KoiQBOL hack/worm

  • Heinrich

    (@flamexero)


    14 years, 6 months ago

    Hi
    It seems like my blog has been hack (was before i upgraded.)

    There is always a huge link farm in either the header or the footer theme template. One paricular is that there is also a js. funktion named KoiQBOL before the links.

    Everytime I delete it, its there again the next day.

    Things i have tired :
    1. Searchning for : base64 eval iframe display:
    2. Delete all the users that registed since the hack (via phpMyAdmin), so no hidden users.
    3. going through the theme files looking for the back door.

    Has anybody had any expireince with this particular hack?
    Would really like some help!

    Thanks

Viewing 15 replies - 1 through 15 (of 15 total)
  • s_ha_dum

    (@apljdi)

    14 years, 6 months ago

    Have you tried re-uploading everything from clean sources?

    If your hacker got in via a user with elevated permissions that user would have been registered before the hacked files/functions/etc showed up on your site, not after it. Of course, other ‘hacked’ users could have been added after that first exploit.

    Have you searched via PHPMyAdmin for users with elevated privileges? I’d look for any user with better than ‘subscriber’ and make sure i can account for all of them, but it is also possible to give a role like ‘subscriber’ a bunch of extra capabilities so you need to look for that too.

    whooami

    (@whooami)

    14 years, 6 months ago

    stop doing just a little bit of what you need to do, and do EVERYTHING that you need to do.

    <start of copy and paste>

    Make sure that your files on the server are clean. That means deleting and reuploading. Files that you dont replace, should be swept.

    Check for files that dont belong, directories that dont belong. Image files with changed timestamps — look at those. Its VERY common for there to be scripts on sites that are named in such a way to mask the fact that theyre scripts.

    Be suspicious, when youre looking at things.

    Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?

    You need to check your database. Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.

    Make sure ALL of your plugins are current.

    Make sure your wordpress is current.

    Change your mysql password that wordpress uses (update your wp-config.php with that new password). Especiallly important in cases where you see changes to your mysql database.

    Change any admin level passwords on your blog. Change your ftp password(s)

    Scan your local machine for malware.

    Look at any other software thats being used on your site. Is it current?

    That’s just an outline and not a complete list.

    There’s quite a bit to do, but it’s all necessary.

    If you cant do it all — get help.

    Then there’s this:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    and

    http://codex.wordpress.org/Hardening_WordPress

    and this:

    http://wordpress.org/support/topic/307660?replies=1

    and this:

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    <stop of copy and paste>

    Thread Starter Heinrich

    (@flamexero)

    14 years, 6 months ago

    Hi apljdi and Wooami,

    thanks for the replies!
    Of course i also deleted the users that was there before. even up to a month before the hack was made. None have elivated privilages (yes i have lookd via phpmyadmin).

    I have also changed the passwords of the whole accoun including mysql ftp, the whole package.
    I have spend hours and hours reading all those posts that you have suggested. done them all. i have completly upgraded. new plugings, just dont have a copy of the theme files, but i have checked through them as well.
    nothing in the .htaccess.

    Any idea how i can find a images that is actually a script ?

    s_ha_dum

    (@apljdi)

    14 years, 6 months ago

    Any idea how i can find a images that is actually a script ?

    The Firefox extension JSView will catch at least some of these when they load on the page. It has caught javascript files with .css extensions too. Otherwise grep your image directories for short bits of javascript.

    justdreamweaver

    (@justdreamweaver)

    14 years, 6 months ago

    I’m having the same issue on one of my blogs. Waited too long to update to 2.8.4 (then .5) so 2.7.1 got hacked. I’ve scoured my files looking for the js injection, and I did find an upload.php file inside one of my upload folders and removed it.

    I removed the function KoiQBOL script and spam links from the header.php file, only to have them return the next day. I set permissions of 444 on the header.php file to see if that keeps it from writing the links in, but it’s not a solution. I still don’t know exactly where the script is being inserted from.

    justdreamweaver

    (@justdreamweaver)

    14 years, 6 months ago

    Update on my issues with this. 444 did nothing as the script returned to the header file.

    Upon further scanning of my site files, I found a couple of php files in the uploads directory. One was named new.php and was a base64 encrypted c99madshell hack. Not good. I run a couple of plugins that enable file uploads into the uploads directory, so I’m thinking that may be how the files were uploaded.

    WP and all plugins are up-to-date at this point and passwords are changed, but I don’t know if there are any legacy files that I haven’t found. We’ll see what happens.

    llworldtour

    (@llworldtour)

    14 years, 5 months ago

    Help! I am having the same problem.

    I’ve recently been hacked with HIDDEN Spam links in my header.
    I did find a bunch of ‘fake’ users in my Users file in myPHPadmin and deleted them.
    Then i changed my WP name/password.
    But the links came back a week later.
    Now i see a bunch of suspicious stuff in my Users Metadata file in myphpadmin. BUT i don’t know what is okay for me to delete??

    I feel like I am flying blind. I am not to up on the phpmyadmin and there are so many folders/files…

    I have the latest WP and Plug-ins, but i fear my backup–is a backup of the hacked version.

