WordPress › Support » KoiQBOL hack/worm

flamexero
Member
Posted 1 month ago #

Hi
It seems like my blog has been hack (was before i upgraded.)

There is always a huge link farm in either the header or the footer theme template. One paricular is that there is also a js. funktion named KoiQBOL before the links.

Everytime I delete it, its there again the next day.

Things i have tired :
1. Searchning for : base64 eval iframe display:
2. Delete all the users that registed since the hack (via phpMyAdmin), so no hidden users.
3. going through the theme files looking for the back door.

Has anybody had any expireince with this particular hack?
Would really like some help!

Thanks
apljdi
Member
Posted 1 month ago #

Have you tried re-uploading everything from clean sources?

If your hacker got in via a user with elevated permissions that user would have been registered before the hacked files/functions/etc showed up on your site, not after it. Of course, other 'hacked' users could have been added after that first exploit.

Have you searched via PHPMyAdmin for users with elevated privileges? I'd look for any user with better than 'subscriber' and make sure i can account for all of them, but it is also possible to give a role like 'subscriber' a bunch of extra capabilities so you need to look for that too.
whooami
Member
Posted 1 month ago #

stop doing just a little bit of what you need to do, and do EVERYTHING that you need to do.

<start of copy and paste>

Make sure that your files on the server are clean. That means deleting and reuploading. Files that you dont replace, should be swept.

Check for files that dont belong, directories that dont belong. Image files with changed timestamps -- look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

Be suspicious, when youre looking at things.

Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

Make sure ALL of your plugins are current.

Make sure your wordpress is current.

Change your mysql password that wordpress uses (update your wp-config.php with that new password). Especiallly important in cases where you see changes to your mysql database.

Change any admin level passwords on your blog. Change your ftp password(s)

Scan your local machine for malware.

Look at any other software thats being used on your site. Is it current?

That's just an outline and not a complete list.

There's quite a bit to do, but it's all necessary.

If you cant do it all -- get help.

Then there's this:

http://codex.wordpress.org/FAQ_My_site_was_hacked

and

http://codex.wordpress.org/Hardening_WordPress

and this:

http://wordpress.org/support/topic/307660?replies=1

and this:

http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

<stop of copy and paste>
flamexero
Member
Posted 1 month ago #

Hi apljdi and Wooami,

thanks for the replies!
Of course i also deleted the users that was there before. even up to a month before the hack was made. None have elivated privilages (yes i have lookd via phpmyadmin).

I have also changed the passwords of the whole accoun including mysql ftp, the whole package.
I have spend hours and hours reading all those posts that you have suggested. done them all. i have completly upgraded. new plugings, just dont have a copy of the theme files, but i have checked through them as well.
nothing in the .htaccess.

Any idea how i can find a images that is actually a script ?
apljdi
Member
Posted 1 month ago #

Any idea how i can find a images that is actually a script ?

The Firefox extension JSView will catch at least some of these when they load on the page. It has caught javascript files with .css extensions too. Otherwise grep your image directories for short bits of javascript.
justdreamweaver
Member
Posted 3 weeks ago #

I'm having the same issue on one of my blogs. Waited too long to update to 2.8.4 (then .5) so 2.7.1 got hacked. I've scoured my files looking for the js injection, and I did find an upload.php file inside one of my upload folders and removed it.

I removed the function KoiQBOL script and spam links from the header.php file, only to have them return the next day. I set permissions of 444 on the header.php file to see if that keeps it from writing the links in, but it's not a solution. I still don't know exactly where the script is being inserted from.
justdreamweaver
Member
Posted 3 weeks ago #

Update on my issues with this. 444 did nothing as the script returned to the header file.

Upon further scanning of my site files, I found a couple of php files in the uploads directory. One was named new.php and was a base64 encrypted c99madshell hack. Not good. I run a couple of plugins that enable file uploads into the uploads directory, so I'm thinking that may be how the files were uploaded.

WP and all plugins are up-to-date at this point and passwords are changed, but I don't know if there are any legacy files that I haven't found. We'll see what happens.
llworldtour
Member
Posted 2 weeks ago #

Help! I am having the same problem.

