[resolved] My WordPress script was vulnerable? (22 posts)

  1. pezastic
    Member
    Posted 3 years ago #

    My site provider sent me a notice saying "your WordPress script was vulnerable" and anyone could add/edit/delete any file within my web space using the script. They said that someone uploaded a file named mail.cgi to my site and started sending spam out using that script.

    Can anyone tell me how this may have happened and, more importantly, how to avoid it from occurring again? I really don't want to lose my site because of abuse by a third party unknown to me.

  2. DianeV
    Member
    Posted 3 years ago #

    There are a number of versions of WordPress, both earlier and current. It would be difficult to guess what's happening without knowing what version you're running, as well as how your web hosting space is set up. If you can provide details, it would help someone to help you.

  3. podz
    Support Maven
    Posted 3 years ago #

    And who is this host ?

  4. pezastic
    Member
    Posted 3 years ago #

    I'm using SSLcatacomb Networks from mymarkdown.com for hosting. I was using WP 1.5 when this happened. I have just upgraded to 2.0.

  5. pezastic
    Member
    Posted 3 years ago #

    Okay, I replied with my hosting information. I totally deleted all WordPress files. I have no users registered. I used a different password after installing WordPress 2.0. Now, I've been hacked. Check it out:

    bbiverson.com

    Now I'm thinking that you guys will say it was some sort of vulnerability with the host I'm using and they'll say it was a vulnerability with the WordPress script. So, I'm wondering what would be the smart thing for me to do at this point?

  6. jimatwork
    Member
    Posted 3 years ago #

    I had the same problem this past weekend. I would like to know where the vulnerability is, too. No problems with WP yet, just to my html pages which were deleted and replaced with a new index.html file.

  7. pezastic
    Member
    Posted 3 years ago #

    Yeah, my WP stuff seems to be intact and I was considering upgrading from 2.0 to 2.01, but what's to stop this hacker from destroying my frontpage again? I had never had a problem with WP before and then my host provider said someone had gained access to a WP script to send out tons of spam email to people. So, they deleted the offending file and suggested I look into the matter further, which I did.

    I upgraded WP from 1.5 to 2.0 and thought the problem was solved. Now, my site has been hacked again, either through the host provider or WP. Now, my host provider hasn't changed the setup since I've been with them and Lord knows how many upgrades WP has been through (as we've all read the long list of problems with this last upgrade), so I'm inclined to believe the problem lies somewhere with WP.

    What do they say when you don't like the program on TV? "Change the channel!" Well, that's easier said than done with all the stuff I've put on my WP. I've been putting my faith in this program for a long time and have appreciated all the support help I've received.

    I just hope that someone has a fix for this current one, because I don't want to invest more years of my times making posts that will eventually end up being hacked away.

    Yes, there are backup plugins, but the problem with plugins is that they can't keep up with the version changes that WP is going through.

    So, what to do?

  8. Glo
    Member
    Posted 3 years ago #

    Your Web host is probably the only one who can help you. By examining your logs, your host should be able to track down the problem, unless the hackers covered their tracks very well. But even if they did, your host can tell if your logs were reset.

    While WP has no known vulnerabilities, there could be something in a plugin that allowed a script kiddie to deface your site, but I'm guessing it was something else on your server. If you have Front Page extensions, there is a vulnerability. Not sure how it all works, but there is information on site defacement via FP extensions if you do a search.

    It's against the law to deface a site but the script kiddies do it because they can. If you do some research, you can even find scripts with instruction on how to deface a site. I have one (a php defacement script) that was used in an attempt to deface my WP blog. It wasn't successful but they tried several times.

    Anyway, I'd contact my host and hope they have the skills required to track down the problem. If it is a WP problem, then I'm sure the developers would like to know. Your host will need to supply the evidence that it is a WP problem, not just say it is - that will not help anyone and it will not give the developers what they need in order to fix any possible problem.

    Good luck!

  9. jimatwork
    Member
    Posted 3 years ago #

    My html was not written using FrontPage, but rather just an editor that didn't add any additional tags.

  10. Chris_K
    Administrator
    Posted 3 years ago #

    Good deal, Jim. But your SERVER may have FrontPage EXTENSIONS installed. Not you, or your desktop, but the server.

    It is frequently alleged that they can be a security risk.

  11. pezastic
    Member
    Posted 3 years ago #

    I have requested more detailed information from my server and will update this thread as it becomes available. BTW, I do not have FP Extensions installed. I used to use FP as a sort of manual weblog, years ago, but that was with a different server and I verified with my current one, through CPanel, that FP extensions are disabled.

  12. Glo
    Member
    Posted 3 years ago #

    jimatwork, the use of FP extensions is not the only way a script kiddie can deface a site. Do the research; there are many server-side applications that they can and do use: PHP, CGI, etc. The fact that your html page was replaced says they got in somehow or were able to replace that file with a script. Let us hope they didn't actually get into your server, since they could do serious damage if they did.

    Contact your host and have them analyze the log files for your site if you don't know how to do it yourself or don't know what to look for. That is the best advice anyone can give you.

  13. pezastic
    Member
    Posted 3 years ago #

    This is the reply I got from my host:

      Hello,

      Did you delete the database?

      The database could have been modified so that they can get back in at any time.

      Did you delete ALL files within your web space? Files can be modified and hidden in directories so that they can get back in at any time.

      Did you keep all files within your web space up-to-date on a daily basis?
      Old vulnerable scripts like http://www.bbiverson.com/gallery/ ? Since your domain is now on hacker scoreboards updating daily probably isn't good enough. You should check for updates to your scripts several times per day.

      All log files can be accessed using cpanel. Please hire a webmaster if you need help in keeping your scripts within your web space secure and up-to-date.

      Best regards,
      Web Hosting Services

    They're asking me to delete my database? That's the same as deleting WordPress!

    I looked under CPanel and there are three references to logs: Raw Access Logs, Raw Log Manager, and Error Log. None of them have anything timestamped farther back than 24 hours ago. Here is a link to my Raw Access Log:

    Raw Access Log

    Is that the log my host is referencing, because I don't see any other in CPanel? If the infraction occurred prior to 24 hours ago, how can I determine what caused it and how to avoid it in the future?
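The raw access logs the host points at are Apache "combined" format, and the question of what to look for in them comes up repeatedly in this thread. The following is an added example, not code from the thread, from WordPress or from cPanel: it parses combined-format lines and flags the two things this incident would have shown, namely any request for a CGI/Perl script on a PHP-only site (such as the mail.cgi the host removed) and POSTs to PHP files outside the endpoints WordPress itself accepts. The log lines are constructed for the example, and the list of expected WordPress POST endpoints is an assumption to be adjusted for the installed version and plugins.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format, which is what cPanel's Raw Access Logs contain.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Script endpoints a stock WordPress install is expected to receive POSTs on.
# Assumption for this example; extend it for the plugins actually installed.
EXPECTED_POST_PATHS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php"}
EXPECTED_POST_PREFIXES = ("/wp-admin/",)

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2006:03:14:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2006:03:14:05 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/?p=1" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2006:03:20:11 -0500] "POST /gallery/index.php HTTP/1.1" 200 311 "-" "libwww-perl/5.803"
198.51.100.23 - - [10/Feb/2006:03:20:19 -0500] "POST /mail.cgi HTTP/1.1" 200 88 "-" "libwww-perl/5.803"
198.51.100.23 - - [10/Feb/2006:03:20:20 -0500] "POST /mail.cgi HTTP/1.1" 200 88 "-" "libwww-perl/5.803"
192.0.2.44 - - [10/Feb/2006:03:25:40 -0500] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the combined-log fields plus the bare URL path, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # strip any query string
    return rec


def is_unexpected_script_hit(rec):
    """Return a reason string if this request should be reviewed, else None."""
    path = rec["path"].lower()
    # This site runs WordPress (PHP), so no .cgi or .pl script should be
    # receiving traffic at all; the host's mail.cgi would show up here.
    if path.endswith((".cgi", ".pl")):
        return "cgi/perl script requested"
    # POST to a PHP file that is not one of WordPress's own write endpoints.
    if rec["method"] == "POST" and path.endswith(".php"):
        if path not in EXPECTED_POST_PATHS and not path.startswith(EXPECTED_POST_PREFIXES):
            return "POST to non-WordPress PHP script"
    return None


def scan(lines):
    """Scan log lines; return (findings, hits-per-client-IP)."""
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line
        reason = is_unexpected_script_hit(rec)
        if reason:
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"], reason))
            per_ip[rec["ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for ip, method, path, status, reason in found:
        print(f"{ip:15} {method:4} {path:25} {status}  {reason}")
    print("clients with findings:", dict(counts))
```

Because cPanel's raw logs rotate (the 24-hour window pezastic describes), the scan is only as good as the copies you have kept; downloading the raw log daily to local storage and running the scan over the archive is what makes the "prior to 24 hours ago" question answerable.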

  14. podz
    Support Maven
    Posted 3 years ago #

    I think your host is talking bollocks. While a tiny bit of their info could be seen as possibly correct, given that it's their hosting environment, it's scripts in that environment that are being used, and they have control over that environment, so asking you to sort it all out shows that they haven't a clue between them.

    Move hosts today. Seriously - move to a better host.

    ---------

    Without knowing specifically what databases you have, check the users for each app. Delete all but you. Change all your passwords to long complex strings such as 8Jik:mNiP(d/GDF53]

    CHMOD every file to 644
    Every directory to 755

    That will go someway to help.

    But the best advice is to move and do it now. There are many threads about good hosts but http://www.asmallorange.com and http://laughingsquid.com get no complaints in these forums.

  15. Glo
    Member
    Posted 3 years ago #

      If the infraction occurred prior to 24 hours ago, how can I determine what caused it and how to avoid it in the future?

    I don't think anyone here can help you, at least not without seeing what's in your directories. I doubt your database was compromised. If you can't change hosts (which I would highly recommend) then go in and delete the html file that's showing right now and look for anything else suspicious and remove it. Back everything up first. Check your logs daily and wait and see what happens. Oh, I would remove the gallery program since there's no photos in it anyway.

    You could also backup your database, then remove the wp tables in MySQL, remove everything related to WP and any other program you have installed yourself, including images, from your directories, then do a clean install. You can dump your database content back in after the new install and reload any images you might want. If you need help doing that, email me at glo (at) wild-mind.net and I'll tell you how. If you have changed the look of your blog, save the theme you changed to your hard drive, if you don't already have it on your computer (hopefully you do).

    Good luck!

  16. Glo
    Member
    Posted 3 years ago #

    Okay, I found this warning by doing a search for Linux_Drox http://secunia.com/advisories/17410/ - so, your database may have been compromised. Before inserting any database backups into a clean install, the content should be examined.

  17. pezastic
    Member
    Posted 3 years ago #

    I have always respected podz's suggestions and kind of took the one in this thread to heart and wrote back to my provider the same basic verbiage that he used in his post. They replied with this:

      If you upload a script to your web site that allows anyone to add/edit/delete files within your web site, that has nothing to do with the environment of the server. The script allows anyone to add/edit/delete files within your web site and that is what they are using. It has nothing to do with the environment of the server. You need to keep all scripts within your web space up-to-date on a daily basis - basic webmastering.

      We do not provide webmaster services. If you need help in keeping your scripts within your web space secure, and up-to-date hire a webmaster.

    Now, I'm totally stupid here. How am I supposed to keep all scripts within my web space up-to-date on a daily basis? What does that entail?

  18. pezastic
    Member
    Posted 3 years ago #

    I know you guys said to change hosts, but I looked into it and the deal I have is so great (other host providers I read about charge huge fees!) that I'll just try to solve this security vulnerability some other way.

    I was thinking about backing everything up. Copy and pasting all my entries to Word. Nuking my site, as if I was a totally new client of my host provider. Installing the latest WordPress and then pasting all my entries to that. I only have 95 posts and I think a third of those were picture collections, so it wouldn't be a big deal to paste them in.

    The big problem would be setting up the categories again. I have 101 categories, because the way I had my site divided into people, places, things, and ideas (for future expansion). That would be a major pain in the butt to put back all those categories, 'cause they all have descriptions that go with them and they're organized nicely into sub-cats and sub-sub-cats on the frontpage, which uses a java-based open and close tree-like display for them, which I really like, but can't remember where I got it or how I installed it.

    There are also other variables involved with a virgin install, as I'm sure you can all understand. I'm just wondering if this would be a good idea, or is there something less drastic that I could do that would bring about the same high level of security?

  19. whooami
    Member
    Posted 3 years ago #

    your host was spot on in the first thing they told you regarding file and directory permissions, and that someone was able to and probably did, in fact, upload a malicious script to spam.

    permissions are key.

    files need to be readable but NOT WRITABLE == 644
    directories need to be accessible, but NOT WRITABLE == 755

    --

    There is a very good level of security built into apache, as long as basic common-sense is applied.
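podz (post 14) and whooami (post 19) both give the same baseline: every file 644, every directory 755, because a world-writable location under the web root is what lets an uploaded script land and stay. The following is an added example, not code from the thread or from WordPress: it walks a web root, reports every entry whose permission bits differ from that baseline, separates out the world-writable ones (the ones that actually matter for this incident), and can apply the fix. The fixture tree it builds is constructed for the example; the file name mail.cgi is borrowed from the host's notice, and the directory names are assumptions.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # rw-r--r-- : web server can read, only the owner can write
DIR_MODE = 0o755   # rwxr-xr-x : web server can traverse, only the owner can write


def audit_tree(root, fix=False):
    """Return (relative_path, actual_mode, expected_mode) for every file or
    directory under root that deviates from the 644/755 baseline.
    With fix=True each deviating entry is chmod'ed to the baseline after
    being recorded, so a second audit of the same tree comes back empty."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory (root included) exactly once as dirpath.
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, name), FILE_MODE) for name in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; audit the target instead
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
                if fix:
                    os.chmod(path, expected)
    return findings


def world_writable(findings):
    """The subset of findings any other account on the server could write to."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def build_demo_tree():
    """Constructed fixture: a tiny fake web root with two bad entries, a
    world-writable uploads directory and an executable CGI dropped inside it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, DIR_MODE)
    uploads = os.path.join(root, "wp-content", "uploads")  # assumed layout
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)  # bad: anyone on the box can drop files here
    for rel, mode in [("index.php", FILE_MODE),
                      ("wp-config.php", FILE_MODE),
                      (os.path.join("wp-content", "uploads", "mail.cgi"), 0o755)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, actual, expected in audit_tree(demo):
        print(f"{rel:40} is {actual:o}, expected {expected:o}")
    print("world-writable:", [f[0] for f in world_writable(audit_tree(demo))])
    audit_tree(demo, fix=True)
    print("after fix:", audit_tree(demo))
```

On a cPanel shell the equivalent one-shot fix is `find . -type f -exec chmod 644 {} +` followed by `find . -type d -exec chmod 755 {} +`; the audit above is useful because it tells you which entries were wrong before you flatten them, which is itself evidence of where something was dropped. Files holding credentials, wp-config.php in particular, are usually tightened further than 644 (owner-only read) once the baseline is in place.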

  20. pezastic
    Member
    Posted 3 years ago #

    Thanks, whooami. Sorry to drag this problem out, but my time is limited and I'm not working on my website everyday now. (That, coupled with my ignorance about these things, is probably why it got hacked.)

    paraphrasing podz:

      Check the users for each app in mySQL. Delete all but you. Change all your passwords to long complex strings, such as 8Jik:mNiP(d/GDF53]

      CHMOD every file to 644
      Every directory to 755

    Is that what I should do, AFTER going through the upgrade steps for WordPress 2.0 to 2.01?

    Something else concerns me. Some of you keep mentioning "apache" which, if I'm not mistaken, is controlled by my web host. Could the hacker have gotten into my website through a file that I don't have control over, but they do? Is that why some of you said to change hosts, rather than try to deal with the problem from my end (as they suggested)?

  21. miklb
    Forum Concierge
    Posted 3 years ago #

    I just left the same host you have. And though they are cheap, their customer service skills reflect in the cost. Definitely not enough savings worth the blatant disregard for an issue on their end and the way I was treated, as if I was troubling them, or "calling them out". Ultimately they blamed another site for being a resource hog. Funny thing was, I was due to renew in 2 weeks, and was looking at a much larger package. Guess they have all the business they need.

    Don't delete any files before doing a full backup, including the databases. Cpanel has a backup that will automate the process for you. You should be able to import your database into a new WP, be it on this site, or another.

    And I'd follow Podz's instructions regarding the database users before upgrading.

  22. pezastic
    Member
    Posted 3 years ago #

    It happened again. My website security was compromised. Someone was using a script on my site to send out spam that used up large amounts of bandwidth. I followed all of the aforementioned suggestions and it didn't seem to matter. Now, I can't even check the logs as to what actually took place, as my webhost terminated my account. So, now I'm looking for another host.

Topic Closed

This topic has been closed to new replies.