    Any other tips will be appreciated.

    justdreamweaver

    (@justdreamweaver)

    14 years, 5 months ago

    Download your entire site, including all WordPress files. Do a search for the term base64 within all files. Changes are if you find a match with a garbled string of characters behind it, that file either doesn’t belong or has been hacked.

    I downloaded my SQL backup files as well, and by searching for base64 found one forum user had uploaded a PNG image encoded as base64 and used inline CSS styling to hide the image.

    llworldtour

    (@llworldtour)

    14 years, 5 months ago

    Hi-
    I am hoping i have a handle on this now. I too had this KoiQBOL HACK which ultimately inserted a script with hidden links into my header.php…everyday or so even after I’d deleted them.

    Thanks to all the different forums here and other forum searches for bits of advice that i have pieced together.
    Here is what I have done (echoing much of whooami):

    -made sure i had latest WP version…and even reinstalled it again
    -back up all
    -deleted ‘other’ weird users in phpmyadmin in users table
    -deleted ‘other/strange’ meta in users meta table
    -deleted xmlrpc.php
    (not a bad file, but used for remote access which i don’t use and in past has been a security risk)
    -checked my permalinks thru dashboard (were fine)
    -deleted cache
    -RAN the “Exploits” plug in scanner–which found a lot. Some ‘risk’ words are okay in places…but by really looking at it all, you can see the ones with Base_64 that are bad. I found bad stuff in my plug-ins and some other files:
    -FOUND and deleted odd files in uploads folder in my database:
    uploads/2008/12/inclode.php
    uploads/2008/12/fotter.php (both files had the HACK, bad script and nothing else)
    -DELETED all plug ins
    -downloaded new plug in files
    -Downloaded WP Firewall Plug-in
    -changed WP admin user name in phpmyadmin table
    -changed WP password
    -changed user name and password for my server

    NOW today i got an email warning from the new Firewall Plug in warning me it blocked the same KoiQBOL script today in the header etc.
    So it was blocked which is good, BUT is obviously programmed to keep trying to attack me. (why me?!?! Poor me!)

    So…it is kept at bay, i suppose, but anyone know how to even stop it from even trying to attack?? Hackers are just not nice.

    Hope this helps some.
    Thanks!!
    Lisa

    UseShots

    (@useshots)

    14 years, 5 months ago

    Hi llworldtour,

    So the KoiQBOL was in the fotter.php file in the /uploads directory?

    Can you share the wording of the email from the Firewall plugin. It is still not clear how they upload the script, so text from the warning may help.

    Thanks

    llworldtour

    (@llworldtour)

    14 years, 5 months ago

    Hi –
    Well, it was many places. First and foremost it kept re-appearing in my header.php even after deleted. But then in doing the “exploit Scan” plug in…I found the same string of KoiQBOL code in many plug-ins. I read about the fotter.php and inclode.php in some forums and they came up in exploit scanner as well. I can’t say for sure that they had the exact same code.

    I can paste some of the wording here, but i read somewhere that it is still dangerous and a bad idea to ‘paste’ the entire script here.

    here is an excerpt from the warning email sent by Firewall:

    WordPress Firewall has detected and blocked a potential attack!
    Web Page: http://www.llworldtour.com/wp-content/uploads/2008/12/wp-inclode.php?f=/home1/llworldt/public_html/wp-content/themes/connections/header.php
    Warning: URL may contain dangerous content!
    Offending IP: 66.148.65.50 [ Get IP location ]
    Offending Parameter: hd_h = <script>function KoiQBOL(qNQghUYaEb)…

    bottleneck

    (@bottleneck)

    14 years, 5 months ago

    In my case Firewall plugin takes my site down soon after it’s activated.

    @llworldtour,

    do you have the latest WP 2.8.5?

    Thanks in advance.

    llworldtour

    (@llworldtour)

    14 years, 5 months ago

    yes. Like i stated in my ‘fix’ list above…even though i had the latest version…i uploaded it again just in case.

    floridan

    (@floridan)

    14 years, 4 months ago

    To those of you who have been hacked, the answer has been repeated over and over in these forums: The hacker is gaining access to your WP installation through your FTP on your desktop.

    And your WordPress blog is being hacked because you have a trojan hiding on your PC. You are wasting your time securing or upgrading your WP installation if you do not find and delete the trojan and/or malware on your PC first.

    Changing your passwords and upgrading WP is useless if your PC is still infected with a trojan. I can almost guarantee the hacker has hidden a PHP shell script somewhere on your servers outside of your WP install. To find it you must either run a virus scan on your entire server (or ask your host to run one) or you can manually eyeball the dates inside every single folder on your server (inside and outside of WP) to see which file was updated recently or to find filenames that you know you didn’t create.

    Once you remove the PHP shell file(s), you must scan your hard drive for trojans/malware. Once your HD is clean you can then change your passwords and upgrade your WP install or simply overwrite your files with clean files. I would suggest using several different anti-virus/anti-malware programs to find the trojan. Malwarebytes is a good start.

    Amin Y

    (@oscomsupport)

    14 years, 3 months ago

    Check your root or includes folder for any new files and check the coding there. Also check if theres any file called configuration.php, check the code in that file, that could be the virus file.

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘KoiQBOL hack/worm’ is closed to new replies.