I’ve recently been hacked with HIDDEN Spam links in my header.
I did find a bunch of ‘fake’ users in my Users file in myPHPadmin and deleted them.
Then i changed my WP name/password.
But the links came back a week later.
Now i see a bunch of suspicious stuff in my Users Metadata file in myphpadmin. BUT i don't know what is okay for me to delete??

I feel like I am flying blind. I am not to up on the phpmyadmin and there are so many folders/files...

I have the latest WP and Plug-ins, but i fear my backup--is a backup of the hacked version.

Any other tips will be appreciated.
justdreamweaver
Member
Posted 2 weeks ago #

Download your entire site, including all WordPress files. Do a search for the term base64 within all files. Changes are if you find a match with a garbled string of characters behind it, that file either doesn't belong or has been hacked.

I downloaded my SQL backup files as well, and by searching for base64 found one forum user had uploaded a PNG image encoded as base64 and used inline CSS styling to hide the image.
llworldtour
Member
Posted 2 weeks ago #

Hi-
I am hoping i have a handle on this now. I too had this KoiQBOL HACK which ultimately inserted a script with hidden links into my header.php...everyday or so even after I'd deleted them.

Thanks to all the different forums here and other forum searches for bits of advice that i have pieced together.
Here is what I have done (echoing much of whooami):

-made sure i had latest WP version...and even reinstalled it again
-back up all
-deleted 'other' weird users in phpmyadmin in users table
-deleted 'other/strange' meta in users meta table
-deleted xmlrpc.php
(not a bad file, but used for remote access which i don't use and in past has been a security risk)
-checked my permalinks thru dashboard (were fine)
-deleted cache
-RAN the "Exploits" plug in scanner--which found a lot. Some 'risk' words are okay in places...but by really looking at it all, you can see the ones with Base_64 that are bad. I found bad stuff in my plug-ins and some other files:
-FOUND and deleted odd files in uploads folder in my database:
uploads/2008/12/inclode.php
uploads/2008/12/fotter.php (both files had the HACK, bad script and nothing else)
-DELETED all plug ins
-downloaded new plug in files
-Downloaded WP Firewall Plug-in
-changed WP admin user name in phpmyadmin table
-changed WP password
-changed user name and password for my server

NOW today i got an email warning from the new Firewall Plug in warning me it blocked the same KoiQBOL script today in the header etc.
So it was blocked which is good, BUT is obviously programmed to keep trying to attack me. (why me?!?! Poor me!)

So...it is kept at bay, i suppose, but anyone know how to even stop it from even trying to attack?? Hackers are just not nice.

Hope this helps some.
Thanks!!
Lisa
UseShots
Member
Posted 2 weeks ago #

Hi llworldtour,

So the KoiQBOL was in the fotter.php file in the /uploads directory?

Can you share the wording of the email from the Firewall plugin. It is still not clear how they upload the script, so text from the warning may help.

Thanks
llworldtour
Member
Posted 2 weeks ago #

Hi -
Well, it was many places. First and foremost it kept re-appearing in my header.php even after deleted. But then in doing the "exploit Scan" plug in...I found the same string of KoiQBOL code in many plug-ins. I read about the fotter.php and inclode.php in some forums and they came up in exploit scanner as well. I can't say for sure that they had the exact same code.

I can paste some of the wording here, but i read somewhere that it is still dangerous and a bad idea to 'paste' the entire script here.

here is an excerpt from the warning email sent by Firewall:

WordPress Firewall has detected and blocked a potential attack!
Web Page: www.llworldtour.com/wp-content/uploads/2008/12/wp-inclode.php?f=/home1/llworldt/public_html/wp-content/themes/connections/header.php
Warning: URL may contain dangerous content!
Offending IP: 66.148.65.50 [ Get IP location ]
Offending Parameter: hd_h = <script>function KoiQBOL(qNQghUYaEb)...
bottleneck
Member
Posted 2 weeks ago #

In my case Firewall plugin takes my site down soon after it's activated.

@llworldtour,

do you have the latest WP 2.8.5?

Thanks in advance.
llworldtour
Member
Posted 2 weeks ago #

yes. Like i stated in my 'fix' list above...even though i had the latest version...i uploaded it again just in case.

Reply

You must log in to post.

WordPress.org

Forums

KoiQBOL hack/worm (14 posts)

Reply

About this Topic

Tags

Code is Poetry