep trying.

    The hacked front page can be removed by changing your theme template.

    Or restoring a prior backup, or many other file modifications to the hacked files. That's also "bleeding obvious". As it's bleeding obvious that if you don't close the door that the attacker came in through, the script kiddie will be back.

    So, have you found out how the hacker gained access and modified those files? Was it via a poorly written script on your Joomla site or was it something in a WordPress installation such as a plugin or theme? Was it on a shared host and the file permissions were not hardened?

    I'm not being condescending here: Since you are trying to help Thread7 and others, why not share how the attack was implemented on your system? That might help others who have had their site defaced too.

  20. apljdi
    Member
    Posted 1 month ago #

    On the WordPress front, you can double check your database by exporting it to a text file...

    I just ran across this-- anywhereindb. Haven't tried it but it looks handy. Maybe it will help someone.

  21. ClaytonJames
    Member
    Posted 1 month ago #

    @jxrtau

    I am unsure of how the hacker gained entry or was able to change my password, but Cron jobs or RSS feeds could have something to do with it from viewing my access logs. You can modify these entry points.

    Entry was gained through a sub domain site. The virus drilled down and changed my template of my main site which has joomla installed.

    The hacker is lazy and sloppy and left tracks all through his code(a cry for attention?). Hopefully i can return the favor to him somehow.

    Bullshit.

    You have absolutely no idea what happened, or what you are talking about.

  22. blondishnet
    Member
    Posted 1 month ago #

    None of you do and it is both funny and irritating at the same time.

    If you were concerned to have read my reply- oh no, I am a woman, but I have been webhosting for more than 5 years.

    Your site/server had not been targeted personally as a means to get at you. It was someone who decided to hack 5000 websites for their pure enjoyment. It happens. Grow up, start your site over with a fresh and up to date version as even suggested by Matt Mullenweg himself, and make sure your webhost took care of the issue on their end by securing the server.

    So sorry to hear about your site being hacked... you are not the only one who has been. Instead, please read the valid suggestions made by myself and the only other logical person who responded jdembowski.

    Hey...any mods want to close up the topic before more ridiculous comments are shared?

  23. mrgray
    Member
    Posted 1 month ago #

    Thanks jdembowski for your tips.

  24. topgunscooter
    Member
    Posted 1 month ago #

    Check your user list for hidden admin users and remove any that aren't authorized. We suffered a similar hack a couple of months ago and that is how continuing access was gained.
    As for the comment about all vulnerabilities being in previous WP versions, do you not think the hack weenies are all over a new build from the day it hits beta release? They aren't going to procrastinate in starting their search for new holes to exploit.

  25. bmoon
    Member
    Posted 1 month ago #

    I have had 3 sites hacked THREE times. I have wp-security scan, all in one seo, all plugins updated. Built all three sites in 2.8.4, and now have web clients breathing down my neck telling me NOT use wp. Don't want to give up that easily.

    I have done extensive scanning on my laptop to make sure it didn't have a keylogger or anything pernicious running, hours of testing came back negative.

    Checked with host, they have everything going fine.

    I am using very encrypted passwords....

    Somebody please HELP HELP HELP!

    Sniper-Baghdad......

    I know how to restore the sites, search find for code in index page, which is usually buried on some back page....

    I'm desperate!

    J

    Pls somebody help and take this seriously!!!!!! 2.8.4 is NOT secure in my estimation.

  26. bmoon
    Member
    Posted 1 month ago #

    Continued...let me add, the database is fine. There are no hidden admin users. FTP was not breached. Only my wp sites.

    I rec'd notice from web client that site was hacked (again, and again for third time.)

    Each time, I went in and found the offending page, uploaded a fresh one which immediately restored the site. Checked all pages just in case.

    Then changed username AND password once again.

    Double checked the wp-security-scan. Have htaccess in wp-admin. Username is never "admin."

    I've read everything i can find on wp forum about hardening security, but I'm really stumped this time.

    I have several plugins, all updated. Don't know where the hole is?

  27. whooami
    Member
    Posted 1 month ago #

    bmoon, I have a plugin that might help find a hole, if one is to be found. I dont know that I would put it on a clients site though .. but if you have a personal one thats having trouble.

  28. jimzippy
    Member
    Posted 1 month ago #

    hi bmoon,

    I have noticed both you and thread7 are using similar plugins (as are others who have recently suffered).

    If you don't really need them - my advice would be don't use them!

    Make sure your hosting provider is a good one! - if you run your own servers and you're having security issues - i'd stop now and out source it. Are your three site sharing the same space? or on separate accounts?

    Double check your laptop again (bit outside the scope of this thread), but - bit defender online scan and spybotSD are good places to start for the basics.

    Wipe your server space clean (everything! e.g cgi-bin, etc), wipe your database and any others db's you may be running (e.g for joomla), change all ftp logins and start again!

    Download the latest WP again and run a fresh install - Keep everything as simple as you can (except your passwords lol). Change all your MySQL connect settings. Set your DB privileges appropriate to your use (more secure the better). Only keep the one theme you're using online and always update it... any additional javascript you may use - make sure it comes from a good/reliable source!

    If you can help it, don't re-use a backup as the issue could still be in it! (check that separately and thoroughly).

    If you or anyone gets hacked, please list all details about what you were using - as much as possible as it may help highlight an issue with a third party item.

    good luck!

  29. bmoon
    Member
    Posted 1 month ago #

    Hi again, and thanks for some quick responses.

    Ran over 10 hours of scans on my laptop, avg, spybot, malwarebytes, atf cleaner....had it get rid of some malware ad stuff, then reran every program again til it was clean.

    What's the plugin Whoamii, that you suggest for finding holes???? Would love to try.

    Great suggestions JimZippy......and tomorrow is a new day, and will try them all. Thanks.

    J

    What about AskApache Password protecter??? or even purchasing ssl for the admin?

    Yes, i've got a few of my own sites running 2.8.4 too...will try on mine first, but it's my clients who are getting hacked.

    yes, secure server and all sharing the same one....interesting, i know.

    J

  30. bmoon
    Member
    Posted 1 month ago #

    A few more things I'm finding on security...

    FROM
    http://codex.wordpress.org/Hardening_WordPress

    Securing wp-config.php

    You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation.

    **I tried moving the wp-config.php and it broke stuff. I moved it to one level above web-root. So what is the other trick to making this work? And is this considered a good move?

    Thanks again and always, for the help.
    J

Reply »

You must log in to post.

About this Topic

Tags